Updates from: 04/04/2024 01:16:34
Service Microsoft Docs article Related commit history on GitHub Change details
ai-services Groundedness https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/concepts/groundedness.md
The maximum character limit for the grounding sources is 55,000 characters per A
To use this API, you must create your Azure AI Content Safety resource in the supported regions. Currently, it's available in the following Azure regions: - East US 2-- East US (only for non-reasoning)
+- East US
- West US - Sweden Central
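Review bot: the East US entry loses its "(only for non-reasoning)" qualifier with no accompanying text explaining the change. If reasoning is now available in East US, say so in the region list; if it is not, the qualifier should stay.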
If you need a higher rate, [contact us](mailto:contentsafetysupport@microsoft.co
Follow the quickstart to get started using Azure AI Content Safety to detect groundedness. > [!div class="nextstepaction"]
-> [Groundedness detection quickstart](../quickstart-groundedness.md)
+> [Groundedness detection quickstart](../quickstart-groundedness.md)
ai-services Concept Composed Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-composed-models.md
With the introduction of [**custom classification models**](./concept-custom-cla
* With models composed using v2.1 of the API continues to be supported, requiring no updates.
-* For custom models, the maximum number that can be composed is 100.
+* For custom models, the maximum number that can be composed is 200.
::: moniker-end
ai-services Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/managed-identity.md
description: Provides guidance on how to set managed identity with Microsoft Entra ID Previously updated : 02/29/2024 Last updated : 04/03/2024 recommendations: false
In the following sections, you'll use the Azure CLI to sign in, and obtain a bea
## Assign yourself to the Cognitive Services User role
-Assign yourself the [Cognitive Services User](role-based-access-control.md#cognitive-services-contributor) role to allow you to use your account to make Azure OpenAI API calls rather than having to use key-based auth. After you make this change it can take up to 5 minutes before the change takes effect.
+Assign yourself either the [Cognitive Services OpenAI User](role-based-access-control.md#cognitive-services-openai-user) or [Cognitive Services OpenAI Contributor](role-based-access-control.md#cognitive-services-openai-contributor) role to allow you to use your account to make Azure OpenAI inference API calls rather than having to use key-based auth. After you make this change it can take up to 5 minutes before the change takes effect.
## Sign into the Azure CLI
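Review bot: the heading above the changed paragraph still reads "Assign yourself to the Cognitive Services User role", while the new text names Cognitive Services OpenAI User and Cognitive Services OpenAI Contributor, so the heading should be updated to match. The paragraph also presents the two roles as interchangeable; for a reader who only needs to make inference calls, say which of the two is the narrower grant so the default choice follows least privilege.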
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/role-based-access-control.md
Previously updated : 11/15/2023 Last updated : 04/03/2024 recommendations: false
If a user were granted role-based access to only this role for an Azure OpenAI r
✅ Ability to view the resource and associated model deployments in Azure OpenAI Studio. <br> ✅ Ability to view what models are available for deployment in Azure OpenAI Studio. <br> ✅ Use the Chat, Completions, and DALL-E (preview) playground experiences to generate text and images with any models that have already been deployed to this Azure OpenAI resource. <br>
+✅ Make inference API calls with Microsoft Entra ID.
A user with only this role assigned would be unable to:
This role is typically granted access at the resource group level for a user in
A user with only this role assigned would be unable to: ❌ Access quota <br>
+❌ Make inference API calls with Microsoft Entra ID.
### Cognitive Services Usages Reader
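Review bot: the added "❌ Make inference API calls with Microsoft Entra ID." line tells the reader what this role cannot do but not which role to request instead. The ✅ line added earlier in this file grants the same capability to another role, so link to that role's section from here.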
All the capabilities of Cognitive Services Contributor plus the ability to:
|Create customized content filters|❌|❌|✅| ➖ | |Add a data source for the “on your data” feature|❌|❌|✅| ➖ | |Access quota|❌|❌|❌|✅|-
+|Make inference API calls with Microsoft Entra ID| ✅ | ✅ | ❌ | ➖ |
## Common Issues ### Unable to view Azure Cognitive Search option in Azure OpenAI Studio
ai-services Speech Synthesis Markup Pronunciation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-synthesis-markup-pronunciation.md
The speech synthesis engine speaks the following example as "World Wide Web Cons
The Mathematical Markup Language (MathML) is an XML-compliant markup language that describes mathematical content and structure. The Speech service can use the MathML as input text to properly pronounce mathematical notations in the output audio. > [!NOTE]
-> The MathML elements (tags) are currently supported by all neural voices in the `en-US` and `en-AU` locales.
+> The MathML elements (tags) are currently supported in the following locales: `de-DE`, `en-AU`, `en-GB`, `en-US`, `es-ES`, `es-MX`, `fr-CA`, `fr-FR`, `it-IT`, `ja-JP`, `ko-KR`, `pt-BR`, and `zh-CN`.
All elements from the [MathML 2.0](https://www.w3.org/TR/MathML2/) and [MathML 3.0](https://www.w3.org/TR/MathML3/) specifications are supported, except the MathML 3.0 [Elementary Math](https://www.w3.org/TR/MathML3/chapter3.html#presm.elementary) elements.
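Review bot: the old note said the elements were supported "by all neural voices" in the listed locales, and the new wording drops that phrase, leaving it unclear whether every neural voice in the thirteen locales is covered. If that is still the case, keep the phrase, for example "supported by all neural voices in the following locales".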
ai-services What Is Text To Speech Avatar https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/text-to-speech-avatar/what-is-text-to-speech-avatar.md
Azure AI text to speech avatar feature capabilities include:
With text to speech avatar's advanced neural network models, the feature empowers you to deliver lifelike and high-quality synthetic talking avatar videos for various applications while adhering to responsible AI practices. > [!TIP]
-> To convert text to speech with a no-code approach, try the [Text to speech avatar tool in Speech Studio](https://aka.ms/speechstudio/talkingavatar).
+> To convert text to speech with a no-code approach, try the [Text to speech avatar tool in Speech Studio](https://speech.microsoft.com/portal/talkingavatar).
## Avatar voice and language
-You can choose from a range of prebuilt voices for the avatar. The language support for text to speech avatar is the same as the language support for text to speech. For details, see [Language and voice support for the Speech service](../language-support.md?tabs=tts). Prebuilt text to speech avatars can be accessed through the [Speech Studio portal](https://aka.ms/speechstudio/talkingavatar) or via API.
+You can choose from a range of prebuilt voices for the avatar. The language support for text to speech avatar is the same as the language support for text to speech. For details, see [Language and voice support for the Speech service](../language-support.md?tabs=tts). Prebuilt text to speech avatars can be accessed through the [Speech Studio portal](https://speech.microsoft.com/portal/talkingavatar) or via API.
The voice in the synthetic video could be a prebuilt neural voice available on Azure AI Speech or the [custom neural voice](../custom-neural-voice.md) of voice talent selected by you.
aks Access Control Managed Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-control-managed-azure-ad.md
description: Learn how to access clusters when integrating Microsoft Entra ID in
Last updated 04/20/2023+++
Make sure the admin of the security group has given your account an *Active* ass
[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create [aad-assignments]: ../active-directory/privileged-identity-management/groups-assign-member-owner.md#assign-an-owner-or-member-of-a-group [az-aks-create]: /cli/azure/aks#az_aks_create+
aks Access Private Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-private-cluster.md
Last updated 09/15/2023+++ # Access a private Azure Kubernetes Service (AKS) cluster
In this article, you learned how to access a private cluster and run commands on
<!-- links - internal --> [command-invoke-troubleshoot]: /troubleshoot/azure/azure-kubernetes/resolve-az-aks-command-invoke-failures+
aks Active Active Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/active-active-solution.md
If you're considering a different solution, see the following articles:
- [Active passive disaster recovery solution overview for Azure Kubernetes Service (AKS)](./active-passive-solution.md) - [Passive cold solution overview for Azure Kubernetes Service (AKS)](./passive-cold-solution.md)+
aks Active Passive Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/active-passive-solution.md
If you're considering a different solution, see the following articles:
- [Active active high availability solution overview for Azure Kubernetes Service (AKS)](./active-active-solution.md) - [Passive cold solution overview for Azure Kubernetes Service (AKS)](./passive-cold-solution.md)+
aks Ai Toolchain Operator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ai-toolchain-operator.md
description: Learn how to enable the AI toolchain operator add-on on Azure Kuber
Last updated 02/28/2024+++ # Deploy an AI model on Azure Kubernetes Service (AKS) with the AI toolchain operator (preview)
For more inference model options, see the [KAITO GitHub repository](https://gith
[az-feature-register]: /cli/azure/feature#az_feature_register [az-feature-show]: /cli/azure/feature#az_feature_show [az-provider-register]: /cli/azure/provider#az_provider_register+
aks Aks Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-diagnostics.md
Title: Azure Kubernetes Service (AKS) Diagnose and Solve Problems Overview description: Learn about self-diagnosing clusters in Azure Kubernetes Service. -++ Last updated 03/10/2023
Deploying applications on AKS requires adherence to best practices to guarantee
* Read the [triage practices section](/azure/architecture/operator-guides/aks/aks-triage-practices) of the AKS day-2 operations guide. * Post your questions or feedback at [UserVoice](https://feedback.azure.com/d365community/forum/aabe212a-f724-ec11-b6e6-000d3a4f0da0) by adding "[Diag]" in the title.+
aks Aks Support Help https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-support-help.md
Title: Support and troubleshooting for Azure Kubernetes Service (AKS)
description: This article provides support and troubleshooting options for Azure Kubernetes Service (AKS). Last updated 09/27/2023+++
Learn about important product updates, roadmap, and announcements in [Azure Upda
## Next steps Visit the [Azure Kubernetes Service (AKS) documentation](./index.yml).+
aks Api Server Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/api-server-vnet-integration.md
For associated best practices, see [Best practices for network connectivity and
[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create [ref-support-levels]: /cli/azure/reference-types-and-status [az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials+
aks App Routing Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-migration.md
After migrating to the application routing add-on, learn how to [monitor Ingress
<!-- EXTERNAL LINKS --> [kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get [kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete+
aks App Routing Nginx Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-nginx-configuration.md
The application routing add-on uses a Kubernetes [custom resource definition (CR
When you enable the application routing add-on with NGINX, it creates an ingress controller called `default` in the `app-routing-namespace` configured with a public facing Azure load balancer. That ingress controller uses an ingress class name of `webapprouting.kubernetes.azure.com`.
-You can modify the configuration of the default ingress controller by editing its configuration.
-
-```bash
-kubectl edit nginxingresscontroller default -n app-routing-system
-```
- ### Create another public facing NGINX ingress controller To create another NGINX ingress controller with a public facing Azure Load Balancer:
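Review bot: the unchanged sentence above this removal places the `default` ingress controller in `app-routing-namespace`, but the command being deleted targeted `-n app-routing-system`; the two do not agree, and the namespace in the remaining sentence should be checked and corrected in this change. With the `kubectl edit nginxingresscontroller default` paragraph gone, the section also no longer says whether the default controller may be modified, so state that explicitly.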
aks App Routing Nginx Prometheus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-nginx-prometheus.md
Then upload the desired dashboard file and click on **Load**.
[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply [grafana-nginx-dashboard]: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/grafana/dashboards/nginx.json [grafana-nginx-request-performance-dashboard]: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/grafana/dashboards/request-handling-performance.json+
aks App Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing.md
For other configurations, see:
* [Application routing add-on configuration][custom-ingress-configurations] * [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller].
-With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the Cloud Native Computing Foundation (CNCF), using the application routing add-on is the default method for all AKS clusters.
+With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the Cloud Native Computing Foundation (CNCF), using the application routing add-on with OSM is not recommended.
## Prerequisites
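Review bot: the rewritten sentence says using the add-on with OSM is not recommended but gives no alternative and does not say what happens to clusters that already use that combination. Add a pointer to the supported configuration or to migration guidance next to it.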
With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the
- The application routing add-on supports up to five Azure DNS zones. - All global Azure DNS zones integrated with the add-on have to be in the same resource group. - All private Azure DNS zones integrated with the add-on have to be in the same resource group.-- Editing any resources in the `app-routing-system` namespace, including the Ingress-nginx ConfigMap, isn't supported.
+- Editing the ingress-nginx `ConfigMap` in the `app-routing-system` namespace isn't supported.
## Enable application routing using Azure CLI
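Review bot: the limitation is narrowed from "any resources in the `app-routing-system` namespace" to only the ingress-nginx `ConfigMap`, which implies that other resources in that namespace may now be edited without saying so. Name the resources that are supported for editing, or state that the rest remain managed by the add-on, so operators do not infer permission from silence.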
When the application routing add-on is disabled, some Kubernetes resources might
[kubectl]: https://kubernetes.io/docs/reference/kubectl/ [kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply [ingress-backend]: https://release-v1-2.docs.openservicemesh.io/docs/guides/traffic_management/ingress/#ingressbackend-api+
aks Artifact Streaming https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/artifact-streaming.md
This article described how to enable Artifact Streaming on your AKS node pools t
[az-acr-artifact-streaming-create]: /cli/azure/acr/artifact-streaming#az-acr-artifact-streaming-create [az-acr-manifest-list-referrers]: /cli/azure/acr/manifest#az-acr-manifest-list-referrers [az-aks-nodepool-show]: /cli/azure/aks/nodepool#az-aks-nodepool-show+
aks Auto Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-cluster.md
For a detailed discussion of upgrade best practices and other considerations, se
[pdb-best-practices]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ [release-tracker]: release-tracker.md [k8s-deprecation]: https://kubernetes.io/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/#:~:text=A%20deprecated%20API%20is%20one%20that%20has%20been,point%20you%20must%20migrate%20to%20using%20the%20replacement
-[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates
+[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates
aks Auto Upgrade Node Os Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-node-os-image.md
For a detailed discussion of upgrade best practices and other considerations, se
[az-aks-update]: /cli/azure/aks#az-aks-update <!-- LINKS - external -->
-[Blog]: https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/increased-security-and-resiliency-of-canonical-workloads-on/ba-p/3970623
+[Blog]: https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/increased-security-and-resiliency-of-canonical-workloads-on/ba-p/3970623
aks Automated Deployments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/automated-deployments.md
Learn more about [GitHub Actions for Kubernetes][kubernetes-action].
<!-- LINKS --> [kubernetes-action]: kubernetes-action.md+
aks Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/availability-zones.md
description: Learn how to create a cluster that distributes nodes across availab
Last updated 12/06/2023+++ # Create an Azure Kubernetes Service (AKS) cluster that uses availability zones
This article described how to create an AKS cluster using availability zones. Fo
<!-- LINKS - external --> [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe [kubectl-well_known_labels]: https://kubernetes.io/docs/reference/labels-annotations-taints/+
aks Azure Ad Integration Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-integration-cli.md
Title: Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) (legacy) description: Learn how to use the Azure CLI to create and Microsoft Entra ID-enabled Azure Kubernetes Service (AKS) cluster (legacy)-+
For best practices on identity and resource control, see [Best practices for aut
[managed-aad]: managed-azure-ad.md [managed-aad-migrate]: managed-azure-ad.md#migrate-a-legacy-azure-ad-cluster-to-integration [az-aks-show]: /cli/azure/aks#az_aks_show+
aks Azure Blob Csi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-blob-csi.md
Last updated 11/24/2023+++ # Use Azure Blob storage Container Storage Interface (CSI) driver
To have a storage volume persist for your workload, you can use a StatefulSet. T
[azure-disk-csi-driver]: azure-disk-csi.md [azure-files-csi-driver]: azure-files-csi.md [install-azure-cli]: /cli/azure/install-azure-cli+
aks Azure Cni Overlay https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overlay.md
To learn how to utilize AKS with your own Container Network Interface (CNI) plug
[az-aks-update]: /cli/azure/aks#az-aks-update [az-extension-add]: /cli/azure/extension#az-extension-add [az-extension-update]: /cli/azure/extension#az-extension-update+
aks Azure Cni Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overview.md
Learn more about networking in AKS in the following articles:
[azure-cni-overlay]: azure-cni-overlay.md [configure-azure-cni-dynamic-ip-allocation]: configure-azure-cni-dynamic-ip-allocation.md [configure-azure-cni-static-block-allocation]: configure-azure-cni-static-block-allocation.md+
aks Azure Cni Powered By Cilium https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-powered-by-cilium.md
Learn more about networking in AKS in the following articles:
<!-- LINKS - Internal --> [aks-ingress-basic]: ingress-basic.md+
aks Azure Csi Disk Storage Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-disk-storage-provision.md
Last updated 03/05/2024+++ # Create and use a volume with Azure Disks in Azure Kubernetes Service (AKS)
kubectl delete -f azure-pvc.yaml
[azure-disk-write-accelerator]: ../virtual-machines/windows/how-to-enable-write-accelerator.md [on-demand-bursting]: ../virtual-machines/disk-bursting.md [customer-usage-attribution]: ../marketplace/azure-partner-customer-usage-attribution.md+
aks Azure Csi Files Storage Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-files-storage-provision.md
Last updated 03/05/2024+++ # Create and use a volume with Azure Files in Azure Kubernetes Service (AKS)
For associated best practices, see [Best practices for storage and backups in AK
[tag-resources]: ../azure-resource-manager/management/tag-resources.md [azure-files-usage]: ../storage/files/understand-performance.md#choosing-a-performance-tier-based-on-usage-patterns [az-storage-account-create]: /cli/azure/storage/account#az-storage-account-create+
aks Azure Disk Csi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-disk-csi.md
Last updated 04/19/2023+++ # Use the Azure Disk Container Storage Interface (CSI) driver in Azure Kubernetes Service (AKS)
The output of the command resembles the following example:
[az-premium-ssd]: ../virtual-machines/disks-types.md#premium-ssds [general-purpose-machine-sizes]: ../virtual-machines/sizes-general.md [disk-based-solutions]: /azure/cloud-adoption-framework/scenarios/app-platform/aks/storage#disk-based-solutions+
aks Azure Disk Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-disk-customer-managed-keys.md
Last updated 02/01/2024+++ # Bring your own keys (BYOK) with Azure managed disks in Azure Kubernetes Service (AKS)
Review [best practices for AKS cluster security][best-practices-security]
[customer-managed-keys-windows]: ../virtual-machines/disk-encryption.md#customer-managed-keys [customer-managed-keys-linux]: ../virtual-machines/disk-encryption.md#customer-managed-keys [key-vault-generate]: ../key-vault/general/manage-with-cli2.md+
aks Azure Files Csi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-files-csi.md
Last updated 01/11/2024+++ # Use Azure Files Container Storage Interface (CSI) driver in Azure Kubernetes Service (AKS)
The output of the commands resembles the following example:
[azure-private-endpoint-dns]: ../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration [azure-netapp-files-mount-options-best-practices]: ../azure-netapp-files/performance-linux-mount-options.md#rsize-and-wsize [nfs-file-share-mount-options]: ../storage/files/storage-files-how-to-mount-nfs-shares.md#mount-options+
aks Azure Hpc Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-hpc-cache.md
az feature show --namespace "Microsoft.StorageCache"
[az-hpc-cache-blob-storage-target-add]: /cli/azure/hpc-cache/blob-storage-target#az_hpc_cache_blob_storage_target_add [az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone#az_network_private_dns_zone_create [az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az_network_private_dns_link_vnet_create
-[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create
+[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create
aks Azure Hybrid Benefit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-hybrid-benefit.md
To learn more about Windows containers on AKS, see the following resources:
* [Learn how to deploy, manage, and monitor Windows containers on AKS](/training/paths/deploy-manage-monitor-wincontainers-aks). * Open an issue or provide feedback in the [Windows containers GitHub repository](https://github.com/microsoft/Windows-Containers/issues). * Review the [third-party partner solutions for Windows on AKS](windows-aks-partner-solutions.md).+
aks Azure Linux Aks Partner Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-linux-aks-partner-solutions.md
For more information, see [CloudCasa by Catalogic Solutions](https://cloudcasa.i
## Next steps [Learn more about the Azure Linux Container Host on AKS](../azure-linux/intro-azure-linux.md).+
aks Azure Netapp Files Dual Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-dual-protocol.md
Last updated 02/26/2024+++ # Provision Azure NetApp Files dual-protocol volumes for Azure Kubernetes Service
Astra Trident supports many features with Azure NetApp Files. For more informati
[azure-netapp-smb]: azure-netapp-files-smb.md [azure-netapp-files]: azure-netapp-files.md [azure-netapp-files-volume-dual-protocol]: ../azure-netapp-files/create-volumes-dual-protocol.md+
aks Azure Netapp Files Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-nfs.md
Last updated 05/08/2023+++ # Provision Azure NetApp Files NFS volumes for Azure Kubernetes Service
Astra Trident supports many features with Azure NetApp Files. For more informati
[install-azure-cli]: /cli/azure/install-azure-cli [use-tags]: use-tags.md [azure-ad-app-registration]: ../active-directory/develop/howto-create-service-principal-portal.md+
aks Azure Netapp Files Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-smb.md
Last updated 05/08/2023+++ # Provision Azure NetApp Files SMB volumes for Azure Kubernetes Service
Astra Trident supports many features with Azure NetApp Files. For more informati
[install-azure-cli]: /cli/azure/install-azure-cli [use-tags]: use-tags.md [azure-ad-app-registration]: ../active-directory/develop/howto-create-service-principal-portal.md+
aks Azure Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files.md
Last updated 05/08/2023+++ # Configure Azure NetApp Files for Azure Kubernetes Service
Astra Trident supports many features with Azure NetApp Files. For more informati
[install-azure-cli]: /cli/azure/install-azure-cli [use-tags]: use-tags.md [azure-ad-app-registration]: ../active-directory/develop/howto-create-service-principal-portal.md+
aks Azure Nfs Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-nfs-volume.md
ls -l
[azure-linux-vm]: ../virtual-machines/linux/endorsed-distros.md [linux-create]: ../virtual-machines/linux/tutorial-manage-vm.md [azure-files-overview]: ../storage/files/storage-files-introduction.md+
aks Best Practices App Cluster Reliability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-app-cluster-reliability.md
description: Learn the best practices for deployment and cluster reliability for Azure Kubernetes Service (AKS) workloads. Last updated 03/11/2024+++ # Deployment and cluster reliability best practices for Azure Kubernetes Service (AKS)
This article focused on best practices for deployment and cluster reliability fo
* [High availability and disaster recovery overview for AKS](./ha-dr-overview.md) * [Run AKS clusters at scale](./best-practices-performance-scale-large.md) * [Baseline architecture for an AKS cluster](/azure/architecture/reference-architectures/containers/aks/baseline-aks)+
aks Best Practices Cost https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-cost.md
description: Recommendations and best practices for optimizing costs in Azure Kubernetes Service (AKS). Last updated 02/21/2024+++ # Optimize costs in Azure Kubernetes Service (AKS)
Cost optimization is an ongoing and iterative effort. Learn more by reviewing th
* [Optimize Compute Costs on AKS](/training/modules/aks-optimize-compute-costs/) * [AKS Cost Optimization Techniques](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-kubernetes-service-aks-cost-optimization-techniques/ba-p/3652908) * [What is FinOps?](/azure/cost-management-billing/finops/)+
aks Best Practices Performance Scale Large https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-performance-scale-large.md
description: Learn the best practices for performance and scaling for large workloads in Azure Kubernetes Service (AKS). Last updated 01/18/2024+++ # Best practices for performance and scaling for large workloads in Azure Kubernetes Service (AKS)
As you scale your AKS clusters to larger scale points, keep the following node p
<!-- LINKS - External --> [throttling-policies]: https://azure.microsoft.com/blog/api-management-advanced-caching-and-throttling-policies/+
aks Best Practices Performance Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-performance-scale.md
description: Learn the best practices for performance and scaling for small to medium workloads in Azure Kubernetes Service (AKS). Last updated 11/03/2023+++ # Best practices for performance and scaling for small to medium workloads in Azure Kubernetes Service (AKS)
Ephemeral OS disks can provide dynamic IOPS and throughput for your application,
### Pod scheduling The memory and CPU resources allocated to a VM have a direct impact on the performance of the pods running on the VM. When a pod is created, it's assigned a certain amount of memory and CPU resources, which are used to run the application. If the VM doesn't have enough memory or CPU resources available, it can cause the pods to slow down or even crash. If the VM has too much memory or CPU resources available, it can cause the pods to run inefficiently, wasting resources and increasing costs. We recommend monitoring the total pod requests across your workloads against the total allocatable resources for best scheduling predictability and performance. You can also set the maximum pods per node based on your capacity planning using `--max-pods`.+
aks Cis Azure Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cis-azure-linux.md
For more information about Azure Linux Container Host security, see the followin
[cis-benchmarks]: /compliance/regulatory/offering-CIS-Benchmark [linux-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-linux.md [linux-container-host-aks]: ../azure-linux/intro-azure-linux.md+
aks Cis Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cis-windows.md
description: Learn how AKS applies the CIS benchmark to Windows Server 2022 imag
Last updated 09/27/2023+++ # Azure Kubernetes Service (AKS) Windows image alignment with Center for Internet Security (CIS) benchmark
For more information about AKS security, see the following articles:
<!-- INTERNAL LINKS --> [cis-benchmarks]: /compliance/regulatory/offering-CIS-Benchmark [security-concepts-aks-apps-clusters]: concepts-security.md
-[windows-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-windows.md
+[windows-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-windows.md
aks Cluster Autoscaler Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-autoscaler-overview.md
description: Learn about cluster autoscaling in Azure Kubernetes Service (AKS) using the cluster autoscaler. Last updated 01/05/2024+++ # Cluster autoscaling in Azure Kubernetes Service (AKS) overview
Depending on how long the scaling operations have been experiencing failures, it
<!-- LINKS > [vertical-pod-autoscaler]: vertical-pod-autoscaler.md [horizontal-pod-autoscaler]:concepts-scale.md#horizontal-pod-autoscaler+
aks Cluster Autoscaler https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-autoscaler.md
description: Learn how to use the cluster autoscaler to automatically scale your
Last updated 01/11/2024+++ # Use the cluster autoscaler in Azure Kubernetes Service (AKS)
To further help improve cluster resource utilization and free up CPU and memory
[az-aks-nodepool-update]: https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview#enable-cluster-auto-scaler-for-a-node-pool [kubernetes-faq]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#ca-doesnt-work-but-it-used-to-work-yesterday-why [kubernetes-cluster-autoscaler]: https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler+
aks Cluster Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-configuration.md
description: Learn how to configure a cluster in Azure Kubernetes Service (AKS)
Last updated 06/20/2023+++ # Configure an AKS cluster
az aks update -n aksTest -g aksTest --nrg-lockdown-restriction-level Unrestricte
[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add [az-aks-nodepool-show]: /cli/azure/aks/nodepool#az_aks_nodepool_show [az-vm-list]: /cli/azure/vm#az_vm_list+
aks Cluster Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-extensions.md
You can also [select and deploy Kubernetes applications available through Market
<!-- EXTERNAL --> [arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all+
aks Concepts Clusters Workloads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-clusters-workloads.md
description: Learn about the core components that make up workloads and clusters
Last updated 01/16/2024+++ # Core Kubernetes concepts for Azure Kubernetes Service
This article covers some of the core Kubernetes components and how they apply to
[aks-tags]: use-tags.md [aks-support]: support-policies.md#user-customization-of-agent-nodes [intro-azure-linux]: ../azure-linux/intro-azure-linux.md+
aks Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-identity.md
For more information on core Kubernetes and AKS concepts, see the following arti
[aks-concepts-network]: concepts-network.md [operator-best-practices-identity]: operator-best-practices-identity.md [upgrade-per-cluster]: ../azure-monitor/containers/container-insights-update-metrics.md#upgrade-per-cluster-using-azure-cli+
aks Concepts Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-network.md
Title: Concepts - Networking in Azure Kubernetes Services (AKS)
description: Learn about networking in Azure Kubernetes Service (AKS), including kubenet and Azure CNI networking, ingress controllers, load balancers, and static IP addresses. Last updated 03/26/2024+++
For more information on core Kubernetes and AKS concepts, see the following arti
[azure-cni-powered-by-cilium]: azure-cni-powered-by-cilium.md [azure-cni-powered-by-cilium-limitations]: azure-cni-powered-by-cilium.md#limitations [use-byo-cni]: use-byo-cni.md+
aks Concepts Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-scale.md
Title: Concepts - Scale applications in Azure Kubernetes Services (AKS)
description: Learn about scaling in Azure Kubernetes Service (AKS), including the horizontal pod autoscaler, cluster autoscaler, and Azure Container Instances. Last updated 03/18/2024+++ # Scaling options for applications in Azure Kubernetes Service (AKS)
For more information on core Kubernetes and AKS concepts, see the following arti
[aks-concepts-identity]: concepts-identity.md [aks-concepts-network]: concepts-network.md [virtual-nodes-cli]: virtual-nodes-cli.md
-[keda-overview]: keda-about.md
+[keda-overview]: keda-about.md
aks Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-security.md
For more information on core Kubernetes and AKS concepts, see:
[microsoft-vulnerability-management-aks]: concepts-vulnerability-management.md [aks-vulnerability-management-nodes]: concepts-vulnerability-management.md#worker-nodes [manage-ssh-access]: manage-ssh-node-access.md
-[trusted-launch]: use-trusted-launch.md
+[trusted-launch]: use-trusted-launch.md
aks Concepts Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-storage.md
Title: Concepts - Storage in Azure Kubernetes Services (AKS)
description: Learn about storage in Azure Kubernetes Service (AKS), including volumes, persistent volumes, storage classes, and claims. Last updated 03/19/2024+++
For more information on core Kubernetes and AKS concepts, see the following arti
[azure-disk-customer-managed-key]: azure-disk-customer-managed-keys.md [azure-aks-storage-considerations]: /azure/cloud-adoption-framework/scenarios/app-platform/aks/storage [azure-container-storage]: ../storage/container-storage/container-storage-introduction.md+
aks Concepts Sustainable Software Engineering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-sustainable-software-engineering.md
Title: Concepts - Sustainable software engineering in Azure Kubernetes Services
description: Learn about sustainable software engineering in Azure Kubernetes Service (AKS). Last updated 06/20/2023+++ # Sustainable software engineering practices in Azure Kubernetes Service (AKS)
Many attacks on cloud infrastructure seek to misuse deployed resources for the a
> [!div class="nextstepaction"] > [Azure Well-Architected Framework review of AKS](/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service)+
aks Confidential Containers Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/confidential-containers-overview.md
description: Learn about Confidential Containers (preview) on an Azure Kubernete
Last updated 03/18/2024+++ # Confidential Containers (preview) with Azure Kubernetes Service (AKS)
With the local container filesystem backed by VM memory, writing to the containe
[azure-dedicated-hosts]: ../virtual-machines/dedicated-hosts.md [deploy-confidential-containers-default-aks]: deploy-confidential-containers-default-policy.md [confidential-containers-security-policy]: ../confidential-computing/confidential-containers-aks-security-policy.md+
aks Configure Azure Cni Dynamic Ip Allocation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni-dynamic-ip-allocation.md
Learn more about networking in AKS in the following articles:
[azure-cni-prereq]: ./configure-azure-cni.md#prerequisites [azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters [az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons+
aks Configure Azure Cni Static Block Allocation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni-static-block-allocation.md
Learn more about networking in AKS in the following articles:
[azure-cni-prereq]: ./configure-azure-cni.md#prerequisites [azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters [az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons+
aks Configure Azure Cni https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni.md
az aks create \
To configure Azure CNI networking with dynamic IP allocation and enhanced subnet support, see [Configure Azure CNI networking for dynamic allocation of IPs and enhanced subnet support in AKS](configure-azure-cni-dynamic-ip-allocation.md). +
aks Configure Kube Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kube-proxy.md
This article covered how to configure `kube-proxy` in Azure Kubernetes Service (
[az-extension-update]: /cli/azure/extension#az-extension-update [az-aks-create]: /cli/azure/aks#az-aks-create [az-aks-update]: /cli/azure/aks#az-aks-update+
aks Configure Kubenet Dual Stack https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet-dual-stack.md
Once the cluster has been created, you can deploy your workloads. This article w
[az-group-create]: /cli/azure/group#az_group_create [az-aks-create]: /cli/azure/aks#az_aks_create [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials+
aks Configure Kubenet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet.md
This article showed you how to deploy your AKS cluster into your existing virtua
[custom-route-table]: ../virtual-network/manage-route-table.md [Create an AKS cluster with user-assigned managed identity]: configure-kubenet.md#create-an-aks-cluster-with-user-assigned-managed-identity [bring-your-own-control-plane-managed-identity]: ../aks/use-managed-identity.md#bring-your-own-managed-identity+
aks Control Plane Metrics Default List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/control-plane-metrics-default-list.md
description: This article describes the minimal ingestion profile metrics for Az
Last updated 01/31/2024+++
The following are metrics that are allow-listed with `minimalingestionprofile=tr
<!-- INTERNAL LINKS --> [azure-monitor-prometheus-metrics-scrape-config-minimal]: ../azure-monitor/containers/prometheus-metrics-scrape-configuration-minimal.md+
aks Coredns Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/coredns-custom.md
To learn more about core network concepts, see [Network concepts for application
[aks-quickstart-cli]: ./learn/quick-kubernetes-deploy-cli.md [aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md+
aks Cost Analysis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cost-analysis.md
See the following guide to troubleshoot [AKS cost analysis add-on issues](/troub
## Learn more
-Visibility is one element of cost management. Refer to [Optimize Costs in Azure Kubernetes Service (AKS)](./best-practices-cost.md) for other best practices on how to gain control over your kubernetes cost.
+Visibility is one element of cost management. Refer to [Optimize Costs in Azure Kubernetes Service (AKS)](./best-practices-cost.md) for other best practices on how to gain control over your kubernetes cost.
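Review bot: the added line still ends with "kubernetes cost" in lower case, while the link text in the same sentence writes "Kubernetes"; since the line is being rewritten anyway, capitalise the product name. The removed and added lines otherwise read identically as shown, so this looks like a whitespace-only change.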
aks Create Nginx Ingress Private Controller https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/create-nginx-ingress-private-controller.md
For other configuration information related to SSL encryption other advanced NGI
[az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone?#az-network-private-dns-zone-create [az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create [az-network-private-dns-record-set-a-list]: /cli/azure/network/private-dns/record-set/a#az-network-private-dns-record-set-a-list+
aks Create Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/create-node-pools.md
description: Learn how to create multiple node pools for a cluster in Azure Kube
Last updated 12/08/2023+++
In this article, you learned how to create multiple node pools in an AKS cluster
[use-system-pool]: use-system-pools.md [restricted-vm-sizes]: ../virtual-machines/sizes.md [aks-taints]: manage-node-pools.md#set-node-pool-taints+
aks Csi Secrets Store Configuration Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-configuration-options.md
To learn more about the Azure Key Vault provider for Secrets Store CSI Driver, s
<!-- LINKS EXTERNAL --> [reloader]: https://github.com/stakater/Reloader+
aks Csi Secrets Store Driver https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-driver.md
In this article, you learned how to use the Azure Key Vault provider for Secrets
<!-- LINKS EXTERNAL --> [kube-csi]: https://kubernetes-csi.github.io/docs/ [kubernetes-version-support]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy+
aks Csi Secrets Store Identity Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md
In this article, you learned how to create and provide an identity to access you
[az-identity-create]: /cli/azure/identity#az-identity-create [az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create [az-aks-disable-addons]: /cli/azure/aks#az-aks-disable-addons+
aks Csi Secrets Store Nginx Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-nginx-tls.md
We can now deploy a Kubernetes ingress resource referencing the secret.
<!-- LINKS EXTERNAL --> [kubernetes-ingress-tls]: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls+
aks Csi Storage Drivers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-storage-drivers.md
Title: Container Storage Interface (CSI) drivers on Azure Kubernetes Service (AK
description: Learn about and deploy the Container Storage Interface (CSI) drivers for Azure Disks and Azure Files in an Azure Kubernetes Service (AKS) cluster Last updated 03/14/2024+++
To review the migration options for your storage classes and upgrade your cluste
[azure-policy-aks-definition]: ../governance/policy/samples/built-in-policies.md#kubernetes [encrypt-managed-disks-customer-managed-keys]: ../virtual-machines/disks-cross-tenant-customer-managed-keys.md [azure-disk-customer-managed-keys]: azure-disk-customer-managed-keys.md+
aks Custom Certificate Authority https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-certificate-authority.md
For more information on AKS security best practices, see [Best practices for clu
[az-feature-show]: /cli/azure/feature#az-feature-show [az-feature-register]: /cli/azure/feature#az-feature-register [az-provider-register]: /cli/azure/provider#az-provider-register+
aks Custom Node Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-node-configuration.md
The settings below can be used to tune the operation of the virtual memory (VM)
[az-feature-register]: /cli/azure/feature#az-feature-register [az-feature-show]: /cli/azure/feature#az-feature-show [az-provider-register]: /cli/azure/provider#az-provider-register+
aks Dapr Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-migration.md
Learn more about [Dapr][dapr-overview] and [how to use it][dapr-howto].
<!-- LINKS EXTERNAL --> [dapr-prod-guidelines]: https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#enabling-high-availability-in-an-existing-dapr-deployment+
aks Dapr Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-settings.md
Once you have successfully provisioned Dapr in your AKS cluster, try deploying a
[dapr-troubleshooting]: https://docs.dapr.io/operations/troubleshooting/common_issues/ [supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc [dapr-mariner]: https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/#using-mariner-based-images+
aks Dapr Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-workflow.md
Notice that the workflow status is marked as completed.
[deployment-yaml]: https://github.com/Azure/dapr-workflows-aks-sample/blob/main/Deploy/deployment.yaml [docker]: https://docs.docker.com/get-docker/ [helm]: https://helm.sh/docs/intro/install/+
aks Dapr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr.md
az k8s-extension delete --resource-group myResourceGroup --cluster-name myAKSClu
[dapr-supported-version]: https://docs.dapr.io/operations/support/support-release-policy/#supported-versions [dapr-troubleshooting]: https://docs.dapr.io/operations/troubleshooting/common_issues/ [supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc+
aks Deploy Application Az Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-application-az-cli.md
To deploy the application (extension) through Azure CLI, follow the steps outlin
- Learn about [Kubernetes applications available through Marketplace](deploy-marketplace.md). - Learn about [cluster extensions](cluster-extensions.md).+
aks Deploy Application Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-application-template.md
Once you've accepted the terms, you can deploy your ARM template. For instructio
- Learn about [Kubernetes applications available through Marketplace](deploy-marketplace.md). - Learn about [cluster extensions](cluster-extensions.md).+
aks Deploy Confidential Containers Default Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-confidential-containers-default-policy.md
Title: Deploy an AKS cluster with Confidential Containers (preview)
description: Learn how to create an Azure Kubernetes Service (AKS) cluster with Confidential Containers (preview) and a default security policy by using the Azure CLI. Last updated 01/10/2024+++
kubectl delete pod pod-name
[az-attestation-show]: /cli/azure/attestation#az-attestation-show [attestation-quickstart-azure-cli]: ../attestation/quickstart-azure-cli.md [symptom-role-assignment-changes-are-not-being-detected]: ../role-based-access-control/troubleshooting.md#symptomrole-assignment-changes-are-not-being-detected+
aks Deploy Extensions Az Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-extensions-az-cli.md
az k8s-extension delete --name azureml --cluster-name <clusterName> --resource-g
[use-managed-identity]: ./use-managed-identity.md [workload-identity-overview]: workload-identity-overview.md [use-azure-ad-pod-identity]: use-azure-ad-pod-identity.md+
aks Deploy Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-marketplace.md
If you experience issues, see the [troubleshooting checklist for failed deployme
[marketplace-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer +
aks Deployment Safeguards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deployment-safeguards.md
To learn more, see [workload validation in Gatekeeper](https://open-policy-agent
[Azure-Policy-built-in-definition-docs]: /azure/aks/policy-reference#policy-definitions [Azure-Policy-compliance-portal]: https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Compliance [Azure-Policy-RBAC-permissions]: /azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy+
aks Developer Best Practices Resource Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/developer-best-practices-resource-management.md
description: Learn the application developer best practices for resource management in Azure Kubernetes Service (AKS). Last updated 05/25/2023+++ # Best practices for application developers to manage resources in Azure Kubernetes Service (AKS)
To implement some of these best practices, see [Develop with Bridge to Kubernete
[btk]: /visualstudio/containers/overview-bridge-to-kubernetes [operator-best-practices-isolation]: operator-best-practices-cluster-isolation.md [resource-quotas]: operator-best-practices-scheduler.md#enforce-resource-quotas+
aks Devops Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/devops-pipeline.md
You're now ready to create a release, which means to start the process of runnin
1. In the pipeline view, choose the status link in the stages of the pipeline to see the logs and agent output. ::: zone-end+
aks Draft Devx Extension Aks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/draft-devx-extension-aks.md
In this article, you learned how to use Draft and the DevX extension for Visual
[aks-acr-authenticate]: ../aks/cluster-container-registry-integration.md [devx-extension]: https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.aks-devx-tools [draft]: https://github.com/Azure/draft+
aks Draft https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/draft.md
After you create your artifacts and set up GitHub OIDC, you can use `draft gener
[az-aks-draft-create]: /cli/azure/aks/draft#az-aks-draft-create [az-aks-draft-setup-gh]: /cli/azure/aks/draft#az-aks-draft-setup-gh [az-aks-draft-generate-workflow]: /cli/azure/aks/draft#az-aks-draft-generate-workflow+
aks Edge Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/edge-zones.md
After deploying your AKS cluster in an Edge Zone, learn about how you can [confi
[az-aks-create]: /cli/azure/aks#az_aks_create [preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal+
aks Egress Outboundtype https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/egress-outboundtype.md
az aks update -g <resourceGroup> -n <clusterName> --outbound-type userAssignedNA
[az-feature-show]: /cli/azure/feature#az_feature_show [az-provider-register]: /cli/azure/provider#az_provider_register [az-aks-update]: /cli/azure/aks#az_aks_update+
aks Egress Udr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/egress-udr.md
For more information on user-defined routes and Azure networking, see:
* [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md) * [How to create, change, or delete a route table](../virtual-network/manage-route-table.md).+
aks Enable Fips Nodes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-fips-nodes.md
To learn more about AKS security, see [Best practices for cluster security and u
[install-azure-cli]: /cli/azure/install-azure-cli [node-image-upgrade]: node-image-upgrade.md [errors-mount-file-share-fips]: /troubleshoot/azure/azure-kubernetes/fail-to-mount-azure-file-share#fipsnodepool+
aks Enable Host Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-host-encryption.md
description: Learn how to configure a host-based encryption in an Azure Kubernet
Last updated 07/17/2023 +++ ms.devlang: azurecli
Before you begin, review the following prerequisites and limitations.
[akv-built-in-roles]: ../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations [az-aks-create]: /cli/azure/aks#az-aks-create [az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add+
aks Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/events.md
Now that you understand Kubernetes events, you can continue your monitoring and
[aks-azure-monitor]: ./monitor-aks.md [container-insights]: ../azure-monitor/containers/container-insights-enable-aks.md [k8s-events]: https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/event-v1/+
aks Free Standard Pricing Tiers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/free-standard-pricing-tiers.md
Title: Azure Kubernetes Service (AKS) Free, Standard and Premium pricing tiers f
description: Learn about the Azure Kubernetes Service (AKS) Free, Standard, and Premium pricing plans and what features, deployment patterns, and recommendations to consider between each plan. Last updated 04/07/2023+++
This process takes several minutes to complete. You shouldn't experience any dow
[long-term-support]: long-term-support.md [long-term-support-update]: long-term-support.md#enable-lts-on-an-existing-cluster [install-azure-cli]: /cli/azure/install-azure-cli+
aks Gpu Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/gpu-cluster.md
Last updated 04/10/2023+++ #Customer intent: As a cluster administrator or developer, I want to create an AKS cluster that can use high-performance GPU-based VMs for compute-intensive workloads.
To see the GPU in action, you can schedule a GPU-enabled workload with the appro
[az-extension-add]: /cli/azure/extension#az-extension-add [az-extension-update]: /cli/azure/extension#az-extension-update [NVadsA10]: /azure/virtual-machines/nva10v5-series+
aks Ha Dr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ha-dr-overview.md
For more information, see the following articles:
- [About AKS backup using Azure Backup (preview)](../backup/azure-kubernetes-service-backup-overview.md) - [Back up AKS using Azure Backup (preview)](../backup/azure-kubernetes-service-cluster-backup.md)+
aks Howto Deploy Java Liberty App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-liberty-app.md
Title: Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster recommendations: false description: Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster-+ Previously updated : 04/02/2024 Last updated : 01/16/2024 keywords: java, jakartaee, javaee, microprofile, open-liberty, websphere-liberty, aks, kubernetes
The Open Liberty Operator simplifies the deployment and management of applicatio
For more information on Open Liberty, see [the Open Liberty project page](https://openliberty.io/). For more information on IBM WebSphere Liberty, see [the WebSphere Liberty product page](https://www.ibm.com/cloud/websphere-liberty).
-This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operators, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual).
+This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operator, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual).
This article is intended to help you quickly get to deployment. Before going to production, you should explore [Tuning Liberty](https://www.ibm.com/docs/was-liberty/base?topic=tuning-liberty). [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
+* You can use Azure Cloud Shell or a local terminal.
+ [!INCLUDE [azure-cli-prepare-your-environment.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)]
+* This article requires at least version 2.31.0 of Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
+ > [!NOTE] > You can also execute this guidance from the [Azure Cloud Shell](/azure/cloud-shell/quickstart). This approach has all the prerequisite tools pre-installed, with the exception of Docker. > > :::image type="icon" source="~/reusable-content/ce-skilling/azure/media/cloud-shell/launch-cloud-shell-button.png" alt-text="Button to launch the Azure Cloud Shell." border="false" link="https://shell.azure.com":::
-* Prepare a local machine with a Unix-like operating system installed (for example, Ubuntu, macOS, Windows Subsystem for Linux).
-* This article requires at least version 2.31.0 of Azure CLI.
-* Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)).
-* Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.
-* Install [Docker](https://docs.docker.com/get-docker/) for your OS.
+* If running the commands in this guide locally (instead of Azure Cloud Shell):
+ * Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, Azure Linux, macOS, Windows Subsystem for Linux).
+ * Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)).
+ * Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.
+ * Install [Docker](https://docs.docker.com/get-docker/) for your OS.
* Make sure you're assigned either the `Owner` role or the `Contributor` and `User Access Administrator` roles in the subscription. You can verify it by following steps in [List role assignments for a user or group](../role-based-access-control/role-assignments-list-portal.md#list-role-assignments-for-a-user-or-group). ## Create a Liberty on AKS deployment using the portal
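Review bot: the restructured prerequisites disagree with the NOTE in the same hunk about Docker. The NOTE says Cloud Shell has all prerequisite tools pre-installed "with the exception of Docker", but the new list puts the Docker install only under "If running the commands in this guide locally (instead of Azure Cloud Shell)", so a reader working in Cloud Shell is never told how to meet the Docker requirement. Either keep Docker as a top-level prerequisite or state which steps need a local Docker installation. The NOTE also now repeats the new first bullet ("You can use Azure Cloud Shell or a local terminal") and could be folded into it. Two smaller points in the added lines: "with Unix-like operating system" dropped the article that the removed line had ("with a Unix-like operating system"), and "version 17 or later. (for example, ...)" carries a stray full stop before the parenthesis.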
You can learn more from the following references:
* [Open Liberty](https://openliberty.io/) * [Open Liberty Operator](https://github.com/OpenLiberty/open-liberty-operator) * [Open Liberty Server Configuration](https://openliberty.io/docs/ref/config/)+
aks Howto Deploy Java Quarkus App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-quarkus-app.md
Title: "Deploy Quarkus on Azure Kubernetes Service" description: Shows how to quickly stand up Quarkus on Azure Kubernetes Service.-+
You may also want to use `docker rmi` to delete the container images `postgres`
- [Deploy serverless Java apps with Quarkus on Azure Functions](/azure/azure-functions/functions-create-first-quarkus) - [Quarkus](https://quarkus.io/) - [Jakarta EE on Azure](/azure/developer/java/ee)+
aks Howto Deploy Java Wls App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-wls-app.md
Title: "Deploy WebLogic Server on Azure Kubernetes Service using the Azure portal" description: Shows how to quickly stand up WebLogic Server on Azure Kubernetes Service.-+ Last updated 02/09/2024
Learn more about running WLS on AKS or virtual machines by following these links
> [!div class="nextstepaction"] > [WLS on virtual machines](/azure/virtual-machines/workloads/oracle/oracle-weblogic)+
aks Http Application Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-application-routing.md
For information on how to install an HTTPS-secured ingress controller in AKS, se
[kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs [ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/ [ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource+
aks Http Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-proxy.md
For more information regarding the network requirements of AKS clusters, see [co
[az-extension-add]: /cli/azure/extension#az_extension_add [az-extension-update]: /cli/azure/extension#az-extension-update [install-azure-cli]: /cli/azure/install-azure-cli+
aks Image Cleaner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/image-cleaner.md
The `eraser-aks-xxxxx` pod deletes within 10 minutes after work completion. You
[az-aks-update]: /cli/azure/aks#az_aks_update [trivy]: https://github.com/aquasecurity/trivy [az-aks-show]: /cli/azure/aks#az_aks_show+
aks Image Integrity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/image-integrity.md
In this article, you learned how to use Image Integrity to validate signed image
<! External links -> [ratify]: https://github.com/deislabs/ratify [image-integrity-policy]: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf426bb8-b320-4321-8545-1b784a5df3a4+
aks Ingress Basic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-basic.md
This article included some external components to AKS. To learn more about these
[acr-helm]: ../container-registry/container-registry-helm-repos.md [azure-powershell-install]: /powershell/azure/install-az-ps [aks-app-add-on]: app-routing.md+
aks Ingress Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-tls.md
You can also:
[new-az-public-ip-address]: /powershell/module/az.network/new-azpublicipaddress [aks-app-add-on]: app-routing.md [parameter-targettag]: /powershell/module/az.containerregistry/import-azcontainerregistryimage+
aks Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md
description: Learn about the add-ons, extensions, and open-source integrations y
Last updated 05/22/2023+++ # Add-ons, extensions, and other integrations with Azure Kubernetes Service (AKS)
For more information, see [Windows AKS partner solutions][windows-aks-partner-so
[github-actions-aks]: kubernetes-action.md [az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons [windows-aks-partner-solutions]: windows-aks-partner-solutions.md+
aks Internal Lb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/internal-lb.md
To learn more about Kubernetes services, see the [Kubernetes services documentat
[get-azvirtualnetworksubnetconfig]: /powershell/module/az.network/get-azvirtualnetworksubnetconfig [az-network-private-link-service-list]: /cli/azure/network/private-link-service#az_network_private_link_service_list [az-network-private-endpoint-create]: /cli/azure/network/private-endpoint#az_network_private_endpoint_create+
aks Intro Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md
description: Learn the features and benefits of Azure Kubernetes Service to depl
Last updated 05/02/2023+++ # What is Azure Kubernetes Service?
Learn more about deploying and managing AKS.
[helm]: quickstart-helm.md [aks-best-practices]: best-practices.md [intro-azure-linux]: ../azure-linux/intro-azure-linux.md+
aks Istio About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-about.md
Istio-based service mesh add-on for AKS has the following limitations:
[azure-cni-cilium]: azure-cni-powered-by-cilium.md [open-service-mesh-about]: open-service-mesh-about.md
-[istio-deploy-addon]: istio-deploy-addon.md
+[istio-deploy-addon]: istio-deploy-addon.md
aks Istio Deploy Addon https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-deploy-addon.md
az group delete --name ${RESOURCE_GROUP} --yes --no-wait
[istio-deploy-ingress]: istio-deploy-ingress.md [az-aks-mesh-get-revisions]: /cli/azure/aks/mesh#az-aks-mesh-get-revisions(aks-preview) [bicep-aks-resource-definition]: /azure/templates/microsoft.containerservice/managedclusters+
aks Istio Deploy Ingress https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-deploy-ingress.md
az group delete --name ${RESOURCE_GROUP} --yes --no-wait
``` [istio-deploy-addon]: istio-deploy-addon.md+
aks Istio Meshconfig https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-meshconfig.md
Fields present in [open source MeshConfig reference documentation][istio-meshcon
[istio-meshconfig]: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/ [istio-sidecar-race-condition]: https://istio.io/latest/docs/ops/common-problems/injection/#pod-or-containers-start-with-network-issues-if-istio-proxy-is-not-ready+
aks Istio Plugin Ca https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-plugin-ca.md
You may need to periodically rotate the certificate authorities for security or
[az-aks-mesh-disable]: /cli/azure/aks/mesh#az-aks-mesh-disable [istio-generate-certs]: https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/#plug-in-certificates-and-key-into-the-cluster [istio-mtls-reference]: https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication+
aks Istio Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-upgrade.md
The following example illustrates how to upgrade from revision `asm-1-18` to `as
[istio-canary-upstream]: https://istio.io/latest/docs/setup/upgrade/canary/ [meshconfig]: ./istio-meshconfig.md [meshconfig-canary-upgrade]: ./istio-meshconfig.md#mesh-configuration-and-upgrades+
aks Keda About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-about.md
For GA Kubernetes versions, AKS offers full support of the corresponding KEDA mi
[keda-scalers]: https://keda.sh/docs/scalers/ [keda-http-add-on]: https://github.com/kedacore/http-add-on [keda-cosmos-db-scaler]: https://github.com/kedacore/external-scaler-azure-cosmos-db
-[azure-support-faq]: https://azure.microsoft.com/support/legal/faq/
+[azure-support-faq]: https://azure.microsoft.com/support/legal/faq/
aks Keda Deploy Add On Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-arm.md
To learn more, view the [upstream KEDA docs][keda].
[keda-scalers]: https://keda.sh/docs/scalers/ [keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue [keda]: https://keda.sh/docs/2.12/+
aks Keda Deploy Add On Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-cli.md
To learn more, view the [upstream KEDA docs][keda].
[kubectl]: https://kubernetes.io/docs/user-guide/kubectl [keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue [keda]: https://keda.sh/docs/2.12/+
aks Keda Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-integrations.md
You can also install external scalers to autoscale on other Azure
[keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue [prometheus-scaler]: https://keda.sh/docs/2.11/scalers/prometheus/ [keda]: https://keda.sh/docs/2.12/+
aks Kubelet Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubelet-logs.md
description: Learn how to view troubleshooting information in the kubelet logs f
Last updated 05/09/2023+++ #Customer intent: As a cluster operator, I want to view the logs for the kubelet that runs on each node in an AKS cluster to troubleshoot problems.
If you need more troubleshooting information for the Kubernetes main, see [view
[aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md [azure-container-logs]: ../azure-monitor/containers/container-insights-overview.md+
aks Kubernetes Action https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-action.md
Title: Build, test, and deploy containers to Azure Kubernetes Service (AKS) usin
description: Learn how to use GitHub Actions to build, test, and deploy containers to Azure Kubernetes Service (AKS). Last updated 09/12/2023+++
Review the following starter workflows for AKS. For more information, see [Using
[gh-azure-vote]: https://github.com/Azure-Samples/azure-voting-app-redis [actions/checkout]: https://github.com/actions/checkout [az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac+
aks Kubernetes Helm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-helm.md
Title: Install existing applications with Helm in Azure Kubernetes Service (AKS) description: Learn how to use the Helm packaging tool to deploy containers in an Azure Kubernetes Service (AKS) cluster-+ Last updated 05/09/2023-+ #Customer intent: As a cluster operator or developer, I want to learn how to deploy Helm into an AKS cluster and then install and manage applications using Helm charts.
For more information about managing Kubernetes application deployments with Helm
[aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md [taints]: operator-best-practices-advanced-scheduler.md+
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-service-principal.md
description: Learn how to create and manage a Microsoft Entra service principal
Last updated 06/27/2023+++ #Customer intent: As a cluster operator, I want to understand how to create a service principal and delegate permissions for AKS to access required resources. In large enterprise environments, the user that deploys the cluster (or CI/CD system), may not have permissions to create this service principal automatically when the cluster is created.
For information on how to update the credentials, see [Update or rotate the cred
[remove-azadserviceprincipal]: /powershell/module/az.resources/remove-azadserviceprincipal [use-managed-identity]: use-managed-identity.md [managed-identity-resources-overview]: ..//active-directory/managed-identities-azure-resources/overview.md+
aks Quick Kubernetes Deploy Azd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-azd.md
To learn more about AKS and walk through a complete code-to-deployment example,
[kubernetes-concepts]: ../concepts-clusters-workloads.md [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Kubernetes Deploy Bicep Extensibility Kubernetes Provider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-bicep-extensibility-kubernetes-provider.md
description: Learn how to quickly deploy a Kubernetes cluster using the Bicep ex
Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
To learn more about AKS and walk through a complete code-to-deployment example,
[az-sshkey-create]: /cli/azure/sshkey#az_sshkey_create [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Kubernetes Deploy Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-bicep.md
Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Bicep
description: Learn how to quickly deploy a Kubernetes cluster using a Bicep file and deploy an application in Azure Kubernetes Service (AKS). Last updated 12/27/2023+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
To learn more about AKS and walk through a complete code-to-deployment example,
[az-sshkey-create]: /cli/azure/sshkey#az_sshkey_create [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Kubernetes Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-cli.md
Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Azure
description: Learn how to quickly deploy a Kubernetes cluster and deploy an application in Azure Kubernetes Service (AKS) using Azure CLI. Last updated 01/10/2024+++ #Customer intent: As a developer or cluster operator, I want to deploy an AKS cluster and deploy an application so I can see how to run applications using the managed Kubernetes service in Azure.
To learn more about AKS and walk through a complete code-to-deployment example,
[kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Kubernetes Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-powershell.md
Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Azure
description: Learn how to quickly deploy a Kubernetes cluster and deploy an application in Azure Kubernetes Service (AKS) using PowerShell. Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
To learn more about AKS and walk through a complete code-to-deployment example,
[azure-resource-group]: ../../azure-resource-manager/management/overview.md [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Kubernetes Deploy Rm Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-rm-template.md
Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using an AR
description: Learn how to quickly deploy a Kubernetes cluster using an Azure Resource Manager template and deploy an application in Azure Kubernetes Service (AKS). Last updated 01/12/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
To learn more about AKS and walk through a complete code-to-deployment example,
[ssh-keys]: ../../virtual-machines/linux/create-ssh-keys-detailed.md [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Kubernetes Deploy Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-terraform.md
To learn more about AKS and walk through a complete code-to-deployment example,
[azd-hooks]: /azure/developer/azure-developer-cli/reference#azd-hooks [azd-overview]: /azure/developer/azure-developer-cli [aks-home]: /azure/aks+
aks Quick Windows Container Deploy Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md
description: Learn how to quickly deploy a Kubernetes cluster and deploy an appl
Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure.
To learn more about AKS, and to walk through a complete code-to-deployment examp
[windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference [win-faq-change-admin-creds]: ../windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+
aks Quick Windows Container Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-powershell.md
Title: Deploy a Windows Server container on an Azure Kubernetes Service (AKS) cl
description: Learn how to quickly deploy a Kubernetes cluster and deploy an application in a Windows Server container in Azure Kubernetes Service (AKS) using PowerShell. Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure.
To learn more about AKS, and to walk through a complete code-to-deployment examp
[new-azaksnodepool]: /powershell/module/az.aks/new-azaksnodepool [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [win-faq-change-admin-creds]: ../windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster+
aks Limit Egress Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/limit-egress-traffic.md
Previously updated : 04/02/2024 Last updated : 12/05/2023 #Customer intent: As a cluster operator, I want to restrict egress traffic for nodes to only access defined ports and addresses and improve cluster security.
For information on how to override Azure's default system routes or add addition
This section covers three network rules and an application rule you can use to configure on your firewall. You may need to adapt these rules based on your deployment. * The first network rule allows access to port 9000 via TCP.
-* The second network rule allows access to port 1194 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.
+* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.
+* The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options.
* The fourth and fifth network rules allow access to pull containers from GitHub Container Registry (ghcr.io) and Docker Hub (docker.io). 1. Create the network rules using the [`az network firewall network-rule create`][az-network-firewall-network-rule-create] command.
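Review bot: the bullet list now walks through five network rules (first through fifth), but the section's opening sentence still reads "three network rules and an application rule"; update that count so the introduction matches the list. The second bullet was also changed to "port 1194 and 123 via UDP" while the new third bullet opens UDP 123 to `ntp.ubuntu.com`, so either state which destination each rule covers for port 123 or drop "and 123" from the second bullet if the FQDN rule is the only one meant to carry NTP.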
This section covers three network rules and an application rule you can use to c
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'apitcp' --protocols 'TCP' --source-addresses '*' --destination-addresses "AzureCloud.$LOC" --destination-ports 9000
+ az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123
+ az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'ghcr' --protocols 'TCP' --source-addresses '*' --destination-fqdns ghcr.io pkg-containers.githubusercontent.com --destination-ports '443' az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'docker' --protocols 'TCP' --source-addresses '*' --destination-fqdns docker.io registry-1.docker.io production.cloudflare.docker.com --destination-ports '443'
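Review bot: the added `time` rule uses `--source-addresses '*'`, like the rules around it, although the article's stated intent is to restrict node egress to defined ports and addresses; consider scoping the source to the cluster's node subnet, or add a sentence saying why the wildcard source is acceptable here. As a style point, `--destination-ports 123` is unquoted in the new rule while the `ghcr` and `docker` rules write `--destination-ports '443'`, and the FQDN is quoted in `time` but not in the other two; pick one quoting convention for the block.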
In this article, you learned how to secure your outbound traffic using Azure Fir
[Use a pre-created kubelet managed identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity [az-identity-create]: /cli/azure/identity#az_identity_create [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials+
aks Load Balancer Standard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/load-balancer-standard.md
To learn more about using internal load balancer for inbound traffic, see the [A
[maxsurge]: ./upgrade-aks-cluster.md#customize-node-surge-upgrade [az-lb]: ../load-balancer/load-balancer-overview.md [alb-outbound-rules]: ../load-balancer/outbound-rules.md+
aks Long Term Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/long-term-support.md
az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes
> [!NOTE] > Kubernetes 1.30.2 is used as an example version in this article. Check the [AKS release tracker](release-tracker.md) for available Kubernetes releases.+
aks Manage Abort Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-abort-operations.md
Title: Abort an Azure Kubernetes Service (AKS) long running operation
description: Learn how to terminate a long running operation on an Azure Kubernetes Service cluster at the node pool or cluster level. Last updated 3/23/2023+++
Learn more about [Container insights](../azure-monitor/containers/container-insi
<!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli+
aks Manage Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-azure-rbac.md
To learn more about AKS authentication, authorization, Kubernetes RBAC, and Azur
[az-role-definition-create]: /cli/azure/role/definition#az-role-definition-create [az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials [kubernetes-rbac]: /azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization+
aks Manage Local Accounts Managed Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-local-accounts-managed-azure-ad.md
description: Learn how to managed local accounts when integrating Microsoft Entr
Last updated 04/20/2023+++
You can disable local accounts using the parameter `disable-local-accounts`. The
[az-aks-update]: /cli/azure/aks#az_aks_update [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials [azure-rbac-integration]: manage-azure-rbac.md+
aks Manage Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-node-pools.md
description: Learn how to manage node pools for a cluster in Azure Kubernetes Se
Last updated 07/19/2023+++
When you use an Azure Resource Manager template to create and manage resources,
[use-tags]: use-tags.md [az-extension-add]: /cli/azure/extension#az_extension_add [az-extension-update]: /cli/azure/extension#az_extension_update+
aks Manage Ssh Node Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-ssh-node-access.md
Last updated 02/12/2024+++ # Manage SSH for secure access to Azure Kubernetes Service (AKS) nodes
To help troubleshoot any issues with SSH connectivity to your clusters nodes, yo
[az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az-aks-nodepool-upgrade [network-security-group-rules-overview]: concepts-security.md#azure-network-security-groups [kubelet-debug-node-access]: node-access.md
-[run-command-invoke]: /cli/azure/vmss/run-command#az-vmss-run-command-invoke
+[run-command-invoke]: /cli/azure/vmss/run-command#az-vmss-run-command-invoke
aks Monitor Aks Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks-reference.md
Title: Monitor AKS data reference
description: Important reference material needed when you monitor AKS Last updated 08/01/2023+++
For more information on the schema of Activity Log entries, see [Activity Log s
- See [Monitoring Azure AKS](monitor-aks.md) for a description of monitoring Azure AKS. - See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.+
aks Monitor Aks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks.md
Title: Monitor Azure Kubernetes Service (AKS) description: Start here to learn how to monitor Azure Kubernetes Service (AKS).-+
When the [Network Observability](/azure/aks/network-observability-overview) add-
<!-- Add additional links. You can change the wording of these and add more if useful. --> - See [Monitoring AKS data reference](monitor-aks-reference.md) for a reference of the metrics, logs, and other important values created by AKS.+
aks Monitor Control Plane Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-control-plane-metrics.md
After evaluating this preview feature, [share your feedback][share-feedback]. We
[list-of-default-metrics-aks-control-plane]: control-plane-metrics-default-list.md [az-feature-unregister]: /cli/azure/feature#az-feature-unregister [release-tracker]: https://releases.aks.azure.com/#tabversion+
aks Nat Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/nat-gateway.md
For more information on Azure NAT Gateway, see [Azure NAT Gateway][nat-docs].
[az-network-vnet-create]: /cli/azure/network/vnet#az_network_vnet_create [az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add [az-provider-register]: /cli/azure/provider#az_provider_register+
aks Network Observability Byo Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-byo-cli.md
In this how-to article, you learned how to install and enable AKS Network Observ
- For more information about AKS Network Observability, see [What is Azure Kubernetes Service (AKS) Network Observability?](network-observability-overview.md). - To create an AKS cluster with Network Observability and managed Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) Azure managed Prometheus and Grafana](network-observability-managed-cli.md).+
aks Network Observability Managed Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-managed-cli.md
In this how-to article, you learned how to install and enable AKS Network Observ
- For more information about AKS Network Observability, see [What is Azure Kubernetes Service (AKS) Network Observability?](network-observability-overview.md). - To create an AKS cluster with Network Observability and BYO Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) BYO Prometheus and Grafana](network-observability-byo-cli.md).+
aks Network Observability Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-overview.md
Certain scale limitations apply when you use Azure managed Prometheus and Grafan
- To create an AKS cluster with Network Observability and Azure managed Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) Azure managed Prometheus and Grafana](network-observability-managed-cli.md). - To create an AKS cluster with Network Observability and BYO Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) BYO Prometheus and Grafana](network-observability-byo-cli.md).+
aks Node Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-access.md
description: Learn how to connect to Azure Kubernetes Service (AKS) cluster node
Last updated 01/08/2024+++ #Customer intent: As a cluster operator, I want to learn how to connect to virtual machines in an AKS cluster to perform maintenance or troubleshoot a problem.
To learn about managing your SSH keys, see [Manage SSH configuration][manage-ssh
[agent-pool-rest-api]: /rest/api/aks/agent-pools/get#agentpool [manage-ssh-node-access]: manage-ssh-node-access.md [azure-bastion-linux]:../bastion/bastion-connect-vm-ssh-linux.md+
aks Node Auto Repair https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-auto-repair.md
Title: Automatically repair Azure Kubernetes Service (AKS) nodes
description: Learn about node auto-repair functionality and how AKS fixes broken worker nodes. Last updated 05/30/2023+++ # Azure Kubernetes Service (AKS) node auto-repair
Use [availability zones][availability-zones] to increase high availability with
[vm-updates]: ../virtual-machines/maintenance-and-updates.md [scheduled-events]: ../virtual-machines/linux/scheduled-events.md [spot-node-pools]: spot-node-pool.md+
aks Node Image Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-image-upgrade.md
Last updated 03/28/2023+++ # Upgrade Azure Kubernetes Service (AKS) node images
az aks nodepool show \
[az-aks-upgrade]: /cli/azure/aks#az_aks_upgrade [az-aks-show]: /cli/azure/aks#az_aks_show [upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices+
aks Node Pool Snapshot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-pool-snapshot.md
az aks create --name myAKSCluster2 --resource-group myResourceGroup --snapshot-i
[az-feature-register]: /cli/azure/feature#az_feature_register [az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli [az-provider-register]: /cli/azure/provider#az_provider_register+
aks Node Problem Detector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-problem-detector.md
Title: Node Problem Detector (NPD) in Azure Kubernetes Service (AKS) nodes
description: Learn about how AKS uses Node Problem Detector to expose issues with the node. Last updated 05/31/2023+++ # Node Problem Detector (NPD) in Azure Kubernetes Service (AKS) nodes
problem_gauge{reason="VMEventScheduled",type="VMEventScheduled"} 0
## Next steps For more information on NPD, see [kubernetes/node-problem-detector](https://github.com/kubernetes/node-problem-detector).+
aks Node Updates Kured https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-updates-kured.md
Last updated 04/19/2023+++ #Customer intent: As a cluster administrator, I want to know how to automatically apply Linux updates and reboot nodes in AKS for security and/or compliance
For a detailed discussion of upgrade best practices and other considerations, se
[nodepool-upgrade]: manage-node-pools.md#upgrade-a-single-node-pool [node-image-upgrade]: node-image-upgrade.md [upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices+
aks Node Upgrade Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-upgrade-github-actions.md
Last updated 10/05/2023+++ #Customer intent: As a cluster administrator, I want to know how to automatically apply Linux updates and reboot nodes in AKS for security and/or compliance
For a detailed discussion of upgrade best practices and other considerations, se
[azure-rbac-scope-levels]: ../role-based-access-control/scope-overview.md#scope-format [az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac [upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices+
aks Open Ai Secure Access Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-ai-secure-access-quickstart.md
For more information on Microsoft Entra Workload ID, see [Microsoft Entra Worklo
[kubectl-get-pods]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs [kubectl-describe-pod]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe+
aks Open Service Mesh About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-service-mesh-about.md
After enabling the OSM add-on using the [Azure CLI][osm-azure-cli] or a [Bicep t
[osm-nginx]: https://release-v1-2.docs.openservicemesh.io/docs/demos/ingress_k8s_nginx [app-routing]: app-routing.md [istio-about]: istio-about.md+
aks Open Service Mesh Istio Migration Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-service-mesh-istio-migration-guidance.md
You should now see both the `bookbuyer` and `bookthief` UI incrementing for the
## Summary We hope this walk-through provided the necessary guidance on how to migrate your current OSM policies to Istio policies. Take time and review the [Istio Concepts](https://istio.io/latest/docs/concepts/) and walking through [Istio's own Getting Started guide](https://istio.io/latest/docs/setup/getting-started/) to learn how to use the Istio service mesh to manage your applications.+
aks Open Service Mesh Uninstall Add On https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-service-mesh-uninstall-add-on.md
description: How to uninstall the Open Service Mesh on Azure Kubernetes Service
Last updated 06/19/2023+++ # Uninstall the Open Service Mesh (OSM) add-on from your Azure Kubernetes Service (AKS) cluster
Learn more about [Open Service Mesh][osm].
<!-- LINKS - Internal --> [az-aks-disable-addon]: /cli/azure/aks#az_aks_disable_addons [osm]: ./open-service-mesh-about.md+
aks Openfaas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/openfaas.md
Continue to learn with the [OpenFaaS workshop][openfaas-workshop], which include
[az-group-create]: /cli/azure/group#az_group_create [az-cosmosdb-create]: /cli/azure/cosmosdb#az_cosmosdb_create [az-cosmosdb-list]: /cli/azure/cosmosdb#az_cosmosdb_list+
aks Supported Kubernetes Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/supported-kubernetes-versions.md
For the past release history, see [Kubernetes history](https://github.com/kubern
| K8s version | Upstream release | AKS preview | AKS GA | End of life | Platform support | |--|-|--||-|--|
-| 1.25 | Aug 2022 | Oct 2022 | Dec 2022 | Jan 14, 2024 | Until 1.29 GA |
| 1.26 | Dec 2022 | Feb 2023 | Apr 2023 | Mar 2024 | Until 1.30 GA | | 1.27* | Apr 2023 | Jun 2023 | Jul 2023 | Jul 2024, LTS until Jul 2025 | Until 1.31 GA | | 1.28 | Aug 2023 | Sep 2023 | Nov 2023 | Nov 2024 | Until 1.32 GA| | 1.29 | Dec 2023 | Feb 2024 | Mar 2024 | | Until 1.33 GA |
+| 1.30 | Apr 2024 | May 2024 | Jun 2024 | | Until 1.34 GA |
*\* Indicates the version is designated for Long Term Support*
Note the following important changes before you upgrade to any of the available
|Kubernetes Version | AKS Managed Addons | AKS Components | OS components | Breaking Changes | Notes |--||-||-||
-| 1.25 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.5.3<br>Image Cleaner v1.1.1<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>| Ubuntu 22.04 by default with cgroupv2 and Overlay VPA 0.13.0 |CgroupsV2 - If you deploy Java applications with the JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which fully support cgroup v2
| 1.26 | Azure policy 1.3.0<br>Metrics-Server 0.6.3<br>KEDA 2.10.1<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.5.3<br>Image Cleaner v1.2.3<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0<br>azurefile-csi-driver 1.26.10<br>| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|azurefile-csi-driver 1.26.10 |None | 1.27 | Azure policy 1.3.0<br>azuredisk-csi driver v1.28.5<br>azurefile-csi driver v1.28.7<br>blob-csi v1.22.4<br>csi-attacher v4.3.0<br>csi-resizer v1.8.0<br>csi-snapshotter v6.2.2<br>snapshot-controller v6.2.2<br>Metrics-Server 0.6.3<br>Keda 2.11.2<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.7.2<br>Image Cleaner v1.2.3<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>azurefile-csi-driver 1.28.7<br>KMS 0.5.0<br>CSI Secret store driver 1.3.4-1<br>|Cilium 1.13.10-1<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7 for Linux and 1.6 for Windows<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|Keda 2.11.2<br>Cilium 1.13.10-1<br>azurefile-csi-driver 1.28.7<br>azuredisk-csi driver v1.28.5<br>blob-csi v1.22.4<br>csi-attacher v4.3.0<br>csi-resizer v1.8.0<br>csi-snapshotter v6.2.2<br>snapshot-controller v6.2.2|Because of Ubuntu 22.04 FIPS certification status, we'll switch AKS FIPS nodes from 18.04 to 20.04 from 1.27 onwards. 
| 1.28 | Azure policy 1.3.0<br>azurefile-csi-driver 1.29.2<br>csi-node-driver-registrar v2.9.0<br>csi-livenessprobe 2.11.0<br>azuredisk-csi-linux v1.29.2<br>azuredisk-csi-windows v1.29.2<br>csi-provisioner v3.6.2<br>csi-attacher v4.5.0<br>csi-resizer v1.9.3<br>csi-snapshotter v6.2.2<br>snapshot-controller v6.2.2<br>Metrics-Server 0.6.3<br>KEDA 2.11.2<br>Open Service Mesh 1.2.7<br>Core DNS V1.9.4<br>Overlay VPA 0.13.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.7.2<br>Image Cleaner v1.2.3<br>Azure Workload identity v1.2.0<br>MDC Defender Security Publisher 1.0.68<br>CSI Secret store driver 1.3.4-1<br>MDC Defender Old File Cleaner 1.3.68<br>MDC Defender Pod Collector 1.0.78<br>MDC Defender Low Level Collector 1.3.81<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.8.1|Cilium 1.13.10-1<br>CNI v1.4.43.1 (Default)/v1.5.11 (Azure CNI Overlay)<br> Cluster Autoscaler 1.27.3<br>Tigera-Operator 1.28.13| OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7.5 for Linux and 1.7.1 for Windows<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|azurefile-csi-driver 1.29.2<br>csi-resizer v1.9.3<br>csi-attacher v4.4.2<br>csi-provisioner v4.4.2<br>blob-csi v1.23.2<br>azurefile-csi driver v1.29.2<br>azuredisk-csi driver v1.29.2<br>csi-livenessprobe v2.11.0<br>csi-node-driver-registrar v2.9.0|None
New Supported Version List
Platform support policy is a reduced support plan for certain unsupported Kubernetes versions. During platform support, customers only receive support from Microsoft for AKS/Azure platform related issues. Any issues related to Kubernetes functionality and components aren't supported.
-Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.25 is considered platform support when v1.28 is the latest GA version. However, during the v1.29 GA release, v1.25 will then auto-upgrade to v1.26. If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy.
+Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.26 is considered platform support when v1.29 is the latest GA version. However, during the v1.30 GA release, v1.26 will then auto-upgrade to v1.27. If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy.
AKS relies on the releases and patches from [Kubernetes](https://kubernetes.io/releases/), which is an Open Source project that only supports a sliding window of three minor versions. AKS can only guarantee [full support](#kubernetes-version-support-policy) while those versions are being serviced upstream. Since there's no more patches being produced upstream, AKS can either leave those versions unpatched or fork. Due to this limitation, platform support doesn't support anything from relying on Kubernetes upstream.
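Review bot: The added platform support paragraph carries over the typo "If you are a running an n-2 version" from the line it replaces; since the sentence is being rewritten anyway for the version bump, change it to "If you are running an n-2 version". The version numbers themselves (v1.26 in platform support while v1.29 is the latest GA, auto-upgrade to v1.27 at v1.30 GA) agree with the "Until 1.30 GA" entry for 1.26 in the table above.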
api-management Add Api Manually https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/add-api-manually.md
# Add an API manually + This article shows steps to add an API manually to the API Management instance. When you want to mock the API, you can create a blank API or define it manually. For details about mocking an API, see [Mock API responses](mock-api-responses.md). If you want to import an existing API, see [related topics](#related-topics) section.
api-management Api Management Api Import Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-api-import-restrictions.md
# API import restrictions and known issues + When importing an API, you might encounter some restrictions or need to identify and rectify issues before you can successfully import. In this article, you'll learn: * API Management's behavior during OpenAPI import.
api-management Api Management Authenticate Authorize Azure Openai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-authenticate-authorize-azure-openai.md
# Authenticate and authorize access to Azure OpenAI APIs using Azure API Management + In this article, you learn about ways to authenticate and authorize to Azure OpenAI API endpoints that are managed using Azure API Management. This article shows the following common methods: * **Authentication** - Authenticate to an Azure OpenAI API using policies that authenticate using either an API key or a Microsoft Entra ID managed identity.
api-management Api Management Capacity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-capacity.md
# Capacity of an Azure API Management instance + **Capacity** is the most important [Azure Monitor metric](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) for making informed decisions whether to [scale or upgrade](upgrade-and-scale.md) an API Management instance to accommodate more load. Its construction is complex and imposes certain behavior. This article explains what the **capacity** is and how it behaves. It shows how to access **capacity** metrics in the Azure portal and suggests when to consider scaling or upgrading your API Management instance.
api-management Api Management Configuration Repository Git https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-configuration-repository-git.md
# How to save and configure your API Management service configuration using Git + Each API Management service instance maintains a configuration database that contains information about the configuration and metadata for the service instance. Changes can be made to the service instance by changing a setting in the Azure portal, using Azure tools such as Azure PowerShell or the Azure CLI, or making a REST API call. In addition to these methods, you can manage your service instance configuration using Git, enabling scenarios such as: * **Configuration versioning** - Download and store different versions of your service configuration
This article describes how to enable and use Git to manage your service configur
> [!IMPORTANT] > This feature is designed to work with small to medium API Management service configurations, such as those with an exported size less than 10 MB, or with fewer than 10,000 entities. Services with a large number of entities (products, APIs, operations, schemas, and so on) may experience unexpected failures when processing Git commands. If you encounter such failures, please reduce the size of your service configuration and try again. Contact Azure Support if you need assistance. --- ## Access Git configuration in your service 1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
api-management Api Management Debug Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-debug-policies.md
Last updated 09/22/2020 + # Debug Azure API Management policies in Visual Studio Code + [Policies](api-management-policies.md) in Azure API Management provide powerful capabilities that help API publishers address cross-cutting concerns such as authentication, authorization, throttling, caching, and transformation. Policies are a collection of statements that are executed sequentially on the request or response of an API. This article describes how to debug API Management policies using the [Azure API Management Extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-apimanagement).
This article describes how to debug API Management policies using the [Azure API
## Restrictions and limitations
-* This feature is only available in the **Developer** tier of API Management. Each API Management instance supports only one concurrent debugging session.
- * This feature uses the built-in (service-level) all-access subscription (display name "Built-in all-access subscription") for debugging. The [**Allow tracing**](api-management-howto-api-inspector.md#verify-allow-tracing-setting) setting must be enabled in this subscription. [!INCLUDE [api-management-tracing-alert](../../includes/api-management-tracing-alert.md)]
api-management Api Management Error Handling Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-error-handling-policies.md
# Error handling in API Management policies + By providing a `ProxyError` object, Azure API Management allows publishers to respond to error conditions, which may occur during processing of requests. The `ProxyError` object is accessed through the [context.LastError](api-management-policy-expressions.md#ContextVariables) property and can be used by policies in the `on-error` policy section. This article provides a reference for the error handling capabilities in Azure API Management. ## Error handling in API Management
api-management Api Management Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-features.md
Previously updated : 06/27/2023 Last updated : 03/13/2024 # Feature-based comparison of the Azure API Management tiers
-Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct set of features and per unit [capacity](api-management-capacity.md). The following table summarizes the key features available in each of the tiers. Some features might work differently or have different capabilities depending on the tier. In such cases the differences are called out in the documentation articles describing these individual features.
+
+Each API Management [pricing tier](api-management-key-concepts.md#api-management-tiers) offers a distinct set of features and per unit [capacity](api-management-capacity.md). The following table summarizes the key features available in each of the tiers. Some features might work differently or have different capabilities depending on the tier. In such cases the differences are called out in the documentation articles describing these individual features.
> [!IMPORTANT] > * The Developer tier is for non-production use cases and evaluations. It doesn't offer SLA.
-> * The Consumption tier isn't available in the US Government cloud or the Microsoft Azure operated by 21Vianet cloud.
-> * API Management **v2 tiers** are now in preview, with updated feature availability. [Learn more](v2-service-tiers-overview.md).
--
-| Feature | Consumption | Developer | Basic | Standard | Premium |
-| -- | -- | | -- | -- | - |
-| Microsoft Entra integration<sup>1</sup> | No | Yes | No | Yes | Yes |
-| Virtual Network (VNet) support | No | Yes | No | No | Yes |
-| Private endpoint support for inbound connections | No | Yes | Yes | Yes | Yes |
-| Multi-region deployment | No | No | No | No | Yes |
-| Availability zones | No | No | No | No | Yes |
-| Multiple custom domain names | No | Yes | No | No | Yes |
-| Developer portal<sup>2</sup> | No | Yes | Yes | Yes | Yes |
-| Built-in cache | No | Yes | Yes | Yes | Yes |
-| Built-in analytics | No | Yes | Yes | Yes | Yes |
-| [Self-hosted gateway](self-hosted-gateway-overview.md)<sup>3</sup> | No | Yes | No | No | Yes |
-| [Workspaces](workspaces-overview.md) | No | No | No | No | Yes |
-| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | Yes | Yes | Yes | Yes | Yes |
-| [External cache](./api-management-howto-cache-external.md) | Yes | Yes | Yes | Yes | Yes |
-| [Client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) | Yes | Yes | Yes | Yes | Yes |
-| [Policies](api-management-howto-policies.md)<sup>4</sup> | Yes | Yes | Yes | Yes | Yes |
-| [API credentials](credentials-overview.md) | Yes | Yes | Yes | Yes | Yes |
-| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | Yes | Yes |
-| [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes | Yes | Yes |
-| Direct management API | No | Yes | Yes | Yes | Yes |
-| Azure Monitor metrics | Yes | Yes | Yes | Yes | Yes |
-| Azure Monitor and Log Analytics request logs | No | Yes | Yes | Yes | Yes |
-| Application Insights request logs | Yes | Yes | Yes | Yes | Yes |
-| Static IP | No | Yes | Yes | Yes | Yes |
-| [Pass-through WebSocket APIs](websocket-api.md) | No | Yes | Yes | Yes | Yes |
-| [Pass-through GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |
-| [Synthetic GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |
-| [Pass-through gRPC APIs](grpc-api.md) (preview) | No | Yes | No | No | Yes |
+> * The Consumption tier isn't available in the US Government cloud or the Microsoft Azure operated by 21Vianet cloud.
+> * For information about APIs supported in the API Management gateway available in different tiers, see [API Management gateways overview](api-management-gateways-overview.md#backend-apis).
++
+| Feature | Consumption | Developer | Basic | Basic v2 |Standard | Standard v2 | Premium |
+| -- | -- | | | | -- | -- | - |
+| Microsoft Entra integration<sup>1</sup> | No | Yes | No | Yes | Yes | Yes | Yes |
+| Virtual Network (VNet) injection support | No | Yes | No | No | No | No | Yes |
+| Private endpoint support for inbound connections | No | Yes | Yes | No | Yes | No | Yes |
+| Outbound virtual network integration support | No | No | No | No | No | Yes | No |
+| Multi-region deployment | No | No | No | No | No | No | Yes |
+| Availability zones | No | No | No | No | No | No | Yes |
+| Multiple custom domain names for gateway | No | Yes | No | No | No | No | Yes |
+| Developer portal<sup>2</sup> | No | Yes | Yes | Yes | Yes | Yes | Yes |
+| Built-in cache | No | Yes | Yes | Yes | Yes | Yes | Yes |
+| [External cache](./api-management-howto-cache-external.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes |
+| Autoscaling | No | No | Yes | No | Yes | No |Yes |
+| API analytics | No | Yes | Yes | Yes | Yes | Yes | Yes |
+| [Self-hosted gateway](self-hosted-gateway-overview.md)<sup>3</sup> | No | Yes | No | No | No | No | Yes |
+| [Workspaces](workspaces-overview.md) | No | No | No | No | No | No | Yes |
+| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| [Client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes |
+| [Policies](api-management-howto-policies.md)<sup>4</sup> | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| [Credential manager](credentials-overview.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | No | Yes | No | Yes |
+| [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes |No | Yes | No | Yes |
+| Direct management API | No | Yes | Yes | No | Yes |No | Yes |
+| Azure Monitor metrics | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| Azure Monitor and Log Analytics request logs | No | Yes | Yes | Yes | Yes | Yes |Yes |
+| Application Insights request logs | Yes | Yes | Yes | Yes | Yes | Yes |Yes |
+| Static IP | No | Yes | Yes | No |Yes | No | Yes |
<sup>1</sup> Enables the use of Microsoft Entra ID (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/> <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/> <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>
-<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/>
+<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the classic, v2, consumption, and self-hosted gateways. <br/>
api-management Api Management Gateways Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-gateways-overview.md
Previously updated : 11/6/2023 Last updated : 03/28/2024 # API gateway in Azure API Management + This article provides information about the roles and features of the API Management *gateway* component and compares the gateways you can deploy. Related information: * For an overview of API Management scenarios, components, and concepts, see [What is Azure API Management?](api-management-key-concepts.md)
-* For more information about the API Management service tiers and features, see [Feature-based comparison of the Azure API Management tiers](api-management-features.md).
-
+* For more information about the API Management service tiers and features, see:
+ * [API Management tiers](api-management-key-concepts.md#api-management-tiers)
+ * [Feature-based comparison of the Azure API Management tiers](api-management-features.md).
## Role of the gateway
API Management offers both managed and self-hosted gateways:
* **Managed** - The managed gateway is the default gateway component that is deployed in Azure for every API Management instance in every service tier. With the managed gateway, all API traffic flows through Azure regardless of where backends implementing the APIs are hosted. > [!NOTE]
- > Because of differences in the underlying service architecture, the Consumption tier gateway currently lacks some capabilities of the dedicated gateway. For details, see the section [Feature comparison: Managed versus self-hosted gateways](#feature-comparison-managed-versus-self-hosted-gateways).
+ > Because of differences in the underlying service architecture, the gateways provided in the different API Management service tiers have some differences in capabilities. For details, see the section [Feature comparison: Managed versus self-hosted gateways](#feature-comparison-managed-versus-self-hosted-gateways).
>
-* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
+* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway that is available in select service tiers. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
* The self-hosted gateway is [packaged](self-hosted-gateway-overview.md#packaging) as a Linux-based Docker container and is commonly deployed to Kubernetes, including to [Azure Kubernetes Service](how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md) and [Azure Arc-enabled Kubernetes](how-to-deploy-self-hosted-gateway-azure-arc.md).
API Management offers both managed and self-hosted gateways:
## Feature comparison: Managed versus self-hosted gateways
-The following table compares features available in the managed gateway versus the features in the self-hosted gateway. Differences are also shown between the managed gateway for dedicated service tiers (Developer, Basic, Standard, Premium) and for the Consumption tier.
+The following tables compare features available in the following API Management gateways:
+
+* **Classic** - the managed gateway available in the Developer, Basic, Standard, and Premium service tiers (formerly grouped as *dedicated* tiers)
+* **V2** - the managed gateway available in the Basic v2 and Standard v2 tiers
+* **Consumption** - the managed gateway available in the Consumption tier
+* **Self-hosted** - the optional self-hosted gateway available in select service tiers
> [!NOTE] > * Some features of managed and self-hosted gateways are supported only in certain [service tiers](api-management-features.md) or with certain [deployment environments](self-hosted-gateway-overview.md#packaging) for self-hosted gateways.
The following table compares features available in the managed gateway versus th
### Infrastructure
-| Feature support | Managed (Dedicated) | Managed (Consumption) | Self-hosted |
-| | -- | -- | - |
-| [Custom domains](configure-custom-domain.md) | ✔️ | ✔️ | ✔️ |
-| [Built-in cache](api-management-howto-cache.md) | ✔️ | ❌ | ❌ |
-| [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ | ✔️ |
-| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | ❌ | ✔️<sup>1,2</sup> |
-| [Private endpoints](private-endpoint.md) | ✔️ | ❌ | ❌ |
-| [Availability zones](zone-redundancy.md) | Premium | ❌ | ✔️<sup>1</sup> |
-| [Multi-region deployment](api-management-howto-deploy-multi-region.md) | Premium | ❌ | ✔️<sup>1</sup> |
-| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | ✔️ | ❌ | ✔️<sup>3</sup> |
-| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) | ✔️ | ✔️ | ❌ |
-| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | ✔️ | ✔️ | ✔️ |
-| **HTTP/2** (Client-to-gateway) | ✔️<sup>4</sup> | ❌ | ✔️ |
-| **HTTP/2** (Gateway-to-backend) | ❌ | ❌ | ✔️ |
-| API threat detection with [Defender for APIs](protect-with-defender-for-apis.md) | ✔️ | ❌ | ❌ |
+| Feature support | Classic | V2 | Consumption | Self-hosted |
+| | | -- | -- | - |
+| [Custom domains](configure-custom-domain.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Built-in cache](api-management-howto-cache.md) | ✔️ | ✔️ | ❌ | ❌ |
+| [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ |✔️ | ✔️ |
+| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | ❌ | ❌ | ✔️<sup>1,2</sup> |
+| [Inbound private endpoints](private-endpoint.md) | Developer, Basic, Standard, Premium | ❌ | ❌ | ❌ |
+| [Outbound virtual network integration](integrate-vnet-outbound.md) | ❌ | Standard V2 | ❌ | ❌ |
+| [Availability zones](zone-redundancy.md) | Premium | ❌ | ❌ | ✔️<sup>1</sup> |
+| [Multi-region deployment](api-management-howto-deploy-multi-region.md) | Premium | ❌ | ❌ | ✔️<sup>1</sup> |
+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | ✔️ | ✔️ | ❌ | ✔️<sup>3</sup> |
+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | ✔️ | ✔️ | ❌ | ✔️<sup>3</sup> |
+| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) | Developer, Basic, Standard, Premium | ✔️ | ✔️ | ❌ |
+| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| **HTTP/2** (Client-to-gateway) | ✔️<sup>4</sup> | ✔️<sup>4</sup> |❌ | ✔️ |
+| **HTTP/2** (Gateway-to-backend) | ❌ | ❌ | ❌ | ✔️ |
+| API threat detection with [Defender for APIs](protect-with-defender-for-apis.md) | ✔️ | ✔️ | ❌ | ❌ |
<sup>1</sup> Depends on how the gateway is deployed, but is the responsibility of the customer.<br/> <sup>2</sup> Connectivity to the self-hosted gateway v2 [configuration endpoint](self-hosted-gateway-overview.md#fqdn-dependencies) requires DNS resolution of the endpoint hostname.<br/>
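Review bot: The new Infrastructure table adds the row "[CA root certificates](api-management-howto-ca-certificates.md) for certificate validation" twice, on consecutive lines with identical cell values; drop one of the two. The "Outbound virtual network integration" row also writes the tier as "Standard V2", while the bullet list introduced above the table uses "Standard v2"; use one casing for the tier name.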
The following table compares features available in the managed gateway versus th
### Backend APIs
-| API | Managed (Dedicated) | Managed (Consumption) | Self-hosted |
-| | -- | -- | - |
-| [OpenAPI specification](import-api-from-oas.md) | ✔️ | ✔️ | ✔️ |
-| [WSDL specification](import-soap-api.md) | ✔️ | ✔️ | ✔️ |
-| WADL specification | ✔️ | ✔️ | ✔️ |
-| [Logic App](import-logic-app-as-api.md) | ✔️ | ✔️ | ✔️ |
-| [App Service](import-app-service-as-api.md) | ✔️ | ✔️ | ✔️ |
-| [Function App](import-function-app-as-api.md) | ✔️ | ✔️ | ✔️ |
-| [Container App](import-container-app-with-oas.md) | ✔️ | ✔️ | ✔️ |
-| [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) | Developer, Premium | ❌ | ❌ |
-| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ | ✔️ |
-| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️<sup>1</sup> | ✔️<sup>1</sup> |
-| [Pass-through WebSocket](websocket-api.md) | ✔️ | ❌ | ✔️ |
-| [Pass-through gRPC](grpc-api.md) | ❌ | ❌ | ✔️ |
-| [Azure OpenAI](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ |
-| [Circuit breaker in backend](backends.md#circuit-breaker-preview) | ✔️ | ❌ | ✔️ |
-| [Load-balanced backend pool](backends.md#load-balanced-pool-preview) | ✔️ | ✔️ | ✔️ |
+| Feature support | Classic | V2 | Consumption | Self-hosted |
+| | | -- | -- | - |
+| [OpenAPI specification](import-api-from-oas.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [WSDL specification](import-soap-api.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| WADL specification | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Logic App](import-logic-app-as-api.md) | ✔️ | ✔️ | ✔️ |✔️ |
+| [App Service](import-app-service-as-api.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Function App](import-function-app-as-api.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Container App](import-container-app-with-oas.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) | Developer, Premium | ❌ |❌ | ❌ |
+| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ |✔️ | ✔️ |
+| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️ | ✔️<sup>1</sup> | ✔️<sup>1</sup> |
+| [Pass-through WebSocket](websocket-api.md) | ✔️ | ✔️ | ❌ | ✔️ |
+| [Pass-through gRPC](grpc-api.md) (preview) | ❌ | ❌ | ❌ | ✔️ |
+| [OData](import-api-from-odata.md) (preview) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ |✔️ | ✔️ |
+| [Azure OpenAI](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Circuit breaker in backend](backends.md#circuit-breaker-preview) (preview) | ✔️ | ✔️ | ❌ | ✔️ |
+| [Load-balanced backend pool](backends.md#load-balanced-pool-preview) (preview) | ✔️ | ✔️ | ✔️ | ✔️ |
<sup>1</sup> Synthetic GraphQL subscriptions (preview) aren't supported.
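Review bot: The new Backend APIs table lists "[Pass-through GraphQL](graphql-apis-overview.md)" twice with the same values, once after the Service Fabric row and again after the new OData row; remove the second copy. The first column header also changes from "API" to "Feature support", although every row in this table names an API type, so the original "API" header describes the column better.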
The following table compares features available in the managed gateway versus th
Managed and self-hosted gateways support all available [policies](api-management-policies.md) in policy definitions with the following exceptions.
-| Policy | Managed (Dedicated) | Managed (Consumption) | Self-hosted<sup>1</sup> |
-| | -- | -- | - |
-| [Dapr integration](api-management-policies.md#dapr-integration-policies) | ❌ | ❌ | ✔️ |
-| [GraphQL resolvers](api-management-policies.md#graphql-resolver-policies) and [GraphQL validation](api-management-policies.md#validation-policies)| ✔️ | ✔️ | ❌ |
-| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ | ❌ |
-| [Quota and rate limit](api-management-policies.md#access-restriction-policies) | ✔️ | ✔️<sup>2</sup> | ✔️<sup>3</sup>
+| Feature support | Classic | V2 | Consumption | Self-hosted<sup>1</sup> |
+| | | -- | -- | - |
+| [Dapr integration](api-management-policies.md#integration-and-external-communication) | ❌ | ❌ |❌ | ✔️ |
+| [GraphQL resolvers](api-management-policies.md#graphql-resolvers) and [GraphQL validation](api-management-policies.md#content-validation)| ✔️ | ✔️ |✔️ | ❌ |
+| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ |✔️ | ❌ |
+| [Quota and rate limit](api-management-policies.md#rate-limiting-and-quotas) | ✔️ | ✔️<sup>2</sup> | ✔️<sup>3</sup> | ✔️<sup>4</sup> |
<sup>1</sup> Configured policies that aren't supported by the self-hosted gateway are skipped during policy execution.<br/>
+<sup>2</sup> The quota by key policy isn't available in the v2 tiers.<br/>
<sup>2</sup> The rate limit by key and quota by key policies aren't available in the Consumption tier.<br/> <sup>3</sup> [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)] [Learn more](how-to-self-hosted-gateway-on-kubernetes-in-production.md#request-throttling)
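Review bot: Footnote numbering under the policy table is inconsistent. The added `<sup>2</sup>` line about quota by key in the v2 tiers sits directly above the unchanged `<sup>2</sup>` Consumption footnote, and the self-hosted include is still `<sup>3</sup>`, while the new `Quota and rate limit` row marks Consumption as `<sup>3</sup>` and Self-hosted as `<sup>4</sup>`. Renumber the Consumption footnote to 3 and the self-hosted one to 4, so that a reader does not attribute the wrong rate-limit or quota restriction to a tier.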
Managed and self-hosted gateways support all available [policies](api-management
For details about monitoring options, see [Observability in Azure API Management](observability.md).
-| Feature | Managed (Dedicated) | Managed (Consumption) | Self-hosted |
-| | -- | -- | - |
-| [API analytics](howto-use-analytics.md) | ✔️ | ❌ | ❌ |
-| [Application Insights](api-management-howto-app-insights.md) | ✔️ | ✔️ | ✔️ |
-| [Logging through Event Hubs](api-management-howto-log-event-hubs.md) | ✔️ | ✔️ | ✔️ |
-| [Metrics in Azure Monitor](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) | ✔️ | ✔️ | ✔️ |
-| [OpenTelemetry Collector](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md) | ❌ | ❌ | ✔️ |
-| [Request logs in Azure Monitor and Log Analytics](api-management-howto-use-azure-monitor.md#resource-logs) | ✔️ | ❌ | ❌<sup>1</sup> |
-| [Local metrics and logs](how-to-configure-local-metrics-logs.md) | ❌ | ❌ | ✔️ |
-| [Request tracing](api-management-howto-api-inspector.md) | ✔️ | ✔️ | ✔️ |
-
-<sup>1</sup> The self-hosted gateway currently doesn't send resource logs (diagnostic logs) to Azure Monitor. Optionally [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.
+| Feature support | Classic | V2 | Consumption | Self-hosted |
+| | | -- | -- | - |
+| [API analytics](howto-use-analytics.md) | ✔️ | ✔️<sup>1</sup> | ❌ | ❌ |
+| [Application Insights](api-management-howto-app-insights.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Logging through Event Hubs](api-management-howto-log-event-hubs.md) | ✔️ | ✔️ | ✔️ | ✔️ |
+| [Metrics in Azure Monitor](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) | ✔️ | ✔️ |✔️ | ✔️ |
+| [OpenTelemetry Collector](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md) | ❌ | ❌ | ❌ | ✔️ |
+| [Request logs in Azure Monitor and Log Analytics](api-management-howto-use-azure-monitor.md#resource-logs) | ✔️ | ✔️ | ❌ | ❌<sup>2</sup> |
+| [Local metrics and logs](how-to-configure-local-metrics-logs.md) | ❌ | ❌ | ❌ | ✔️ |
+| [Request tracing](api-management-howto-api-inspector.md) | ✔️ | ❌<sup>3</sup> | ✔️ | ✔️ |
+
+<sup>1</sup> The v2 tiers support Azure Monitor-based analytics.<br/>
+<sup>2</sup> The self-hosted gateway currently doesn't send resource logs (diagnostic logs) to Azure Monitor. Optionally [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.<br/>
+<sup>3</sup> Tracing is currently unavailable in the v2 tiers.
### Authentication and authorization Managed and self-hosted gateways support all available [API authentication and authorization options](authentication-authorization-overview.md) with the following exceptions.
-| Feature | Managed (Dedicated) | Managed (Consumption) | Self-hosted |
-| | -- | -- | - |
-| [Credential manager](credentials-overview.md) | ✔️ | ✔️ | ❌ |
+| Feature support | Classic | V2 | Consumption | Self-hosted |
+| | | -- | -- | - |
+| [Credential manager](credentials-overview.md) | ✔️ | ✔️ | ✔️ | ❌ |
## Gateway throughput and scaling
For estimated maximum gateway throughput in the API Management service tiers, se
> [!IMPORTANT] > Throughput figures are presented for information only and must not be relied upon for capacity and budget planning. See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/) for details.
-* **Dedicated service tiers**
+* **Classic tiers**
* Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier. (Scaling not available in the Developer tier.)
- * In the Standard and Premium tiers, optionally configure [Azure Monitor autoscale](api-management-howto-autoscale.md).
+ * In the Basic, Standard, and Premium tiers, optionally configure [Azure Monitor autoscale](api-management-howto-autoscale.md).
* In the Premium tier, optionally add and distribute gateway capacity across multiple [regions](api-management-howto-deploy-multi-region.md).
+* **v2 tiers**
+ * Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier.
+ * **Consumption tier** * API Management instances in the Consumption tier scale automatically based on the traffic.
api-management Api Management Get Started Publish Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-get-started-publish-versions.md
# Tutorial: Publish multiple versions of your API + There are times when it's impractical to have all callers to your API use exactly the same version. When callers want to upgrade to a later version, they want an approach that's easy to understand. As shown in this tutorial, it is possible to provide multiple *versions* in Azure API Management. For background, see [Versions](api-management-versions.md) & [Revisions](api-management-revisions.md).
api-management Api Management Get Started Revise Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-get-started-revise-api.md
# Tutorial: Use revisions to make non-breaking API changes safely++ When your API is ready to go and is used by developers, you eventually need to make changes to that API and at the same time not disrupt callers of your API. It's also useful to let developers know about the changes you made. In Azure API Management, use *revisions* to make non-breaking API changes so you can model and test changes safely. When ready, you can make a revision current and replace your current API.
api-management Api Management Howto Aad B2c https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad-b2c.md
# How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal.
For an overview of options to secure the developer portal, see [Secure access to
> * This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)). > * If you previously configured an Azure AD B2C app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal). ## Prerequisites
api-management Api Management Howto Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad.md
Although a new account will automatically be created when a new user signs in wi
[Publish a product]: api-management-howto-add-products.md#publish-product [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md
-[Caching policies]: ./api-management-policies.md#caching-policies
+[Caching policies]: ./api-management-policies.md#caching
[Create an API Management service instance]: get-started-create-service-instance.md [https://oauth.net/2/]: https://oauth.net/2/
api-management Api Management Howto Add Products https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-add-products.md
ms.devlang: azurecli
# Tutorial: Create and publish a product + In Azure API Management, a [*product*](api-management-terminology.md#term-definitions) contains one or more APIs, a usage quota, and the terms of use. After a product is published, developers can [subscribe](api-management-subscriptions.md) to the product and begin to use the product's APIs. In this tutorial, you learn how to:
api-management Api Management Howto Api Inspector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-api-inspector.md
Previously updated : 08/08/2022 Last updated : 03/26/2024 # Tutorial: Debug your APIs using request tracing + This tutorial describes how to inspect (trace) request processing in Azure API Management. Tracing helps you debug and troubleshoot your API. In this tutorial, you learn how to:
In this tutorial, you learn how to:
:::image type="content" source="media/api-management-howto-api-inspector/api-inspector-002.png" alt-text="Screenshot showing the API inspector." lightbox="media/api-management-howto-api-inspector/api-inspector-002.png"::: + ## Prerequisites + Learn the [Azure API Management terminology](api-management-terminology.md).
api-management Api Management Howto App Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-app-insights.md
# How to integrate Azure API Management with Azure Application Insights + You can easily integrate Azure Application Insights with Azure API Management. Azure Application Insights is an extensible service for web developers building and managing apps on multiple platforms. In this guide, you will: * Walk through Application Insights integration into API Management. * Learn strategies for reducing performance impact on your API Management service instance.
api-management Api Management Howto Autoscale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-autoscale.md
-# Automatically scale an Azure API Management instance
+# Automatically scale an Azure API Management instance
-An Azure API Management service instance can scale automatically based on a set of rules. This behavior can be enabled and configured through [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale) and is currently supported only in the **Basic**, **Standard**, and **Premium** tiers of the Azure API Management service.
+
+An Azure API Management service instance can scale automatically based on a set of rules. This behavior can be enabled and configured through [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale).
The article walks through the process of configuring autoscale and suggests optimal configuration of autoscale rules.
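Review bot: The rewritten intro paragraph drops "currently supported only in the **Basic**, **Standard**, and **Premium** tiers", and the only other added line visible here is blank, so the text no longer says where autoscale applies. If an availability include is meant to carry this, confirm it names the same tiers as the gateway overview change ("In the Basic, Standard, and Premium tiers, optionally configure Azure Monitor autoscale"); otherwise keep the sentence.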
To follow the steps from this article, you must:
+ Understand the concept of [capacity](api-management-capacity.md) of an API Management instance. + Understand [manual scaling](upgrade-and-scale.md) of an API Management instance, including cost consequences. - ## Azure API Management autoscale limitations Certain limitations and consequences of scaling decisions need to be considered before configuring autoscale behavior.
api-management Api Management Howto Ca Certificates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-ca-certificates.md
# How to add a custom CA certificate in Azure API Management + Azure API Management allows installing CA certificates on the machine inside the trusted root and intermediate certificate stores. This functionality should be used if your services require a custom CA certificate. The article shows how to manage CA certificates of an Azure API Management service instance in the Azure portal. For example, if you use self-signed client certificates, you can upload custom trusted root certificates to API Management.
CA certificates uploaded to API Management can only be used for certificate vali
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] ## <a name="step1"> </a>Upload a CA certificate
api-management Api Management Howto Cache External https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-cache-external.md
# Use an external Redis-compatible cache in Azure API Management + In addition to utilizing the built-in cache, Azure API Management allows for caching responses in an external Redis-compatible cache, such as Azure Cache for Redis. Using an external cache allows you to overcome a few limitations of the built-in cache:
Using an external cache allows you to overcome a few limitations of the built-in
* Use caching with the Consumption tier of API Management * Enable caching in the [API Management self-hosted gateway](self-hosted-gateway-overview.md)
-For more detailed information about caching, see [API Management caching policies](api-management-caching-policies.md) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md).
+For more detailed information about caching, see [API Management caching policies](api-management-policies.md#caching) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md).
![Bring your own cache to APIM](media/api-management-howto-cache-external/overview.png)
The **Use from** setting in the configuration specifies the location of your API
## Use the external cache
-After adding a Redis-compatible cache, configure [caching policies](api-management-caching-policies.md) to enable response caching, or caching of values by key, in the external cache.
+After adding a Redis-compatible cache, configure [caching policies](api-management-policies.md#caching) to enable response caching, or caching of values by key, in the external cache.
For a detailed example, see [Add caching to improve performance in Azure API Management](api-management-howto-cache.md).
For a detailed example, see [Add caching to improve performance in Azure API Man
* To cache items by key using policy expressions, see [Custom caching in Azure API Management](api-management-sample-cache-by-key.md). [API Management policy reference]: ./api-management-policies.md
-[Caching policies]: ./api-management-caching-policies.md
+[Caching policies]: ./api-management-policies.md#caching
api-management Api Management Howto Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-cache.md
ms.assetid: 740f6a27-8323-474d-ade2-828ae0c75e7a Previously updated : 11/13/2020 Last updated : 03/20/2024 # Add caching to improve performance in Azure API Management + APIs and operations in API Management can be configured with response caching. Response caching can significantly reduce latency for API callers and backend load for API providers. > [!IMPORTANT] > Built-in cache is volatile and is shared by all units in the same region in the same API Management service. Regardless of the cache type being used (internal or external), if the cache-related operations fail to connect to the cache due to the volatility of the cache or any other reason, the API call that uses the cache related operation doesn't raise an error, and the cache operation completes successfully. In the case of a read operation, a null value is returned to the calling policy expression. Your policy code should be designed to ensure that there's a "fallback" mechanism to retrieve data not found in the cache.
-For more detailed information about caching, see [API Management caching policies](api-management-caching-policies.md) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md).
+For more detailed information about caching, see [API Management caching policies](api-management-policies.md#caching) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md).
![cache policies](media/api-management-howto-cache/cache-policies.png)
What you'll learn:
> * Add response caching for your API > * Verify caching in action
-## Availability
> [!NOTE]
-> Internal cache is not available in the **Consumption** tier of Azure API Management. You can [use an external Azure Cache for Redis](api-management-howto-cache-external.md) instead.
+> Internal cache is not available in the **Consumption** tier of Azure API Management. You can [use an external Azure Cache for Redis](api-management-howto-cache-external.md) instead. You can also configure an external cache in other API Management service tiers.
>
-> For feature availability in the v2 tiers (preview), see the [v2 tiers overview](v2-service-tiers-overview.md).
+ ## Prerequisites
With caching policies shown in this example, the first request to the **GetSpeak
**Duration** specifies the expiration interval of the cached responses. In this example, the interval is **20** seconds. > [!TIP]
-> If you are using an external cache, as described in [Use an external Azure Cache for Redis in Azure API Management](api-management-howto-cache-external.md), you may want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-caching-policies.md) for more details.
+> If you are using an external cache, as described in [Use an external Azure Cache for Redis in Azure API Management](api-management-howto-cache-external.md), you may want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-policies.md#caching) for more details.
## <a name="test-operation"> </a>Call an operation and test the caching To see the caching in action, call the operation from the developer portal.
To see the caching in action, call the operation from the developer portal.
[Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md
-[Caching policies]: ./api-management-caching-policies.md
+[Caching policies]: ./api-management-policies.md#caching
[Create an API Management service instance]: get-started-create-service-instance.md
api-management Api Management Howto Configure Custom Domain Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-custom-domain-gateway.md
# Configure a custom domain name for a self-hosted gateway
-When you provision a [self-hosted Azure API Management gateway](self-hosted-gateway-overview.md), it is not assigned a host name and has to be referenced by its IP address. This article shows how to map an existing custom DNS name (also referred to as hostname) to a self-hosted gateway.
- [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)]
+When you provision a [self-hosted Azure API Management gateway](self-hosted-gateway-overview.md), it is not assigned a host name and has to be referenced by its IP address. This article shows how to map an existing custom DNS name (also referred to as hostname) to a self-hosted gateway.
+ ## Prerequisites To perform the steps described in this article, you must have:
api-management Api Management Howto Configure Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-notifications.md
# How to configure notifications and notification templates in Azure API Management + API Management provides the ability to configure email notifications for specific events, and to configure the email templates that are used to communicate with the administrators and developers of an API Management instance. This article shows how to configure notifications for the available events, and provides an overview of configuring the email templates used for these events. ## Prerequisites If you don't have an API Management service instance, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md). - [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)] ## <a name="publisher-notifications"> </a>Configure notifications in the portal
api-management Api Management Howto Create Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-groups.md
# How to create and use groups to manage developer accounts in Azure API Management + In API Management, groups are used to manage the visibility of products to developers. Products are first made visible to groups, and then developers in those groups can view and subscribe to the products that are associated with the groups. API Management has the following immutable system groups:
This guide shows how administrators of an API Management instance can add new gr
In addition to creating and managing groups in the Azure portal, you can create and manage your groups using the API Management REST API [Group](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-group-entity) entity. - ## Prerequisites Complete tasks in this article: [Create an Azure API Management instance](get-started-create-service-instance.md).
api-management Api Management Howto Create Or Invite Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-or-invite-developers.md
Previously updated : 02/13/2018 Last updated : 03/20/2024 # How to manage user accounts in Azure API Management
-In API Management, developers are the users of the APIs that you expose using API Management. This guide shows how to create and invite developers to use the APIs and products that you make available to them with your API Management instance. For information on managing user accounts programmatically, see the [User entity](/rest/api/apimanagement/current-ga/user) documentation in the [API Management REST](/rest/api/apimanagement/) reference.
+In API Management, developers are the users of the APIs that you expose using API Management. This guide shows how to create and invite developers to use the APIs and products that you make available to them with your API Management instance. For information on managing user accounts programmatically, see the [User entity](/rest/api/apimanagement/current-ga/user) documentation in the [API Management REST](/rest/api/apimanagement/) reference.
## Prerequisites
api-management Api Management Howto Create Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-subscriptions.md
Previously updated : 08/03/2022 Last updated : 03/26/2024 # Create subscriptions in Azure API Management + When you publish APIs through Azure API Management, it's easy and common to secure access to those APIs by using subscription keys. Client applications that need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs. To get a subscription key for accessing APIs, a subscription is required. For more information about subscriptions, see [Subscriptions in Azure API Management](api-management-subscriptions.md). This article walks through the steps for creating subscriptions in the Azure portal.
To take the steps in this article, the prerequisites are as follows:
1. Optionally, select **Allow tracing** to enable tracing for debugging and troubleshooting APIs. [Learn more](api-management-howto-api-inspector.md) [!INCLUDE [api-management-tracing-alert](../../includes/api-management-tracing-alert.md)]+
+ [!INCLUDE [api-management-availability-tracing-v2-tiers](../../includes/api-management-availability-tracing-v2-tiers.md)]
+ 1. Select a **Scope** of the subscription from the dropdown list. [Learn more](api-management-subscriptions.md#scope-of-subscriptions) 1. Optionally, choose if the subscription should be associated with a **User** and whether to send a notification for use with the developer portal. 1. Select **Create**.
api-management Api Management Howto Deploy Multi Region https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-deploy-multi-region.md
# Deploy an Azure API Management instance to multiple Azure regions + Azure API Management supports multi-region deployment, which enables API publishers to add regional API gateways to an existing API Management instance in one or more supported Azure regions. Multi-region deployment helps reduce request latency perceived by geographically distributed API consumers and improves service availability if one region goes offline. When adding a region, you configure:
When adding a region, you configure:
>[!IMPORTANT] > The feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo. For all other regions, customer data is stored in Geo. - ## About multi-region deployment [!INCLUDE [api-management-multi-region-concepts](../../includes/api-management-multi-region-concepts.md)]
api-management Api Management Howto Developer Portal Customize https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-developer-portal-customize.md
# Tutorial: Access and customize the developer portal
-In this tutorial, you'll get started with customizing the API Management *developer portal*. The developer portal is an automatically generated, fully customizable website with the documentation of your APIs. It's where API consumers can discover your APIs, learn how to use them, and request access.
+The *developer portal* is an automatically generated, fully customizable website with the documentation of your APIs. It is where API consumers can discover your APIs, learn how to use them, and request access.
In this tutorial, you learn how to:
For more information about developer portal features and options, see [Azure API
- Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md). - [Import and publish](import-and-publish.md) an API. + ## Access the portal as an administrator
api-management Api Management Howto Disaster Recovery Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md
# How to implement disaster recovery using service backup and restore in Azure API Management + By publishing and managing your APIs via Azure API Management, you're taking advantage of fault tolerance and infrastructure capabilities that you'd otherwise design, implement, and manage manually. The Azure platform mitigates a large fraction of potential failures at a fraction of the cost. To recover from availability problems that affect your API Management service, be ready to reconstitute your service in another region at any time. Depending on your recovery time objective, you might want to keep a standby service in one or more regions. You might also try to maintain their configuration and content in sync with the active service according to your recovery point objective. The API management backup and restore capabilities provide the necessary building blocks for implementing disaster recovery strategy.
This article shows how to automate backup and restore operations of your API Man
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - ## Prerequisites * An API Management service instance. If you don't have one, see [Create an API Management service instance](get-started-create-service-instance.md).
api-management Api Management Howto Integrate Internal Vnet Appgateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md
# Integrate API Management in an internal virtual network with Application Gateway + You can configure Azure API Management in a [virtual network in internal mode](api-management-using-with-internal-vnet.md), which makes it accessible only within the virtual network. [Azure Application Gateway](../application-gateway/overview.md) is a platform as a service (PaaS) that acts as a Layer-7 load balancer. It acts as a reverse-proxy service and provides among its offerings Azure Web Application Firewall (WAF). By combining API Management provisioned in an internal virtual network with the Application Gateway front end, you can:
For architectural guidance, see:
> [!NOTE] > This article has been updated to use the [Application Gateway WAF_v2 SKU](../application-gateway/application-gateway-autoscaling-zone-redundant.md). - ## Prerequisites [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
api-management Api Management Howto Ip Addresses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-ip-addresses.md
# IP addresses of Azure API Management + In this article we describe how to retrieve the IP addresses of Azure API Management service. IP addresses can be public or private if the service is in a virtual network. You can use IP addresses to create firewall rules, filter the incoming traffic to the backend services, or restrict the outbound traffic. ## IP addresses of API Management service
API Management uses a public IP address for a connection outside the VNet or a p
* When API management is deployed in an external or internal virtual network and API management connects to private (intranet-facing) backends, internal IP addresses (dynamic IP, or DIP addresses) from the subnet are used for the runtime API traffic. When a request is sent from API Management to a private backend, a private IP address will be visible as the origin of the request.
- Therefore, if IP restriction lists secure resources within the VNet or a peered VNet, it is recommended to use the whole API Management [subnet range](virtual-network-concepts.md#subnet-size) with an IP rule - and (in internal mode) not just the private IP address associated with the API Management resource.
+ Therefore, if IP restriction lists secure resources within the VNet or a peered VNet, it is recommended to use the whole API Management [subnet range](virtual-network-injection-resources.md#subnet-size) with an IP rule - and (in internal mode) not just the private IP address associated with the API Management resource.
* When a request is sent from API Management to a public (internet-facing) backend, a public IP address will always be visible as the origin of the request. ## IP addresses of Consumption, Basic v2, and Standard v2 tier API Management service
-If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2 (preview), Standard v2 (preview).
+If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2, Standard v2.
If you need to add the outbound IP addresses used by your Consumption, Basic v2, or Standard v2 tier instance to an allowlist, you can add the instance's data center (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure data centers](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in.
api-management Api Management Howto Log Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-log-event-hubs.md
# How to log events to Azure Event Hubs in Azure API Management + This article describes how to log API Management events using Azure Event Hubs. Azure Event Hubs is a highly scalable data ingress service that can ingest millions of events per second so that you can process and analyze the massive amounts of data produced by your connected devices and applications. Event Hubs acts as the "front door" for an event pipeline, and once data is collected into an event hub, it can be transformed and stored using any real-time analytics provider or batching/storage adapters. Event Hubs decouples the production of a stream of events from the consumption of those events, so that event consumers can access the events on their own schedule.
api-management Api Management Howto Manage Protocols Ciphers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-manage-protocols-ciphers.md
# Manage protocols and ciphers in Azure API Management + Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for: * Client side * Backend side
By default, API Management enables TLS 1.2 for client and backend connectivity a
:::image type="content" source="media/api-management-howto-manage-protocols-ciphers/api-management-protocols-ciphers.png" alt-text="Screenshot of managing protocols and ciphers in the Azure portal."::: - > [!NOTE] > * If you're using the self-hosted gateway, see [self-hosted gateway security](self-hosted-gateway-overview.md#security) to manage TLS protocols and cipher suites.
-> * Currently, API Management doesn't support TLS 1.3.
-> * The Consumption tier doesn't support changes to the default cipher configuration.
+> * The following tiers don't support changes to the default cipher configuration: **Consumption**, **Basic v2**, **Standard v2**.
## Prerequisites
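Review bot: The NOTE block loses its bullet "Currently, API Management doesn't support TLS 1.3" with nothing put in its place, so the article no longer says whether TLS 1.3 can be negotiated on the client or backend side. Readers setting a protocol floor need that stated explicitly, so replace the bullet with the current TLS 1.3 status per tier instead of dropping it silently. The new bullet listing Consumption, Basic v2 and Standard v2 should also say which default cipher configuration those tiers are fixed to, or link to it, since users on those tiers cannot change it.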
api-management Api Management Howto Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-migrate.md
# How to move Azure API Management across regions + This article describes how to move an API Management instance to a different Azure region. You might move your instance to another region for many reasons. For example: * Locate your instance closer to your API consumers
To move API Management instances from one Azure region to another, use the servi
> [!NOTE] > API Management also supports [multi-region deployment](api-management-howto-deploy-multi-region.md), which distributes a single Azure API management service across multiple Azure regions. Multi-region deployment helps reduce request latency perceived by geographically distributed API consumers and improves service availability if one region goes offline. - ## Considerations * Choose the same API Management pricing tier in the source and target regions.
api-management Api Management Howto Mutual Certificates For Clients https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-mutual-certificates-for-clients.md
# How to secure APIs using client certificate authentication in API Management + API Management provides the capability to secure access to APIs (that is, client to API Management) using client certificates and mutual TLS authentication. You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions. For information about securing access to the backend service of an API using client certificates (that is, API Management to backend), see [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md).
Using key vault certificates is recommended because it helps improve API Managem
### Developer, Basic, Standard, or Premium tier
-To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below.
+To receive and verify client certificates over HTTP/2 in the Developer, Basic, Basic v2, Standard, Standard v2, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below.
![Negotiate client certificate](./media/api-management-howto-mutual-certificates-for-clients/negotiate-client-certificate.png)
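Review bot: The heading "### Developer, Basic, Standard, or Premium tier" directly above the changed sentence still omits Basic v2 and Standard v2, which the sentence now lists. Update the heading to match, or readers on v2 tiers scanning the headings will not find the "Negotiate client certificate" requirement that applies to them.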
You can also create policy expressions with the [`context` variable](api-managem
> [!IMPORTANT] > * Starting May 2021, the `context.Request.Certificate` property only requests the certificate when the API Management instance's [`hostnameConfiguration`](/rest/api/apimanagement/current-ga/api-management-service/create-or-update#hostnameconfiguration) sets the `negotiateClientCertificate` property to True. By default, `negotiateClientCertificate` is set to False. > * If TLS renegotiation is disabled in your client, you may see TLS errors when requesting the certificate using the `context.Request.Certificate` property. If this occurs, enable TLS renegotiation settings in the client.
+> * Certification renegotiation is not supported in the API Management v2 tiers.
### Checking the issuer and subject
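Review bot: The added bullet says "Certification renegotiation", which looks like a slip for "certificate renegotiation". It also sits right after the bullet telling readers to enable TLS renegotiation in the client when `context.Request.Certificate` causes TLS errors, without saying what v2-tier users should do instead. State the consequence, for example whether `negotiateClientCertificate` must be set to True for `context.Request.Certificate` to be populated on v2 tiers, so the bullet is actionable.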
api-management Api Management Howto Mutual Certificates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-mutual-certificates.md
# Secure backend services using client certificate authentication in Azure API Management ++ API Management allows you to secure access to the backend service of an API using client certificates and mutual TLS authentication. This guide shows how to manage certificates in an Azure API Management service instance using the Azure portal. It also explains how to configure an API to use a certificate to access a backend service. You can also manage API Management certificates using the [API Management REST API](/rest/api/apimanagement/current-ga/certificate).
To delete a certificate, select it and then select **Delete** from the context m
[Publish a product]: api-management-howto-add-products.md#publish-product [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md
-[Caching policies]: ./api-management-policies.md#caching-policies
+[Caching policies]: ./api-management-policies.md#caching
[Create an API Management service instance]: get-started-create-service-instance.md
-[Azure API Management REST API Certificate entity]: ./api-management-caching-policies.md
[WebApp-GraphAPI-DotNet]: https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet [to configure certificate authentication in Azure WebSites refer to this article]: ../app-service/app-service-web-configure-tls-mutual-auth.md
api-management Api Management Howto Oauth2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-oauth2.md
# How to authorize test console of developer portal by configuring OAuth 2.0 user authorization + Many APIs support [OAuth 2.0](https://oauth.net/2/) to secure the API and ensure that only valid users have access, and they can only access resources to which they're entitled. To use Azure API Management's interactive developer console with such APIs, the service allows you to configure an external provider for OAuth 2.0 user authorization. Configuring OAuth 2.0 user authorization in the test console of the developer portal provides developers with a convenient way to acquire an OAuth 2.0 access token. From the test console, the token is then passed to the backend with the API call. Token validation must be configured separately - either using a [JWT validation policy](validate-jwt-policy.md), or in the backend service.
This article shows you how to configure your API Management service instance to
If you haven't yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance]. ## Scenario overview
For more information about using OAuth 2.0 and API Management, see [Protect a we
[Publish a product]: api-management-howto-add-products.md#publish-product [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md
-[Caching policies]: ./api-management-policies.md#caching-policies
+[Caching policies]: ./api-management-policies.md#caching
[Create an API Management service instance]: get-started-create-service-instance.md [https://oauth.net/2/]: https://oauth.net/2/
api-management Api Management Howto Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-policies.md
# Policies in Azure API Management + In Azure API Management, API publishers can change API behavior through configuration using *policies*. Policies are a collection of statements that are run sequentially on the request or response of an API. API Management provides more than 50 policies out of the box that you can configure to address common API scenarios such as authentication, rate limiting, caching, and transformation of requests or responses. For a complete list, see [API Management policy reference](api-management-policies.md). Popular policies include:
Unless the policy specifies otherwise, [policy expressions](api-management-polic
Each expression has access to the implicitly provided `context` variable and an allowed subset of .NET Framework types.
-Policy expressions provide a sophisticated means to control traffic and modify API behavior without requiring you to write specialized code or modify backend services. Some policies are based on policy expressions, such as [Control flow][Control flow] and [Set variable][Set variable]. For more information, see [Advanced policies][Advanced policies].
+Policy expressions provide a sophisticated means to control traffic and modify API behavior without requiring you to write specialized code or modify backend services. Some policies are based on policy expressions, such as [Control flow][Control flow] and [Set variable][Set variable].
## Scopes
The following example uses [policy expressions][Policy expressions] and the [`se
[API]: api-management-howto-add-products.md [Operation]: ./mock-api-responses.md
-[Advanced policies]: ./api-management-advanced-policies.md
+[Policy control and flow policies]: ./api-management-policies.md#policy-control-and-flow
[Control flow]: choose-policy.md [Set variable]: set-variable-policy.md [Policy expressions]: ./api-management-policy-expressions.md
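Review bot: The new reference definition `[Policy control and flow policies]` is not used by any line visible in this change. The earlier hunk deletes the "For more information, see [Advanced policies][Advanced policies]" sentence instead of retargeting it. Either drop the unused definition or keep a pointer sentence that uses the new label, so readers of the policy expressions paragraph still have a link to the control and flow policies.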
api-management Api Management Howto Properties https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-properties.md
# Use named values in Azure API Management policies + [API Management policies](api-management-howto-policies.md) are a powerful capability of the system that allow the publisher to change the behavior of the API through configuration. Policies are a collection of statements that are executed sequentially on the request or response of an API. Policy statements can be constructed using literal text values, policy expressions, and named values. *Named values* are a global collection of name/value pairs in each API Management instance. There is no imposed limit on the number of items in the collection. Named values can be used to manage constant string values and secrets across all API configurations and policies.
api-management Api Management Howto Protect Backend With Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-protect-backend-with-aad.md
# Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID + In this article, you'll learn high level steps to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Microsoft Entra ID](../active-directory/develop/active-directory-v2-protocols.md). For a conceptual overview of API authorization, see [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md).
api-management Api Management Howto Provision Self Hosted Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-provision-self-hosted-gateway.md
# Provision a self-hosted gateway in Azure API Management
-Provisioning a gateway resource in your Azure API Management instance is a prerequisite for deploying a self-hosted gateway. This article walks through the steps to provision a gateway resource in API Management.
- [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)]
+Provisioning a gateway resource in your Azure API Management instance is a prerequisite for deploying a self-hosted gateway. This article walks through the steps to provision a gateway resource in API Management.
+ ## Prerequisites Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md)
api-management Api Management Howto Setup Delegation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-setup-delegation.md
# How to delegate user registration and product subscription
-Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up (and related account management operations) and product subscription using your existing website, instead of the developer portal's built-in functionality.
- [!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)]
+Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up (and related account management operations) and product subscription using your existing website, instead of the developer portal's built-in functionality.
+ ## Delegating developer sign-in and sign-up To delegate developer sign-in and sign-up and developer account management options to your existing website, create a special delegation endpoint on your site. This special delegation acts as the entry-point for any sign-in/sign-up and related requests initiated from the API Management developer portal.
api-management Api Management Howto Use Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-azure-monitor.md
# Tutorial: Monitor published APIs + With Azure Monitor, you can visualize, query, route, archive, and take actions on the metrics or logs coming from your Azure API Management service. In this tutorial, you learn how to:
api-management Api Management Howto Use Managed Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-managed-service-identity.md
# Use managed identities in Azure API Management + This article shows you how to create a managed identity for an Azure API Management instance and how to use it to access other resources. A managed identity generated by Microsoft Entra ID allows your API Management instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). You can grant two types of identities to an API Management instance:
api-management Api Management In Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-in-workspace.md
Last updated 03/10/2023
# Manage APIs and other resources in your API Management workspace
-This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md)
- [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)]
+This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md)
+ > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations). > * Workspaces are supported in API Management REST API version 2022-09-01-preview or later.
api-management Api Management Key Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-key-concepts.md
Previously updated : 12/13/2023 Last updated : 03/28/2024 # What is Azure API Management? + This article provides an overview of common scenarios and key components of Azure API Management. Azure API Management is a hybrid, multicloud management platform for APIs across all environments. As a platform-as-a-service, API Management supports the complete API lifecycle. > [!TIP]
Common scenarios include:
## API Management components
-Azure API Management is made up of an API *gateway*, a *management plane*, and a *developer portal*. These components are Azure-hosted and fully managed by default. API Management is available in various [tiers](api-management-features.md) differing in capacity and features.
+Azure API Management is made up of an API *gateway*, a *management plane*, and a *developer portal*. These components are Azure-hosted and fully managed by default. API Management is available in various [tiers](#api-management-tiers) differing in capacity and features.
:::image type="content" source="media/api-management-key-concepts-experiment/api-management-components.png" alt-text="Diagram showing key components of Azure API Management.":::
Using the developer portal, developers can:
* Download API definitions * Manage API keys
+## API Management tiers
+
+API Management is offered in a variety of pricing tiers to meet the needs of different customers. Each tier offers a distinct combination of features, performance, capacity limits, scalability, SLA, and pricing for different scenarios. The tiers are grouped as follows:
+
+* **Classic** - The original API Management offering, including the Developer, Basic, Standard, and Premium tiers. The Premium tier is designed for enterprises requiring access to private backends, enhanced security features, multi-region deployments, availability zones, and high scalability. The Developer tier is an economical option for non-production use, while the Basic, Standard, and Premium tiers are production-ready tiers.
+* **V2** - A new set of tiers that offer fast provisioning and scaling, including Basic v2 for development and testing, and Standard v2 for production workloads. Standard v2 supports simplified connection to network-isolated backends.
+* **Consumption** - The Consumption tier is a serverless gateway for managing APIs that scales based on demand and billed per execution. It is designed for applications with serverless compute, microservices-based architectures, and those with variable traffic patterns.
+
+**More information**:
+* [Feature-based comparison of the Azure API Management tiers](api-management-features.md)
+* [V2 service tiers](v2-service-tiers-overview.md)
+* [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/)
+ ## Integration with Azure services API Management integrates with many complementary Azure services to create enterprise solutions, including:
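Review bot: In the Consumption bullet of the new "API Management tiers" section, "scales based on demand and billed per execution" is missing a verb and should read "and is billed per execution". The group label "**V2**" is also capitalized differently from "Basic v2" and "Standard v2" in the same bullet; pick one casing. Since the Classic bullet calls out "enhanced security features" for Premium, link that phrase to the feature comparison so the claim can be checked against specific features.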
API Management integrates with many complementary Azure services to create enter
* [Basic enterprise integration](/azure/architecture/reference-architectures/enterprise-integration/basic-enterprise-integration?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) * [Landing zone accelerator](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) - ## Key concepts ### APIs
api-management Api Management Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-kubernetes.md
# Use Azure API Management with microservices deployed in Azure Kubernetes Service + Microservices are perfect for building APIs. With [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/) (AKS), you can quickly deploy and operate a [microservices-based architecture](/azure/architecture/guide/architecture-styles/microservices) in the cloud. You can then leverage [Azure API Management](https://aka.ms/apimrocks) (API Management) to publish your microservices as APIs for internal and external consumption. This article describes the options of deploying API Management with AKS. It assumes basic knowledge of Kubernetes, API Management, and Azure networking. ## Background
api-management Api Management Log To Eventhub Sample https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-log-to-eventhub-sample.md
Last updated 01/23/2018
# Monitor your APIs with Azure API Management, Event Hubs, and Moesif++ The [API Management service](api-management-key-concepts.md) provides many capabilities to enhance the processing of HTTP requests sent to your HTTP API. However, the existence of the requests and responses is transient. The request is made and it flows through the API Management service to your backend API. Your API processes the request and a response flows back through to the API consumer. The API Management service keeps some important statistics about the APIs for display in the Azure portal dashboard, but beyond that, the details are gone. By using the log-to-eventhub policy in the API Management service, you can send any details from the request and response to an [Azure Event Hub](../event-hubs/event-hubs-about.md). There are a variety of reasons why you may want to generate events from HTTP messages being sent to your APIs. Some examples include audit trail of updates, usage analytics, exception alerting, and third-party integrations.
api-management Api Management Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policies.md
Previously updated : 03/08/2024 Last updated : 03/28/2024 # API Management policy reference
-This section provides links to reference articles for all API Management policies.
++
+This section provides brief descriptions and links to reference articles for all API Management policies. The API Management [gateways](api-management-gateways-overview.md) that support each policy are indicated. For detailed policy settings and examples, see the linked reference articles.
More information about policies:
More information about policies:
> [!IMPORTANT] > [Limit call rate by subscription](rate-limit-policy.md) and [Set usage quota by subscription](quota-policy.md) have a dependency on the subscription key. A subscription key isn't required when other policies are applied.
-## Access restriction policies
-- [Check HTTP header](check-header-policy.md) - Enforces existence and/or value of an HTTP Header.-- [Get authorization context](get-authorization-context-policy.md) - Gets the authorization context of a specified [connection](credentials-overview.md) to a credential provider configured in the API Management instance.-- [Limit call rate by subscription](rate-limit-policy.md) - Prevents API usage spikes by limiting call rate, on a per subscription basis.-- [Limit call rate by key](rate-limit-by-key-policy.md) - Prevents API usage spikes by limiting call rate, on a per key basis.-- [Restrict caller IPs](ip-filter-policy.md) - Filters (allows/denies) calls from specific IP addresses and/or address ranges.-- [Set usage quota by subscription](quota-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.-- [Set usage quota by key](quota-by-key-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.-- [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) - Enforces existence and validity of a Microsoft Entra JWT extracted from either a specified HTTP header, query parameter, or token value.-- [Validate JWT](validate-jwt-policy.md) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value.-- [Validate client certificate](validate-client-certificate-policy.md) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.-
-## Advanced policies
-- [Control flow](choose-policy.md) - Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md).-- [Emit metrics](emit-metric-policy.md) - Sends custom metrics to Application Insights at execution.-- [Forward request](forward-request-policy.md) - Forwards the request to the backend service.-- [Include fragment](include-fragment-policy.md) - Inserts a policy fragment in the policy definition.-- [Limit concurrency](limit-concurrency-policy.md) - Prevents enclosed policies from executing by more than the specified number of requests at a time.-- [Log to event hub](log-to-eventhub-policy.md) - Sends messages in the specified format to an event hub defined by a Logger entity.-- [Mock response](mock-response-policy.md) - Aborts pipeline execution and returns a mocked response directly to the caller.-- [Retry](retry-policy.md) - Retries execution of the enclosed policy statements, if and until the condition is met. 
Execution will repeat at the specified time intervals and up to the specified retry count.-- [Return response](return-response-policy.md) - Aborts pipeline execution and returns the specified response directly to the caller.-- [Send one way request](send-one-way-request-policy.md) - Sends a request to the specified URL without waiting for a response.-- [Send request](send-request-policy.md) - Sends a request to the specified URL.-- [Set HTTP proxy](proxy-policy.md) - Allows you to route forwarded requests via an HTTP proxy.-- [Set request method](set-method-policy.md) - Allows you to change the HTTP method for a request.-- [Set status code](set-status-policy.md) - Changes the HTTP status code to the specified value.-- [Set variable](set-variable-policy.md) - Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access.-- [Trace](trace-policy.md) - Adds custom traces into the [request tracing](./api-management-howto-api-inspector.md) output in the test console, Application Insights telemetries, and resource logs.-- [Wait](wait-policy.md) - Waits for enclosed [Send request](send-request-policy.md), [Get value from cache](cache-lookup-value-policy.md), or [Control flow](choose-policy.md) policies to complete before proceeding.-
-## Authentication policies
-- [Authenticate with Basic](authentication-basic-policy.md) - Authenticate with a backend service using Basic authentication.-- [Authenticate with client certificate](authentication-certificate-policy.md) - Authenticate with a backend service using client certificates.-- [Authenticate with managed identity](authentication-managed-identity-policy.md) - Authenticate with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md).-
-## Caching policies
-- [Get from cache](cache-lookup-policy.md) - Perform cache lookup and return a valid cached response when available.-- [Store to cache](cache-store-policy.md) - Caches response according to the specified cache control configuration.-- [Get value from cache](cache-lookup-value-policy.md) - Retrieve a cached item by key.-- [Store value in cache](cache-store-value-policy.md) - Store an item in the cache by key.-- [Remove value from cache](cache-remove-value-policy.md) - Remove an item in the cache by key.-
-## Cross-domain policies
-- [Allow cross-domain calls](cross-domain-policy.md) - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.-- [CORS](cors-policy.md) - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.-- [JSONP](jsonp-policy.md) - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.-
-## Dapr integration policies
-- [Send request to a service](set-backend-service-dapr-policy.md): Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md#service-invocation) file.-- [Send message to Pub/Sub topic](publish-to-dapr-policy.md): Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.-- [Trigger output binding](invoke-dapr-binding-policy.md): Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.-
-## GraphQL resolver policies
-- [Azure SQL data source for resolver](sql-data-source-policy.md) - Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema.-- [Cosmos DB data source for resolver](cosmosdb-data-source-policy.md) - Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema.-- [HTTP data source for resolver](http-data-source-policy.md) - Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema.-- [Publish event to GraphQL subscription](publish-event-policy.md) - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. -
-## Transformation policies
-- [Convert JSON to XML](json-to-xml-policy.md) - Converts request or response body from JSON to XML.-- [Convert XML to JSON](xml-to-json-policy.md) - Converts request or response body from XML to JSON.-- [Find and replace string in body](find-and-replace-policy.md) - Finds a request or response substring and replaces it with a different substring.-- [Mask URLs in content](redirect-content-urls-policy.md) - Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway.-- [Set backend service](set-backend-service-policy.md) - Changes the backend service base URL of an incoming request to a URL or a [backend](backends.md). Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool-preview) and [circuit breaker rules](backends.md#circuit-breaker-preview) to protect the backend from too many requests.-- [Set body](set-body-policy.md) - Sets the message body for a request or response.-- [Set HTTP header](set-header-policy.md) - Assigns a value to an existing response and/or request header or adds a new response and/or request header.-- [Set query string parameter](set-query-parameter-policy.md) - Adds, replaces value of, or deletes request query string parameter.-- [Rewrite URL](rewrite-uri-policy.md) - Converts a request URL from its public form to the form expected by the web service.-- [Transform XML using an XSLT](xsl-transform-policy.md) - Applies an XSL transformation to XML in the request or response body.-
-## Validation policies
--- [Validate content](validate-content-policy.md) - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.-- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API. -- [Validate OData request](validate-odata-request-policy.md) - Validates a request to an OData API to ensure conformance with the OData specification.-- [Validate parameters](validate-parameters-policy.md) - Validates the request header, query, or path parameters against the API schema.-- [Validate headers](validate-headers-policy.md) - Validates the response headers against the API schema.-- [Validate status code](validate-status-code-policy.md) - Validates the HTTP status codes in responses against the API schema.
+## Rate limiting and quotas
+
+|Policy |Description |Classic | V2 | Consumption | Self-hosted |
+||||||--|
+| [Limit call rate by subscription](rate-limit-policy.md) | Prevents API usage spikes by limiting call rate, on a per subscription basis. | Yes | Yes | Yes | Yes |
+| [Limit call rate by key](rate-limit-by-key-policy.md) | Prevents API usage spikes by limiting call rate, on a per key basis. | Yes | Yes | No | Yes |
+| [Set usage quota by subscription](quota-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. | Yes | Yes | Yes | Yes
+| [Set usage quota by key](quota-by-key-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. | Yes | No | No | Yes |
+| [Limit concurrency](limit-concurrency-policy.md) | Prevents enclosed policies from executing by more than the specified number of requests at a time. | Yes | Yes | Yes | Yes |
+
+## Authentication and authorization
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Check HTTP header](check-header-policy.md) | Enforces existence and/or value of an HTTP header. | Yes | Yes | Yes | Yes |
+| [Get authorization context](get-authorization-context-policy.md) | Gets the authorization context of a specified [connection](credentials-overview.md) to a credential provider configured in the API Management instance. | Yes | Yes | Yes | No |
+| [Restrict caller IPs](ip-filter-policy.md) | Filters (allows/denies) calls from specific IP addresses and/or address ranges. | Yes | Yes | Yes | Yes |
+| [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) | Enforces existence and validity of a Microsoft Entra (formerly called Azure Active Directory) JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes |
+| [Validate JWT](validate-jwt-policy.md) | Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes |
+| [Validate client certificate](validate-client-certificate-policy.md) |Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. | Yes | Yes | Yes | Yes |
+| [Authenticate with Basic](authentication-basic-policy.md) | Authenticates with a backend service using Basic authentication. | Yes | Yes | Yes | Yes |
+| [Authenticate with client certificate](authentication-certificate-policy.md) | Authenticates with a backend service using client certificates. | Yes | Yes | Yes | Yes |
+| [Authenticate with managed identity](authentication-managed-identity-policy.md) | Authenticates with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md). | Yes | Yes | Yes | Yes |
+
+## Content validation
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Validate content](validate-content-policy.md) | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes |
+| [Validate GraphQL request](validate-graphql-request-policy.md) | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes |
+| [Validate OData request](validate-odata-request-policy.md) | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes |
+| [Validate parameters](validate-parameters-policy.md) | Validates the request header, query, or path parameters against the API schema. | Yes | Yes | Yes | Yes |
+| [Validate headers](validate-headers-policy.md) | Validates the response headers against the API schema. | Yes | Yes | Yes | Yes |
+| [Validate status code](validate-status-code-policy.md) | Validates the HTTP status codes in responses against the API schema. | Yes | Yes | Yes | Yes |
+
+## Routing
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Forward request](forward-request-policy.md) | Forwards the request to the backend service. | Yes | Yes | Yes | Yes |
+| [Set backend service](set-backend-service-policy.md) | Changes the backend service base URL of an incoming request to a URL or a [backend](backends.md). Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool-preview) and [circuit breaker rules](backends.md#circuit-breaker-preview) to protect the backend from too many requests. | Yes | Yes | Yes | Yes |
+| [Set HTTP proxy](proxy-policy.md) | Allows you to route forwarded requests via an HTTP proxy. | Yes | Yes | Yes | Yes |
+
+## Caching
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Get from cache](cache-lookup-policy.md) | Performs cache lookup and return a valid cached response when available. | Yes | Yes | Yes | Yes |
+| [Store to cache](cache-store-policy.md) | Caches response according to the specified cache control configuration. | Yes | Yes | Yes | Yes |
+| [Get value from cache](cache-lookup-value-policy.md) | Retrieves a cached item by key. | Yes | Yes | Yes | Yes |
+| [Store value in cache](cache-store-value-policy.md) | Stores an item in the cache by key. | Yes | Yes | Yes | Yes |
+| [Remove value from cache](cache-remove-value-policy.md) | Removes an item in the cache by key. | Yes | Yes | Yes | Yes |
+
+## Transformation
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Set request method](set-method-policy.md) | Allows you to change the HTTP method for a request. | Yes | Yes | Yes | Yes |
+| [Set status code](set-status-policy.md) | Changes the HTTP status code to the specified value. | Yes | Yes | Yes | Yes |
+| [Set variable](set-variable-policy.md) | Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access. | Yes | Yes | Yes | Yes |
+| [Set body](set-body-policy.md) | Sets the message body for a request or response. | Yes | Yes | Yes | Yes |
+| [Set HTTP header](set-header-policy.md) | Assigns a value to an existing response and/or request header or adds a new response and/or request header. | Yes | Yes | Yes | Yes |
+| [Set query string parameter](set-query-parameter-policy.md) | Adds, replaces value of, or deletes request query string parameter. | Yes | Yes | Yes | Yes |
+| [Rewrite URL](rewrite-uri-policy.md) | Converts a request URL from its public form to the form expected by the web service. | Yes | Yes | Yes | Yes |
+| [Convert JSON to XML](json-to-xml-policy.md) | Converts request or response body from JSON to XML. | Yes | Yes | Yes | Yes |
+| [Convert XML to JSON](xml-to-json-policy.md) | Converts request or response body from XML to JSON. | Yes | Yes | Yes | Yes |
+| [Find and replace string in body](find-and-replace-policy.md) | Finds a request or response substring and replaces it with a different substring. | Yes | Yes | Yes | Yes |
+| [Mask URLs in content](redirect-content-urls-policy.md) | Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. | Yes | Yes | Yes | Yes |
+| [Transform XML using an XSLT](xsl-transform-policy.md) | Applies an XSL transformation to XML in the request or response body. | Yes | Yes | Yes | Yes |
+| [Return response](return-response-policy.md) | Aborts pipeline execution and returns the specified response directly to the caller. | Yes | Yes | Yes | Yes |
+| [Mock response](mock-response-policy.md) | Aborts pipeline execution and returns a mocked response directly to the caller. | Yes | Yes | Yes | Yes |
+
+## Cross-domain
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Allow cross-domain calls](cross-domain-policy.md) | Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. | Yes | Yes | Yes | Yes |
+| [CORS](cors-policy.md) | Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. | Yes | Yes | Yes | Yes |
+| [JSONP](jsonp-policy.md) | Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. | Yes | Yes | Yes | Yes |
+
+## Integration and external communication
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+ | [Send request](send-request-policy.md) | Sends a request to the specified URL. | Yes | Yes | Yes | Yes |
+ | [Send one way request](send-one-way-request-policy.md) | Sends a request to the specified URL without waiting for a response. | Yes | Yes | Yes | Yes |
+| [Log to event hub](log-to-eventhub-policy.md) | Sends messages in the specified format to an event hub defined by a Logger entity.| Yes | Yes | Yes | Yes |
+| [Send request to a service (Dapr)](set-backend-service-dapr-policy.md)| Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md#service-invocation) file. | No | No | No | Yes |
+| [Send message to Pub/Sub topic (Dapr)](publish-to-dapr-policy.md) | Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes |
+| [Trigger output binding (Dapr)](invoke-dapr-binding-policy.md) | Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes |
+
+## Logging
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Trace](trace-policy.md) | Adds custom traces into the [request tracing](./api-management-howto-api-inspector.md) output in the test console, Application Insights telemetries, and resource logs. | Yes | Yes<sup>1</sup> | Yes | Yes |
+| [Emit metrics](emit-metric-policy.md) | Sends custom metrics to Application Insights at execution. | Yes | Yes | Yes | Yes |
+
+<sup>1</sup> In the V2 gateway, the `trace` policy currently does not add tracing output in the test console.
+
+## GraphQL resolvers
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Azure SQL data source for resolver](sql-data-source-policy.md) | Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No |
+| [Cosmos DB data source for resolver](cosmosdb-data-source-policy.md) | Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No |
+| [HTTP data source for resolver](http-data-source-policy.md) | Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | Yes | No |
+| [Publish event to GraphQL subscription](publish-event-policy.md) | Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. | Yes | Yes | Yes | No |
+
+## Policy control and flow
+
+|Policy |Description | Classic | V2 | Consumption |Self-hosted |
+||||||--|
+| [Control flow](choose-policy.md) | Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md). | Yes | Yes | Yes | Yes |
+| [Include fragment](include-fragment-policy.md) | Inserts a policy fragment in the policy definition. | Yes | Yes | Yes | Yes |
+| [Retry](retry-policy.md) | Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count. | Yes | Yes | Yes | Yes |
+ | [Wait](wait-policy.md) | Waits for enclosed [Send request](send-request-policy.md), [Get value from cache](cache-lookup-value-policy.md), or [Control flow](choose-policy.md) policies to complete before proceeding. | Yes | Yes | Yes | Yes |
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
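Review bot: The "Set usage quota by subscription" row in the "Rate limiting and quotas" table is missing its closing `|`, and the "Send request", "Send one way request" and "Wait" rows begin with a stray leading space. Bring these in line with the other rows so every table renders the same way. In the "Caching" table, "Performs cache lookup and return a valid cached response" should read "returns". The "Limit concurrency" description ("Prevents enclosed policies from executing by more than the specified number of requests at a time") is hard to parse; consider "Limits the number of requests that can execute the enclosed policies at the same time".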
api-management Api Management Policy Expressions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policy-expressions.md
Last updated 03/07/2023
# API Management policy expressions++ This article discusses policy expressions syntax in C# 7. Each expression has access to: * The implicitly provided [context](api-management-policy-expressions.md#ContextVariables) variable. * An allowed [subset](api-management-policy-expressions.md#CLRTypes) of .NET Framework types.
api-management Api Management Revisions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-revisions.md
# Revisions in Azure API Management + Revisions allow you to make changes to your APIs in a controlled and safe way. When you want to make changes, create a new revision. You can then edit and test API without disturbing your API consumers. When you're ready, you then make your revision current. At the same time, you can optionally post an entry to the change log, to keep your API consumers up to date with what has changed. The change log is published to your developer portal. > [!NOTE]
api-management Api Management Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-role-based-access-control.md
# How to use role-based access control in Azure API Management + Azure API Management relies on Azure role-based access control (Azure RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies). This article gives you an overview of the built-in and custom roles in API Management. For more information on access management in the Azure portal, see [Get started with access management in the Azure portal](../role-based-access-control/overview.md). [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
api-management Api Management Sample Cache By Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-cache-by-key.md
# Custom caching in Azure API Management++ Azure API Management service has built-in support for [HTTP response caching](api-management-howto-cache.md) using the resource URL as the key. The key can be modified by request headers using the `vary-by` properties. This is useful for caching entire HTTP responses (also known as representations), but sometimes it's useful to just cache a portion of a representation. The [cache-lookup-value](cache-lookup-value-policy.md) and [cache-store-value](cache-store-value-policy.md) policies provide the ability to store and retrieve arbitrary pieces of data from within policy definitions. This ability also adds value to the [send-request](send-request-policy.md) policy because you can cache responses from external services. ## Architecture
api-management Api Management Sample Flexible Throttling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-flexible-throttling.md
# Advanced request throttling with Azure API Management++ Being able to throttle incoming requests is a key role of Azure API Management. Either by controlling the rate of requests or the total requests/data transferred, API Management allows API providers to protect their APIs from abuse and create value for different API product tiers. ## Rate limits and quotas
Rate throttling capabilities that are scoped to a particular subscription are us
## Custom key-based throttling > [!NOTE]
-> The `rate-limit-by-key` and `quota-by-key` policies are not available when in the Consumption tier of Azure API Management.
+> The `rate-limit-by-key` and `quota-by-key` policies are not available when in the Consumption tier of Azure API Management. The `quota-by-key` policy is also currently not available in the v2 tiers.
The [rate-limit-by-key](rate-limit-by-key-policy.md) and [quota-by-key](quota-by-key-policy.md) policies provide a more flexible solution to traffic control. These policies allow you to define expressions to identify the keys that are used to track traffic usage. The way this works is easiest illustrated with an example.
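Review bot: "not available when in the Consumption tier" reads awkwardly in the note; "not available in the Consumption tier" is enough. The added sentence on `quota-by-key` and the v2 tiers matches the "Set usage quota by key" row of the policy reference table changed in this same update (V2: No). Linking to that table from the note would keep the two from drifting apart.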
api-management Api Management Sample Send Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-send-request.md
# Using external services from the Azure API Management service++ The policies available in Azure API Management service can do a wide range of useful work based purely on the incoming request, the outgoing response, and basic configuration information. However, being able to interact with external services from API Management policies opens up many more opportunities. You have previously seen how to interact with the [Azure Event Hub service for logging, monitoring, and analytics](api-management-log-to-eventhub-sample.md). This article demonstrates policies that allow you to interact with any external HTTP-based service. These policies can be used for triggering remote events or for retrieving information that is used to manipulate the original request and response in some way.
There are certain tradeoffs when using a fire-and-forget style of request. If fo
The `send-request` policy enables using an external service to perform complex processing functions and return data to the API management service that can be used for further policy processing. ### Authorizing reference tokens
-A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server.
+A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy or `validate-azure-ad-token` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server.
### Standardized introspection In the past, there has been no standardized way of verifying a reference token with an authorization server. However a recently proposed standard [RFC 7662](https://tools.ietf.org/html/rfc7662) was published by the IETF that defines how a resource server can verify the validity of a token.
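Review bot: The added "or `validate-azure-ad-token` policy" sits in a sentence about any authorization server that issues JWTs, but the policy reference table changed in this same update describes `validate-azure-ad-token` as enforcing the validity of a Microsoft Entra JWT specifically. Reword so that `validate-jwt` is the general option and `validate-azure-ad-token` is offered only for tokens issued by Microsoft Entra ID, for example "use the `validate-jwt` policy, or the `validate-azure-ad-token` policy for Microsoft Entra tokens". "JWT tokens" in the same sentence is redundant; "JWTs" is enough.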
api-management Api Management Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-subscriptions.md
# Subscriptions in Azure API Management + In Azure API Management, *subscriptions* are the most common way for API consumers to access APIs published through an API Management instance. This article provides an overview of the concept. > [!NOTE]
api-management Api Management Terminology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-terminology.md
# Azure API Management terminology + This article gives definitions for the terms that are specific to Azure API Management. ## Term definitions
api-management Api Management Troubleshoot Cannot Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-troubleshoot-cannot-add-custom-domain.md
# Failed to update API Management service hostnames + This article describes the "Failed to update API Management service hostnames" error that you may experience when you add a custom domain for the Azure API Management service. This article provides troubleshooting steps to help you resolve the issue. ## Symptoms
api-management Api Management Using With Internal Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-using-with-internal-vnet.md
Previously updated : 01/03/2022 Last updated : 03/26/2024 # Deploy your Azure API Management instance to a virtual network - internal mode
-Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).
+
+Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see:
+
+* [Using a virtual network with Azure API Management](virtual-network-concepts.md)
+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md)
This article explains how to set up VNet connectivity for your API Management instance in the *internal* mode. In this mode, you can only access the following API Management endpoints within a VNet whose access you control. * The API gateway
For configurations specific to the *external* mode, where the API Management end
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - [!INCLUDE [api-management-virtual-network-prerequisites](../../includes/api-management-virtual-network-prerequisites.md)] ## Enable VNet connection
api-management Api Management Using With Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-using-with-vnet.md
Previously updated : 01/03/2022 Last updated : 03/26/2024 # Deploy your Azure API Management instance to a virtual network - external mode
-Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).
+
+Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see:
+
+* [Using a virtual network with Azure API Management](virtual-network-concepts.md)
+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md)
This article explains how to set up VNet connectivity for your API Management instance in the *external* mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the network.
For configurations specific to the *internal* mode, where the endpoints are acce
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - [!INCLUDE [api-management-virtual-network-prerequisites](../../includes/api-management-virtual-network-prerequisites.md)] ## Enable VNet connection
For configurations specific to the *internal* mode, where the endpoints are acce
7. In the top navigation bar, select **Save**, then select **Apply network configuration**.
-It can take 15 to 45 minutes to update the API Management instance. The Developer tier has downtime during the process. The Basic and higher SKUs don't have downtime during the process.
+It can take 15 to 45 minutes to update the API Management instance. Instances in the Developer tier have downtime during the process. Instances in the Premium tier don't have downtime during the process.
### Enable connectivity using a Resource Manager template (`stv2` compute platform)
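Review bot: The replacement sentence names only the Developer and Premium tiers, where the old text said "The Basic and higher SKUs don't have downtime during the process". State in the commit message or the article why Basic and Standard were dropped (for example, if this procedure does not apply to them), so readers on those tiers are not left guessing. Also check that the internal-mode article, which received the same intro edit in this update, carries the same downtime wording.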
api-management Api Management Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-versions.md
# Versions in Azure API Management + Versions allow you to present groups of related APIs to your developers. You can use versions to handle breaking changes in your API safely. Clients can choose to use your new API version when they're ready, while existing clients continue to use an older version. Versions are differentiated through a version identifier (which is any string value you choose), and a versioning scheme allows clients to identify which version of an API they want to use. For most purposes, each API version can be considered its own independent API. Two different API versions might have different sets of operations and different policies.
api-management Authentication Authorization Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-authorization-overview.md
# Authentication and authorization to APIs in Azure API Management + This article is an introduction to a rich, flexible set of features in API Management that help you secure users' access to managed APIs. API authentication and authorization in API Management involve securing the end-to-end communication of client apps to the API Management gateway and through to backend APIs. In many customer environments, OAuth 2.0 is the preferred API authorization protocol. API Management supports OAuth 2.0 authorization between the client and the API Management gateway, between the gateway and the backend API, or both independently.
api-management Authentication Basic Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-basic-policy.md
Previously updated : 12/01/2022 Last updated : 03/18/2024 # Authenticate with Basic + Use the `authentication-basic` policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
Use the `authentication-basic` policy to authenticate with a backend service usi
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
Use the `authentication-basic` policy to authenticate with a backend service usi
## Related policies
-* [API Management authentication policies](api-management-authentication-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Authentication Certificate Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-certificate-policy.md
Previously updated : 12/01/2022 Last updated : 03/18/2024 # Authenticate with client certificate + Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resource name). > [!CAUTION]
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Examples
## Related policies
-* [API Management authentication policies](api-management-authentication-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Authentication Managed Identity Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-managed-identity-policy.md
Previously updated : 12/06/2022 Last updated : 03/18/2024 # Authenticate with managed identity + Use the `authentication-managed-identity` policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Microsoft Entra ID for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the `Authorization` header using the `Bearer` scheme. API Management caches the token until it expires. Both system-assigned identity and any of the multiple user-assigned identities can be used to request a token. If `client-id` is not provided, system-assigned identity is assumed. If the `client-id` variable is provided, token is requested for that user-assigned identity from Microsoft Entra ID.
Both system-assigned identity and any of the multiple user-assigned identities c
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Examples
Both system-assigned identity and any of the multiple user-assigned identities c
## Related policies
-* [API Management authentication policies](api-management-authentication-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Automate Portal Deployments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/automate-portal-deployments.md
# Automate developer portal deployments + The API Management developer portal supports programmatic access to content. It allows you to import data to or export from an API Management service through the [content management REST API](/rest/api/apimanagement/). The REST API access works for both managed and self-hosted portals. ## Automated migration script
api-management Automation Manage Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/automation-manage-api-management.md
Last updated 02/13/2018
# Managing Azure API Management using Azure Automation++ This guide introduces you to the Azure Automation service, and how it can be used to simplify management of Azure API Management. ## What is Azure Automation?
api-management Azure Openai Api From Specification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/azure-openai-api-from-specification.md
# Import an Azure OpenAI API as a REST API + This article shows how to import an [Azure OpenAI](/azure/ai-services/openai/overview) API into an Azure API Management instance from its OpenAPI specification. After importing the API as a REST API, you can manage and secure it, and publish it to developers. ## Prerequisites
api-management Backends https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/backends.md
# Backends in API Management + A *backend* (or *API backend*) in API Management is an HTTP service that implements your front-end API and its operations. When importing certain APIs, API Management configures the API backend automatically. For example, API Management configures the backend web service when importing:
api-management Api Version Retirement Sep 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/api-version-retirement-sep-2023.md
# API version retirements (September 2023) + Azure API Management uses Azure Resource Manager (ARM) to configure your API Management instances. The API version is embedded in your use of templates that describe your infrastructure, tools that are used to configure the service, and programs that you write to manage your Azure API Management services. On 30 September 2023, all API versions for the Azure API Management service prior to **2021-08-01** will be retired and API calls using those API versions will fail. This means you'll no longer be able to create or manage your API Management services using your existing templates, tools, scripts, and programs until they've been updated. Data operations (such as accessing the APIs or Products configured on Azure API Management) will be unaffected by this update, including after 30 September 2023.
api-management Captcha Endpoint Change Sep 2025 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/captcha-endpoint-change-sep-2025.md
# CAPTCHA endpoint update (September 2025) + On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're permanently changing the CAPTCHA endpoint used by the developer portal. This change will have no effect on the availability of your API Management service. However, you may have to take steps described below to continue using the developer portal beyond 30 September, 2025.
api-management Identity Provider Adal Retirement Sep 2025 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/identity-provider-adal-retirement-sep-2025.md
# ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement (September 2025) + On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). You need to migrate your Microsoft Entra ID or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal. This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Microsoft Entra ID or Azure AD B2C identity providers beyond 30 September, 2025.
api-management Legacy Portal Retirement Oct 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/legacy-portal-retirement-oct-2023.md
# Legacy developer portal retirement (October 2023) + Azure API Management in the dedicated service tiers provides a customizable developer portal where API consumers can discover APIs managed in your API Management instance, learn how to use them, and request access. The current ("new") developer portal was released in October 2020 and is the successor to an earlier ("legacy") version of the developer portal. The legacy portal was deprecated with the release of the new developer portal. On 31 October 2023, the legacy portal was retired and will no longer be supported. If you want to continue using the developer portal, you must migrate to the new developer portal.
api-management Metrics Retirement Aug 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/metrics-retirement-aug-2023.md
# Metrics retirements (August 2023) + Azure API Management integrates natively with Azure Monitor and emits metrics every minute, giving customers visibility into the state and health of their APIs. The following five legacy metrics have been deprecated since May 2019 and will no longer be available after 31 August 2023: * Total Gateway Requests
api-management Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/overview.md
# Upcoming breaking changes + The following table lists all the upcoming breaking changes and feature retirements for Azure API Management. | Change Title | Effective Date |
api-management Rp Source Ip Address Change Mar 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/rp-source-ip-address-change-mar-2023.md
# Resource Provider source IP address updates (March 2023) + On 31 March, 2023 as part of our continuing work to increase the resiliency of API Management services, we're making the resource providers for Azure API Management zone redundant in each region. The IP address that the resource provider uses to communicate with your service will change in seven regions: | Region | Old IP Address | New IP Address |
api-management Rp Source Ip Address Change Sep 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/rp-source-ip-address-change-sep-2023.md
# Resource provider source IP address updates (September 2023) + On 30 September 2023 as part of our continuing work to increase the resiliency of API Management services, we're making the resource providers for Azure API Management zone redundant in each region. The IP address that the resource provider uses to communicate with your service will change if it's located in Switzerland North: * Old IP address: 51.107.0.91
api-management Self Hosted Gateway V0 V1 Retirement Oct 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/self-hosted-gateway-v0-v1-retirement-oct-2023.md
# Support ending for Azure API Management self-hosted gateway version 0 and version 1 container images (October 2023) + The [self-hosted gateway](../self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway included in every API Management service. On 1 October 2023 we're removing support for the v0 and v1 versions of the self-hosted gateway container image. If you've deployed the self-hosted gateway using either of these container images, you need to take the steps below to continue using the self-hosted gateway by migrating to the v2 container image and configuration API. ## Is my service affected by this?
api-management Stv1 Platform Retirement August 2024 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/stv1-platform-retirement-august-2024.md
# stv1 platform retirement (August 2024) + As a cloud platform-as-a-service (PaaS), Azure API Management abstracts many details of the infrastructure used to host and run your service. **The infrastructure associated with the API Management `stv1` compute platform version will be retired effective 31 August 2024.** A more current compute platform version (`stv2`) is already available, and provides enhanced service capabilities. The following table summarizes the compute platforms currently used for instances in the different API Management service tiers.
api-management Workspaces Breaking Changes June 2024 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/workspaces-breaking-changes-june-2024.md
# Workspaces - breaking changes (June 2024) + On 14 June 2024, as part of our development of [workspaces](../workspaces-overview.md) (preview) in Azure API Management, we're introducing several breaking changes. These changes will have no effect on the availability of your API Management service. However, you may have to take action to continue using full workspaces functionality beyond 14 June 2024.
api-management Cache Lookup Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-lookup-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Get from cache + Use the `cache-lookup` policy to perform cache lookup and return a valid cached response when available. This policy can be applied in cases where response content remains static over a period of time. Response caching reduces bandwidth and processing requirements imposed on the backend web server and lowers latency perceived by API consumers. > [!NOTE]
Use the `cache-lookup` policy to perform cache lookup and return a valid cached
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
For more information, see [Policy expressions](api-management-policy-expressions
## Related policies
-* [API Management caching policies](api-management-caching-policies.md)
+* [Caching](api-management-policies.md#caching)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Cache Lookup Value Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-lookup-value-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Get value from cache++ Use the `cache-lookup-value` policy to perform cache lookup by key and return a cached value. The key can have an arbitrary string value and is typically provided using a policy expression. > [!NOTE]
Use the `cache-lookup-value` policy to perform cache lookup by key and return a
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
For more information and examples of this policy, see [Custom caching in Azure A
## Related policies
-* [API Management caching policies](api-management-caching-policies.md)
+* [Caching](api-management-policies.md#caching)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Cache Remove Value Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-remove-value-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Remove value from cache++ The `cache-remove-value` deletes a cached item identified by its key. The key can have an arbitrary string value and is typically provided using a policy expression. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `cache-remove-value` deletes a cached item identified by its key. The key ca
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
For more information and examples of this policy, see [Custom caching in Azure A
## Related policies
-* [API Management caching policies](api-management-caching-policies.md)
+* [Caching](api-management-policies.md#caching)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Cache Store Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-store-policy.md
Previously updated : 01/02/2024 Last updated : 03/18/2024 # Store to cache + The `cache-store` policy caches responses according to the specified cache settings. This policy can be applied in cases where response content remains static over a period of time. Response caching reduces bandwidth and processing requirements imposed on the backend web server and lowers latency perceived by API consumers. > [!NOTE]
The `cache-store` policy caches responses according to the specified cache setti
- [**Policy sections:**](./api-management-howto-policies.md#sections) outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
For more information, see [Policy expressions](api-management-policy-expressions
## Related policies
-* [API Management caching policies](api-management-caching-policies.md)
+* [Caching](api-management-policies.md#caching)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Cache Store Value Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-store-value-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Store value in cache++ The `cache-store-value` performs cache storage by key. The key can have an arbitrary string value and is typically provided using a policy expression. > [!NOTE]
The `cache-store-value` performs cache storage by key. The key can have an arbit
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
For more information and examples of this policy, see [Custom caching in Azure A
## Related policies
-* [API Management caching policies](api-management-caching-policies.md)
+* [Caching](api-management-policies.md#caching)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Check Header Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/check-header-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Check HTTP header + Use the `check-header` policy to enforce that a request has a specified HTTP header. You can optionally check to see if the header has a specific value or one of a range of allowed values. If the check fails, the policy terminates request processing and returns the HTTP status code and error message specified by the policy. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
Use the `check-header` policy to enforce that a request has a specified HTTP he
- **[Policy sections:](./api-management-howto-policies.md#sections)** inbound - **[Policy scopes:](./api-management-howto-policies.md#scopes)** global, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
Use the `check-header` policy to enforce that a request has a specified HTTP he
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Choose Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/choose-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Control flow + Use the `choose` policy to conditionally apply policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md). Use the policy for control flow similar to an if-then-else or a switch construct in a programming language.
The `choose` policy must contain at least one `<when/>` element. The `<otherwise
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Examples
This example shows how to perform content filtering by removing data elements fr
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Compute Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/compute-infrastructure.md
Title: Azure API Management compute platform
-description: Learn about the compute platform used to host your API Management service instance. Instances in the dedicated service tiers of API Management are hosted on the stv1 or stv2 compute platform.
+description: Learn about the compute platform used to host your API Management service instance. Instances in the classic service tiers of API Management are hosted on the stv1 or stv2 compute platform.
-# Compute platform for Azure API Management
+# Compute platform for Azure API Management - Classic tiers
+ As a cloud platform-as-a-service (PaaS), Azure API Management abstracts many details of the infrastructure used to host and run your service. You can create, manage, and scale most aspects of your API Management instance without needing to know about its underlying resources.
Most new instances created in service tiers other than the Consumption tier are
## What are the compute platforms for API Management?
-The following table summarizes the compute platforms currently used in the **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management. This table doesn't apply to the [v2 pricing tiers (preview)](#what-about-the-v2-pricing-tiers).
+The following table summarizes the compute platforms currently used in the **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management. This table doesn't apply to the [v2 pricing tiers](#what-about-the-v2-pricing-tiers).
| Version | Description | Architecture | Tiers | | -| -| -- | - |
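Review bot: The sentence above the table still lists **Consumption** next to Developer, Basic, Standard, and Premium, but the H1 in this file now reads "Compute platform for Azure API Management - Classic tiers", and the Gateways lines elsewhere in this update treat "classic" and "consumption" as separate values. Either state in the heading or in this sentence that the table also covers Consumption, or drop Consumption from the list, so the page scope and the table agree. The `Title:` metadata still reads "Azure API Management compute platform" and could be aligned with the new H1 in the same pass.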
Migration steps depend on features enabled in your API Management instance. If t
## What about the v2 pricing tiers?
-The v2 pricing tiers are a new set of tiers for API Management currently in preview. Hosted on a new, highly scalable and available Azure infrastructure that's different from the `stv1` and `stv2` compute platforms, the v2 tiers aren't affected by the retirement of the `stv1` platform.
+The v2 pricing tiers are a new set of tiers for API Management. Hosted on a new, highly scalable and available Azure infrastructure that's different from the `stv1` and `stv2` compute platforms, the v2 tiers aren't affected by the retirement of the `stv1` platform.
The v2 tiers are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. For more information, see [v2 tiers overview](v2-service-tiers-overview.md).
api-management Configure Credential Connection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-credential-connection.md
# Configure multiple connections + You can configure multiple connections to a credential provider in your API Management instance. For example, if you configured Microsoft Entra ID as a credential provider, you might need to create multiple connections for different scenarios and users. In this article, you learn how to add a connection to an existing provider, using credential manager in the portal. For an overview of credential manager, see [About API credentials and credential manager](credentials-overview.md).
api-management Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-custom-domain.md
# Configure a custom domain name for your Azure API Management instance + When you create an Azure API Management service instance in the Azure cloud, Azure assigns it a `azure-api.net` subdomain (for example, `apim-service-name.azure-api.net`). You can also expose your API Management endpoints using your own custom domain name, such as **`contoso.com`**. This article shows you how to map an existing custom DNS name to endpoints exposed by an API Management instance. > [!IMPORTANT]
API Management offers a free, managed TLS certificate for your domain, if you do
* Not supported in the following Azure regions: France South and South Africa West * Currently available only in the Azure cloud * Does not support root domain names (for example, `contoso.com`). Requires a fully qualified name such as `api.contoso.com`.
+* Supports only public domain names
* Can only be configured when updating an existing API Management instance, not when creating an instance
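Review bot: "Supports only public domain names" in the new bullet is ambiguous: it doesn't say whether "public" means a name resolvable through public DNS or something else, and readers who front API Management with private DNS zones need to know exactly which case is excluded from the free managed certificate. Suggest stating the condition precisely and, as the root-domain bullet above does, giving an example of a name that isn't supported.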
api-management Configure Graphql Resolver https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-graphql-resolver.md
# Configure a GraphQL resolver ++ Configure a resolver to retrieve or set data for a GraphQL field in an object type specified in a GraphQL schema. The schema must be imported to API Management as a GraphQL API. Currently, API Management supports resolvers that can access the following data sources:
You can define the resolver as follows:
For more resolver examples, see:
-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
+* [GraphQL resolver policies](api-management-policies.md#graphql-resolvers)
* [Sample APIs for Azure API Management](https://github.com/Azure-Samples/api-management-sample-apis)
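Review bot: The anchor changes to `#graphql-resolvers` but the link text stays "GraphQL resolver policies", while the cosmosdb-data-source-policy.md change in this same update renames the link text to "GraphQL resolvers" for the same target. Use the same link text in both files so readers see one name for the section.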
api-management Cors Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cors-policy.md
Previously updated : 01/02/2024 Last updated : 03/18/2024 # CORS + The `cors` policy adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. [!INCLUDE [api-management-policy-form-alert](../../includes/api-management-policy-form-alert.md)]
The `cors` policy adds cross-origin resource sharing (CORS) support to an operat
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes * You may configure the `cors` policy at more than one scope (for example, at the product scope and the global scope). Ensure that the `base` element is configured at the operation, API, and product scopes to inherit needed policies at the parent scopes.
This example demonstrates how to support [preflight requests](https://developer.
## Related policies
-* [API Management cross-domain policies](api-management-cross-domain-policies.md)
+* [Cross-domain](api-management-policies.md#cross-domain)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Cosmosdb Data Source Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cosmosdb-data-source-policy.md
Previously updated : 06/07/2023 Last updated : 03/18/2024 # Cosmos DB data source for a resolver + The `cosmosdb-data-source` resolver policy resolves data for an object type and field in a GraphQL schema by using a [Cosmos DB](../cosmos-db/introduction.md) data source. The schema must be imported to API Management as a GraphQL API. Use the policy to configure a single query request, read request, delete request, or write request and an optional response from the Cosmos DB data source.
Use the policy to configure a single query request, read request, delete request
## Usage - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver-- [**Gateways:**](api-management-gateways-overview.md) dedicated
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2
### Usage notes
type Query {
## Related policies
-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Credentials Configure Common Providers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-configure-common-providers.md
# Configure common credential providers in credential manager + In this article, you learn about configuring identity providers for managed [connections](credentials-overview.md) in your API Management instance. Settings for the following common providers are shown: * Microsoft Entra provider
api-management Credentials How To Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-how-to-azure-ad.md
# Configure credential manager - Microsoft Graph API + This article guides you through the steps required to create a managed [connection](credentials-overview.md) to the Microsoft Graph API within Azure API Management. The authorization code grant type is used in this example. You learn how to:
The preceding policy definition consists of two parts:
## Related content
-* Learn more about [access restriction policies](api-management-access-restriction-policies.md)
+* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) in Azure API Management.
* Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Microsoft Entra ID.
api-management Credentials How To Github https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-how-to-github.md
# Configure credential manager - GitHub API + In this article, you learn how to create a managed [connection](credentials-overview.md) in API Management and call a GitHub API that requires an OAuth 2.0 token. The authorization code grant type is used in this example. You learn how to:
The preceding policy definition consists of three parts:
## Related content
-* Learn more about [access restriction policies](api-management-access-restriction-policies.md).
+* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization)
* Learn more about GitHub's [REST API](https://docs.github.com/en/rest?apiVersion=2022-11-28)
api-management Credentials How To User Delegated https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-how-to-user-delegated.md
# Configure credential manager - user-delegated access to backend API + This article guides you through the high level steps to configure and use a managed [connection](credentials-overview.md) that grants Microsoft Entra users or groups delegated permissions to a backend OAuth 2.0 API. Follow these steps for scenarios when a client app (or bot) needs to access backend secured online resources on behalf of an authenticated user (for example, checking emails or placing an order). ## Scenario overview
In the preceding policy definition, replace:
## Related content
-* Learn more about [access restriction policies](api-management-access-restriction-policies.md)
+* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization)
* Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Microsoft Entra ID.
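Review bot: The replacement bullet ends without a qualifier or period, while the next bullet in the list ends "in Microsoft Entra ID." and the same edit in credentials-how-to-azure-ad.md reads "[authentication and authorization policies](api-management-policies.md#authentication-and-authorization) in Azure API Management." Suggest using that wording here as well so the two bullets are parallel.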
api-management Credentials Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-overview.md
# About API credentials and credential manager + To help you manage access to backend APIs, your API Management instance includes a *credential manager*. Use credential manager to manage, store, and control access to API credentials from your API Management instance. > [!NOTE]
All underlying connections and access policies are also deleted.
### Are the access tokens cached by API Management?
-In the dedicated service tiers, the access token is cached by the API Management instance until 3 minutes before the token expiration time. If the access token is less than 3 minutes away from expiration, the cached time will be until the access token expires.
+In the classic and v2 service tiers, the access token is cached by the API Management instance until 3 minutes before the token expiration time. If the access token is less than 3 minutes away from expiration, the cached time will be until the access token expires.
Access tokens aren't cached in the Consumption tier.
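Review bot: In the changed line, the second sentence "the cached time will be until the access token expires" is hard to parse, and since the line is already being edited for the tier names this is a good moment to fix it. Suggest: "If the access token is less than 3 minutes from expiration, it's cached until it expires." Token cache lifetime is something readers rely on when reasoning about how long a credential stays usable, so the wording should be unambiguous.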
api-management Credentials Process Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-process-flow.md
# OAuth 2.0 connections in credential manager - process details and flows ++ This article provides details about the process flows for managing OAuth 2.0 connections using credential manager in Azure API Management. The process flows are divided into two parts: **management** and **runtime**. For background about credential manager in API Management, see [About credential manager and API credentials in API Management](credentials-overview.md).
api-management Cross Domain Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cross-domain-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Allow cross-domain calls + Use the `cross-domain` policy to make the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
Child elements must conform to the [Adobe cross-domain policy file specification
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
Child elements must conform to the [Adobe cross-domain policy file specification
## Related policies
-* [API Management cross-domain policies](api-management-cross-domain-policies.md)
+* [Cross-domain](api-management-policies.md#cross-domain)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Developer Portal Alternative Processes Self Host https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-alternative-processes-self-host.md
# Alternative approaches to self-host developer portal + There are several alternative approaches you can explore when you [self-host a developer portal](developer-portal-self-host.md): * Use production builds of the designer and the publisher.
api-management Developer Portal Basic Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-basic-authentication.md
# Configure users of the developer portal to authenticate using usernames and passwords + In the developer portal for Azure API Management, the default authentication method for users is to provide a username and password. In this article, learn how to set up users with basic authentication credentials to the developer portal. For an overview of options to secure the developer portal, see [Secure access to the API Management developer portal](secure-developer-portal-access.md).
For an overview of options to secure the developer portal, see [Secure access to
- Complete the [Create an Azure API Management instance](get-started-create-service-instance.md) quickstart. - [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)]
api-management Developer Portal Extend Custom Functionality https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-extend-custom-functionality.md
# Extend the developer portal with custom widgets ++ The API Management [developer portal](api-management-howto-developer-portal.md) features a visual editor and built-in widgets so that you can customize and style the portal's appearance. However, you may need to customize the developer portal further with custom functionality. For example, you might want to integrate your developer portal with a support system that involves adding a custom interface. This article explains ways to add custom functionality such as custom widgets to your API Management developer portal.
-The following table summarizes three options, with links to more detail.
+The following table summarizes two options, with links to more detail.
|Method |Description | ||| |[Custom HTML code widget](#use-custom-html-code-widget) | - Lightweight solution for API publishers to add custom logic for basic use cases<br/><br/>- Copy and paste custom HTML code into a form, and developer portal renders it in an iframe | |[Create and upload custom widget](#create-and-upload-custom-widget) | - Developer solution for more advanced widget use cases<br/><br/>- Requires local implementation in React, Vue, or plain TypeScript<br/><br/>- Widget scaffold and tools provided to help developers create widget and upload to developer portal<br/><br/>- Widget creation, testing, and deployment can be scripted through open source [React Component Toolkit](#create-custom-widgets-using-open-source-react-component-toolkit)<br/><br/>- Supports workflows for source control, versioning, and code reuse |
-|[Self-host developer portal](developer-portal-self-host.md) | - Legacy extensibility option for customers who need to customize source code of the entire portal core<br/><br/> - Gives complete flexibility for customizing portal experience<br/><br/>- Requires advanced configuration<br/><br/>- Customer responsible for managing complete code lifecycle: fork code base, develop, deploy, host, patch, and upgrade |
+
+> [!NOTE]
+> [Self-hosting the developer portal](developer-portal-self-host.md) is an extensibility option for customers who need to customize the source code of the entire portal core. It gives complete flexibility for customizing portal experience, but requires advanced configuration. With self-hosting, you're responsible for managing complete code lifecycle: fork code base, develop, deploy, host, patch, and upgrade.
+++ ## Use Custom HTML code widget The managed developer portal includes a **Custom HTML code** widget where you can insert HTML code for small portal customizations. For example, use custom HTML to embed a video or to add a form. The portal renders the custom widget in an inline frame (iframe).
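Review bot: the removed table row called self-hosting a "Legacy extensibility option", while the new note says only "an extensibility option"; confirm that dropping "Legacy" is intended, since the text now counts two options and sets self-hosting apart from them. The note would also read better with articles: "the portal experience" and "the complete code lifecycle".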
api-management Developer Portal Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-faq.md
# API Management developer portal - frequently asked questions
-This article provides answers to frequently asked questions about the [developer portal](developer-portal-overview.md) in Azure API Management.
## What if I need functionality that isn't supported in the portal? You have the following options:
-* For small customizations, use a built-in widget to [add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget).
+* For small customizations, use a built-in widget to [add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget). Currently, the custom HTML code widget isn't available in the v2 tiers of API Management.
-* For larger customizations, [create and upload](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget) a custom widget to the managed developer portal.
+* For larger customizations, [create and upload](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget) a custom widget to the managed developer portal. Currently, custom widgets aren't available in the v2 tiers of API Management.
* [Self-host the developer portal](developer-portal-self-host.md), only if you need to make modifications to the core of the developer portal codebase.
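Review bot: the two added sentences say the custom HTML code widget and custom widgets aren't available in the v2 tiers, but the change to developer-portal-extend-custom-functionality.md in this same update, the article both bullets link to, adds no such limitation. Add the v2 caveat there as well so that the how-to and the FAQ agree. Separately, the introductory sentence is removed with no replacement visible here; check that the article still opens with a summary.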
api-management Developer Portal Integrate Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-integrate-application-insights.md
# Integrate Application Insights to developer portal + A popular feature of Azure Monitor is Application Insights. It's an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your developer portal and detect performance anomalies. Application Insights includes powerful analytics tools to help you learn what users actually do while visiting your developer portal. ## Add Application Insights to your portal
api-management Developer Portal Integrate Google Tag Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-integrate-google-tag-manager.md
# Integrate Google Tag Manager to API Management developer portal + [Google Tag Manager](https://developers.google.com/tag-manager) is a tag management system created by Google. You can use it to manage JavaScript and HTML tags used for tracking and analytics on websites. For example, you can use Google Tag Manager to integrate Google Analytics, heatmaps, or chatbots like LiveChat. Follow the steps in this article to plug Google Tag Manager into your managed or self-hosted developer portal in Azure API Management.
api-management Developer Portal Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-overview.md
# Overview of the developer portal + The API Management *developer portal* is an automatically generated, fully customizable website with the documentation of your APIs. It's where API consumers can discover your APIs, learn how to use them, request access, and try them out. This article introduces features of the developer portal, the types of content the portal presents, and options to manage and extend the developer portal for your specific users and scenarios.
api-management Developer Portal Self Host https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-self-host.md
description: Learn how to self-host the developer portal for Azure API Management. Previously updated : 06/07/2022 Last updated : 03/29/2024 # Self-host the API Management developer portal + This tutorial describes how to self-host the [API Management developer portal](api-management-howto-developer-portal.md). Self-hosting is one of several options to [extend the functionality](developer-portal-extend-custom-functionality.md) of the developer portal. For example, you can self-host multiple portals for your API Management instance, with different features. When you self-host a portal, you become its maintainer and you're responsible for its upgrades. > [!IMPORTANT]
This tutorial describes how to self-host the [API Management developer portal](a
If you have already uploaded or modified media files in the managed portal, see [Move from managed to self-hosted](#move-from-managed-to-self-hosted-developer-portal), later in this article. - ## Prerequisites To set up a local development environment, you need to have:
api-management Developer Portal Testing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-testing.md
# Test the self-hosted developer portal + This article explains how to set up unit tests and end-to-end tests for your [self-hosted portal](developer-portal-self-host.md). ## Unit tests
api-management Devops Api Development Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/devops-api-development-templates.md
# Use DevOps and CI/CD to publish APIs + With the strategic value of APIs in the enterprise, adopting DevOps continuous integration (CI) and deployment (CD) techniques has become an important aspect of API development. This article discusses the decisions you'll need to make to adopt DevOps principles for the management of APIs. API DevOps consists of three parts:
api-management Diagnose Solve Problems https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/diagnose-solve-problems.md
Title: Azure API Management Diagnose and solve problems description: Learn how to troubleshoot issues with your API in Azure API Management with the Diagnose and Solve tool in the Azure portal. -+ Last updated 02/05/2021-+ # Azure API Management Diagnostics overview + When you build and manage an API in Azure API Management, you want to be prepared for any issues that may arise, from 404 not found errors to 502 bad gateway error. API Management Diagnostics is an intelligent and interactive experience to help you troubleshoot your API published in APIM with no configuration required. When you do run into issues with your published APIs, API Management Diagnostics points out whatΓÇÖs wrong, and guides you to the right information to quickly troubleshoot and resolve the issue. Although this experience is most helpful when you re having issues with your API within the last 24 hours, all the diagnostic graphs are always available for you to analyze. - ## Open API Management Diagnostics To access API Management Diagnostics, navigate to your API Management service instance in the [Azure portal](https://portal.azure.com). In the left navigation, select **Diagnose and solve problems**.
api-management Diagnostic Logs Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/diagnostic-logs-reference.md
# Diagnostics logs settings reference: API Management + This reference describes settings for API diagnostics logging from an API Management instance. To enable logging of API requests, see the following guidance: * [Collect resource logs](api-management-howto-use-azure-monitor.md#resource-logs)
api-management Edit Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/edit-api.md
# Edit an API + The steps in this tutorial show you how to use API Management to edit an API. + You can add, rename, or delete operations in the Azure portal.
api-management Emit Metric Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/emit-metric-policy.md
Previously updated : 06/02/2023 Last updated : 03/18/2024 # Emit custom metrics + The `emit-metric` policy sends custom metrics in the specified format to Application Insights. > [!NOTE]
The `emit-metric` policy sends custom metrics in the specified format to Applica
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The following example sends a custom metric to count the number of API requests
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Logging](api-management-policies.md#logging)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Enable Cors Power Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/enable-cors-power-platform.md
# Enable CORS policies for API Management custom connector ++ Cross-origin resource sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Customers can add a [CORS policy](cors-policy.md) to their web APIs in Azure API Management, which adds cross-origin resource sharing support to an operation or an API to allow cross-domain calls from browser-based clients. If you've exported an API from API Management as a [custom connector](export-api-power-platform.md) in the Power Platform and want to use browser-based clients including Power Apps or Power Automate to call the API, you need to configure your API to explicitly enable cross-origin requests from Power Platform applications. This article shows you how to configure the following two necessary policy settings:
api-management Export Api Postman https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/export-api-postman.md
# Export API definition to Postman for API testing and monitoring + To enhance development of your APIs, you can export an API fronted in API Management to [Postman](https://www.postman.com/product/what-is-postman/). Export an API definition from API Management as a Postman [collection](https://learning.postman.com/docs/getting-started/creating-the-first-collection/) so that you can use Postman's tools to design, document, test, monitor, and collaborate on APIs. ## Prerequisites
api-management Export Api Power Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/export-api-power-platform.md
# Export APIs from Azure API Management to the Power Platform + Citizen developers using the Microsoft [Power Platform](https://powerplatform.microsoft.com) often need to reach the business capabilities that are developed by professional developers and deployed in Azure. [Azure API Management](https://aka.ms/apimrocks) enables professional developers to publish their backend service as APIs, and easily export these APIs to the Power Platform ([Power Apps](/powerapps/powerapps-overview) and [Power Automate](/power-automate/getting-started)) as custom connectors for discovery and consumption by citizen developers. This article walks through the steps in the Azure portal to create a Power Platform [custom connector](/connectors/custom-connectors/) to an API in API Management. With this capability, citizen developers can use the Power Platform to create and distribute apps that are based on internal and external APIs managed by API Management.
api-management Find And Replace Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/find-and-replace-policy.md
Previously updated : 12/02/2022 Last updated : 03/18/2024 # Find and replace string in body++ The `find-and-replace` policy finds a request or response substring and replaces it with a different substring. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `find-and-replace` policy finds a request or response substring and replaces
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
The `find-and-replace` policy finds a request or response substring and replaces
## Related policies
-* [API Management transformation policies](api-management-transformation-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Forward Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/forward-request-policy.md
Previously updated : 10/19/2023 Last updated : 03/18/2024 # Forward request + The `forward-request` policy forwards the incoming request to the backend service specified in the request [context](api-management-policy-expressions.md#ContextVariables). The backend service URL is specified in the API [settings](./import-and-publish.md) and can be changed using the [set backend service](api-management-transformation-policies.md) policy. > [!IMPORTANT]
The `forward-request` policy forwards the incoming request to the backend servic
- [**Policy sections:**](./api-management-howto-policies.md#sections) backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Examples
This operation level policy doesn't forward requests to the backend service.
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Routing](api-management-policies.md#routing)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
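Review bot: the related-policies link moves to `api-management-policies.md#routing`, but the article's opening paragraph still links "set backend service" to `api-management-transformation-policies.md`, the page that the find-and-replace change in this update stops linking to in favour of `api-management-policies.md#transformation`. Update that link in the same change so that it doesn't go stale.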
api-management Front Door Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/front-door-api-management.md
# Configure Front Door Standard/Premium in front of Azure API Management + Azure Front Door is a modern application delivery network platform providing a secure, scalable content delivery network (CDN), dynamic site acceleration, and global HTTP(s) load balancing for your global web applications. When used in front of API Management, Front Door can provide TLS offloading, end-to-end TLS, load balancing, response caching of GET requests, and a web application firewall, among other capabilities. For a full list of supported features, see [What is Azure Front Door?](../frontdoor/front-door-overview.md) [!INCLUDE [ddos-waf-recommendation](../../includes/ddos-waf-recommendation.md)]
api-management Gateway Log Schema Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/gateway-log-schema-reference.md
# Reference: API Management resource log schema + This article provides a schema reference for the Azure API Management GatewayLogs resource log. Log entries also include fields in the [top-level common schema](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema). To enable collection of the resource log in API Management, see [Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs).
api-management Get Authorization Context Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-authorization-context-policy.md
Previously updated : 11/15/2023 Last updated : 03/18/2024 # Get authorization context + Use the `get-authorization-context` policy to get the authorization context of a specified [connection](credentials-overview.md) (formerly called an *authorization*) to a credential provider that is configured in the API Management instance. The policy fetches and stores authorization and refresh tokens from the configured credential provider using the connection.
class Authorization
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption
### Usage notes
class Authorization
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Get Started Create Service Instance Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-started-create-service-instance-cli.md
ms.devlang: azurecli
# Quickstart: Create a new Azure API Management instance by using the Azure CLI + This quickstart describes the steps for creating a new API Management instance by using Azure CLI commands. After creating an instance, you can use the Azure CLI for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
api-management Get Started Create Service Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-started-create-service-instance.md
# Quickstart: Create a new Azure API Management instance by using the Azure portal + This quickstart describes the steps for creating a new API Management instance using the Azure portal. After creating an instance, you can use the Azure portal for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
api-management Graphql Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-api.md
# Import a GraphQL API + [!INCLUDE [api-management-graphql-intro.md](../../includes/api-management-graphql-intro.md)] In this article, you'll:
If your GraphQL API supports a subscription, you can test it in the test consol
## Secure your GraphQL API
-Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.
+Secure your GraphQL API by applying both existing [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.
[!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]
api-management Graphql Apis Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-apis-overview.md
# Overview of GraphQL APIs in Azure API Management + You can use API Management to manage GraphQL APIs - APIs based on the GraphQL query language. GraphQL provides a complete and understandable description of the data in an API, giving clients the power to efficiently retrieve exactly the data they need. [Learn more about GraphQL](https://graphql.org/learn/) API Management helps you import, manage, protect, test, publish, and monitor GraphQL APIs. You can choose one of two API models:
api-management Graphql Schema Resolve Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-schema-resolve-api.md
Last updated 05/31/2023
# Add a synthetic GraphQL API and set up field resolvers [!INCLUDE [api-management-graphql-intro.md](../../includes/api-management-graphql-intro.md)]
type User {
## Secure your GraphQL API
-Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.
+Secure your GraphQL API by applying both existing [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.
[!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]
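Review bot: this sentence is edited identically in graphql-api.md and in this article, so the two copies can drift apart again. Both articles already pull shared text in through `[!INCLUDE ...]`, so consider moving the "Secure your GraphQL API" paragraph into an include and fixing the link once.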
api-management Grpc Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/grpc-api.md
# Import a gRPC API (preview) + This article shows how to import a gRPC service definition as an API in API Management. You can then manage the API in API Management, secure access and apply other polices, and pass gRPC API requests through the gateway to the gRPC backend. To add a gRPC API to API Management, you need to:
API Management supports pass-through with the following types of gRPC service me
> * Importing a gRPC API is in preview. Currently, gRPC APIs are only supported in the self-hosted gateway, not the managed gateway for your API Management instance. > * Currently, testing gRPC APIs isn't supported in the test console of the Azure portal or in the API Management developer portal. - ## Prerequisites * An API Management instance. If you don't already have one, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
api-management High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/high-availability.md
# Ensure API Management availability and reliability This article introduces service capabilities and considerations to ensure that your API Management instance continues to serve API requests if Azure outages occur.
api-management How To Configure Cloud Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-cloud-metrics-logs.md
# Configure cloud metrics and logs for Azure API Management self-hosted gateway + This article provides details for configuring cloud metrics and logs for the [self-hosted gateway](./self-hosted-gateway-overview.md). The self-hosted gateway has to be associated with an API management service and requires outbound TCP/IP connectivity to Azure on port 443. The gateway leverages the outbound connection to send telemetry to Azure, if configured to do so. - ## Metrics By default, the self-hosted gateway emits a number of metrics through [Azure Monitor](https://azure.microsoft.com/services/monitor/), same as the managed gateway [in the cloud](api-management-howto-use-azure-monitor.md).
api-management How To Configure Local Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-local-metrics-logs.md
# Configure local metrics and logs for Azure API Management self-hosted gateway
-This article provides details for configuring local metrics and logs for the [self-hosted gateway](./self-hosted-gateway-overview.md) deployed on a Kubernetes cluster. For configuring cloud metrics and logs, see [this article](how-to-configure-cloud-metrics-logs.md).
- [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)]
+This article provides details for configuring local metrics and logs for the [self-hosted gateway](./self-hosted-gateway-overview.md) deployed on a Kubernetes cluster. For configuring cloud metrics and logs, see [this article](how-to-configure-cloud-metrics-logs.md).
+ ## Metrics The self-hosted gateway supports [StatsD](https://github.com/statsd/statsd), which has become a unifying protocol for metrics collection and aggregation. This section walks through the steps for deploying StatsD to Kubernetes, configuring the gateway to emit metrics via StatsD, and using [Prometheus](https://prometheus.io/) to monitor the metrics.
api-management How To Configure Service Fabric Backend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-service-fabric-backend.md
# Set up a Service Fabric backend in API Management using the Azure portal + This article shows how to configure a [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) service as a custom API backend using the Azure portal. For demonstration purposes, it shows how to set up a basic stateless ASP.NET Core Reliable Service as the Service Fabric backend. For background, see [Backends in API Management](backends.md).
api-management How To Create Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-create-workspace.md
# Set up a workspace
-Set up a [workspace](workspaces-overview.md) (preview) to enable a decentralized API development team to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. After you create a workspace and assign permissions, workspace collaborators can create and manage their own APIs, products, subscriptions, and related resources.
- [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)]
+Set up a [workspace](workspaces-overview.md) (preview) to enable a decentralized API development team to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. After you create a workspace and assign permissions, workspace collaborators can create and manage their own APIs, products, subscriptions, and related resources.
+ > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations). > * Workspaces are supported in API Management REST API version 2022-09-01-preview or later.
api-management How To Deploy Self Hosted Gateway Azure Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-azure-arc.md
Last updated 06/12/2023
# Deploy an Azure API Management gateway on Azure Arc (preview) + With the integration between Azure API Management and [Azure Arc on Kubernetes](../azure-arc/kubernetes/overview.md), you can deploy the API Management gateway component as an [extension in an Azure Arc-enabled Kubernetes cluster](../azure-arc/kubernetes/extensions.md). Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster expands API Management support for hybrid and multicloud environments. Enable the deployment using a cluster extension to make managing and applying policies to your Azure Arc-enabled cluster a consistent experience.
Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster
> [!NOTE] > You can also deploy the self-hosted gateway [directly to Kubernetes](./how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md). - ## Prerequisites * [Connect your Kubernetes cluster](../azure-arc/kubernetes/quickstart-connect-cluster.md) within a supported Azure Arc region.
api-management How To Deploy Self Hosted Gateway Azure Kubernetes Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md
Last updated 06/11/2021
-# Deploy to Azure Kubernetes Service
+# Deploy an Azure API Management self-hosted gateway to Azure Kubernetes Service
+ This article provides the steps for deploying self-hosted gateway component of Azure API Management to [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/). For deploying self-hosted gateway to a Kubernetes cluster, see the how-to article for deployment by using a [deployment YAML file](how-to-deploy-self-hosted-gateway-kubernetes.md) or [with Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md).
This article provides the steps for deploying self-hosted gateway component of A
> [!NOTE] > You can also deploy self-hosted gateway to an [Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md). - ## Prerequisites - [Create an Azure API Management instance](get-started-create-service-instance.md)
api-management How To Deploy Self Hosted Gateway Container Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-container-apps.md
# Deploy an Azure API Management self-hosted gateway to Azure Container Apps + This article provides the steps to deploy the [self-hosted gateway](self-hosted-gateway-overview.md) component of Azure API Management to [Azure Container Apps](../container-apps/overview.md). Deploy a self-hosted gateway to a container app to access APIs that are hosted in the same Azure Container Apps environment. - ## Prerequisites - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
api-management How To Deploy Self Hosted Gateway Docker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-docker.md
# Deploy an Azure API Management self-hosted gateway to Docker + This article provides the steps for deploying self-hosted gateway component of Azure API Management to a Docker environment. [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)]
This article provides the steps for deploying self-hosted gateway component of A
> [!NOTE] > Hosting self-hosted gateway in Docker is best suited for evaluation and development use cases. Kubernetes is recommended for production use. Learn how to [deploy with Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md) or using [deployment YAML file](how-to-deploy-self-hosted-gateway-kubernetes.md) to learn how to deploy self-hosted gateway to Kubernetes. - ## Prerequisites - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md)
api-management How To Deploy Self Hosted Gateway Kubernetes Helm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes-helm.md
Last updated 12/21/2021
-# Deploy to Kubernetes with Helm
+# Deploy self-hosted gateway to Kubernetes with Helm
+ [Helm][helm] is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications. It allows you to manage Kubernetes charts, which are packages of pre-configured Kubernetes resources.
This article provides the steps for deploying self-hosted gateway component of A
> [!NOTE] > You can also deploy self-hosted gateway to an [Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md). - ## Prerequisites - Create a Kubernetes cluster, or have access to an existing one.
api-management How To Deploy Self Hosted Gateway Kubernetes Opentelemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md
Last updated 12/17/2021
# Deploy self-hosted gateway to Kubernetes with OpenTelemetry integration + This article describes the steps for deploying the self-hosted gateway component of Azure API Management to a Kubernetes cluster and automatically send all metrics to an [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/). [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-opentelemetry.md)]
You learn how to:
> * Generate metrics by consuming APIs on the self-hosted gateway. > * Use the metrics from the OpenTelemetry Collector. - ## Prerequisites - [Create an Azure API Management instance](get-started-create-service-instance.md)
api-management How To Deploy Self Hosted Gateway Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md
Last updated 05/22/2023
# Deploy a self-hosted gateway to Kubernetes with YAML + This article describes the steps for deploying the self-hosted gateway component of Azure API Management to a Kubernetes cluster. [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)]
This article describes the steps for deploying the self-hosted gateway component
> [!NOTE] > You can also deploy self-hosted gateway to an [Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md). - ## Prerequisites - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
api-management How To Event Grid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-event-grid.md
# Send events from API Management to Event Grid + API Management integrates with [Azure Event Grid](../event-grid/overview.md) so that you can send event notifications to other services and trigger downstream processes. Event Grid is a fully managed event routing service that uses a publish-subscribe model. Event Grid has built-in support for Azure services like [Azure Functions](../azure-functions/functions-overview.md) and [Azure Logic Apps](../logic-apps/logic-apps-overview.md), and can deliver event alerts to non-Azure services using webhooks. For example, using integration with Event Grid, you can build an application that updates a database, creates a billing account, and sends an email notification each time a user is added to your API Management instance.
api-management How To Self Hosted Gateway On Kubernetes In Production https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md
Last updated 01/17/2023
# Guidance for running self-hosted gateway on Kubernetes in production + In order to run the self-hosted gateway in production, there are various aspects to take in to mind. For example, it should be deployed in a highly available manner, use configuration backups to handle temporary disconnects and many more. This article provides guidance on how to run [self-hosted gateway](./self-hosted-gateway-overview.md) on Kubernetes for production workloads to ensure that it will run smoothly and reliably. [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)] - ## Access token Without a valid access token, a self-hosted gateway can't access and download configuration data from the endpoint of the associated API Management service. The access token can be valid for a maximum of 30 days. It must be regenerated, and the cluster configured with a fresh token, either manually or via automation before it expires.
api-management How To Server Sent Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-server-sent-events.md
Last updated 02/24/2022
# Configure API for server-sent events + This article provides guidelines for configuring an API in API Management that implements server-sent events (SSE). SSE is based on the HTML5 `EventSource` standard for streaming (pushing) data automatically to a client over HTTP after a client has established a connection. > [!TIP]
This article provides guidelines for configuring an API in API Management that i
- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md). - An API that implements SSE. [Import and publish](import-and-publish.md) the API to your API Management instance using one of the supported import methods. - ## Guidelines for SSE Follow these guidelines when using API Management to reach a backend API that implements SSE.
-* **Choose service tier for long-running HTTP connections** - SSE relies on a long-running HTTP connection. Long-running connections are supported in the dedicated API Management tiers, but not in the Consumption tier.
+* **Choose service tier for long-running HTTP connections** - SSE relies on a long-running HTTP connection that is supported in certain API Management [pricing tiers](api-management-key-concepts.md#api-management-tiers). Long-running connections are supported in the classic and v2 API Management tiers, but not in the Consumption tier.
* **Keep idle connections alive** - If a connection between client and backend could be idle for 4 minutes or longer, implement a mechanism to keep the connection alive. For example, enable a TCP keepalive signal at the backend of the connection, or send traffic from the client side at least once per 4 minutes.
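Review bot: The added bullet states the tier support twice: its first sentence says the long-running connection "is supported in certain API Management pricing tiers", and the second sentence then lists the tiers. Suggest collapsing these into one sentence that keeps the pricing-tiers link and the explicit list (classic and v2 supported, Consumption not), so readers don't have to reconcile "certain tiers" with the list that follows.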
Follow these guidelines when using API Management to reach a backend API that im
* **Avoid logging request/response body for Azure Monitor, Application Insights, and Event Hubs** - You can configure API request logging for Azure Monitor or Application Insights using diagnostic settings. The diagnostic settings allow you to log the request/response body at various stages of the request execution. For APIs that implement SSE, this can cause unexpected buffering which can lead to problems. Diagnostic settings for Azure Monitor and Application Insights configured at the global/All APIs scope apply to all APIs in the service. You can override the settings for individual APIs as needed. When logging to Event Hubs, you configure the scope and amount of context information for request/response logging by using the [log-to-eventhubs](api-management-howto-log-event-hubs.md#configure-log-to-eventhub-policy). For APIs that implement SSE, ensure you have disabled request/response body logging for Azure Monitor, Application Insights, and Event Hubs.
-* **Disable response caching** - To ensure that notifications to the client are timely, verify that [response caching](api-management-howto-cache.md) isn't enabled. For more information, see [API Management caching policies](api-management-caching-policies.md).
+* **Disable response caching** - To ensure that notifications to the client are timely, verify that [response caching](api-management-howto-cache.md) isn't enabled. For more information, see [API Management caching policies](api-management-policies.md#caching).
* **Test API under load** - Follow general practices to test your API under load to detect performance or configuration issues before going into production.
api-management Howto Protect Backend Frontend Azure Ad B2c https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/howto-protect-backend-frontend-azure-ad-b2c.md
# Protect serverless APIs with Azure API Management and Azure AD B2C for consumption from a SPA + This scenario shows you how to configure your Azure API Management instance to protect an API. We'll use the Azure AD B2C SPA (Auth Code + PKCE) flow to acquire a token, alongside API Management to secure an Azure Functions backend using EasyAuth.
Open the Azure AD B2C blade in the portal and do the following steps.
> > We still have no IP security applied, if you have a valid key and OAuth2 token, anyone can call this from anywhere - ideally we want to force all requests to come via API Management. >
- > If you're using the API Management Consumption, Basic v2, and Standard v2 tiers then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-and-standard-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management dedicated tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply.
+ > If you're using the API Management Consumption, Basic v2, and Standard v2 tiers then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-and-standard-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management classic (dedicated) tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply.
1. Close the 'Authentication' blade from the App Service / Functions portal. 1. Open the *API Management blade of the portal*, then open *your instance*.
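Review bot: The added line keeps the hard-coded reference "steps 12-17 below do not apply", while the list that follows uses auto-numbered `1.` items, so the range will silently point at the wrong steps as soon as a step is added or removed. Suggest identifying the steps by what they do rather than by number, or marking each affected step as applying only to the classic (dedicated) tiers.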
api-management Howto Use Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/howto-use-analytics.md
Title: Use API analytics in Azure API Management | Microsoft Docs
-description: Use analytics in Azure API Management to help you understand and categorize the usage of your APIs and API performance.
+description: Use analytics in Azure API Management to understand and categorize the usage of your APIs and API performance. Analytics is provided using an Azure workbook.
Previously updated : 02/23/2022 Last updated : 03/26/2024 + # Get API analytics in Azure API Management
-Azure API Management provides built-in analytics for your APIs. Analyze the usage and performance of the APIs in your API Management instance across several dimensions, including:
+
+Azure API Management provides analytics for your APIs so that you can analyze their usage and performance. Use analytics for high-level monitoring and troubleshooting of your APIs. For other monitoring features, including near real-time metrics and resource logs for diagnostics and auditing, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md).
+++
+## About API analytics
+
+* API Management provides analytics using an [Azure Monitor-based dashboard](../azure-monitor/visualize/workbooks-overview.md). The dashboard aggregates data in an Azure Log Analytics workspace.
+
+* In the classic API Management service tiers, your API Management instance also includes legacy *built-in analytics* in the Azure portal, and analytics data can be accessed using the API Management REST API. Equivalent data is shown in the Azure Monitor-based dashboard and built-in analytics.
+
+> [!IMPORTANT]
+> * The Azure Monitor-based dashboard is the recommended way to access analytics data.
+> * Legacy built-in analytics isn't available in the v2 tiers.
+
+With API analytics, analyze the usage and performance of the APIs in your API Management instance across several dimensions, including:
* Time * Geography
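Review bot: The new "About API analytics" bullets and the [!IMPORTANT] block leave the Consumption tier unaddressed: they say legacy built-in analytics exists "In the classic API Management service tiers" and "isn't available in the v2 tiers". Other articles in this change set list gateways as "classic, v2, consumption", so a reader on Consumption can't tell which statement applies. Suggest stating Consumption availability explicitly in one of the two places.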
Azure API Management provides built-in analytics for your APIs. Analyze the usag
* Requests > [!NOTE]
-> * API analytics provides data on requests (including failed and unauthorized requests) that are matched with an API and operation. Other calls aren't reported.
+> * API analytics provides data on requests, including failed and unauthorized requests.
> * Geography values are approximate based on IP address mapping.
+> * There may be a delay of 15 minutes or more in the availability of analytics data.
+## Azure Monitor-based dashboard
-Use analytics for high-level monitoring and troubleshooting of your APIs. For additional monitoring features, including near real-time metrics and resource logs for diagnostics and auditing, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md).
+To use the Azure Monitor-based dashboard, you need to configure a Log Analytics workspace as a data source for API Management gateway logs.
+If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs). This is a one-time setup.
-## Analytics - portal
+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
+1. In the left-hand menu, under **Monitoring**, select **Diagnostic settings** > **+ Add diagnostic setting**.
+1. Enter a descriptive name for the diagnostic setting.
+1. In **Logs**, select **Logs related to ApiManagement Gateway**.
+1. In **Destination details**, select **Send to Log Analytics** and select a Log Analytics workspace in the same or a different subscription. If you need to create a workspace, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md).
+1. Accept defaults for other settings, or customize as needed. Select **Save**.
-Use the Azure portal to review analytics data at a glance for your API Management instance.
+### Access the dashboard
-1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
-1. In the left-hand menu, under **Monitoring**, select **Analytics**.
+After a Log Analytics workspace is configured, access the Azure Monitor-based dashboard to analyze the usage and performance of your APIs.
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
+1. In the left-hand menu, under **Monitoring**, select **Insights**. The analytics dashboard opens.
+1. Select a time range for data.
+1. Select a report category for analytics data, such as **Timeline**, **Geography**, and so on.
+
+## Legacy built-in analytics
- :::image type="content" source="media/howto-use-analytics/monitoring-menu-analytics.png" alt-text="Select analytics for API Management instance in portal":::
+In certain API Management service tiers, built-in analytics is also available in the Azure portal, and analytics data can be accessed using the API Management REST API.
+
+### Built-in analytics - portal
+
+To access the built-in analytics in the Azure portal:
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
+1. In the left-hand menu, under **Monitoring**, select **Analytics**.
1. Select a time range for data, or enter a custom time range. 1. Select a report category for analytics data, such as **Timeline**, **Geography**, and so on. 1. Optionally, filter the report by one or more additional categories.
-## Analytics - REST API
+### Analytics - REST API
-Use [Reports](/rest/api/apimanagement/current-ga/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance.
+Use [Reports](/rest/api/apimanagement/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance.
Available operations return report records by API, geography, API operations, product, request, subscription, time, or user.
-## Next steps
+## Related content
* For an introduction to Azure Monitor features in API Management, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md) * For detailed HTTP logging and monitoring, see [Monitor your APIs with Azure API Management, Event Hubs, and Moesif](api-management-log-to-eventhub-sample.md).
-* Learn about integrating [Azure API Management with Azure Application Insights](api-management-howto-app-insights.md).
+* Learn about integrating [Azure API Management with Azure Application Insights](api-management-howto-app-insights.md).
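Review bot: The rewritten [!NOTE] drops the statements that analytics covers only requests "matched with an API and operation" and that "Other calls aren't reported", so readers can no longer tell whether unmatched calls show up in the dashboard. If the limitation still holds, keep the sentence; if it applies only to legacy built-in analytics, move it under that heading. Separately, "In certain API Management service tiers" under "Legacy built-in analytics" is vaguer than the "classic API Management service tiers" wording added earlier in the same file. Use the same term in both places.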
api-management Http Data Source Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/http-data-source-policy.md
# HTTP data source for a resolver + The `http-data-source` resolver policy configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. The schema must be imported to API Management as a GraphQL API. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `http-data-source` resolver policy configures the HTTP request and optionall
## Usage - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption
### Usage notes
For this example, we mock the customer results from an external source, and hard
## Related policies
-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Import And Publish https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-and-publish.md
# Tutorial: Import and publish your first API + This tutorial shows how to import an OpenAPI specification backend API in JSON format into Azure API Management. Microsoft provides the backend API used in this example, and hosts it on Azure at `https://conferenceapi.azurewebsites.net`. Once you import the backend API into API Management, your API Management API becomes a façade for the backend API. You can customize the façade to your needs in API Management without touching the backend API. For more information, see [Transform and protect your API](transform-api.md).
api-management Import Api From Oas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-api-from-oas.md
# Import an OpenAPI specification + This article shows how to import an "OpenAPI specification" backend API residing at `https://conferenceapi.azurewebsites.net?format=json`. This backend API is provided by Microsoft and hosted on Azure. The article also shows how to test the APIM API. In this article, you learn how to:
After importing the API, if needed, you can update the settings by using the [Se
## Validate against an OpenAPI specification
-You can configure API Management [validation policies](api-management-policies.md#validation-policies) to validate requests and responses (or elements of them) against the schema in an OpenAPI specification. For example, use the [validate-content](validate-content-policy.md) policy to validate the size or content of a request or response body.
+You can configure API Management [validation policies](api-management-policies.md#content-validation) to validate requests and responses (or elements of them) against the schema in an OpenAPI specification. For example, use the [validate-content](validate-content-policy.md) policy to validate the size or content of a request or response body.
## Next steps
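Review bot: In the changed line the link target moves to `api-management-policies.md#content-validation`, but the link text still reads "validation policies". Suggest aligning the link text with the section the anchor now points to, so the label matches what readers land on. Also confirm that the anchor resolves in the consolidated policy reference.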
api-management Import Api From Odata https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-api-from-odata.md
# Import an OData API + This article shows how to import an OData-compliant service as an API in API Management. In this article, you learn how to:
api-management Import App Service As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-app-service-as-api.md
# Import an Azure Web App as an API + This article shows how to import an Azure Web App to Azure API Management and test the imported API, using the Azure portal. > [!NOTE]
api-management Import Container App With Oas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-container-app-with-oas.md
# Import an Azure Container App as an API + This article shows how to import an Azure Container App to Azure API Management and test the imported API using the Azure portal. In this article, you learn how to: > [!div class="checklist"]
api-management Import Function App As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-function-app-as-api.md
# Import an Azure Function App as an API in Azure API Management + Azure API Management supports importing Azure Function Apps as new APIs or appending them to existing APIs. The process automatically generates a host key in the Azure Function App, which is then assigned to a named value in Azure API Management. This article walks through importing and testing an Azure Function App as an API in Azure API Management.
api-management Import Logic App As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-logic-app-as-api.md
# Import a Logic App as an API + This article shows how to import a Logic App as an API and test the imported API. In this article, you learn how to:
api-management Import Soap Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-soap-api.md
# Import SOAP API to API Management + This article shows how to import a WSDL specification, which is a standard XML representation of a SOAP API. The article also shows how to test the API in API Management. In this article, you learn how to:
api-management Include Fragment Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/include-fragment-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Include fragment + The `include-fragment` policy inserts the contents of a previously created [policy fragment](policy-fragments.md) in the policy definition. A policy fragment is a centrally managed, reusable XML policy snippet that can be included in policy definitions in your API Management instance. The policy inserts the policy fragment as-is at the location you select in the policy definition.
The policy inserts the policy fragment as-is at the location you select in the p
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
In the following example, the policy fragment named *myFragment* is added in the
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Integrate Vnet Outbound https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/integrate-vnet-outbound.md
Previously updated : 11/20/2023 Last updated : 03/13/2024
-# Integrate an Azure API Management instance with a private VNet for outbound connections (preview)
+# Integrate an Azure API Management instance with a private VNet for outbound connections
+ This article guides you through the process of configuring *VNet integration* for your Azure API Management instance so that your API Management instance can make outbound requests to API backends that are isolated in the network.
When an API Management instance is integrated with a virtual network for outboun
:::image type="content" source="./media/integrate-vnet-outbound/vnet-integration.svg" alt-text="Diagram of integrating API Management instance with a delegated subnet." ::: - ## Prerequisites - An Azure API Management instance in the [Standard v2](v2-service-tiers-overview.md) pricing tier
api-management Invoke Dapr Binding Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/invoke-dapr-binding-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Trigger output binding + The `invoke-dapr-binding` policy instructs API Management gateway to trigger an outbound Dapr [binding](https://github.com/dapr/docs/blob/master/README.md). The policy accomplishes that by making an HTTP POST request to `http://localhost:3500/v1.0/bindings/{{bind-name}},` replacing the template parameter and adding content specified in the policy statement. The policy assumes that Dapr runtime is running in a sidecar container in the same pod as the gateway. Dapr runtime is responsible for invoking the external resource represented by the binding. Learn more about [Dapr integration with API Management](self-hosted-gateway-enable-dapr.md).
The "backend" section is empty and the request is not forwarded to the backend.
## Related policies
-* [API Management Dapr integration policies](api-management-dapr-policies.md)
+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Ip Filter Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/ip-filter-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Restrict caller IPs + The `ip-filter` policy filters (allows/denies) calls from specific IP addresses and/or address ranges. [!INCLUDE [api-management-policy-form-alert](../../includes/api-management-policy-form-alert.md)]
The `ip-filter` policy filters (allows/denies) calls from specific IP addresses
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
In the following example, the policy only allows requests coming either from the
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Json To Xml Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/json-to-xml-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Convert JSON to XML++ The `json-to-xml` policy converts a request or response body from JSON to XML. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `json-to-xml` policy converts a request or response body from JSON to XML.
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
The XML response to the client will be:
## Related policies
-* [API Management transformation policies](api-management-transformation-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Jsonp Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/jsonp-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # JSONP + The `jsonp` policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `jsonp` policy adds JSON with padding (JSONP) support to an operation or an
- [**Policy sections:**](./api-management-howto-policies.md#sections) outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
If you add the callback parameter `?cb=XXX`, it will return a JSONP result, wrap
## Related policies
-* [API Management cross-domain policies](api-management-cross-domain-policies.md)
+* [Cross-domain](api-management-policies.md#cross-domain)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Limit Concurrency Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/limit-concurrency-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Limit concurrency + The `limit-concurrency` policy prevents enclosed policies from executing by more than the specified number of requests at any time. When that number is exceeded, new requests will fail immediately with the `429` Too Many Requests status code. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `limit-concurrency` policy prevents enclosed policies from executing by more
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
The following example demonstrates how to limit number of requests forwarded to
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Log To Eventhub Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/log-to-eventhub-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Log to event hub + The `log-to-eventhub` policy sends messages in the specified format to an event hub defined by a [Logger](/rest/api/apimanagement/current-ga/logger) entity. As its name implies, the policy is used for saving selected request or response context information for online or offline analysis. > [!NOTE]
The `log-to-eventhub` policy sends messages in the specified format to an event
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
Any string can be used as the value to be logged in Event Hubs. In this example
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Migrate Stv1 To Stv2 No Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/migrate-stv1-to-stv2-no-vnet.md
# Migrate a non-VNet-injected API Management instance to the stv2 compute platform + This article provides steps to migrate an API Management instance hosted on the `stv1` compute platform in-place to the `stv2` platform when the instance *is not* injected (deployed) in an external or internal VNet. For this scenario, migrate your instance using the Azure portal or the [Migrate to stv2](/rest/api/apimanagement/current-g#how-do-i-know-which-platform-hosts-my-api-management-instance). If you need to migrate a *VNnet-injected* API Management hosted on the `stv1` platform, see [Migrate a VNet-injected API Management instance to the stv2 platform](migrate-stv1-to-stv2-vnet.md).
If you need to migrate a *VNnet-injected* API Management hosted on the `stv1` pl
> * Depending on your migration process, you might have temporary downtime during migration, and you might need to update your network dependencies after migration to reach your API Management instance. Plan your migration accordingly. > * Migration to `stv2` is not reversible. - ## What happens during migration? API Management platform migration from `stv1` to `stv2` involves updating the underlying compute alone and has no impact on the service/API configuration persisted in the storage layer. For an instance that's not deployed in a VNet:
api-management Migrate Stv1 To Stv2 Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/migrate-stv1-to-stv2-vnet.md
# Migrate a VNet-injected API Management instance hosted on the stv1 platform to stv2 + This article provides steps to migrate an API Management instance hosted on the `stv1` compute platform in-place to the `stv2` platform when the instance is injected (deployed) in an [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) VNet. For this scenario, migrate your instance by updating the VNet configuration settings. [Find out if you need to do this](compute-infrastructure.md#how-do-i-know-which-platform-hosts-my-api-management-instance). If you need to migrate a *non-VNnet-injected* API Management hosted on the `stv1` platform, see [Migrate a non-VNet-injected API Management instance to the stv2 platform](migrate-stv1-to-stv2-no-vnet.md).
If you need to migrate a *non-VNnet-injected* API Management hosted on the `stv1
> * The VIP address of your instance will change. After migration, you'll need to update any network dependencies including DNS, firewall rules, and VNets to use the new VIP address. Plan your migration accordingly. > * Migration to `stv2` is not reversible. - ## What happens during migration? API Management platform migration from `stv1` to `stv2` involves updating the underlying compute alone and has no impact on the service/API configuration persisted in the storage layer.
api-management Migrate Stv1 To Stv2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/migrate-stv1-to-stv2.md
# Migrate an API Management instance hosted on the stv1 platform to stv2 + Here we help you find guidance to migrate your API Management instance hosted on the `stv1` compute platform to the newer `stv2` platform. [Find out if you need to do this](compute-infrastructure.md#how-do-i-know-which-platform-hosts-my-api-management-instance). There are two different migration scenarios, depending on whether or not your API Management instance is currently deployed (injected) in an [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) VNet. Choose the migration guide for your scenario. Both scenarios migrate an existing instance in-place to the `stv2` platform.
api-management Mitigate Owasp Api Threats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mitigate-owasp-api-threats.md
# Recommendations to mitigate OWASP API Security Top 10 threats using API Management + The Open Web Application Security Project ([OWASP](https://owasp.org/about/)) Foundation works to improve software security through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences. The OWASP [API Security Project](https://owasp.org/www-project-api-security/) focuses on strategies and solutions to understand and mitigate the unique *vulnerabilities and security risks of APIs*. In this article, we'll discuss recommendations to use Azure API Management to mitigate the top 10 API threats identified by OWASP.
More information about this threat: [API2:2019 Broken User Authentication](https
Use API Management for user authentication and authorization:
-* **Authentication** - API Management supports the following [authentication methods](api-management-authentication-policies.md):
+* **Authentication** - API Management supports the following [authentication methods](api-management-policies.md#authentication-and-authorization):
* [Basic authentication](authentication-basic-policy.md) policy - Username and password credentials.
Use API Management for user authentication and authorization:
More recommendations:
-* Use [access restriction policies](api-management-access-restriction-policies.md) in API Management to increase security. For example, [call rate limiting](rate-limit-policy.md) slows down bad actors using brute force attacks to compromise credentials.
+* Use policies in API Management to increase security. For example, [call rate limiting](rate-limit-policy.md) slows down bad actors using brute force attacks to compromise credentials.
* APIs should use TLS/SSL (transport security) to protect the credentials or tokens. Credentials and tokens should be sent in request headers and not as query parameters.
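Review bot: The rewritten bullet under "More recommendations" drops its link target, so "Use policies in API Management to increase security" no longer tells the reader which policies are meant. Other hunks in this change repoint removed category pages to anchors in api-management-policies.md (for example `#authentication-and-authorization` in this same file). Doing the same here would keep the brute-force rate-limiting example tied to a concrete policy list instead of a generic statement.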
More information about this threat: [API3:2019 Excessive Data Exposure](https://
* [Versions](api-management-versions.md) for breaking changes, for example, the removal of a field from an interface.
-* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](transform-api.md) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body.
+* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](api-management-policies.md#transformation) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body.
* [Response content validation](validate-content-policy.md) in API Management can be used with an XML or JSON schema to block responses with undocumented properties or improper values. The policy also supports blocking responses exceeding a specified size.
More information about this threat: [API6:2019 Mass assignment](https://github.c
* Precisely define XML and JSON contracts in the API schema and use [validate content](validate-content-policy.md) and [validate parameters](validate-parameters-policy.md) policies to block requests and responses with undocumented properties. Blocking requests with undocumented properties mitigates attacks, while blocking responses with undocumented properties makes it harder to reverse-engineer potential attack vectors.
-* If the backend interface can't be changed, use [transformation policies](transform-api.md) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md).
+* If the backend interface can't be changed, use [transformation policies](api-management-policies.md#transformation) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md).
## Security misconfiguration
More information about this threat: [API7:2019 Security misconfiguration](https:
* Configure the [CORS](cors-policy.md) policy and don't use wildcard `*` for any configuration option. Instead, explicitly list allowed values.
- * Set [validation policies](validation-policies.md) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response.
+ * Set [validation policies](api-management-policies.md#content-validation) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response.
* If API Management is outside a network boundary, client IP validation is still possible using the [restrict caller IPs](ip-filter-policy.md) policy. Ensure that it uses an allowlist, not a blocklist.
More information about this threat: [API8:2019 Injection](https://github.com/OWA
> [!IMPORTANT] > Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or backend API itself. Possible mitigations include: [network ACLs](../virtual-network/network-security-groups-overview.md), using API Management policy to [restrict inbound traffic by client IP](ip-filter-policy.md), removing public access where not required, and [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) (also known as mutual TLS or mTLS).
-* Use schema and parameter [validation](validation-policies.md) policies, where applicable, to further constrain and validate the request before it reaches the backend API service.
+* Use schema and parameter [validation](api-management-policies.md#content-validation) policies, where applicable, to further constrain and validate the request before it reaches the backend API service.
The schema supplied with the API definition should have a regex pattern constraint applied to vulnerable fields. Each regex should be tested to ensure that it constrains the field sufficiently to mitigate common injection attempts.
api-management Mock Api Responses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mock-api-responses.md
# Tutorial: Mock API responses + Backend APIs are imported into an API Management (APIM) API or created and managed manually. The steps in this tutorial, show you how to: + Use API Management to create a blank HTTP API
api-management Mock Response Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mock-response-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Mock response + The `mock-response` policy, as the name implies, is used to mock APIs and operations. It cancels normal pipeline execution and returns a mocked response to the caller. The policy always tries to return responses of highest fidelity. It prefers response content examples, when available. It generates sample responses from schemas, when schemas are provided and examples aren't. If neither examples or schemas are found, responses with no content are returned. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `mock-response` policy, as the name implies, is used to mock APIs and operat
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The `mock-response` policy, as the name implies, is used to mock APIs and operat
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Monetization Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/monetization-overview.md
# Monetization with Azure API Management + Modern web APIs underpin the digital economy. They provide a company's intellectual property (IP) to third parties and generate revenue by: - Packaging IP in the form of data, algorithms, or processes.
api-management Monetization Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/monetization-support.md
# How API Management supports monetization + With [Azure API Management](./api-management-key-concepts.md) service platform, you can: * Publish APIs, to which your consumers subscribe. * De-risk implementation.
api-management Observability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/observability.md
# Observability in Azure API Management + Observability is the ability to understand the internal state of a system from the data it produces and the ability to explore that data to answer questions about what happened and why. Azure API Management helps organizations centralize the management of all APIs. Since it serves as a single point of entry of all API traffic, it is an ideal place to observe the APIs.
Azure API Management allows you to choose to use the managed gateway or [self-ho
The table below summarizes all the observability capabilities supported by API Management to operate APIs and what deployment models they support. These capabilities can be used by API publishers and others who have permissions to operate or manage the API Management instance. > [!NOTE]
-> For API consumers who use the developer portal, a built-in API report is available. It only provides information about their individual API usage during the preceding 90 days.
+> For API consumers who use the developer portal, a built-in API report is available. It only provides information about their individual API usage during the preceding 90 days. Currently, the built-in API report is not available in the developer portal for the v2 service tiers.
> | Tool | Useful for | Data lag | Retention | Sampling | Data kind | Supported Deployment Model(s) | |:- |:-|:- |:-|:- |: |:- |
api-management Plan Manage Costs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/plan-manage-costs.md
Last updated 06/11/2021
# Plan and manage costs for API Management + This article describes how you plan for and manage costs for Azure API Management. First, you use the Azure pricing calculator to help plan for API Management costs before you add any resources for the service to estimate costs. After you've started using API Management resources, use Cost Management features to set budgets and monitor costs. You can also review forecasted costs and identify spending trends to identify areas where you might want to act. Costs for API Management are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan for and manage costs for API Management, you're billed for all Azure services and resources used in your Azure subscription, including the third-party services.
When you create or use Azure resources with API Management, you'll get charged b
| Tiers | Description | | -- | -- | | Consumption | Incurs no fixed costs. You are billed based on the number of API calls to the service above a certain threshold. |
-| Developer, Basic, Standard, and Premium | Incur monthly costs, based on the number of [units](./api-management-capacity.md) and [self-hosted gateways](./self-hosted-gateway-overview.md). Self-hosted gateways are free for the Developer tier. [Upgrade](./upgrade-and-scale.md) to a different service tier at any time. |
+| Developer, Basic, Basic v2, Standard, Standard v2, and Premium | Incur monthly costs, based on the number of [units](./api-management-capacity.md) and [self-hosted gateways](./self-hosted-gateway-overview.md). Self-hosted gateways are free for the Developer tier. Different [upgrade](./upgrade-and-scale.md) options are available, depending on your service tier. |
You may also incur additional charges when you use other Azure resources with API Management, like virtual networks, availability zones, and multi-region writes. At the end of your billing cycle, the charges for each meter are summed. Your bill or invoice shows a section for all API Management costs. There's a separate line item for each meter.
api-management Policy Fragments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-fragments.md
# Reuse policy configurations in your API Management policy definitions + This article shows you how to create and use *policy fragments* in your API Management policy definitions. Policy fragments are centrally managed, reusable XML snippets containing one or more API Management [policy](api-management-howto-policies.md) configurations. Policy fragments help you configure policies consistently and maintain policy definitions without needing to repeat or retype XML code.
api-management Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-reference.md
# Azure Policy built-in policy definitions for Azure API Management + This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy definitions for Azure API Management. For additional Azure Policy built-ins for other services, see [Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md). If you're looking for policies you can use to modify API behavior in API Management, see [API Management policy reference](api-management-policies.md).
api-management Powershell Create Service Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/powershell-create-service-instance.md
# Quickstart: Create a new Azure API Management instance by using PowerShell + In this quickstart, you create a new API Management instance by using Azure PowerShell cmdlets. After creating an instance, you can use Azure PowerShell cmdlets for common management actions such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
api-management Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/private-endpoint.md
Last updated 03/20/2023
# Connect privately to API Management using an inbound private endpoint + You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). * The private endpoint uses an IP address from an Azure VNet in which it's hosted.
You can configure an inbound [private endpoint](../private-link/private-endpoint
[!INCLUDE [api-management-private-endpoint](../../includes/api-management-private-endpoint.md)] -- ## Limitations * Only the API Management instance's Gateway endpoint supports inbound Private Link connections.
api-management Protect With Ddos Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/protect-with-ddos-protection.md
# Defend your Azure API Management instance against DDoS attacks + This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling [Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md). Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.ΓÇï [!INCLUDE [ddos-waf-recommendation](../../includes/ddos-waf-recommendation.md)] - ## Supported configurations Enabling Azure DDoS Protection for API Management is supported only for instances **deployed (injected) in a VNet** in [external mode](api-management-using-with-vnet.md) or [internal mode](api-management-using-with-internal-vnet.md).
api-management Protect With Defender For Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/protect-with-defender-for-apis.md
# Enable advanced API security features using Microsoft Defender for Cloud + [Defender for APIs](/azure/defender-for-cloud/defender-for-apis-introduction), a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), offers full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service empowers security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes. Capabilities of Defender for APIs include:
Capabilities of Defender for APIs include:
This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs. - ## Plan limitations * Currently, Defender for APIs discovers and analyzes REST APIs only.
api-management Proxy Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/proxy-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set HTTP proxy + The `proxy` policy allows you to route requests forwarded to backends via an HTTP proxy. Only HTTP (not HTTPS) is supported between the gateway and the proxy. Basic and NTLM authentication only. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `proxy` policy allows you to route requests forwarded to backends via an HTT
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
In this example, [named values](api-management-howto-properties.md) are used for
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Routing](api-management-policies.md#routing)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Publish Event Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/publish-event-policy.md
Previously updated : 05/24/2023 Last updated : 03/18/2024 # Publish event to GraphQL subscription + The `publish-event` policy publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a [GraphQL resolver](configure-graphql-resolver.md) for a related field in the schema for another operation type such as a mutation. At runtime, the event is published to connected GraphQL clients. Learn more about [GraphQL APIs in API Management](graphql-apis-overview.md). [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `publish-event` policy publishes an event to one or more subscriptions speci
- [**Policy sections:**](./api-management-howto-policies.md#sections) `http-response` element in `http-data-source` resolver - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver only-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption
### Usage notes
type Subscription {
## Related policies
-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Publish To Dapr Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/publish-to-dapr-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Send message to Pub/Sub topic + The `publish-to-dapr` policy instructs API Management gateway to send a message to a Dapr Publish/Subscribe topic. The policy accomplishes that by making an HTTP POST request to `http://localhost:3500/v1.0/publish/{{pubsub-name}}/{{topic}}`, replacing template parameters and adding content specified in the policy statement. The policy assumes that Dapr runtime is running in a sidecar container in the same pod as the gateway. Dapr runtime implements the Pub/Sub semantics. Learn more about [Dapr integration with API Management](self-hosted-gateway-enable-dapr.md).
The "backend" section is empty and the request is not forwarded to the backend.
## Related policies
-* [API Management Dapr integration policies](api-management-dapr-policies.md)
+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Quickstart Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-arm-template.md
Previously updated : 12/12/2023 Last updated : 03/25/2024 # Quickstart: Create a new Azure API Management service instance using an ARM template + This quickstart describes how to use an Azure Resource Manager template (ARM template) to create an Azure API Management instance. You can also use ARM templates for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
More Azure API Management template samples can be found in [Azure Quickstart Tem
- **Region**: select a location for the resource group. Example: **Central US**. - **Publisher Email**: enter an email address to receive notifications. - **Publisher Name**: enter a name you choose for the API publisher.
- - **Sku**: accept the default value of **Developer**.
+ - **Sku**: accept the default value of **Developer**. Alternatively, choose another value.
- **Sku Count**: accept the default value. - **Location**: accept the generated location for the API Management service.
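Review bot: The sentence added to the **Sku** step, "Alternatively, choose another value.", gives no hint of what the other values are or what changes when one is picked. The tip changed later in this file now says creation times vary by tier, so name the allowed values here or link to where the tiers are described, so that the reader makes the choice knowingly.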
More Azure API Management template samples can be found in [Azure Quickstart Tem
1. Select **Review + Create**, then review the terms and conditions. If you agree, select **Create**. > [!TIP]
- > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier.
+ > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. Times vary by tier.
1. After the instance has been created successfully, you get a notification:
api-management Quickstart Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-bicep.md
tags: azure-resource-manager, bicep
Previously updated : 12/12/2023 Last updated : 03/25/2024 # Quickstart: Create a new Azure API Management service instance using Bicep + This quickstart describes how to use a Bicep file to create an Azure API Management instance. You can also use Bicep for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
The following resource is defined in the Bicep file:
- **[Microsoft.ApiManagement/service](/azure/templates/microsoft.apimanagement/service)**
-In this example, the Bicep file configures the API Management instance in the Developer tier, an economical option to evaluate Azure API Management. This tier isn't for production use.
+In this example, the Bicep file by default configures the API Management instance in the Developer tier, an economical option to evaluate Azure API Management. This tier isn't for production use.
More Azure API Management Bicep samples can be found in [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Apimanagement&pageNumber=1&sort=Popular).
You can use Azure CLI or Azure PowerShell to deploy the Bicep file. For more in
When the deployment finishes, you should see a message indicating the deployment succeeded.
+ > [!TIP]
+ > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. Times vary by tier.
+ ## Review deployed resources Use the Azure portal, Azure CLI or Azure PowerShell to list the deployed App Configuration resource in the resource group.
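Review bot: The context line under "Review deployed resources" tells the reader to list the deployed "App Configuration resource", but this quickstart deploys `Microsoft.ApiManagement/service`. Since this section is already being touched to add the TIP, correct the wording to "API Management resource" in the same change. The new TIP is also placed after "you should see a message indicating the deployment succeeded"; consider moving it before the deploy step so readers see the 30 to 40 minute estimate before they start waiting.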
api-management Quickstart Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-terraform.md
ai-usage: ai-assisted
# Quickstart: Create an Azure API Management instance using Terraform + This article shows how to use [Terraform](/azure/terraform) to create an API Management instance on Azure. You can also use Terraform for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
api-management Quota By Key Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quota-by-key-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set usage quota by key + The `quota-by-key` policy enforces a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. The key can have an arbitrary string value and is typically provided using a policy expression. Optional increment condition can be added to specify which requests should be counted towards the quota. If multiple policies would increment the same key value, it is incremented only once per request. When the quota is exceeded, the caller receives a `403 Forbidden` response status code, and the response includes a `Retry-After` header whose value is the recommended retry interval in seconds. To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)
To understand the difference between rate limits and quotas, [see Rate limits an
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, self-hosted
### Usage notes
For more information and examples of this policy, see [Advanced request throttli
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
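Review bot: The new Gateways line for `quota-by-key` reads "classic, self-hosted" and omits v2, while the `rate-limit-by-key`, `quota` and `rate-limit` articles in this same batch all list "classic, v2, ...". Confirm the omission is intentional. If `quota-by-key` really is unsupported on v2 gateways, say so under Usage notes, because anyone relying on this policy for per-key quota enforcement needs to know it will not be enforced there.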
api-management Quota Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quota-policy.md
Previously updated : 09/27/2022 Last updated : 03/18/2024 # Set usage quota by subscription + The `quota` policy enforces a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. When the quota is exceeded, the caller receives a `403 Forbidden` response status code, and the response includes a `Retry-After` header whose value is the recommended retry interval in seconds. To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)
To understand the difference between rate limits and quotas, [see Rate limits an
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) product-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
To understand the difference between rate limits and quotas, [see Rate limits an
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Rate Limit By Key Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rate-limit-by-key-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 + # Limit call rate by key + The `rate-limit-by-key` policy prevents API usage spikes on a per key basis by limiting the call rate to a specified number per a specified time period. The key can have an arbitrary string value and is typically provided using a policy expression. Optional increment condition can be added to specify which requests should be counted towards the limit. When this call rate is exceeded, the caller receives a `429 Too Many Requests` response status code. To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)
To understand the difference between rate limits and quotas, [see Rate limits an
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, self-hosted
### Usage notes
For more information and examples of this policy, see [Advanced request throttli
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Rate Limit Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rate-limit-policy.md
Previously updated : 01/11/2023 Last updated : 03/18/2024 # Limit call rate by subscription + The `rate-limit` policy prevents API usage spikes on a per subscription basis by limiting the call rate to a specified number per a specified time period. When the call rate is exceeded, the caller receives a `429 Too Many Requests` response status code. To understand the difference between rate limits and quotas, [see Rate limits and quotas.](./api-management-sample-flexible-throttling.md#rate-limits-and-quotas)
To understand the difference between rate limits and quotas, [see Rate limits an
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
In the following example, the per subscription rate limit is 20 calls per 90 sec
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Redirect Content Urls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/redirect-content-urls-policy.md
Previously updated : 12/02/2022 Last updated : 03/18/2024 # Mask URLs in content++ The `redirect-content-urls` policy rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to rewrite response body links to the backend service to make them point to the gateway. Use in the inbound section for an opposite effect. > [!NOTE]
The `redirect-content-urls` policy rewrites (masks) links in the response body s
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The `redirect-content-urls` policy rewrites (masks) links in the response body s
## Related policies
-* [API Management transformation policies](api-management-transformation-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Restify Soap Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/restify-soap-api.md
# Import SOAP API to API Management and convert to REST + This article shows how to import a SOAP API as a WSDL specification and then convert it to a REST API. The article also shows how to test the API in API Management. In this article, you learn how to:
api-management Retry Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/retry-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Retry + The `retry` policy executes its child policies once and then retries their execution until the retry `condition` becomes `false` or retry `count` is exhausted. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `retry` policy may contain any other policies as its child elements.
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Examples
In the following example, sending a request to a URL other than the defined back
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Return Response Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/return-response-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Return response + The `return-response` policy cancels pipeline execution and returns either a default or custom response to the caller. Default response is `200 OK` with no body. Custom response can be specified via a context variable or policy statements. When both are provided, the response contained within the context variable is modified by the policy statements before being returned to the caller. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `return-response` policy cancels pipeline execution and returns either a def
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The `return-response` policy cancels pipeline execution and returns either a def
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
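Review bot: The Related policies link for `return-response` now points to `api-management-policies.md#transformation`, whereas `retry`, which was moved off the same "API Management advanced policies" page in this batch, points to `#policy-control-and-flow`. The article describes `return-response` as cancelling pipeline execution and returning a response, which is flow control rather than message transformation, so check that the anchor matches the category the policy is actually listed under in `api-management-policies.md`.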
api-management Rewrite Uri Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rewrite-uri-policy.md
Previously updated : 03/28/2023 Last updated : 03/18/2024 # Rewrite URL + The `rewrite-uri` policy converts a request URL from its public form to the form expected by the web service, as shown in the following example. - Public URL - `http://api.example.com/storenumber/ordernumber`
This policy can be used when a human and/or browser-friendly URL should be trans
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
You can only add query string parameters using the policy. You can't add extra t
## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)
+- [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Sap Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/sap-api.md
Last updated 07/21/2023
# Import SAP OData metadata as an API + This article shows how to import an OData service using its metadata description. In this article, [SAP Gateway Foundation](https://help.sap.com/viewer/product/SAP_GATEWAY) serves as an example. In this article, you'll:
Choose one of the following methods to import your API to API Management: import
:::image type="content" source="media/sap-api/get-root-operation.png" alt-text="Get operation for service root":::
-Also, configure authentication to your backend using an appropriate method for your environment. For examples, see [API Management authentication policies](api-management-authentication-policies.md).
+Also, configure authentication to your backend using an appropriate method for your environment. For examples, see [API Management authentication and authorization policies](api-management-policies.md#authentication-and-authorization).
## Test your API
api-management Secure Developer Portal Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/secure-developer-portal-access.md
# Secure access to the API Management developer portal + API Management has a fully customizable, standalone, managed [developer portal](api-management-howto-developer-portal.md), which can be used externally (or internally) to allow developer users to discover and interact with the APIs published through API Management. The developer portal has several options to facilitate secure user sign-up and sign-in.
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/06/2024 Last updated : 03/18/2024
# Azure Policy Regulatory Compliance controls for Azure API Management + [Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md) provides Microsoft created and managed initiative definitions, known as _built-ins_, for the **compliance domains** and **security controls** related to different compliance standards. This
api-management Self Hosted Gateway Arc Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-arc-reference.md
# Reference: Self-hosted gateway Azure Arc configuration settings + This article provides a reference for required and optional settings that are used to configure the Azure Arc extension for API Management [self-hosted gateway container](self-hosted-gateway-overview.md). [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-azure-arc.md)]
api-management Self Hosted Gateway Enable Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-azure-ad.md
# Use Microsoft Entra authentication for the self-hosted gateway + The Azure API Management [self-hosted gateway](self-hosted-gateway-overview.md) needs connectivity with its associated cloud-based API Management instance for reporting status, checking for and applying configuration updates, and sending metrics and events. In addition to using a gateway access token (authentication key) to connect with its cloud-based API Management instance, you can enable the self-hosted gateway to authenticate to its associated cloud instance by using an [Microsoft Entra app](../active-directory/develop/app-objects-and-service-principals.md). With Microsoft Entra authentication, you can configure longer expiry times for secrets and use standard steps to manage and rotate secrets in Active Directory.
api-management Self Hosted Gateway Enable Dapr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-dapr.md
# Enable Dapr support in the self-hosted gateway + Dapr integration in API Management enables operations teams to directly expose Dapr microservices deployed on Kubernetes clusters as APIs, and make those APIs discoverable and easily consumable by developers with proper controls across multiple Dapr deploymentsΓÇöwhether in the cloud, on-premises, or on the edge. ## About Dapr
template:
## Dapr integration policies
-API Management provides specific [policies](api-management-policies.md#dapr-integration-policies) to interact with Dapr APIs exposed through the self-hosted gateway.
+API Management provides specific [policies](api-management-policies.md#integration-and-external-communication) to interact with Dapr APIs exposed through the self-hosted gateway.
## Next steps
api-management Self Hosted Gateway Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-migration-guide.md
# Self-hosted gateway migration guide + This article explains how to migrate existing self-hosted gateway deployments to self-hosted gateway v2. > [!IMPORTANT] > Support for Azure API Management self-hosted gateway version 0 and version 1 container images is ending on 1 October 2023, along with its corresponding Configuration API v1. [Learn more in our deprecation documentation](./breaking-changes/self-hosted-gateway-v0-v1-retirement-oct-2023.md) - ## What's new? As we strive to make it easier for customers to deploy our self-hosted gateway, we've **introduced a new configuration API** that removes the dependency on Azure Storage, unless you're using [API inspector](api-management-howto-api-inspector.md) or quotas.
api-management Self Hosted Gateway Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-overview.md
# Self-hosted gateway overview + The self-hosted gateway is an optional, containerized version of the default managed gateway included in every API Management service. It's useful for scenarios such as placing gateways in the same environments where you host your APIs. Use the self-hosted gateway to improve API traffic flow and address API security and compliance requirements. This article explains how the self-hosted gateway feature of Azure API Management enables hybrid and multicloud API management, presents its high-level architecture, and highlights its capabilities. For an overview of the features across the various gateway offerings, see [API gateway in API Management](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways). - ## Hybrid and multicloud API management The self-hosted gateway feature expands API Management support for hybrid and multicloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
api-management Self Hosted Gateway Settings Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-settings-reference.md
# Reference: Self-hosted gateway container configuration settings + This article provides a reference for required and optional settings that are used to configure the API Management [self-hosted gateway container](self-hosted-gateway-overview.md). To learn more about our (Kubernetes) production guidance, we recommend reading [this article](how-to-self-hosted-gateway-on-kubernetes-in-production.md).
api-management Self Hosted Gateway Support Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-support-policies.md
Last updated 05/12/2023
# Support policies for self-hosted gateway + The Azure API Management service, in the Developer and Premium tiers, allows the deployment of the API Management gateway as a container running in on-premises infrastructure, other clouds, and Azure infrastructure options that support containers. This article provides details about technical support policies and limitations for the API Management [self-hosted gateway](self-hosted-gateway-overview.md). [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)] - ## Differences between managed gateway and self-hosted gateway When deploying an instance of the API Management service, you'll always get a managed API gateway as part of the service. This gateway runs in infrastructure managed by Azure, and the software is also managed, updated, and managed by Azure.
api-management Send One Way Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/send-one-way-request-policy.md
Previously updated : 08/02/2023 Last updated : 03/18/2024 # Send one way request + The `send-one-way-request` policy sends the provided request to the specified URL without waiting for a response. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `send-one-way-request` policy sends the provided request to the specified UR
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
This example uses the `send-one-way-request` policy to send a message to a Slack
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Intergration and external communication](api-management-policies.md#integration-and-external-communication)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
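Review bot: Typo in the added Related policies link text: "Intergration and external communication" should be "Integration and external communication", matching the anchor `#integration-and-external-communication` and the same link in the `send-request` and `set-backend-service` (Dapr) articles.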
api-management Send Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/send-request-policy.md
Previously updated : 08/02/2023 Last updated : 03/18/2024 # Send request + The `send-request` policy sends the provided request to the specified URL, waiting no longer than the set timeout value. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
This example shows one way to verify a reference token with an authorization ser
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Backend Service Dapr Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-backend-service-dapr-policy.md
Previously updated : 12/07/2022 Last updated : 03/18/2024 # Send request to a service + The `set-backend-service` policy sets the target URL for the current request to `http://localhost:3500/v1.0/invoke/{app-id}[.{ns-name}]/method/{method-name}`, replacing template parameters with values specified in the policy statement. The policy assumes that Dapr runs in a sidecar container in the same pod as the gateway. Upon receiving the request, Dapr runtime performs service discovery and actual invocation, including possible protocol translation between HTTP and gRPC, retries, distributed tracing, and error handling. Learn more about [Dapr integration with API Management](self-hosted-gateway-enable-dapr.md).
The `forward-request` policy is shown here for clarity. The policy is typically
## Related policies
-* [API Management Dapr integration policies](api-management-dapr-policies.md)
+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Backend Service Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-backend-service-policy.md
Previously updated : 03/14/2024 Last updated : 03/18/2024 # Set backend service++ Use the `set-backend-service` policy to redirect an incoming request to a different backend than the one specified in the API settings for that operation. This policy changes the backend service base URL of the incoming request to a URL or [backend](backends.md) specified in the policy. Referencing a backend entity allows you to manage the backend service base URL and other settings in a single place and reuse them across multiple APIs and operations. Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool-preview) and [circuit breaker rules](backends.md#circuit-breaker-preview) to protect the backend from too many requests.
Referencing a backend entity allows you to manage the backend service base URL a
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
Initially the backend service base URL is derived from the API settings. So the
When the [<choose\>](choose-policy.md) policy statement is applied the backend service base URL may change again either to `http://contoso.com/api/8.2` or `http://contoso.com/api/9.1`, depending on the value of the version request query parameter. For example, if the value is `"2013-15"` the final request URL becomes `http://contoso.com/api/8.2/partners/15?version=2013-15&subscription-key=abcdef`.
-If further transformation of the request is desired, other [Transformation policies](api-management-transformation-policies.md) can be used. For example, to remove the version query parameter now that the request is being routed to a version specific backend, the [Set query string parameter](set-query-parameter-policy.md) policy can be used to remove the now redundant version attribute.
+If further transformation of the request is desired, other [Transformation policies](api-management-policies.md#transformation) can be used. For example, to remove the version query parameter now that the request is being routed to a version specific backend, the [Set query string parameter](set-query-parameter-policy.md) policy can be used to remove the now redundant version attribute.
### Route requests to a service fabric backend
In this example the policy routes the request to a service fabric backend, using
## Related policies
-* [API Management transformation policies](api-management-transformation-policies.md)
+* [Routing](api-management-policies.md#routing)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Body Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-body-policy.md
Previously updated : 02/02/2024 Last updated : 03/18/2024 # Set body + Use the `set-body` policy to set the message body for a request or response. To access the message body you can use the `context.Request.Body` property or the `context.Response.Body`, depending on whether the policy is in the inbound or outbound section. > [!IMPORTANT]
OriginalUrl.
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The following example uses the `AsFormUrlEncodedContent()` expression to access
## Related policies
-* [API Management transformation policies](api-management-transformation-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Edit Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-edit-policies.md
# How to set or edit Azure API Management policies + This article shows you how to configure policies in your API Management instance by editing policy definitions in the Azure portal. Each policy definition is an XML document that describes a sequence of inbound and outbound statements that run sequentially on an API request and response. The policy editor in the portal provides guided forms for API publishers to add and edit policies in policy definitions. You can also edit the XML directly in the policy code editor.
api-management Set Header Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-header-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set header + The `set-header` policy assigns a value to an existing HTTP response and/or request header or adds a new response and/or request header. Use the policy to insert a list of HTTP headers into an HTTP message. When placed in an inbound pipeline, this policy sets the HTTP headers for the request being passed to the target service. When placed in an outbound pipeline, this policy sets the HTTP headers for the response being sent to the gatewayΓÇÖs client.
The `set-header` policy assigns a value to an existing HTTP response and/or requ
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
This example shows how to apply policy at the API level to supply context inform
## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)
+- [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Method Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-method-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set request method + The `set-method` policy allows you to change the HTTP request method for a request. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The value of the element specifies the HTTP method, such as `POST`, `GET`, and s
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
This example uses the `set-method` policy to send a message to a Slack chat room
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Query Parameter Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-query-parameter-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set query string parameter + The `set-query-parameter` policy adds, replaces value of, or deletes request query string parameter. Can be used to pass query parameters expected by the backend service which are optional or never present in the request. [!INCLUDE [api-management-policy-form-alert](../../includes/api-management-policy-form-alert.md)]
The `set-query-parameter` policy adds, replaces value of, or deletes request que
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Examples
The `set-query-parameter` policy adds, replaces value of, or deletes request que
## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)
+- [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Status Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-status-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set status code ++ The `set-status` policy sets the HTTP status code to the specified value. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `set-status` policy sets the HTTP status code to the specified value.
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
This example shows how to return a 401 response if the authorization token is in
``` - ## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Set Variable Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-variable-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Set variable
-The `set-variable` policy declares a [context](api-management-policy-expressions.md#ContextVariables) variable and assigns it a value specified via an [expression](api-management-policy-expressions.md) or a string literal. if the expression contains a literal it will be converted to a string and the type of the value will be `System.String`.
+
+The `set-variable` policy declares a [context](api-management-policy-expressions.md#ContextVariables) variable and assigns it a value specified via an [expression](api-management-policy-expressions.md) or a string literal. If the expression contains a literal it will be converted to a string and the type of the value will be `System.String`.
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `set-variable` policy declares a [context](api-management-policy-expressions
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Allowed types
The following example demonstrates a `set-variable` policy in the inbound sectio
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Soft Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/soft-delete.md
Last updated 02/07/2022
# API Management soft-delete (preview) + With API Management soft-delete, you can recover and restore a recently deleted API Management instance. This feature protects against accidental deletion of your API Management instance. Currently, depending on how you delete an API Management instance, the instance is either soft-deleted and recoverable during a retention period, or it's permanently deleted:
api-management Sql Data Source Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/sql-data-source-policy.md
Previously updated : 06/07/2023 Last updated : 03/18/2024 # Azure SQL data source for a resolver + The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request to an [Azure SQL](/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview) database and an optional response to resolve data for an object type and field in a GraphQL schema. The schema must be imported to API Management as a GraphQL API. > [!NOTE]
The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request
## Usage - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver-- [**Gateways:**](api-management-gateways-overview.md) dedicated
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2
### Usage notes
The following example resolves a GraphQL mutation using a T-SQL INSERT statement
## Related policies
-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Trace Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/trace-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Trace + The `trace` policy adds a custom trace into the request tracing output in the test console, Application Insights telemetries, and/or resource logs. - The policy adds a custom trace to the [request tracing](./api-management-howto-api-inspector.md) output in the test console when tracing is triggered, that is, `Ocp-Apim-Trace` request header is present and set to `true` and `Ocp-Apim-Subscription-Key` request header is present and holds a valid key that allows tracing.
The `trace` policy adds a custom trace into the request tracing output in the te
[!INCLUDE [api-management-tracing-alert](../../includes/api-management-tracing-alert.md)] + [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)] ## Policy statement
The `trace` policy adds a custom trace into the request tracing output in the te
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
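Review bot: The Gateways line now lists v2, but the policy description ties the custom trace to the request tracing output in the test console, and the v2 tiers overview changed in this same update lists "Request tracing in the test console" as unavailable in the v2 tiers. Add a usage note saying which trace destinations (test console, Application Insights, resource logs) apply on v2 gateways so the two articles do not contradict each other.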
The `trace` policy adds a custom trace into the request tracing output in the te
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Logging](api-management-policies.md#logging)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Transform Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/transform-api.md
# Tutorial: Transform and protect your API + In this tutorial, you'll learn about configuring common [policies](api-management-howto-policies.md) to transform your API. You might want to transform your API so it doesn't reveal private backend info. Transforming an API can help you hide the technology stack info that's running in the backend, or hide the original URLs that appear in the body of the API's HTTP response. This tutorial also explains how to add protection to your backend API by configuring a rate limit policy, so that the API isn't overused by developers. For more policy options, see [API Management policies](api-management-policies.md).
api-management Troubleshoot Response Timeout And Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/troubleshoot-response-timeout-and-errors.md
# Troubleshooting client response timeouts and errors with API Management + This article helps you troubleshoot intermittent connection errors and related latency issues in [Azure API Management](./api-management-key-concepts.md). Specifically, this article will provide information and troubleshooting for the exhaustion of source address network translation (SNAT) ports. If you require more help, contact the Azure experts at [Azure Community Support](https://azure.microsoft.com/support/community/) or file a support request with [Azure Support](https://azure.microsoft.com/support/options/). ## Symptoms
For more, see [Add caching to improve performance in Azure API Management](api-m
If it makes sense for your business scenario, you can implement access restriction policies for your API Management product. For example, the `rate-limit-by-key` policy can be used to prevent API usage spikes on a per key basis by limiting the call rate per a specified time period.
-See [API Management access restriction policies](api-management-access-restriction-policies.md) for more info.
+See [Rate limiting and quota policies](api-management-policies.md#rate-limiting-and-quotas) for more info.
## See also
api-management Upgrade And Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/upgrade-and-scale.md
Previously updated : 03/30/2023 Last updated : 03/21/2024 # Upgrade and scale an Azure API Management instance
-Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency.
+Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency.
> [!NOTE]
-> * In the **Standard** and **Premium** tiers of the API Management service, you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules.
+> * In the **Basic**, **Standard**, and **Premium** tiers of the API Management service, you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules.
> * API Management instances in the **Consumption** tier scale automatically based on the traffic. Currently, you cannot upgrade from or downgrade to the Consumption tier. The throughput and price of each unit depend on the [service tier](api-management-features.md) in which the unit exists. If you need to increase capacity for a service within a tier, you should add a unit. If the tier that is currently selected in your API Management instance doesn't allow adding more units, you need to upgrade to a higher-level tier.
->[!NOTE]
->See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) for features, scale limits, and estimated throughput in each tier. To get more accurate throughput numbers, you need to look at a realistic scenario for your APIs. See [Capacity of an Azure API Management instance](api-management-capacity.md).
+> [!NOTE]
+> See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) for features, scale limits, and estimated throughput in each tier. To get more accurate throughput numbers, you need to look at a realistic scenario for your APIs. See [Capacity of an Azure API Management instance](api-management-capacity.md).
## Prerequisites
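Review bot: The autoscale bullet in the first note now reads "In the **Basic**, **Standard**, and **Premium** tiers", but this article now also names **Basic v2** and **Standard v2** as dedicated tiers, so a reader cannot tell whether autoscale applies to them. If the rule covers only the classic tiers, say so explicitly, for example "In the classic **Basic**, **Standard**, and **Premium** tiers". The pricing URL in the second note still carries `utm_source`, `utm_medium` and `utm_campaign=visualstudio` tracking parameters, which could be dropped while the line is being touched.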
To follow the steps from this article, you must:
## Upgrade and scale
-You can choose between four dedicated tiers: **Developer**, **Basic**, **Standard**, and **Premium**.
+You can choose between the following dedicated tiers: **Developer**, **Basic**, **Basic v2**, **Standard**, **Standard v2**, and **Premium**.
* The **Developer** tier should be used to evaluate the service; it shouldn't be used for production. The **Developer** tier doesn't have SLA and you can't scale this tier (add/remove units).
-* **Basic**, **Standard**, and **Premium** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing).
+* **Basic**, **Basic v2**, **Standard**, **Standard v2**, and **Premium** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing).
* The **Premium** tier enables you to distribute a single Azure API Management instance across any number of desired Azure regions. When you initially create an Azure API Management service, the instance contains only one unit and resides in a single Azure region (the **primary** region). Additional regions can be easily added. When adding a region, you specify the number of units you want to allocate. For example, you can have one unit in the primary region and five units in some other region. You can tailor the number of units to the traffic you have in each region. For more information, see [How to deploy an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md).
-* You can upgrade and downgrade to and from any dedicated service tier. Downgrading can remove some features. For example, downgrading to Standard or Basic from the Premium tier can remove virtual networks or multi-region deployment.
+* You can upgrade and downgrade to and from certain dedicated services tiers:
+ * You can upgrade and downgrade to and from classic tiers (**Developer**, **Basic**, **Standard**, and **Premium**).
+
+ * You can upgrade and downgrade to and from v2 tiers (**Basic v2** and **Standard v2**).
+
+ Downgrading can remove some features. For example, downgrading to **Standard** or **Basic** from the **Premium** tier can remove virtual networks or multi-region deployment.
> [!NOTE]
-> The upgrade or scale process can take from 15 to 45 minutes to apply. You get notified when it is done.
+> The upgrade or scale process can take up to 15 to 45 minutes to apply. You get notified when it is done.
## Scale your API Management instance
+You can use the portal to scale your API Management instance. How you scale depends on the service tier you are using.
+ ![Scale API Management service in Azure portal](./media/upgrade-and-scale/portal-scale.png)
+### Add or remove units - classic service tiers
+ 1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
-1. Select **Locations** from the menu.
+1. Select **Locations** from the left-hand menu.
1. Select the row with the location you want to scale. 1. Specify the new number of **Units** - use the slider if available, or select or type the number. 1. Select **Apply**. > [!NOTE]
-> In the Premium service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md).
+> In the **Premium** service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md).
+
+### Add or remove units - v2 service tiers
+
+1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
+1. Select **Scale** from the left-hand menu.
+1. Specify the new number of **Units** - use the slider, or select or type the number.
+1. Select **Save**.
## Change your API Management service tier
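Review bot: "can take up to 15 to 45 minutes" in the changed note mixes an upper bound with a range, so the reader cannot tell whether the limit is 15 or 45 minutes; keep the original "from 15 to 45 minutes" or write "up to 45 minutes". In the new upgrade bullet, "dedicated services tiers" should be "dedicated service tiers", and the two sub-bullets only imply that moving between a classic tier and a v2 tier is unsupported; state that restriction directly. The classic steps end with **Apply** while the new v2 steps end with **Save**; confirm both labels match the portal.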
You can choose between four dedicated tiers: **Developer**, **Basic**, **Standa
1. Select **Save**. ## Downtime during scaling up and down
-If you're scaling from or to the Developer tier, there will be downtime. Otherwise, there is no downtime.
+If you're scaling from or to the **Developer** tier, there will be downtime. Otherwise, there is no downtime.
## Compute isolation If your security requirements include [compute isolation](../azure-government/azure-secure-isolation-guidance.md#compute-isolation), you can use the **Isolated** pricing tier. This tier ensures the compute resources of an API Management service instance consume the entire physical host and provide the necessary level of isolation required to support, for example, US Department of Defense Impact Level 5 (IL5) workloads. To get access to the Isolated tier, [create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md).
-## Next steps
+## Related content
- [How to deploy an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md) - [How to automatically scale an Azure API Management service instance](api-management-howto-autoscale.md)
api-management V2 Service Tiers Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/v2-service-tiers-overview.md
Title: Azure API Management - v2 tiers (preview)
-description: Introduction to key scenarios, capabilities, and concepts of the v2 tiers (SKUs) of the Azure API Management service. The v2 tiers are in preview.
+ Title: Azure API Management - v2 tiers
+description: Introduction to key scenarios, capabilities, and concepts of the v2 tiers (SKUs) of the Azure API Management service.
Previously updated : 01/31/2024 Last updated : 03/21/2024
-# New Azure API Management tiers (preview)
+# Azure API Management v2 tiers
-We're introducing a new set of pricing tiers (SKUs) for Azure API Management: the *v2 tiers*. The new tiers are built on a new, more reliable and scalable platform and are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios.
-Currently in preview, the following v2 tiers are available:
+We're introducing a new set of pricing tiers (SKUs) for Azure API Management: the *v2 tiers*. The new tiers are built on a new, more reliable and scalable platform and are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. The v2 tiers are in addition to the existing classic tiers (Developer, Basic, Standard, and Premium) and the Consumption tier. [Learn more](api-management-key-concepts.md#api-management-tiers).
-* **Basic v2** - The Basic v2 tier is designed for development and testing scenarios, and is supported with an SLA. In the Basic v2 tier, the developer portal is an optional add-on.
+The following v2 tiers are generally available:
-* **Standard v2** - Standard v2 is a production-ready tier with support planned for advanced API Management features previously available only in a Premium tier of API Management, including high availability and networking options.
+* **Basic v2** - The Basic v2 tier is designed for development and testing scenarios, and is supported with an SLA.
+
+* **Standard v2** - Standard v2 is a production-ready tier with support for network-isolated backends.
## Key capabilities
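Review bot: The rewritten intro paragraph still opens with "We're introducing a new set of pricing tiers" even though the title drops "New" and "(preview)" and the following line says the tiers are generally available. Reword the opening so it describes the v2 tiers as an available offering rather than an announcement, and end the appended "[Learn more]" link target sentence consistently with the other "Learn more" links in the article.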
Currently in preview, the following v2 tiers are available:
* **More options for production workloads** - The v2 tiers are all supported with an SLA. Upgrade from Basic v2 to Standard v2 to add more production options.
-* **Developer portal options** - Enable the [developer portal](api-management-howto-developer-portal.md) when you're ready to let API consumers discover your APIs. The developer portal is included in the Standard v2 tier, and is an add-on in the Basic v2 tier.
+* **Developer portal options** - Enable the [developer portal](api-management-howto-developer-portal.md) when you're ready to let API consumers discover your APIs.
## Networking options
-In preview, the v2 tiers currently support the following options to limit network traffic from your API Management instance to protected API backends:
--
-* **Standard v2**
-
- **Outbound** - VNet integration to allow your API Management instance to reach API backends that are isolated in a VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. The VNet must be in the same region as the API Management instance. [Learn more](integrate-vnet-outbound.md).
+The Standard v2 tier supports VNet integration to allow your API Management instance to reach API backends that are isolated in a single connected VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. The VNet must be in the same region as the API Management instance. [Learn more](integrate-vnet-outbound.md).
-
-## Features and limitations
+## Features
### API version
-The v2 tiers are supported in API Management API version **2023-03-01-preview** or later.
+The v2 tiers are supported in API Management API version **2023-05-01-preview** or later.
### Supported regions-
-In preview, the v2 tiers are available in the following regions:
-
-* East US
+The v2 tiers are available in the following regions:
* South Central US * West US * France Central
+* Germany West Central
* North Europe * West Europe * UK South
+* UK West
* Brazil South
+* Australia Central
* Australia East * Australia Southeast * East Asia
+* Southeast Asia
+* Korea Central
### Feature availability
-Most capabilities of the existing (v1) tiers are planned for the v2 tiers. However, the following capabilities aren't supported in the v2 tiers:
+Most capabilities of the classic API Management tiers are supported in the v2 tiers. However, the following capabilities aren't supported in the v2 tiers:
* API Management service configuration using Git * Back up and restore of API Management instance * Enabling Azure DDoS Protection
+* Built-in analytics (replaced with Azure Monitor-based dashboard)
-### Preview limitations
-
-Currently, the following API Management capabilities are unavailable in the v2 tiers preview and are planned for later release. Where indicated, certain features are planned only for the Standard v2 tier. Features may be enabled during the preview period.
+### Limitations
+The following API Management capabilities are currently unavailable in the v2 tiers.
**Infrastructure and networking**
-* Zone redundancy (*Standard v2*)
-* Multi-region deployment (*Standard v2*)
-* Multiple custom domain names (*Standard v2*)
+* Zone redundancy
+* Multi-region deployment
+* Multiple custom domain names
* Capacity metric * Autoscaling
-* Built-in analytics
* Inbound connection using a private endpoint
+* Injection in a VNet in external mode or internal mode
* Upgrade to v2 tiers from v1 tiers
-* Workspaces (*Standard v2*)
+* Workspaces
**Developer portal** * Delegation of user registration and product subscription * Reports
+* Custom HTML code widget and custom widget
+* Self-hosted developer portal
**Gateway**
-* Self-hosted gateway (*Standard v2*)
-* Management of Websocket APIs
-* Rate limit by key and quota by key policies
+* Self-hosted gateway
+* Quota by key policy
* Cipher configuration * Client certificate renegotiation
+* Request tracing in the test console
* Requests to the gateway over localhost
- > [!NOTE]
- > Currently the policy document size limit in the v2 tiers is 16 KiB.
+## Resource limits
+
+The following resource limits apply to the v2 tiers.
++
+## Developer portal limits
+
+The following limits apply to the developer portal in the v2 tiers.
+ ## Deployment
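Review bot: The limitations list keeps the unchanged bullet "Upgrade to v2 tiers from v1 tiers" although this change replaces "existing (v1) tiers" with "classic API Management tiers" under Feature availability; rename it to "classic tiers" so the article uses one term. Under Supported regions, East US is removed while the tiers move from preview to generally available; confirm that removal is intended. The new "Resource limits" and "Developer portal limits" sections show only an intro sentence in this hunk, and the note giving the 16 KiB policy document size limit is removed, so check that the limit is still stated by whatever those sections pull in.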
Deploy an instance of the Basic v2 or Standard v2 tier using the Azure portal, A
### Q: Can I migrate from my existing API Management instance to a new v2 tier instance?
-A: No. Currently you can't migrate an existing API Management instance (in the Consumption, Developer, Basic, Standard, or Premium tier) to a new v2 tier instance. Currently the new tiers are available for newly created service instances only.
+A: No. Currently you can't migrate an existing API Management instance (in the Consumption, Developer, Basic, Standard, or Premium tier) to a new v2 tier instance. Currently the v2 tiers are available for newly created service instances only.
### Q: What's the relationship between the stv2 compute platform and the v2 tiers?
A: Yes, there are no changes to the Basic or Standard tiers.
### Q: What is the difference between VNet integration in Standard v2 tier and VNet support in the Premium tier?
-A: A Standard v2 service instance can be integrated with a VNet to provide secure access to the backends residing there. A Standard v2 service instance integrated with a VNet will have a public IP address that can be secured separately, via Private Link, if necessary. The Premium tier supports a [fully private integration](api-management-using-with-internal-vnet.md) with a VNet (often referred to as injection into VNet) without exposing a public IP address.
+A: A Standard v2 service instance can be integrated with a VNet to provide secure access to the backends residing there. A Standard v2 service instance integrated with a VNet will have a public IP address. The Premium tier supports a [fully private integration](api-management-using-with-internal-vnet.md) with a VNet (often referred to as injection into VNet) without exposing a public IP address.
### Q: Can I deploy an instance of the Basic v2 or Standard v2 tier entirely in my VNet?
A: Yes, a Premium v2 preview is planned and will be announced separately.
## Related content
-* Learn more about the API Management [tiers](api-management-features.md).
--
+* Compare the API Management [tiers](api-management-features.md).
+* Learn more about the [API Management gateways](api-management-gateways-overview.md)
+* Learn about [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/).
api-management Validate Azure Ad Token Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-azure-ad-token-policy.md
Previously updated : 10/19/2023 Last updated : 03/18/2024 # Validate Microsoft Entra token
-The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.
+
+The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra (formerly called Azure Active Directory) service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.
> [!NOTE] > To validate a JWT that was provided by another identity provider, API Management also provides the generic [`validate-jwt`](validate-jwt-policy.md) policy.
The `validate-azure-ad-token` policy enforces the existence and validity of a JS
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
For more details on optional claims, read [Provide optional claims to your app](
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Client Certificate Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-client-certificate-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Validate client certificate + Use the `validate-client-certificate` policy to enforce that a certificate presented by a client to an API Management instance matches specified validation rules and claims such as subject or issuer for one or more certificate identities. To be considered valid, a client certificate must match all the validation rules defined by the attributes at the top-level element and match all defined claims for at least one of the defined identities.
For more information about custom CA certificates and certificate authorities, s
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
The following example validates a client certificate to match the policy's defau
## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Content Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-content-policy.md
Previously updated : 12/05/2022 Last updated : 03/18/2024 # Validate content++ The `validate-content` policy validates the size or content of a request or response body against one or more [supported schemas](#schemas-for-content-validation). The following table shows the schema formats and request or response content types that the policy supports. Content type values are case insensitive.
The policy validates the following content in the request or response against th
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
[!INCLUDE [api-management-validation-policy-common](../../includes/api-management-validation-policy-common.md)]
In the following example, API Management interprets any request as a request wit
## Related policies
-* [API Management validation policies](validation-policies.md)
+* [Content validation](api-management-policies.md#content-validation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Graphql Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-graphql-request-policy.md
Previously updated : 12/02/2022 Last updated : 03/18/2024 # Validate GraphQL request + The `validate-graphql-request` policy validates the GraphQL request and authorizes access to specific query paths in a GraphQL API. An invalid query is a "request error". Authorization is only done for valid requests. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
Available actions are described in the following table.
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
This example applies the following validation and authorization rules to a Graph
## Related policies
-* [Validation policies](api-management-policies.md#validation-policies)
+* [Content validation](api-management-policies.md#content-validation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Headers Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-headers-policy.md
Previously updated : 12/05/2022 Last updated : 03/18/2024 # Validate headers + The `validate-headers` policy validates the response headers against the API schema. > [!IMPORTANT]
The `validate-headers` policy validates the response headers against the API sch
- [**Policy sections:**](./api-management-howto-policies.md#sections) outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The `validate-headers` policy validates the response headers against the API sch
## Related policies
-* [API Management validation policies](validation-policies.md)
+* [Content validation](api-management-policies.md#content-validation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Jwt Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-jwt-policy.md
Previously updated : 03/05/2024 Last updated : 03/18/2024 # Validate JWT + The `validate-jwt` policy enforces existence and validity of a supported JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value. > [!NOTE]
The `validate-jwt` policy enforces existence and validity of a supported JSON we
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
This example shows how to use the `validate-jwt` policy to authorize access to o
``` ## Related policies
-* [API Management access restriction policies](api-management-access-restriction-policies.md)
+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)
api-management Validate Odata Request Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-odata-request-policy.md
Previously updated : 06/06/2023 Last updated : 03/18/2024 # Validate OData request + The `validate-odata-request` policy validates the request URL, headers, and parameters of a request to an OData API to ensure conformance with the [OData specification](https://www.odata.org/documentation). > [!NOTE]
The `validate-odata-request` policy validates the request URL, headers, and para
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The following example validates a request to an OData API and assumes a default
## Related policies
-* [Validation policies](api-management-policies.md#validation-policies)
+* [Content validation](api-management-policies.md#content-validation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Parameters Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-parameters-policy.md
Previously updated : 12/05/2022 Last updated : 03/18/2024 # Validate parameters + The `validate-parameters` policy validates the header, query, or path parameters in requests against the API schema. > [!IMPORTANT]
The `validate-parameters` policy validates the header, query, or path parameters
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
In this example, all query and path parameters are validated in the prevention m
## Related policies
-* [API Management validation policies](validation-policies.md)
+* [Content validation](api-management-policies.md#content-validation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Validate Service Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-service-updates.md
# Validate service updates to avoid disruption to your production API Management instances
-*"One of the value propositions of the cloud is that itΓÇÖs continually improving, delivering new capabilities and features, as well as security and reliability enhancements. But since the platform is continuously evolving, change is inevitable." - Mark Russinovich, CTO, Azure*
+
+*"One of the value propositions of the cloud is that itΓÇÖs continually improving, delivering new capabilities and features, as well as security and reliability enhancements. But since the platform is continuously evolving, change is inevitable."* - Mark Russinovich, CTO, Azure
Microsoft uses a safe deployment practices framework to thoroughly test, monitor, and validate service updates, and then deploy them to Azure regions using a phased approach. Even so, service updates that reach your API Management instances could introduce unanticipated risks to your production workloads and disrupt your API consumers. Learn how you can apply our safe deployment approach to reduce risks by validating the updates before they reach your production API Management environments.
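Review bot: The added quote line still shows the apostrophe in "it's" as the mis-encoded sequence `ΓÇÖ`, the same as on the removed line, so the edit moved the closing `*` but left the encoding damage in place. Suggest replacing it with a plain apostrophe in the source while the line is being touched.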
Here are example strategies to use an API Management instance as a canary deploy
* **Deploy duplicate instances in a region** - If your production workload is a Premium tier instance in a specific region, consider deploying a similarly configured instance in a lower tier that receives updates earlier. For example, configure a pre-production instance in the Developer tier to validate updates.
-## Next steps
+## Related content
* Learn [how to monitor](api-management-howto-use-azure-monitor.md) your API Management instance. * Learn about other options to [observe](observability.md) your API Management instance.
api-management Validate Status Code Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-status-code-policy.md
Previously updated : 12/05/2022 Last updated : 03/18/2024 # Validate status code + The `validate-status-code` policy validates the HTTP status codes in responses against the API schema. This policy may be used to prevent leakage of backend errors, which can contain stack traces. [!INCLUDE [api-management-validation-policy-schema-size-note](../../includes/api-management-validation-policy-schema-size-note.md)]
The `validate-status-code` policy validates the HTTP status codes in responses a
- [**Policy sections:**](./api-management-howto-policies.md#sections) outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The `validate-status-code` policy validates the HTTP status codes in responses a
## Related policies
-* [API Management validation policies](validation-policies.md)
+* [Content validation](api-management-policies.md#content-validation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Virtual Network Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-concepts.md
Title: Azure API Management with an Azure virtual network
-description: Learn about scenarios and requirements to secure inbound and outbound traffic for your API Management instance using an Azure virtual network.
+description: Learn about scenarios and requirements to secure inbound or outbound traffic for your API Management instance using an Azure virtual network.
Previously updated : 09/14/2023 Last updated : 03/26/2024
-# Use a virtual network to secure inbound and outbound traffic for Azure API Management
+# Use a virtual network to secure inbound or outbound traffic for Azure API Management
-API Management provides several options to secure access to your API Management instance and APIs using an Azure virtual network. API Management supports the following options. Available options depend on the [service tier](api-management-features.md) of your API Management instance.
+By default your API Management is accessed from the internet at a public endpoint, and acts as a gateway to public backends. API Management provides several options to secure access to your API Management instance and to backend APIs using an Azure virtual network. Available options depend on the [service tier](api-management-features.md) of your API Management instance.
* **Injection** of the API Management instance into a subnet in the virtual network, enabling the gateway to access resources in the network. You can choose one of two injection modes: *external* or *internal*. They differ in whether inbound connectivity to the gateway and other API Management endpoints is allowed from the internet or only from within the virtual network.
+* **Integration** of your API Management instance with a subnet in a virtual network so that your API Management gateway can make outbound requests to API backends that are isolated in the network.
+ * **Enabling secure and private inbound connectivity** to the API Management gateway using a *private endpoint*. The following table compares virtual networking options. For more information, see later sections of this article and links to detailed guidance. |Networking model |Supported tiers |Supported components |Supported traffic |Usage scenario | |||||-|
-|**[Virtual network injection - external](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends
-|**[Virtual network injection - internal](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository. | Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and S2S VPN connections. | Internal access to private and on-premises backends
-|**[Inbound private endpoint](#inbound-private-endpoint)** | Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported). | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway |
-
+|**[Virtual network injection - external](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends |
+|**[Virtual network injection - internal](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and S2S VPN connections. | Internal access to private and on-premises backends |
+|**[Outbound integration](#outbound-integration)** | Standard v2 | Gateway only | Outbound request traffic can reach APIs hosted in a delegated subnet of a virtual network. | External access to private and on-premises backends |
+|**[Inbound private endpoint](#inbound-private-endpoint)** | Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported) | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway |
## Virtual network injection+ With VNet injection, deploy ("inject") your API Management instance in a subnet in a non-internet-routable network to which you control access. In the virtual network, your API Management instance can securely access other networked Azure resources and also connect to on-premises networks using various VPN technologies. To learn more about Azure VNets, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md). You can use the Azure portal, Azure CLI, Azure Resource Manager templates, or other tools for the configuration. You control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security groups](../virtual-network/network-security-groups-overview.md).
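Review bot: The new Outbound integration row gives the usage scenario "External access to private and on-premises backends", identical to external injection, but its traffic column only covers APIs hosted in a delegated subnet of a virtual network and says nothing about on-premises connectivity. Suggest narrowing the scenario to what the row supports, or stating how on-premises backends are reached. The row also requires a delegated subnet, while the injection requirements say the delegation setting must be "None"; a sentence calling out that difference would prevent a subnet prepared for one model from being reused for the other. In the intro, "By default your API Management is accessed" is missing the word "instance".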
For detailed deployment steps and network configuration, see:
* [Deploy your API Management instance to a virtual network - external mode](./api-management-using-with-vnet.md). * [Deploy your API Management instance to a virtual network - internal mode](./api-management-using-with-internal-vnet.md).
+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md).
### Access options Using a virtual network, you can configure the developer portal, API gateway, and other API Management endpoints to be accessible either from the internet (external mode) or only within the VNet (internal mode).
Using a virtual network, you can configure the developer portal, API gateway, an
* Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway. * Manage your APIs hosted in multiple geographic locations, using a single gateway endpoint.
+## Outbound integration
-### Network resource requirements for injection
-
-The following are virtual network resource requirements for API Management injection into a VNet. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
-
-#### [stv2](#tab/stv2)
-
-* An Azure Resource Manager virtual network is required.
-* You must provide a Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) in addition to specifying a virtual network and subnet.
-* The subnet used to connect to the API Management instance may contain other Azure resource types.
-* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None".
-* A [network security group](../virtual-network/network-security-groups-overview.md) attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic.
-* The API Management service, virtual network and subnet, and public IP address resource must be in the same region and subscription.
-* For multi-region API Management deployments, configure virtual network resources separately for each location.
-
-#### [stv1](#tab/stv1)
-
-* An Azure Resource Manager virtual network is required.
-* The subnet used to connect to the API Management instance must be dedicated to API Management. It can't contain other Azure resource types.
-* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None".
-* The API Management service, virtual network, and subnet resources must be in the same region and subscription.
-* For multi-region API Management deployments, configure virtual network resources separately for each location.
--
+The Standard v2 tier supports VNet integration to allow your API Management instance to reach API backends that are isolated in a single connected VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet.
-### Subnet size
+Outbound integration enables the API Management instance to reach both public and network-isolated backend services.
-The minimum size of the subnet in which API Management can be deployed is /29, which provides three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:
-* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).
-
-* In addition to the IP addresses used by the Azure VNet infrastructure, each API Management instance in the subnet uses:
- * Two IP addresses per unit of Basic, Standard, or Premium SKU, or
- * One IP address for the Developer SKU.
-
-* When deploying into an [internal VNet](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer.
-
-#### Examples
-
-* For Basic, Standard, or Premium SKUs:
-
- * **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scale-out units.
-
- * **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units. **This subnet efficiently maximizes Basic and Standard SKU scale-out limits.**
-
- * **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 24 remaining IP addresses left for twelve scale-out units (2 IP addresses/scale-out unit) for a total of thirteen units. **This subnet efficiently maximizes the soft-limit Premium SKU scale-out limit.**
-
- * **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 56 remaining IP addresses left for twenty-eight scale-out units (2 IP addresses/scale-out unit) for a total of twenty-nine units. It is possible, with an Azure Support ticket, to scale the Premium SKU past twelve units. If you foresee such high demand, consider the /26 subnet.
-
- * **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 120 remaining IP addresses left for sixty scale-out units (2 IP addresses/scale-out unit) for a total of sixty-one units. This is an extremely large, theoretical number of scale-out units.
-
-> [!IMPORTANT]
-> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning may cause a change in the private IP address.
-
-### Routing
-
-See the Routing guidance when deploying your API Management instance into an [external VNet](./api-management-using-with-vnet.md#routing) or [internal VNet](./api-management-using-with-internal-vnet.md#routing).
-
-Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md).
-
-### DNS
-
-* In external mode, the VNet enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) by default for your API Management endpoints and other Azure resources. It doesn't provide name resolution for on-premises resources. Optionally, configure your own DNS solution.
-
-* In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md).
-
-For more information, see the DNS guidance when deploying your API Management instance into an [external VNet](./api-management-using-with-vnet.md#routing) or [internal VNet](./api-management-using-with-internal-vnet.md#routing).
-
-Related information:
-* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).
-* [Create an Azure private DNS zone](../dns/private-dns-getstarted-portal.md)
-
-> [!IMPORTANT]
-> If you plan to use a custom DNS solution for the VNet, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates), or by selecting **Apply network configuration** in the service instance's network configuration window in the Azure portal.
-
-### Limitations
-
-Some virtual network limitations differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
-
-#### [stv2](#tab/stv2)
-
-* A subnet containing API Management instances can't be moved across subscriptions.
-* For multi-region API Management deployments configured in internal VNet mode, users own the routing and are responsible for managing the load balancing across multiple regions.
-* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
-
-#### [stv1](#tab/stv1)
-
-* A subnet containing API Management instances can't be moved across subscriptions.
-* For multi-region API Management deployments configured in internal VNet mode, users own the routing and are responsible for managing the load balancing across multiple regions.
-* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
-* Due to platform limitations, connectivity between a resource in a globally peered VNet in another region and an API Management service in internal mode doesn't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).
--
+For more information, see [Integrate an Azure API Management instance with a private VNet for outbound connections](integrate-vnet-outbound.md).
## Inbound private endpoint
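Review bot: The Outbound integration section says the gateway, management plane, and developer portal remain publicly accessible, but does not say how a Standard v2 user restricts inbound access. The comparison table lists the inbound private endpoint only for Developer, Basic, Standard, and Premium, so as written Standard v2 has no inbound option in this article. Suggest stating that explicitly here, so readers do not treat outbound integration as network isolation of the instance. The Routing, DNS, and Limitations subsections are also removed from this article; confirm they are carried into the new injection resources article that the added link points to.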
Virtual network configuration with API Management:
* [Deploy your Azure API Management instance to a virtual network - external mode](./api-management-using-with-vnet.md). * [Deploy your Azure API Management instance to a virtual network - internal mode](./api-management-using-with-internal-vnet.md). * [Connect privately to API Management using a private endpoint](private-endpoint.md)
+* [Integrate an Azure API Management instance with a private VNet for outbound connections](integrate-vnet-outbound.md)
* [Defend your Azure API Management instance against DDoS attacks](protect-with-ddos-protection.md) Related articles:
api-management Virtual Network Injection Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-injection-resources.md
+
+ Title: Azure API Management virtual network integration - network resources
+description: Learn about requirements for network resources when you deploy (inject) your API Management instance in an Azure virtual network.
++++ Last updated : 03/26/2024+++
+# Network resource requirements for API Management injection into a virtual network
++
+The following are virtual network resource requirements for API Management injection into a virtual network. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
+
+#### [stv2](#tab/stv2)
+
+* An Azure Resource Manager virtual network is required.
+* You must provide a Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) in addition to specifying a virtual network and subnet.
+* The subnet used to connect to the API Management instance may contain other Azure resource types.
+* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None".
+* A [network security group](../virtual-network/network-security-groups-overview.md) attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic.
+* The API Management service, virtual network and subnet, and public IP address resource must be in the same region and subscription.
+* For multi-region API Management deployments, configure virtual network resources separately for each location.
+
+#### [stv1](#tab/stv1)
+
+* An Azure Resource Manager virtual network is required.
+* The subnet used to connect to the API Management instance must be dedicated to API Management. It can't contain other Azure resource types.
+* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None".
+* The API Management service, virtual network, and subnet resources must be in the same region and subscription.
+* For multi-region API Management deployments, configure virtual network resources separately for each location.
++
+## Subnet size
+
+The minimum size of the subnet in which API Management can be deployed is /29, which provides three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:
+
+* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).
+
+* In addition to the IP addresses used by the Azure virtual network infrastructure, each API Management instance in the subnet uses:
+ * Two IP addresses per unit of Basic, Standard, or Premium SKU, or
+ * One IP address for the Developer SKU.
+
+* When deploying into an [internal virtual network](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer.
+
+### Examples
+
+* **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scale-out units.
+
+* **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units.
+
+* **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 24 remaining IP addresses left for 12 scale-out units (2 IP addresses/scale-out unit) for a total of 13 units.
+
+* **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 56 remaining IP addresses left for 28 scale-out units (2 IP addresses/scale-out unit) for a total of 29 units.
+
+* **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 120 remaining IP addresses left for 60 scale-out units (2 IP addresses/scale-out unit) for a total of 61 units. This is a large, theoretical number of scale-out units.
+
+> [!NOTE]
+> It is currently possible to scale the Premium SKU to 31 units. If you foresee demand approaching this limit, consider the /26 subnet or /25 submit.
+
+> [!IMPORTANT]
+> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning may cause a change in the private IP address.
+
+## Routing
+
+See the Routing guidance when deploying your API Management instance into an [external virtual network](./api-management-using-with-vnet.md#routing) or [internal virtual network](./api-management-using-with-internal-vnet.md#routing).
+
+Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md).
+
+## DNS
+
+* In external mode, the virtual network enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) by default for your API Management endpoints and other Azure resources. It doesn't provide name resolution for on-premises resources. Optionally, configure your own DNS solution.
+
+* In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md).
+
+For more information, see the DNS guidance when deploying your API Management instance into an [external virtual network](./api-management-using-with-vnet.md#routing) or [internal virtual network](./api-management-using-with-internal-vnet.md#routing).
+
+Related information:
+* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).
+* [Create an Azure private DNS zone](../dns/private-dns-getstarted-portal.md)
+
+> [!IMPORTANT]
+> If you plan to use a custom DNS solution for the VNet, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates), or by selecting **Apply network configuration** in the service instance's network configuration window in the Azure portal.
+
+## Limitations
+
+Some virtual network limitations differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.
+
+#### [stv2](#tab/stv2)
+
+* A subnet containing API Management instances can't be moved across subscriptions.
+* For multi-region API Management deployments configured in internal virtual network mode, users own the routing and are responsible for managing the load balancing across multiple regions.
+* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
+
+#### [stv1](#tab/stv1)
+
+* A subnet containing API Management instances can't be moved across subscriptions.
+* For multi-region API Management deployments configured in internal virtual network mode, users own the routing and are responsible for managing the load balancing across multiple regions.
+* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.
+* Due to platform limitations, connectivity between a resource in a globally peered virtual network in another region and an API Management service in internal mode doesn't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).
++++
+## Related content
+
+* [Site-to-site VPN](../vpn-gateway/design.md#s2smulti)
+* [Connect virtual networks from different deployment models using PowerShell](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
+* [Azure Virtual Network frequently asked questions](../virtual-network/virtual-networks-faq.md)
++++
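Review bot: The NOTE after the subnet examples ends with "/25 submit", which should read "/25 subnet", and its advice conflicts with the examples above it: the /26 example works out to a total of 29 units, yet the note suggests /26 for demand approaching the 31-unit Premium limit. Suggest recommending /25 for that case, or correcting whichever figure is wrong. In the DNS section, the "see the DNS guidance" sentence links both articles at their `#routing` anchors, the same targets used in the Routing section just above, so the links look copied; point them at the DNS sections of those articles.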
api-management Virtual Network Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-reference.md
# Virtual network configuration reference: API Management
-This reference provides detailed network configuration settings for an API Management instance deployed in an Azure virtual network in the [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) mode.
+
+This reference provides detailed network configuration settings for an API Management instance deployed (injected) in an Azure virtual network in the [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) mode.
For VNet connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md).
api-management Visual Studio Code Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/visual-studio-code-tutorial.md
# Tutorial: Use the Azure API Management extension for Visual Studio Code to import and manage APIs + In this tutorial, you learn how to use the API Management extension for Visual Studio Code for common operations in API Management. Use the familiar Visual Studio Code environment to import, update, test, and manage APIs. You learn how to:
api-management Visualize Using Managed Grafana Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/visualize-using-managed-grafana-dashboard.md
# Visualize API Management monitoring data using a Managed Grafana dashboard + You can use [Azure Managed Grafana](../managed-grafana/index.yml) to visualize API Management monitoring data that is collected into a Log Analytics workspace. Use a prebuilt [API Management dashboard](https://grafana.com/grafana/dashboards/16604-azure-api-management) for real-time visualization of logs and metrics collected from your API Management instance. * [Learn more about Azure Managed Grafana](../managed-grafan)
api-management Vscode Create Service Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/vscode-create-service-instance.md
# Quickstart: Create a new Azure API Management instance using Visual Studio Code + This quickstart describes the steps to create a new API Management instance using the *Azure API Management Extension* for Visual Studio Code. After creating an instance, you can use the extension for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)]
api-management Wait Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/wait-policy.md
Previously updated : 12/08/2022 Last updated : 03/18/2024 # Wait + The `wait` policy executes its immediate child policies in parallel, and waits for either all or one of its immediate child policies to complete before it completes. The `wait` policy can have as its immediate child policies one or more of the following: [`send-request`](send-request-policy.md), [`cache-lookup-value`](cache-lookup-value-policy.md), and [`choose`](choose-policy.md) policies. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
May contain as child elements only `send-request`, `cache-lookup-value`, and `ch
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
In the following example, there are two `choose` policies as immediate child pol
## Related policies
-* [API Management advanced policies](api-management-advanced-policies.md)
+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Websocket Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/websocket-api.md
# Import a WebSocket API + With API ManagementΓÇÖs WebSocket API solution, API publishers can quickly add a WebSocket API in API Management via the Azure portal, Azure CLI, Azure PowerShell, and other Azure tools. You can secure WebSocket APIs by applying existing access control policies, like [JWT validation](validate-jwt-policy.md). You can also test WebSocket APIs using the API test consoles in both Azure portal and developer portal. Building on existing observability capabilities, API Management provides metrics and logs for monitoring and troubleshooting WebSocket APIs.
api-management Workspaces Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/workspaces-overview.md
# Workspaces in Azure API Management
-In API Management, *workspaces* allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC).
- [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)]
+In API Management, *workspaces* allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC).
> [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](#preview-limitations).
api-management Xml To Json Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/xml-to-json-policy.md
Previously updated : 12/02/2022 Last updated : 03/18/2024 # Convert XML to JSON++ The `xml-to-json` policy converts a request or response body from XML to JSON. This policy can be used to modernize APIs based on XML-only backend web services. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `xml-to-json` policy converts a request or response body from XML to JSON. T
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
## Example
The `xml-to-json` policy converts a request or response body from XML to JSON. T
## Related policies
-* [API Management transformation policies](api-management-transformation-policies.md)
+* [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
api-management Xsl Transform Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/xsl-transform-policy.md
Previously updated : 01/02/2024 Last updated : 03/18/2024 # Transform XML using an XSLT + The `xsl-transform` policy applies an XSL transformation to XML in the request or response body. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
The `xsl-transform` policy applies an XSL transformation to XML in the request o
- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted
### Usage notes
The `xsl-transform` policy applies an XSL transformation to XML in the request o
## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)
+- [Transformation](api-management-policies.md#transformation)
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-java.md
This example transform adds a new connector node to `server.xml`. Note the *Iden
<!-- This is the new connector --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
- keystroreFile="${{user.home}}/.keystore" keystorePass="changeit"
+ keystoreFile="${{user.home}}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" /> </xsl:template>
An example xsl file is provided below. The example xsl file adds a new connector
<!-- This is the new connector --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
- keystroreFile="${{user.home}}/.keystore" keystorePass="changeit"
+ keystoreFile="${{user.home}}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" /> </xsl:template>
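Review bot: Both connector samples still carry `keystorePass="changeit"`, the stock Java keystore password, on the same line as the corrected `keystoreFile` attribute. Because this is sample configuration that readers are likely to copy into their own `server.xml` transform, suggest replacing the literal with an obvious placeholder and adding a sentence telling readers to supply their own keystore password. The spelling fix itself is right; since it had to be made in two places, a search of the article for any remaining `keystroreFile` is worthwhile.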
app-service Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-python.md
To run the application locally:
pip install -r requirements.txt ```
-1. Integrate a database:
-
- ```Python
-
- from azure.cosmos.aio import CosmosClient
- from azure.cosmos import exceptions
- from azure.cosmos.partition_key import PartitionKey
-
- from configs.credential import HOST, MASTER_KEY, DATABASE_ID
--
- def get_database_client():
- # Initialize the Cosmos client
- client = CosmosClient(HOST, MASTER_KEY)
-
- # Create or get a reference to a database
- try:
- database = client.create_database_if_not_exists(id=DATABASE_ID)
- print(f'Database "{DATABASE_ID}" created or retrieved successfully.')
-
- except exceptions.CosmosResourceExistsError:
- database = client.get_database_client(DATABASE_ID)
- print('Database with id \'{0}\' was found'.format(DATABASE_ID))
-
- return database
--
- def get_container_client(container_id):
- database = get_database_client()
- # Create or get a reference to a container
- try:
- container = database.create_container(id=container_id, partition_key=PartitionKey(path='/partitionKey'))
- print('Container with id \'{0}\' created'.format(container_id))
-
- except exceptions.CosmosResourceExistsError:
- container = database.get_container_client(container_id)
- print('Container with id \'{0}\' was found'.format(container_id))
-
- return container
-
- async def create_item(container_id, item):
- async with CosmosClient(HOST, credential=MASTER_KEY) as client:
- database = client.get_database_client(DATABASE_ID)
- container = database.get_container_client(container_id)
- await container.upsert_item(body=item)
-
- async def get_items(container_id):
- items = []
- try:
- async with CosmosClient(HOST, credential=MASTER_KEY) as client:
- database = client.get_database_client(DATABASE_ID)
- container = database.get_container_client(container_id)
- async for item in container.read_all_items():
- items.append(item)
- except Exception as e:
- print(f"An error occurred: {e}")
-
- return items
- ```
- 1. Run the app: ```Console
app-service Quickstart Wordpress https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-wordpress.md
description: Create your first WordPress site on Azure App Service in minutes.
keywords: app service, azure app service, wordpress, preview, app service on linux, plugins, mysql flexible server, wordpress on linux, php Previously updated : 05/15/2023 Last updated : 03/28/2024 # ms.devlang: wordpress
In this quickstart, you'll learn how to create and deploy your first [WordPress]
To complete this quickstart, you need an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs).
-> [!IMPORTANT]
-> After November 28, 2022, [PHP will only be supported on App Service on Linux.](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#end-of-life-for-php-74).
->
-> For migrating WordPress to App Service, visit [Migrating to App Service](migrate-wordpress.md). Additional documentation can be found at [WordPress - App Service on Linux](https://github.com/Azure/wordpress-linux-appservice).
->
-> To submit feedback on improving the WordPress experience on App Service, visit [Web Apps Community](https://feedback.azure.com/d365community/forum/b09330d1-c625-ec11-b6e6-000d3a4f0f1c).
->
- ## Create WordPress site using Azure portal 1. To start creating the WordPress site, browse to [https://portal.azure.com/#create/WordPress.WordPress](https://portal.azure.com/#create/WordPress.WordPress).
azure-app-configuration Quickstart Feature Flag Azure Kubernetes Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-feature-flag-azure-kubernetes-service.md
+
+ Title: Quickstart for using Azure App Configuration Feature Management in Azure Kubernetes Service
+description: In this quickstart, create an ASP.NET core web app and use feature flag in it running in AKS and use the Azure App Configuration Kubernetes Provider to load key-values and feature flags from App Configuration store.
+++
+ms.devlang: csharp
++ Last updated : 02/23/2024+
+#Customer intent: As an Azure Kubernetes Service user, I want to manage all my app settings in one place using Azure App Configuration.
++
+# Quickstart: Add feature flags to workloads in Azure Kubernetes Service
+
+In this quickstart, you'll create a feature flag in Azure App Configuration and use it to dynamically control the visibility of a new web page in an ASP.NET Core app running in AKS without restarting or redeploying it.
+
+## Prerequisites
+
+Follow the documents to use dynamic configuration in Azure Kubernetes Service.
+
+* [Quickstart: Use Azure App Configuration in Azure Kubernetes Service](./quickstart-azure-kubernetes-service.md)
+* [Tutorial: Use dynamic configuration in Azure Kubernetes Service](./enable-dynamic-configuration-azure-kubernetes-service.md)
+
+## Create a feature flag
+
+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag).
+
+> [!div class="mx-imgBorder"]
+> ![Screenshot showing creating feature flag named Beta.](./media/add-beta-feature-flag.png)
+
+## Use a feature flag
+
+In this section, you will use feature flags in a simple ASP.NET web application and run it in Azure Kubernetes Service (AKS).
+
+1. Navigate into the project's directory you created in the [Quickstart](./quickstart-azure-kubernetes-service.md), and run the following command to add a reference to the [Microsoft.FeatureManagement.AspNetCore](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore) NuGet package version 3.2.0 or later.
+
+ ```dotnetcli
+ dotnet add package Microsoft.FeatureManagement.AspNetCore
+ ```
+
+1. Open *program.cs*, and add feature management to the service collection of your app by calling `AddFeatureManagement`.
+
+ ```csharp
+ // Existing code in Program.cs
+ // ... ...
+
+ // Add a JSON configuration source
+ builder.Configuration.AddJsonFile("config/mysettings.json", reloadOnChange: true, optional: false);
+
+ // Add feature management to the container of services.
+ builder.Services.AddFeatureManagement();
+
+ var app = builder.Build();
+
+ // The rest of existing code in program.cs
+ // ... ...
+ ```
+
+ Add `using Microsoft.FeatureManagement;` at the top of the file if it's not present.
+
+1. Add a new empty Razor page named **Beta** under the *Pages* directory. It includes two files *Beta.cshtml* and *Beta.cshtml.cs*.
+
+ Open *Beta.cshtml*, and update it with the following markup:
+
+ ```cshtml
+ @page
+ @model MyWebApp.Pages.BetaModel
+ @{
+ ViewData["Title"] = "Beta Page";
+ }
+
+ <h1>This is the beta website.</h1>
+ ```
+
+ Open *Beta.cshtml.cs*, and add `FeatureGate` attribute to the `BetaModel` class. The `FeatureGate` attribute ensures the *Beta* page is accessible only when the *Beta* feature flag is enabled. If the *Beta* feature flag isn't enabled, the page will return 404 Not Found.
+
+ ```csharp
+ using Microsoft.AspNetCore.Mvc.RazorPages;
+ using Microsoft.FeatureManagement.Mvc;
+
+ namespace MyWebApp.Pages
+ {
+ [FeatureGate("Beta")]
+ public class BetaModel : PageModel
+ {
+ public void OnGet()
+ {
+ }
+ }
+ }
+ ```
+
+1. Open *Pages/_ViewImports.cshtml*, and register the feature manager Tag Helper using an `@addTagHelper` directive:
+
+ ```cshtml
+ @addTagHelper *, Microsoft.FeatureManagement.AspNetCore
+ ```
+
+ The preceding code allows the `<feature>` Tag Helper to be used in the project's *.cshtml* files.
+
+1. Open *_Layout.cshtml* in the *Pages*\\*Shared* directory. Insert a new `<feature>` tag in between the *Home* and *Privacy* navbar items, as shown in the highlighted lines below.
+
+ :::code language="html" source="../../includes/azure-app-configuration-navbar.md" range="22-36" highlight="6-10":::
+
+ The `<feature>` tag ensures the *Beta* menu item is shown only when the *Beta* feature flag is enabled.
+
+1. [Containerize the application](./quickstart-azure-kubernetes-service.md#containerize-the-application) and [Push the image to Azure Container Registry](./quickstart-azure-kubernetes-service.md#push-the-image-to-azure-container-registry).
+
+1. [Deploy the application](./quickstart-azure-kubernetes-service.md#deploy-the-application). Refresh the browser and the web page will look like this:
+
+ ![Screenshot showing Kubernetes Provider after using configMap without feature flag.](./media/quickstarts/kubernetes-provider-feature-flag-no-beta-home.png)
+
+## Use Kubernetes Provider to load feature flags
+
+1. Update the *appConfigurationProvider.yaml* file located in the *Deployment* directory with the following content.
+
+ ```yaml
+ apiVersion: azconfig.io/v1
+ kind: AzureAppConfigurationProvider
+ metadata:
+ name: appconfigurationprovider-sample
+ spec:
+ endpoint: <your-app-configuration-store-endpoint>
+ target:
+ configMapName: configmap-created-by-appconfig-provider
+ configMapData:
+ type: json
+ key: mysettings.json
+ auth:
+ workloadIdentity:
+ managedIdentityClientId: <your-managed-identity-client-id>
+ featureFlag:
+ selectors:
+ - keyFilter: 'Beta'
+ refresh:
+ enabled: true
+ ```
+
+ > [!TIP]
+ > When no `selectors` are specified in `featureFlag` section, the Kubernetes Provider will not load feature flags from your App Configuration store. The default refresh interval of feature flags is 30 seconds when `featureFlag.refresh` enabled. You can customize this behavior via the `featureFlag.refresh.interval` parameter.
+
+1. Run the following command to apply the changes.
+
+ ```console
+ kubectl apply -f ./Deployment -n appconfig-demo
+ ```
+
+1. Update the **Beta** feature flag in your App Configuration store. Enable the flag by selecting the checkbox under **Enabled**.
+
+1. After refreshing the browser multiple times, the updated content will become visible once the ConfigMap has been updated within 30 seconds.
+
+ ![Screenshot showing Kubernetes Provider after using configMap with feature flag enabled.](./media/quickstarts/kubernetes-provider-feature-flag-home.png)
+
+1. Select the **Beta** menu. It will bring you to the beta website that you enabled dynamically.
+
+ ![Screenshot showing beta page Kubernetes Provider after using configMap.](./media/quickstarts/kubernetes-provider-feature-flag-beta-page.png)
+
+## Clean up resources
+
+Uninstall the App Configuration Kubernetes Provider from your AKS cluster if you want to keep the AKS cluster.
+
+```console
+helm uninstall azureappconfiguration.kubernetesprovider --namespace azappconfig-system
+```
++
+## Next steps
+
+In this quickstart, you:
+
+* Added feature management capability to an ASP.NET Core app running in Azure Kubernetes Service (AKS).
+* Connected your AKS cluster to your App Configuration store using the App Configuration Kubernetes Provider.
+* Created a ConfigMap with key-values and feature flags from your App Configuration store.
+* Ran the application with dynamic configuration from your App Configuration store without changing your application code.
+
+To learn more about the Azure App Configuration Kubernetes Provider, see [Azure App Configuration Kubernetes Provider reference](./reference-kubernetes-provider.md).
+
+To learn more about feature management capability, continue to the following tutorial.
+
+> [!div class="nextstepaction"]
+> [Enable features for targeted audiences](./howto-targetingfilter-aspnet-core.md)
+
+> [!div class="nextstepaction"]
+> [Use feature filters for conditional feature flags](./howto-feature-filters-aspnet-core.md)
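Review bot: The last bullet under Next steps says the application ran "without changing your application code", but the Use a feature flag section has the reader add `AddFeatureManagement()`, a new Beta Razor page with `[FeatureGate("Beta")]`, and a `<feature>` tag in the layout; suggest rewording it to say the page was turned on without restarting or redeploying, which matches the introduction. In step 4 of Use Kubernetes Provider to load feature flags, "visible once the ConfigMap has been updated within 30 seconds" is hard to parse; tie it to the default 30-second refresh interval stated in the TIP. The steps also say *program.cs* while the code comment says Program.cs; use one casing.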
azure-functions Functions Bindings Signalr Service Trigger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-signalr-service-trigger.md
See [Class based model](../azure-signalr/signalr-concept-serverless-development-
public class HubName1 : ServerlessHub { [FunctionName("SignalRTest")]
- public async Task SendMessage([SignalRTrigger]InvocationContext invocationContext, string message, ILogger logger)
+ public Task SendMessage([SignalRTrigger]InvocationContext invocationContext, string message, ILogger logger)
{ logger.LogInformation($"Receive {message} from {invocationContext.ConnectionId}."); }
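Review bot: Dropping `async` from `SendMessage` leaves a method declared to return `Task` whose body, as shown, only calls `logger.LogInformation(...)` and returns nothing, which does not compile in C#. Add `return Task.CompletedTask;` after the log call. The two static `Run` samples changed further down have the same shape and need the same fix; the JavaScript sample is fine without `async` because it has no value to return.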
Traditional model obeys the convention of Azure Function developed by C#. If you
```cs [FunctionName("SignalRTest")]
-public static async Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage", parameterNames: new string[] {"message"})]InvocationContext invocationContext, string message, ILogger logger)
+public static Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage", parameterNames: new string[] {"message"})]InvocationContext invocationContext, string message, ILogger logger)
{ logger.LogInformation($"Receive {message} from {invocationContext.ConnectionId}."); }
Because it can be hard to use `ParameterNames` in the trigger, the following exa
```cs [FunctionName("SignalRTest")]
-public static async Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage")]InvocationContext invocationContext, [SignalRParameter]string message, ILogger logger)
+public static Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage")]InvocationContext invocationContext, [SignalRParameter]string message, ILogger logger)
{ logger.LogInformation($"Receive {message} from {invocationContext.ConnectionId}."); }
app.generic("function1",
Here's the JavaScript code: ```javascript
-module.exports = async function (context, invocation) {
+module.exports = function (context, invocation) {
context.log(`Receive ${context.bindingData.message} from ${invocation.ConnectionId}.`) }; ```
azure-functions Functions Reference Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-python.md
When you deploy your project to a function app in Azure, the entire contents of
## Connect to a database
-[Azure Cosmos DB](../cosmos-db/introduction.md) is a fully managed NoSQL and relational database for modern app development including AI, digital commerce, Internet of Things, booking management, and other types of solutions. It offers single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Its various APIs can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.
+[Azure Cosmos DB](../cosmos-db/introduction.md) is a fully managed NoSQL, relational, and vector database for modern app development including AI, digital commerce, Internet of Things, booking management, and other types of solutions. It offers single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Its various APIs can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.
To connect to Cosmos DB, first [create an account, database, and container](../cosmos-db/nosql/quickstart-portal.md). Then you may connect Functions to Cosmos DB using [trigger and bindings](functions-bindings-cosmosdb-v2.md), like this [example](functions-add-output-binding-cosmos-db-vs-code.md). You may also use the Python library for Cosmos DB, like so:
azure-monitor Alerts Processing Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-processing-rules.md
Severity | The rule applies only to alerts with the selected severities. |
* If you define multiple filters in a rule, all the rules apply. There's a logical AND between all filters. For example, if you set both `resource type = "Virtual Machines"` and `severity = "Sev0"`, then the rule applies only for `Sev0` alerts on virtual machines in the scope. * Each filter can include up to five values. There's a logical OR between the values.
- For example, if you set `description contains "this, that" (in the field there is no need to write the apostrophes), then the rule applies only to alerts whose description contains either `this` or `that`.
+ For example, if you set description contains "this, that" (in the field there is no need to write the apostrophes), then the rule applies only to alerts whose description contains either "this" or "that".
* Notice that you dont have any spaces (before, after or between) the string that is matched it will effect the matching of the filter. ### What should this rule do?
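Review bot: The reworded example on the added line still says there is "no need to write the apostrophes", but the characters shown around "this, that" are double quotation marks, so the parenthesis should say "quotation marks". The context bullet that follows ("Notice that you dont have any spaces ...") was left untouched and is hard to parse: it has "dont" for "don't" and "effect" for "affect", and it should state plainly that leading, trailing or embedded spaces in a value change what the filter matches. A filter that fails to match means the rule is not applied to the alerts it was written for, so that sentence is worth fixing in the same change.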
azure-monitor Proactive Failure Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/proactive-failure-diagnostics.md
Notice that if you delete an Application Insights resource, the associated Failu
## Triage and diagnose an alert
-An alert indicates that an abnormal rise in the failed request rate was detected. It's likely that there's some problem with your app or its environment.
An alert indicates that an abnormal rise in the failed request rate was detected. It's likely that there's some problem with your app or its environment. To investigate further, click on 'View full details in Application Insights.' The links in this page take you straight to a [search page](../app/diagnostic-search.md) filtered to the relevant requests, exception, dependency, or traces.
azure-monitor Sampling Classic Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling-classic-api.md
Use the [examples in the earlier section of this page](#configuring-adaptive-sam
* Configuring too high a sampling percentage (not aggressive enough) results in an insufficient reduction in the volume of the collected telemetry. You can still experience telemetry data loss related to throttling, and the cost of using Application Insights might be higher than you planned due to overage charges.
+*What happens if I configure both IncludedTypes and ExcludedTypes settings?*
+
+* It's best not to set both `ExcludedTypes` and `IncludedTypes` in your configuration to prevent any conflicts and ensure clear telemetry collection settings.
+* Telemetry types that are listed in `ExcludedTypes` are excluded even if they are also set in `IncludedTypes` settings. ExcludedTypes will take precedence over IncludedTypes.
+ *On what platforms can I use sampling?* * Ingestion sampling can occur automatically for any telemetry above a certain volume, if the SDK isn't performing sampling. This configuration would work, for example, if you're using an older version of the ASP.NET SDK or Java SDK.
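Review bot: In the second added bullet, "are excluded" does not say excluded from what. State explicitly whether a type listed in `ExcludedTypes` is left out of sampling or left out of collection, because the two readings give opposite expectations about which telemetry is retained. The closing sentence "ExcludedTypes will take precedence over IncludedTypes" repeats the sentence before it and drops the code formatting used for the same setting names earlier in the bullet; fold the two into one sentence with both names in backticks.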
azure-monitor Basic Logs Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/basic-logs-configure.md
All custom tables created with or migrated to the [data collection rule (DCR)-ba
| Media Services | [AMSLiveEventOperations](/azure/azure-monitor/reference/tables/AMSLiveEventOperations)<br>[AMSKeyDeliveryRequests](/azure/azure-monitor/reference/tables/AMSKeyDeliveryRequests)<br>[AMSMediaAccountHealth](/azure/azure-monitor/reference/tables/AMSMediaAccountHealth)<br>[AMSStreamingEndpointRequests](/azure/azure-monitor/reference/tables/AMSStreamingEndpointRequests) | | Microsoft Graph | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) | | Monitor | [AzureMetricsV2](/azure/azure-monitor/reference/tables/AzureMetricsV2) |
-| Network Devices (Operator Nexus) | [MNFDeviceUpdates](/azure/azure-monitor/reference/tables/MNFDeviceUpdates)<br>[MNFSystemStateMessageUpdates](/azure/azure-monitor/reference/tables/MNFSystemStateMessageUpdates) |
+| Network Devices (Operator Nexus) | [MNFDeviceUpdates](/azure/azure-monitor/reference/tables/MNFDeviceUpdates)<br>[MNFSystemStateMessageUpdates](/azure/azure-monitor/reference/tables/MNFSystemStateMessageUpdates) <br>[MNFSystemSessionHistoryUpdates](/azure/azure-monitor/reference/tables/mnfsystemsessionhistoryupdates) |
| Network Managers | [AVNMConnectivityConfigurationChange](/azure/azure-monitor/reference/tables/AVNMConnectivityConfigurationChange)<br>[AVNMIPAMPoolAllocationChange](/azure/azure-monitor/reference/tables/AVNMIPAMPoolAllocationChange) | | Nexus Clusters | [NCCKubernetesLogs](/azure/azure-monitor/reference/tables/NCCKubernetesLogs)<br>[NCCVMOrchestrationLogs](/azure/azure-monitor/reference/tables/NCCVMOrchestrationLogs) | | Nexus Storage Appliances | [NCSStorageLogs](/azure/azure-monitor/reference/tables/NCSStorageLogs)<br>[NCSStorageAlerts](/azure/azure-monitor/reference/tables/NCSStorageAlerts) |
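Review bot: The link added to the Network Devices (Operator Nexus) row uses an all-lowercase path, /azure/azure-monitor/reference/tables/mnfsystemsessionhistoryupdates, while the two existing links in the same cell keep the table's own casing (MNFDeviceUpdates, MNFSystemStateMessageUpdates). Match the casing of the sibling links, and drop the space before the new `<br>` so the cell is formatted like the rest of the table.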
azure-netapp-files Faq Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-integration.md
Using Azure NetApp Files NFS or SMB volumes with AVS for *Guest OS mounts* is su
## Which Unicode Character Encoding does Azure NetApp Files support for the creation and display of file and directory names?
-Azure NetApp Files only supports file and directory names that are encoded with the [UTF-8 Unicode Character Encoding](https://en.wikipedia.org/wiki/UTF-8), *C locale* (or _C.UTF-8_) format for both NFS and SMB volumes. Only strict ASCII characters are valid.
-
-If you try to create files or directories using supplementary characters or surrogate pairs such as nonregular characters or emoji unsupported by C.UTF-8, the operation fails. A Windows client produces an error message similar to ΓÇ£The file name you specified is not valid or too long. Specify a different file name.ΓÇ¥
-
-For more information, see [Understand volume languages](understand-volume-languages.md).
+For information on Unicode character support, see [Understand volume languages](understand-volume-languages.md) and [Understand path lengths](understand-path-lengths.md).
## Does Azure Databricks support mounting Azure NetApp Files NFS volumes?
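Review bot: After this change the heading still asks which Unicode character encoding is supported, but the answer no longer names one and only links out. Keep a one-sentence answer under the heading (the removed text named UTF-8 and described the failure seen when an unsupported name is used) and follow it with the two links, so the FAQ entry answers its own question and readers who search for the Windows error message still land here.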
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md
Azure NetApp Files is updated regularly. This article provides a summary about the latest new features and enhancements.
+## March 2024
+ * [Large volumes (Preview) improvement:](large-volumes-requirements-considerations.md) new minimum size of 50 TiB Large volumes support a minimum size of 50 TiB. Large volumes still support a maximum quota of 500 TiB.
-## March 2024
- * [Availability zone volume placement](manage-availability-zone-volume-placement.md) is now generally available (GA). You can deploy new volumes in the logical availability zone of your choice to create cross-zone volumes to improve resiliency in case of zonal failures. This feature is available in all availability zone-enabled regions with Azure NetApp Files presence.
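Review bot: The added Large volumes entry states the 50 TiB minimum twice, once in the link line and again in the first sentence, and never says what the minimum was before, so a reader cannot tell what changed. Give the previous value or drop the repetition, and move the colon out of the link text in "[Large volumes (Preview) improvement:]".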
azure-resource-manager Azure Subscription Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-subscription-service-limits.md
The following limits apply when you use Azure Resource Manager and Azure resourc
## API Management limits
+This section provides information about limits that apply to Azure API Management instances in different [service tiers](../../api-management/api-management-features.md), including the following:
+
+* [API Management classic tiers](#limitsapi-management-classic-tiers)
+* [API Management v2 tiers](#limitsapi-management-v2-tiers)
+* [Developer portal in API Management v2 tiers](#limitsdeveloper-portal-in-api-management-v2-tiers)
+
+### Limits - API Management classic tiers
+ [!INCLUDE [api-management-service-limits](../../../includes/api-management-service-limits.md)]
+### Limits - API Management v2 tiers
++
+### Limits - Developer portal in API Management v2 tiers
+++ ## App Service limits [!INCLUDE [azure-websites-limits](../../../includes/azure-websites-limits.md)]
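Review bot: The two new headings "Limits - API Management v2 tiers" and "Limits - Developer portal in API Management v2 tiers" show no content beneath them in this diff, whereas the classic tiers heading is followed by an INCLUDE of api-management-service-limits.md. Confirm that each new section has its include so the page does not publish empty sections. Also check that the three fragments in the added list (for example #limitsapi-management-classic-tiers) match the ids generated for headings that contain " - ", since a mismatch leaves the in-page links dead.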
azure-signalr Signalr Concept Serverless Development Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-concept-serverless-development-config.md
The class-based model is dedicated for C#.
The class-based model provides better programming experience, which can replace SignalR input and output bindings, with the following features: - More flexible negotiation, sending messages and managing groups experience. - More managing functionalities are supported, including closing connections, checking whether a connection, user, or group exists.-- Strongly Typed hub-- Unified connection string setting in one place.
+- Strongly typed hub
+- Unified hub name and connection string setting in one place.
The following code demonstrates how to write SignalR bindings in class-based model:
-In the *Functions.cs* file, define your hub, which extends a base class `ServerlessHub`:
+Firstly, define your hub derived from a class `ServerlessHub`:
```cs [SignalRConnection("AzureSignalRConnectionString")] public class Functions : ServerlessHub {
- private const string HubName = nameof(Functions);
+ private const string HubName = nameof(Functions); // Used by SignalR trigger only
public Functions(IServiceProvider serviceProvider) : base(serviceProvider) {
var host = new HostBuilder()
### Negotiation experience in class-based model
-Instead of using SignalR input binding `[SignalRConnectionInfoInput]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method `NegotiateAsync`, which allows user to customize negotiation options such as `userId`, `claims`, etc.
+Instead of using SignalR input binding `[SignalRConnectionInfoInput]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method `NegotiateAsync`, which allows users to customize negotiation options such as `userId`, `claims`, etc.
```cs Task<BinaryData> NegotiateAsync(NegotiationOptions? options = null)
You could send messages, manage groups, or manage clients by accessing the membe
- `ServerlessHub.UserGroups` for managing users with groups, such as adding users to groups, removing users from groups. - `ServerlessHub.ClientManager` for checking connections existence, closing connections, etc.
-### Strongly Typed Hub
+### Strongly typed Hub
[Strongly typed hub](/aspnet/core/signalr/hubs?#strongly-typed-hubs) allows you to use strongly typed methods when you send messages to clients. To use strongly typed hub in class based model, extract client methods into an interface `T`, and make your hub class derived from `ServerlessHub<T>`.
Then you can use the strongly typed methods as follows:
[SignalRConnection("AzureSignalRConnectionString")] public class Functions : ServerlessHub<IChatClient> {
- private const string HubName = nameof(Functions);
+ private const string HubName = nameof(Functions); // Used by SignalR trigger only
public Functions(IServiceProvider serviceProvider) : base(serviceProvider) {
public class Functions : ServerlessHub<IChatClient>
> [!NOTE] > You can get a complete project sample from [GitHub](https://github.com/aspnet/AzureSignalR-samples/tree/main/samples/DotnetIsolated-ClassBased/).
-### Unified connection string setting in one place
+### Unified hub name and connection string setting in one place
-You might have noticed the `SignalRConnection` attribute used on serverless hub classes. It looks like this:
-```cs
-[SignalRConnection("AzureSignalRConnectionString")]
-public class Functions : ServerlessHub<IChatClient>
-```
-
-It allows you to customize where the SignalR Service bindings look for connection string. If it's absent, the default value `AzureSignalRConnectionString` is used.
+* The class name of the serverless hub is automatically used as `HubName`.
+* You might have noticed the `SignalRConnection` attribute used on serverless hub classes as follows:
+ ```cs
+ [SignalRConnection("AzureSignalRConnectionString")]
+ public class Functions : ServerlessHub<IChatClient>
+ ```
+ It allows you to customize where the connection string for serverless hub is. If it's absent, the default value `AzureSignalRConnectionString` is used.
> [!IMPORTANT]
-> `SignalRConnection` attribute doesn't change the connection string setting of SignalR triggers, even though you use SignalR triggers inside the serverless hub. You should specify the connection string setting for each SignalR trigger if you want to customize it.
+> SignalR triggers and serverless hubs are independent. Therefore, the class name of serverless hub and `SignalRConnection` attribute doesn't change the settings of SignalR triggers, even though you use SignalR triggers inside the serverless hub.
# [In-process model](#tab/in-process)
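Review bot: The rewritten IMPORTANT note drops the actionable sentence from the old text, "You should specify the connection string setting for each SignalR trigger if you want to customize it", so readers are told that triggers and serverless hubs are independent but not what to do about it. Restore that instruction, extended to the hub name now that the class name is also said not to apply to triggers; otherwise a reader may assume the attribute on the class covers the triggers declared inside it. The new sentence also needs "don't" rather than "doesn't" for the compound subject "the class name of serverless hub and `SignalRConnection` attribute".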
public class HubName1 : ServerlessHub
} ```
-All functions that want to use the class-based model need to be a method of the class that inherits from **ServerlessHub**. The class name `SignalRTestHub` in the sample is the hub name.
+All functions that want to use the class-based model need to be a method of the class that inherits from **ServerlessHub**. The class name `HubName1` in the sample is the hub name.
### Define hub method
In class based model, `[SignalRParameter]` is unnecessary because all the argume
### Negotiation experience in class-based model
-Instead of using SignalR input binding `[SignalR]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method.
+Instead of using SignalR input binding `[SignalR]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method:
```cs SignalRConnectionInfo Negotiate(string userId = null, IList<Claim> claims = null, TimeSpan? lifeTime = null) ```
-This features user customizes `userId` or `claims` during the function execution.
+This feature allows user to customize `userId` or `claims` during the function execution.
## Use `SignalRFilterAttribute`
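Review bot: The added sentence reads "allows user to customize", while the matching fix to the `NegotiateAsync` paragraph earlier in this change uses "allows users to customize". Use the plural here too so the two tabs describe the same capability in the same words.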
azure-vmware Azure Security Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-security-integration.md
After connecting data sources to Microsoft Sentinel, you can create rules to gen
6. On the **Incident settings** tab, enable **Create incidents from alerts triggered by this analytics rule** and select **Next: Automated response**.
- :::image type="content" source="../sentinel/media/tutorial-detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel.":::
+ :::image type="content" source="../sentinel/media/detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel.":::
7. Select **Next: Review**.
azure-web-pubsub Concept Azure Ad Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-azure-ad-authorization.md
Microsoft Entra authorizes access rights to secured resources through [Azure rol
Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have. It's recommended to grant the role with the narrowest possible scope. Resources located underneath inherit Azure RBAC roles with broader scopes.
-You can scope access to Azure SignalR resources at the following levels, beginning with the narrowest scope:
+You can scope access to Azure Web PubSub resources at the following levels, beginning with the narrowest scope:
- **An individual resource.**
backup Backup Instant Restore Capability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-instant-restore-capability.md
Title: Azure Instant Restore Capability description: Azure Instant Restore Capability and FAQs for VM backup stack, Resource Manager deployment model- Previously updated : 07/20/2023 Last updated : 04/03/2024 # Get improved backup and restore performance with Azure Backup Instant Restore capability
-> [!NOTE]
-> Based on feedback from users, we've renamed **VM backup stack V2** to **Instant Restore** to reduce confusion with Azure Stack functionality.
-> All Azure Backup users have now been upgraded to **Instant Restore**.
+This article describes the improved backup and restore performance of Instant Restore capability in Azure Backup.
+
+## Key capabilities
-The new model for Instant Restore provides the following feature enhancements:
+The Instant Restore feature provides the following capabilities:
* Ability to use snapshots taken as part of a backup job that's available for recovery without waiting for data transfer to the vault to finish. It reduces the wait time for snapshots to copy to the vault before triggering restore.
-* Reduces backup and restore times by retaining snapshots locally, for two days by default. This default snapshot retention value is configurable to any value between 1 to 5 days.
+* Reduces backup and restore times by retaining snapshots locally, for *two days* using Standard policy and for *seven days* using Enhanced policy by default. This default snapshot retention value is configurable to any value between 1 to 5 days for Standard policy and 1 to 30 days for Enhanced policy.
* Supports disk sizes up to 32 TB. Resizing of disks isn't recommended by Azure Backup.
-* Supports Standard SSD disks along with Standard HDD disks and Premium SSD disks.
+* Standard policy supports Standard SSD disks along with Standard HDD disks and Premium SSD disks. Enhanced policy supports backup and instant restore of Premium SSD v2 and Ultra Disks, in addition to standard HDD, standard SSD, and Premium SSD v1 disks.
* Ability to use an unmanaged VMs original storage accounts (per disk), when restoring. This ability exists even when the VM has disks that are distributed across storage accounts. It speeds up restore operations for a wide variety of VM configurations. * For backup of VMs that are using unmanaged premium disks in storage accounts, with Instant Restore, we recommend allocating *50%* free space of the total allocated storage space, which is required **only** for the first backup. The 50% free space isn't a requirement for backups after the first backup is complete.
-## What's new in this feature
+## How Instant Restore works?
-Currently, the backup job consists of two phases:
+A backup job consists of two phases:
1. Taking a VM snapshot. 2. Transferring a VM snapshot to the Azure Recovery Services vault.
-A recovery point is considered created only after phases 1 and 2 are completed. As a part of this upgrade, a recovery point is created as soon as the snapshot is finished and this recovery point of snapshot type can be used to perform a restore using the same restore flow. You can identify this recovery point in the Azure portal by using ΓÇ£snapshotΓÇ¥ as the recovery point type, and after the snapshot is transferred to the vault, the recovery point type changes to ΓÇ£snapshot and vaultΓÇ¥.
-
-![Backup job in VM backup stack Resource Manager deployment model--storage and vault](./media/backup-azure-vms/instant-rp-flow.png)
+A recovery point is created as soon as the snapshot is finished and this recovery point of snapshot type can be used to perform a restore using the same restore flow. You can identify this recovery point in the Azure portal by using *snapshot* as the recovery point type, and after the snapshot is transferred to the vault, the recovery point type changes to *snapshot and vault*.
-By default, snapshots are retained for two days. This feature allows restore operation from these snapshots there by cutting down the restore times. It reduces the time required to transform and copy data back from the vault.
## Feature considerations
-* Snapshots are stored along with the disks to boost recovery point creation and to speed up restore operations. As a result, you'll see storage costs that correspond to snapshots taken during this period.
-* Incremental snapshots are stored as page blobs. All the users using unmanaged disks are charged for the snapshots stored in their local storage account. Since the restore point collections used by Managed VM backups use blob snapshots at the underlying storage level, for managed disks you'll see costs corresponding to blob snapshot pricing and they're incremental.
-* For premium storage accounts, the snapshots taken for instant recovery points count towards the 10-TB limit of allocated space.
-* You get an ability to configure the snapshot retention based on the restore needs. Depending on the requirement, you can set the snapshot retention to a minimum of one day in the backup policy pane as explained below. This will help you save cost for snapshot retention if you donΓÇÖt perform restores frequently.
-* It's a one directional upgrade. Once upgraded to Instant restore, you can't go back.
-* When you use an Instant Restore recovery point, you must restore the VM or disks to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy.
-
->[!NOTE]
->With this instant restore upgrade, the snapshot retention duration of all the customers (**new and existing both included**) will be set to a default value of two days. However, you can set the duration according to your requirement to any value between 1 to 5 days.
+* The snapshots are stored along with the disks to boost recovery point creation and to speed up restore operations. As a result, you'll see storage costs that correspond to snapshots taken during this period.
+* For standard policy, all snapshots are incremental in nature and are stored as page blobs. All the users using unmanaged disks are charged for the snapshots stored in their local storage account. Since the restore point collections used by Managed VM backups use blob snapshots at the underlying storage level, for managed disks you'll see costs corresponding to blob snapshot pricing and they're incremental.
+* For premium storage accounts, the snapshots taken for instant recovery points count towards the 10-TB limit of allocated space. For Enhanced policy, only Managed VM backups are supported. The initial snapshot is a full copy of the disk(s). The subsequent snapshots are incremental in nature and occupy only delta changes to disks since the last snapshot.
+ When you use an Instant Restore recovery point, you must restore the VM or disks to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy.
## Cost impact
-The incremental snapshots are stored in the VM's storage account, which is used for instant recovery. Incremental snapshot means the space occupied by a snapshot is equal to the space occupied by pages that are written after the snapshot was created. Billing is still for the per GB used space occupied by the snapshot, and the price per GB is same as mentioned on the [pricing page](https://azure.microsoft.com/pricing/details/managed-disks/). For VMs that use unmanaged disks, the snapshots can be seen in the menu for the VHD file of each disk. For managed disks, snapshots are stored in a restore point collection resource in a designated resource group, and the snapshots themselves aren't directly visible.
+Instant Restore feature for snapshots (stored along with the disks) boosts recovery point creation and speed up restore operations. This incurs additional storage costs for the corresponding snapshots taken during this period. The snapshot storage cost varies depending on the type of backup policy.
+
+### Cost impact of standard policy
+
+Standard policy uses blob snapshots for Instant Restore functionality. All snapshots are incremental in nature and stored in the VM's storage account, which is used for instant recovery. Incremental snapshot means the space occupied by a snapshot is equal to the space occupied by pages that are written after the snapshot was created. Billing is still for the per GB used space occupied by the snapshot as explained in [this section](../storage/blobs/snapshots-overview.md#pricing-and-billing). As an illustration, consider a VM with 100GB in size, change rate of 2% and retention of 5 days for Instant Restore. In this case, the snapshot storage billed will be 10GB (100* 0.02* 5).
+
+For VMs that use unmanaged disks, the snapshots can be seen in the menu for the VHD file of each disk. For managed disks, snapshots are stored in a restore point collection resource in a designated resource group, and the snapshots themselves aren't directly visible.
+
+### Cost impact of enhanced policy
+
+Enhanced policy uses Managed disk snapshots for Instant Restore functionality. The initial snapshot is a full copy of the disk(s). The subsequent snapshots are incremental in nature and occupy only delta changes to disks since the last snapshot. Pricing for managed disk snapshots is explained in [this pricing page](https://azure.microsoft.com/pricing/details/managed-disks/).
+
+For example, a VM with 100GB in size has a change rate of 2% and retention of 5 days for Instant Restore. In this case, the snapshot storage billed will be 108GB (100 + 100 X 0.02 X 4).
>[!NOTE]
-> Snapshot retention is fixed to 5 days for weekly policies.
+> Snapshot retention is fixed to 5 days for weekly policies for Standard policy and can vary between 5 to 20 days for enhanced policy.
## Configure snapshot retention
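Review bot: In the "Feature considerations" list, the restriction that an Instant Restore recovery point must be restored to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy has lost its bullet marker and now reads as a continuation of the premium storage bullet, which has itself absorbed three unrelated sentences about Enhanced policy. Give the CMK restriction its own bullet again and move the Enhanced policy sentences into a separate bullet, so the restore constraint is not overlooked. Smaller points in the same hunk: the heading "How Instant Restore works?" should be either a statement or "How does Instant Restore work?", "speed up" should be "speeds up" in the first Cost impact paragraph, and the two worked examples use different multiplication symbols (`*` in the Standard example, `X` in the Enhanced one).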
Yes, for premium storage accounts the snapshots taken for instant recovery point
### How does the snapshot retention work during the five-day period?
-Each day a new snapshot is taken, then there are five individual incremental snapshots. The size of the snapshot depends on the data churn, which are in most cases around 2%-7%.
+For Standard policy, each day a new snapshot is taken, then there are five individual incremental snapshots. The size of the snapshot depends on the data churn, which are in most cases around 2%-7%. For Enhanced policy, the initial snapshot is a full snapshot and subsequent snapshots are incremental in nature.
### Is an instant restore snapshot an incremental snapshot or full snapshot?
-Snapshots taken as a part of instant restore capability are incremental snapshots.
+For Standard policy, snapshots taken as a part of instant restore capability are incremental snapshots. For Enhanced policy, the initial snapshot is a full snapshot and subsequent snapshots are incremental in nature.
### How can I calculate the approximate cost increase due to instant restore feature?
-It depends on the churn of the VM. In a steady state, you can assume the increase in cost is = Snapshot retention period daily churn per VM storage cost per GB.
+It depends on the churn of the VM.
+
+- **Standard policy**: In a steady state, you can assume the increase in cost is = Snapshot retention period daily churn per VM snapshot storage cost per GB.
+- **Enhanced policy**: In a steady state, you can assume the increase in cost is = ((Size of VM) + (Snapshot retention period-1)*daily churn per VM) * snapshot storage cost per GB.
### If the recovery type for a restore point is ΓÇ£Snapshot and vaultΓÇ¥ and I perform a restore operation, which recovery type will be used? If the recovery type is ΓÇ£snapshot and vaultΓÇ¥, restore will be automatically done from the local snapshot, which will be much faster compared to the restore done from the vault.
-### What happens if I select retention period of restore point (Tier 2) less than the snapshot (Tier1) retention period?
+### What happens if I select retention period of restore point (Tier 2) less than the snapshot (Tier 1) retention period?
-The new model doesn't allow deleting the restore point (Tier2) unless the snapshot (Tier1) is deleted. We recommend scheduling restore point (Tier2) retention period greater than the snapshot retention period.
+The new model doesn't allow deleting the restore point (Tier 2) unless the snapshot (Tier 1) is deleted. We recommend scheduling restore point (Tier 2) retention period greater than the snapshot retention period.
### Why does my snapshot still exist, even after the set retention period in backup policy?
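Review bot: The Standard policy formula in the cost FAQ has no operators: "Snapshot retention period daily churn per VM snapshot storage cost per GB" reads as one phrase, while the Enhanced policy line beneath it writes its multiplications with `*`. Write the Standard formula with explicit multiplication signs, inside a code span so the asterisks survive rendering. In the same hunk, the Tier 2 answer still begins "The new model", although this change removes the upgrade framing from the rest of the article.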
If the recovery point has a snapshot and it's the latest recovery point availabl
### Why do I see more snapshots than my retention policy?
-In a scenario where a retention policy is set as ΓÇ£1ΓÇ¥, you can find two snapshots. This mandates that at least one latest recovery point always be present, in case all subsequent backups fail due to an issue in the VM. This can cause the presence of two snapshots.<br></br>So, if the policy is for "n" snapshots, you can find ΓÇ£n+1ΓÇ¥ snapshots at times. Further, you can even find ΓÇ£n+1+2ΓÇ¥ snapshots if there is a delay in garbage collection. This can happen at rare times when:
+In a scenario where a retention policy is set as ΓÇ£1ΓÇ¥, you can find two snapshots. This mandates that at least one latest recovery point always be present, in case all subsequent backups fail due to an issue in the VM. This can cause the presence of two snapshots.<br></br>So, if the policy is for "n" snapshots, you can find ΓÇ£n+1ΓÇ¥ snapshots at times. Further, you can even find ΓÇ£n+1+2ΓÇ¥ snapshots if there's a delay in garbage collection. This can happen at rare times when:
- You clean up snapshots, which are past retention. - The garbage collector (GC) in the backend is under heavy load.
Instant restore feature is enabled for everyone and can't be disabled. You can r
### Is it safe to restart the VM during the transfer process (which can take many hours)? Will restarting the VM interrupt or slow down the transfer?
-Yes it's safe, and there is absolutely no impact in data transfer speed.
+Yes it's safe, and there's absolutely no impact in data transfer speed.
batch Batch Automatic Scaling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-automatic-scaling.md
Title: Autoscale compute nodes in an Azure Batch pool description: Enable automatic scaling on an Azure Batch cloud pool to dynamically adjust the number of compute nodes in the pool. Previously updated : 02/29/2024 Last updated : 04/02/2024
You can use both resource and task metrics when you define a formula. You adjust
| Metric | Description | |-|--|
-| Resource | Resource metrics are based on the CPU, the bandwidth, the memory usage of compute nodes, and the number of nodes.<br><br>These service-defined variables are useful for making adjustments based on node count:<br>- $TargetDedicatedNodes <br>- $TargetLowPriorityNodes <br>- $CurrentDedicatedNodes <br>- $CurrentLowPriorityNodes <br>- $PreemptedNodeCount <br>- $SampleNodeCount <br><br>These service-defined variables are useful for making adjustments based on node resource usage: <br>- $CPUPercent <br>- $WallClockSeconds <br>- $MemoryBytes <br>- $DiskBytes <br>- $DiskReadBytes <br>- $DiskWriteBytes <br>- $DiskReadOps <br>- $DiskWriteOps <br>- $NetworkInBytes <br>- $NetworkOutBytes |
+| Resource | Resource metrics are based on the CPU, the bandwidth, the memory usage of compute nodes, and the number of nodes.<br><br>These service-defined variables are useful for making adjustments based on node count:<br>- $TargetDedicatedNodes <br>- $TargetLowPriorityNodes <br>- $CurrentDedicatedNodes <br>- $CurrentLowPriorityNodes <br>- $PreemptedNodeCount <br>- $UsableNodeCount <br><br>These service-defined variables are useful for making adjustments based on node resource usage: <br>- $CPUPercent <br>- $WallClockSeconds <br>- $MemoryBytes <br>- $DiskBytes <br>- $DiskReadBytes <br>- $DiskWriteBytes <br>- $DiskReadOps <br>- $DiskWriteOps <br>- $NetworkInBytes <br>- $NetworkOutBytes |
| Task | Task metrics are based on the status of tasks, such as Active, Pending, and Completed. The following service-defined variables are useful for making pool-size adjustments based on task metrics: <br>- $ActiveTasks <br>- $RunningTasks <br>- $PendingTasks <br>- $SucceededTasks <br>- $FailedTasks | ## Obtain sample data
batch Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/best-practices.md
Title: Best practices description: Learn best practices and useful tips for developing your Azure Batch solutions. Previously updated : 02/29/2024 Last updated : 04/02/2024
A job doesn't automatically move to completed state unless explicitly terminated
There's a default [active job and job schedule quota](batch-quota-limit.md#resource-quotas). Jobs and job schedules in completed state don't count towards this quota.
+Delete jobs when they're no longer needed, even if in completed state. Although completed jobs don't count towards
+active job quota, it's beneficial to periodically clean up completed jobs. For example,
+[listing jobs](/rest/api/batchservice/job/list) will be more efficient when the total number of jobs is a smaller
+set (even if proper filters are applied to the request).
+ ## Tasks [Tasks](jobs-and-tasks.md#tasks) are individual units of work that comprise a job. Tasks are submitted by the user and scheduled by Batch on to compute nodes. The following sections provide suggestions for designing your tasks to handle issues and perform efficiently.
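Review bot: The added paragraph tells readers to delete completed jobs but not what to keep first. Add a sentence on retaining any job or task information that is still needed for audit or troubleshooting before the job is deleted. The closing parenthetical "(even if proper filters are applied to the request)" is also hard to parse; say directly that list calls are slower with many jobs whether or not a filter is used.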
Deleting tasks accomplishes two things:
> For tasks just submitted to Batch, the DeleteTask API call takes up to 10 minutes to take effect. Before it takes effect, > other tasks might be prevented from being scheduled. It's because Batch Scheduler still tries to schedule the tasks just > deleted. If you wanted to delete one task shortly after it's submitted, please terminate the task instead (since the
-> terminate task will take effect immediately). And then delete the task 10 minutes later.
+> terminate task request will take effect immediately). And then delete the task 10 minutes later.
### Submit large numbers of tasks in collection
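Review bot: In the changed note, "And then delete the task 10 minutes later." is a sentence fragment, and it does not say what the 10 minutes is counted from, while the same note says the DeleteTask call "takes up to 10 minutes to take effect". Merge it into the previous sentence and state whether the wait runs from submission or from termination.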
cloud-services-extended-support In Place Migration Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services-extended-support/in-place-migration-overview.md
The below table highlights comparison between these two options.
| Redeploy | In-place migration | |||
-| Customers can deploy a new cloud service directly in Azure Resource Manager and then delete the old cloud service in Azure Service Manager thorough validation. | The in-place migration tool enables a seamless, platform orchestrated migration of existing Cloud Services (classic) deployments to Cloud Services (extended support). |
+| Customers can deploy a new cloud service directly in Azure Resource Manager and then delete the old cloud service in Azure Service Manager after thorough validation. | The in-place migration tool enables a seamless, platform orchestrated migration of existing Cloud Services (classic) deployments to Cloud Services (extended support). |
| Redeploy allows customers to: <br><br> - Define resource names. <br><br> - Organize or reuse resources as preferred. <br><br> - Reuse service configuration and definition files with minimal changes. | For in-place migration, the platform: <br><br> - Defines resource names. <br><br> - Organizes each deployment and related resources in individual Resource Groups. <br><br> - Modifies existing configuration and definition file for Azure Resource Manager. | | Customers need to orchestrate traffic to the new deployment. | Migration retains IP address and data path remains the same. | | Customers need to delete the old cloud services in Azure Resource Manager. | Platform deletes the Cloud Services (classic) resources after migration. |
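Review bot: The corrected Redeploy cell says the old cloud service is deleted "in Azure Service Manager", but the last row of the same table, left unchanged, says customers "delete the old cloud services in Azure Resource Manager". The two rows disagree on where the old service lives. Since the table calls the old deployment Cloud Services (classic), the last row looks like the one to fix while this table is being edited.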
communication-services Call Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/call-automation.md
The Call Automation events are sent to the web hook callback URI specified when
To understand which events are published for different actions, refer to [this guide](../../how-tos/call-automation/actions-for-call-control.md) that provides code samples and sequence diagrams for various call control flows.
+When acknowledging callback events, it's best practice to respond with standard HTTP status codes like 200 OK. Detailed information is unnecessary and is more suitable for your debugging processes.
+ To learn how to secure the callback event delivery, refer to [this guide](../../how-tos/call-automation/secure-webhook-endpoint.md). ### Operation Callback Uri
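Review bot: "Detailed information is unnecessary and is more suitable for your debugging processes" does not say where the detail is unnecessary. Write it as an instruction about the response itself: return a bare status code such as 200 OK with no detail in the body, and keep diagnostic detail in your own logs.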
communication-services Email Optout Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/email/email-optout-management.md
+
+ Title: Emails opt out management using suppression list within Azure Communication Service Email
+
+description: Learn about Managing Opt-outs to enhance Email Delivery in your B2C Communications.
++++ Last updated : 04/01/2024++++
+# Overview
++
+This article provides the Email delivery best practices and how to use the Azure Communication Services Email suppression list feature that allows customers to manage opt-out capabilities for email communications. It also provides information on the features that are important for emails opt out management that helps you improve email complaint management, promote better email practices, and increase your email delivery success, boosting the likelihood of getting to recipients' inboxes efficiently.
+
+## Opt out or unsubscribe management: Ensuring transparent sender reputation
+It's important to know how interested your customers are in your email communication and to respect their opt-out or unsubscribe requests when they decide not to get emails from you. This helps you keep a good sender reputation. Whether you have a manual or automated process in place for handling unsubscribes, it's important to provide an "unsubscribe" link in the email payload you send. When recipients decide not to receive further emails, they can click on the 'unsubscribe' link and remove their email address from your mailing list.
+
+The functionality of the links and instructions in the email is vital; they must be working correctly and promptly notify the application mailing list to remove the contact from the appropriate list or lists. A proper unsubscribe mechanism should be explicit and transparent from the subscriber's perspective, ensuring they know precisely which messages they're unsubscribing from. Ideally, they should be offered a preferences center that gives them the option to unsubscribe in cases where they're subscribed to multiple lists within your organization. This process prevents accidental unsubscribes and allows users to manage their opt-in and opt-out preferences effectively through the unsubscribe management process.
+
+## Managing emails opt out preferences with suppression list in Azure Communication Service Email
+Azure Communication Service Email offers a powerful platform with a centralized managed unsubscribe list with opt out preferences saved to our data store. This feature helps the developers to meet guidelines of email providers, requiring one-click list-unsubscribe implementation in the emails sent from our platform. To proactively identify and avoid significant delivery problems, suppression list features, including but not limited to:
+
+* Offers domain-level, customer managed lists that provide opt-out capabilities.
+* Provides Azure resources that allow for Create, Read, Update, and Delete (CRUD) operations via Azure portal, Management SDKs, or REST APIs.
+* Apply filters in the sending pipeline, all recipients are filtered against the addresses in the domain suppression lists and email delivery isn't attempted for the recipient addresses.
+* Gives the ability to manage a suppression list for each sender email address, which is used to filter/suppress email recipient addresses when sending emails.
+* Caches suppression list data to reduce expensive database lookups, and this caching is domain-specific based on the frequency of use.
+* Adds Email addresses programmatically for an easy opt-out process for unsubscribing.
+
+### Benefits of opt out or unsubscribe management
+Using a suppression list in Azure Communication Services offers several benefits:
+* Compliance and Legal Considerations: This feature is crucial for adhering to legal responsibilities defined in local government legislation like the CAN-SPAM Act in the United States. It ensures that customers can easily manage opt-outs and maintain compliance with these regulations.
+* Better Sender Reputation: When emails aren't sent to users who have chosen to opt out, it helps protect the senderΓÇÖs reputation and lowers the chance of being blocked by email providers.
+* Improved User Experience: It respects the preferences of users who don't wish to receive communications, leading to a better user experience and potentially higher engagement rates with recipients who choose to receive emails.
+* Operational Efficiency: Suppression lists can be managed programmatically, allowing for efficient handling of large numbers of opt-out requests without manual intervention.
+* Cost-Effectiveness: By not sending emails to recipients who opted out, it reduces the volume of sent emails, which can lower operational costs associated with email delivery.
+* Data-Driven Decisions: The suppression list feature provides insights into the number of opt-outs, which can be valuable data for making informed decisions about email campaign strategies.
+
+These benefits contribute to a more efficient, compliant, and user-friendly email communication system when using Azure Communication Services. To enable email logs and monitor your email delivery, follow the steps outlined in [Azure Communication Services email logs Communication Service in Azure Communication Service](../../concepts/analytics/logs/email-logs.md).
+
+## Next steps
+
+The following documents may be interesting to you:
+
+- Familiarize yourself with the [Email client library](../email/sdk-features.md)
+- How to send emails with custom verified domains? [Add custom domains](../../quickstarts/email/add-custom-verified-domains.md)
+- How to send emails with Azure Managed Domains? [Add Azure Managed domains](../../quickstarts/email/add-azure-managed-domains.md)
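Review bot: The sentence that introduces the feature list, "To proactively identify and avoid significant delivery problems, suppression list features, including but not limited to:", has no main verb, and the bullets under it switch between "Offers", "Apply" and "Adds", so it is unclear which items the service does and which the customer does. Rewrite the lead-in as a full sentence and give every bullet the same subject. The bullet "Adds Email addresses programmatically" should also say who is allowed to add an address to a list. Smaller points: the product is named both "Azure Communication Service Email" and "Azure Communication Services", and the link text at the end of the Benefits section ("Azure Communication Services email logs Communication Service in Azure Communication Service") repeats itself.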
communication-services Email Smtp Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/email/email-smtp-overview.md
# Azure Communication Services Email SMTP as Service+ Email is still a vital channel for global businesses to connect with customers, and it's an essential part of business communications. Many businesses made large investments in on-premises infrastructures to support the strong SMTP email needs of their line-of-business (LOB) applications. However, delivering and securing outgoing emails from these existing LOB applications poses a varied challenge. As outgoing emails become more numerous and important, the difficulties of managing this critical aspect of communication become more obvious. Organizations often face problems such as email deliverability, security risks, and the need for centralized control over outgoing communications.
communication-services Privacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/privacy.md
The list of geographies you can choose from includes:
- United Kingdom - United States
+> [!Note]
+> Advanced Messaging for WhatsApp is only available in the following Regions.
+
+- Asia Pacific
+- Australia
+- Europe
+- United Kingdom
+- United States
+ ## Data collection Azure Communication Services only collects diagnostic data required to deliver the service.
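Review bot: The added list sits outside the `> [!Note]` block that introduces it, directly after the general geography list, which also ends in "United Kingdom" and "United States". A reader cannot tell where the general list stops and the WhatsApp list starts. Put the five regions inside the note (prefix each with `>`), or give the list its own heading.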
communication-services Known Limitations Acs Telephony https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/telephony/known-limitations-acs-telephony.md
Previously updated : 12/05/2023 Last updated : 04/03/2024
This article provides information about limitations and known issues related to
- Location-based routing isn't supported. - No quality dashboard is available for customers. - Enhanced 911 isn't supported.-- In-band DTMF is not supported, use RFC 2833 DTMF instead.-- Multiple IP addresses mapped with the same FQDN on the SBC side are not supported.
+- In-band Dual-tone multi-frequency (DTMF) isn't supported. Use RFC 2833 DTMF instead.
+- Multiple IP addresses mapped with the same FQDN on the SBC side aren't supported.
+- Maximum call duration is 30 hours.
## Next steps
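Review bot: "Maximum call duration is 30 hours." gives the limit but not what happens when a call reaches it. Say whether the call is ended by the service and what the application sees when that happens. In the DTMF bullet, "Dual-tone" is capitalised mid-sentence; "dual-tone multi-frequency (DTMF)" is enough.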
communication-services Send Email Smtp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/email/send-email-smtp/send-email-smtp.md
zone_pivot_groups: acs-smtp-sending-method # Quickstart: Send email with SMTP In this quick start, you learn about how to send email using SMTP.
communication-services Smtp Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/email/send-email-smtp/smtp-authentication.md
# Quickstart: How to create authentication credentials for sending emails using SMTP - In this quick start, you learn about how to use an Entra application to create the authentication credentials for using SMTP to send an email using Azure Communication Services. ## Prerequisites
communication-services Ask Device Permission Api Takes Too Long https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/ask-device-permission-api-takes-too-long.md
+
+ Title: Device and permission issues - askDevicePermission API takes too long
+
+description: Learn how to troubleshoot when askDevicePermission API takes too long.
++++ Last updated : 03/29/2024+++++
+# The askDevicePermission API takes too long
+The [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API prompts the end user via the browser asking if they allow permission to use camera or microphone.
+If the end user approves camera or microphone usage, then those devices are available to be used in a call. The devices availability is reflected in available device list.
+
+User taking a long time to approve the permission can cause delay in the API response.
+
+Occasionally, the device list update step can take a long time.
+A delay in the driver layer is usually the cause of the issue. The issue can happen with some virtual audio devices in particular. [Chromium Issue 1402866](https://bugs.chromium.org/p/chromium/issues/detail?id=1402866&no_tracker_redirect=1)
+
+## How to detect using the SDK
+To detect this issue, you can measure the time difference between when you call the [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API and when the promise resolves or rejects.
+
+## How to mitigate or resolve
+If the [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API fails due to the user not responding to the UI permission prompt,
+the application can retry the API again and the user should see the UI permission prompt.
+
+As for other reasons, such as the device list updating taking too long to complete, the user should check their devices and see if there's any device that could potentially be causing this issue.
+They may need to update or remove the problematic device to resolve the issue.
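Review bot: The article treats a slow user response as a delay in the opening section ("can cause delay in the API response") but as a failure in the mitigation section ("fails due to the user not responding"), and never says whether the promise rejects after a timeout. State which it is. The detection section also needs a duration the reader should treat as too long, since "measure the time difference" alone gives no threshold. The Chromium issue link at the end of the cause paragraph has no sentence introducing it.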
communication-services No Enumerated Microphone List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/no-enumerated-microphone-list.md
+
+ Title: Device and permission issues - getMicrophones API doesn't return detailed microphone list
+
+description: Learn how to troubleshoot when getMicrophones API doesn't return detailed microphone list.
++++ Last updated : 03/29/2024+++++
+# The getMicrophones API doesn't return detailed microphone list
+If a user reports they can't see the detailed microphone list,
+it's likely because the user didn't grant permission to access the microphone.
+When the permission state is `prompt` or `denied`, the browser doesn't provide detailed information about the microphone devices.
+In this scenario, the [`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an array with one object, where the `id` is set to `microphone:` and the name is set to an empty string.
+
+It's important to note that this scenario differs from the scenario where a user doesn't have any microphone on their device. If a device doesn't have any microphones the [`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an empty array, indicating that there's no available microphone devices on the user's system.
+
+## How to detect using the SDK
+[`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an empty array or an array with an object, where the `id` is set to `microphone:` and the name is set to an empty string.
+
+Additionally, to detect the scenario where the user removes the microphone during the call and there are no available microphones in the system,
+the application can listen to the [`noMicrophoneDevicesEnumerated`](/javascript/api/azure-communication-services/@azure/communication-calling/latestmediadiagnostics?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-latestmediadiagnostics-nomicrophonedevicesenumerated) event being raised to true in the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md).
+This event can help the application understand the current situation, so it can show a warning message on its UI accordingly.
+
+## How to mitigate or resolve
+Your application should always call the [`DeviceManager.askDevicePermission`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-askdevicepermission) API to ensure that the required permissions are granted.
+If the user doesn't grant the microphone permission, your application should display a warning message on its user interface.
+
+Additionally, your application should listen to the [`noMicrophoneDevicesEnumerated`](/javascript/api/azure-communication-services/@azure/communication-calling/latestmediadiagnostics?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-latestmediadiagnostics-nomicrophonedevicesenumerated) event and show a message when there are no available microphone devices.
+If the application provides a device selection page before the call,
+it can also check whether the microphone list is empty and shows a warning accordingly indicating no mic devices available.
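Review bot: The detection section folds two cases into one sentence ("returns an empty array or an array with an object") right after the article explains that they mean different things: no microphone present versus permission not granted. Split it into two bullets and tie each return value to its cause so the application can show the right warning. In the last sentence, "and shows a warning" should be "and show a warning".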
communication-services No Enumerated Speaker List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/no-enumerated-speaker-list.md
+
+ Title: Device and permission issues - getSpeakers API doesn't return detailed speaker list
+
+description: Learn how to troubleshoot when getSpeakers API doesn't return detailed speaker list.
++++ Last updated : 03/28/2024+++++
+# The getSpeakers API doesn't return detailed speaker list
+If a user reports that they can't see the detailed speaker list, it could be because the application doesn't have permission to access the microphone.
+Alternatively, the platform may not support speaker enumeration.
+
+The way browsers currently work may seem counterintuitive, as the permission to access the microphone can interfere with the enumeration of speakers.
+The speaker and microphone enumeration shares the same permission information.
+
+When the microphone permission state is `prompt` or `denied`, the browser doesn't provide detailed information about the microphone devices and speaker devices.
+In this scenario, [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API returns an array with one object, where the `id` is set to `speaker:` and the name is set to an empty string.
+
+Some platforms, such as iOS Safari, macOS Safari, or earlier versions of Firefox don't support speaker enumeration.
+
+It's important to note that this scenario is different from the scenario where a user doesn't have any audio output device.
+In the latter case, the [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API only returns an empty array, indicating that there's no available audio output device in the user's system.
+
+## How to detect using the SDK
+[`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API returns an empty array or an array with an object, where the `id` is set to `speaker:` and the name is set to an empty string.
+
+Additionally, to detect the scenario where the user removes the speaker during the call and there are no available audio output devices in the system, the application can listen to the `noSpeakerDevicesEnumerated` event being raised to true in the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md). This event can help the application understand the current situation, and show the warning message on its UI accordingly.
+
+For the platform that doesn't support speaker enumeration, you get an error when calling [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API.
+
+The error code/subcode is
+
+| error | Details |
+||-|
+| code | 405 (Method Not Allowed) |
+| subcode | 40606 |
+| message | This device doesn't support speaker enumeration. |
+| resultCategories | Expected |
+
+## How to mitigate or resolve
+The application should always call the `DeviceManager.askDevicePermission` API to ensure that the required permissions are granted.
+If the user doesn't grant the microphone permission, the application should show a warning on its user interface, so the user knows that they aren't able to see the speaker device list.
+
+The application should also check whether the speaker list is empty or handle the error when calling [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API, and show a warning accordingly.
+Additionally, the application should listen to the `noSpeakerDevicesEnumerated` event and show a message when there are no available speaker devices.
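Review bot: "earlier versions of Firefox" in the platform-support sentence gives the reader nothing to check against. Name the version from which speaker enumeration is supported, or link to a compatibility reference. The error table is introduced by the fragment "The error code/subcode is", which should be a full sentence, and `DeviceManager.askDevicePermission` and `noSpeakerDevicesEnumerated` are unlinked in this article although every `getSpeakers` mention is linked.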
communication-services No Permission Prompt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/no-permission-prompt.md
+
+ Title: Device and permission issues - no permission prompt after calling askDevicePermission
+
+description: Learn why there's no permission prompt after calling askDevicePermission.
++++ Last updated : 03/29/2024+++++
+# No permission prompt shows when calling askDevicePermission
+If a user reports that they don't see any permission prompts, it may be because they previously granted or denied permission and the browser caches the result.
+
+Not showing the permission prompt isn't a problem if the browser has the required permission.
+However, if the user can't see the device list, it could be because they denied permission before.
+
+Another possible reason for the lack of a permission prompt is that the user's system doesn't have any microphone or camera devices available,
+causing the browser to skip the prompt even if the permission state is set to `prompt`.
+
+## How to detect using the SDK
+We can't detect whether the permission prompt actually shows or not, as this browser behavior can't be detected at JavaScript layer.
+
+## How to mitigate or resolve
+The application should check the result of [`DeviceManager.askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API.
+If the result is false, it may indicate that user denied the permission now or previously.
+
+The application should show a warning message and ask the user to check their browser settings to ensure that correct permissions were granted.
+They also need to verify that their system has the necessary devices installed and configured properly.
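Review bot: In the mitigation section the link text reads `DeviceManager.askDevicePermission`, but the URL targets `@azure/communication-react/calladapterdevicemanagement`, which is not the `DeviceManager` type the text names. Point the link at the DeviceManager reference. "If the result is false" also needs to say which part of the result is meant, since the article covers both microphone and camera permission.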
communication-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/overview.md
+
+ Title: Device and permission issues - Overview
+
+description: Overview of device and permission issues
++++ Last updated : 03/29/2024+++++
+# Overview of device and permission issues
+In the WebJS calling SDK, there are two types of permissions: browser permissions and system permissions.
+When an application needs to access a user's audio or video input device, it requires permissions granted at both the browser and system level.
+
+If an application doesn't have the required permission, it can't access the device,
+which means that other participants in the call are unable to see or hear the user.
+
+To avoid these issues, it's important for users to grant the necessary permissions when prompted by the browser.
+If a user accidentally denies permission or needs to change their permissions later, they can usually do so through the browser settings.
+
+The permission is also necessary for the application to retrieve detailed device list information.
+The application can call [`DeviceManager.askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) to trigger the permission prompt UI.
+However, the browser may cache the permission result and return it without showing the permission prompt UI.
+If the permission result is `denied`, the user needs to update the permission through the browser settings.
+
+## Common issues related to the device and permission
+Here are some common issues related to devices and permissions, along with their potential causes:
+
+### The getMicrophones API returns an empty array or doesn't return detailed microphone list
+* The microphone device isn't available in the system.
+* The microphone permission isn't granted.
+
+### The getSpeakers API returns an empty array or doesn't return detailed speaker list
+* The speaker device isn't available in the system.
+* The browser doesn't support speaker enumeration.
+* The microphone permission isn't granted.
+
+### No permission prompt shows when calling askDevicePermission
+* The browser caches the permission result granted or denied previously and returns it without prompting the user.
+* The microphone device isn't available when requesting microphone permission.
+* The camera device isn't available when requesting camera permission.
+
+### The askDevicePermission API takes too long
+* The user doesn't grant or deny the permission prompt.
+* The device driver layer responds slowly.
+
+## Next steps
+
+This overview article provides basic information on device and permission issues you may encounter when using the WebJS calling SDK.
+For more detailed guidance, follow the links to the pages listed within the `Device and permission issues` section of this troubleshooting guide.
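Review bot: The "Next steps" section tells readers to "follow the links to the pages listed", but the article contains no links to the four troubleshooting pages. Make each "###" heading under "Common issues" a link to its article, or add a linked list here. The `DeviceManager.askDevicePermission` link in the permissions paragraph targets `@azure/communication-react/calladapterdevicemanagement` rather than the DeviceManager reference its text names.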
container-apps Workload Profiles Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/workload-profiles-overview.md
There are different types and sizes of workload profiles available by region. By
| Display name | Name | vCPU | Memory (GiB) | GPU | Category | Allocation | |||||||
-| Consumption | consumption |4 | 8 | - | Consumption | per replica |
+| Consumption | Consumption |4 | 8 | - | Consumption | per replica |
| Dedicated-D4 | D4 | 4 | 16 | - | General purpose | per node | | Dedicated-D8 | D8 | 8 | 32 | - | General purpose | per node | | Dedicated-D16 | D16 | 16 | 64 | - | General purpose | per node |
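Review bot: The Name column holds the short identifiers of the other profiles (D4, D8, D16), so changing `consumption` to `Consumption` changes a value readers are likely to copy into commands and templates. Confirm the capitalised form is the one the service accepts, and say in the text whether the name is case-sensitive.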
cosmos-db Ai Advantage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/ai-advantage.md
There are many benefits when using Azure Cosmos DB and Azure AI together:
The Azure AI Advantage offer is for existing Azure AI and GitHub Copilot customers who want to use Azure Cosmos DB as part of their solution stack. With this offer, you get: -- Free 40,000 RU/s of Azure Cosmos DB throughput for 90 days.
+- Free 40,000 [RU/s](request-units.md) of Azure Cosmos DB throughput (equivalent of up to $6,000) for 90 days.
- Funding to implement a new AI application using Azure Cosmos DB and/or Azure Kubernetes Service. For more information, speak to your Microsoft representative.
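Review bot: "(equivalent of up to $6,000)" states a dollar value with no basis. Say what pricing the figure assumes (region, currency, date), or link to the pricing page, so the number can be checked against the offer.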
cosmos-db Free Tier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/free-tier.md
Last updated 07/08/2022
Azure Cosmos DB free tier makes it easy to get started, develop, test your applications, or even run small production workloads for free. When free tier is enabled on an account, you'll get the first 1000 RU/s and 25 GB of storage in the account for free. The throughput and storage consumed beyond these limits are billed at regular price. Free tier is available for all API accounts with provisioned throughput, autoscale throughput, single, or multiple write regions.
-Free tier lasts indefinitely for the lifetime of the account and it comes with all the [benefits and features](introduction.md#key-benefits) of a regular Azure Cosmos DB account. These benefits include unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more.
+Free tier lasts indefinitely for the lifetime of the account and it comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account. These benefits include unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more.
You can have up to one free tier Azure Cosmos DB account per an Azure subscription and you must opt in when creating the account. If you don't see the option to apply the free tier discount, another account in the subscription has already been enabled with free tier. If you create an account with free tier and then delete it, you can apply free tier for a new account. When creating a new account, itΓÇÖs recommended to enable the free tier discount if itΓÇÖs available.
cosmos-db Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/introduction.md
Title: Azure Cosmos DB ΓÇô Unified AI Database
-description: Azure Cosmos DB is a global multi-model database and ideal database for AI applications requiring speed, elasticity and availability with native support for NoSQL, relational, and vector data.
+ Title: Unified AI Database
+
+description: Database for AI Era - Azure Cosmos DB is a NoSQL, relational, and vector database that provides unmatched reliability and flexibility for your operational data needs.
Previously updated : 11/02/2023 Last updated : 04/03/2024 adobe-target: true
-# Azure Cosmos DB ΓÇô Unified AI Database
+# Database for AI Era
[!INCLUDE[NoSQL, MongoDB, Cassandra, Gremlin, Table, PostgreSQL](includes/appliesto-nosql-mongodb-cassandra-gremlin-table-postgresql.md)]
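Review bot: The new title and H1 (`Title: Unified AI Database`, `# Database for AI Era`) no longer contain the product name, so the page heading and search results stop saying which service this introduction covers. Suggest keeping "Azure Cosmos DB" in both and using one phrase consistently: the title says "Unified AI Database" while the H1 and description say "Database for AI Era", which also reads as if it is missing an article ("the AI era").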
-> OpenAI relies on Cosmos DB to dynamically scale their ChatGPT service ΓÇô one of the fastest-growing consumer apps ever ΓÇô enabling high reliability and low maintenance.ΓÇ¥ ΓÇô Satya Nadella, Microsoft chairman and chief executive officer
+> "OpenAI relies on Cosmos DB to dynamically scale their ChatGPT service ΓÇô one of the fastest-growing consumer apps ever ΓÇô enabling high reliability and low maintenance." ΓÇô Satya Nadella, Microsoft chairman and chief executive officer
Today's applications are required to be highly responsive and always online. They must respond in real time to large changes in usage at peak hours, store ever increasing volumes of data, and make this data available to users in milliseconds. To achieve low latency and high availability, instances of these applications need to be deployed in datacenters that are close to their users.
-Recently, the surge of AI-powered applications created another layer of complexity, because many of these applications currently integrate a multitude of data stores. For example, some teams built applications that simultaneously connect to MongoDB, Postgres, Redis, and Gremlin. These databases differ in implementation workflow and operational performances, posing extra complexity for scaling applications.
+The surge of AI-powered applications created another layer of complexity, because many of these applications integrate a multitude of data stores. For example, some organizations built applications that simultaneously connect to MongoDB, Postgres, Redis, and Gremlin. These databases differ in implementation workflow and operational performances, posing extra complexity for scaling applications.
-Azure Cosmos DB simplifies and expedites your application development by being the single AI database for your operational data needs, from caching to vector search. It accommodates all your operational data models, including relational, document, vector, key-value, graph, and table.
+Azure Cosmos DB simplifies and expedites your application development by being the single database for your operational data needs, from caching to backup to vector search. It provides the data infrastructure for modern applications like AI, digital commerce, Internet of Things, and booking management. It can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.
-Azure Cosmos DB is a fully managed NoSQL, relational, and vector database for AI, digital commerce, Internet of Things, booking management, and other types of modern applications. It offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.
+## An AI database providing industry-leading capabilities... for free
+
+Azure Cosmos DB is a fully managed NoSQL, relational, and vector database. It offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.
App development is faster and more productive thanks to: - Turnkey multi-region data distribution anywhere in the world - Open source APIs-- SDKs for popular languages.-- AI database functionalities like native vector search or seamless integration with Azure AI Services to support Retrieval Augmented Generation
+- SDKs for popular languages
+- AI database functionalities like integrated vector database or seamless integration with Azure AI Services to support Retrieval Augmented Generation
+- Query Copilot for generating NoSQL queries based on your natural language prompts [(preview)](nosql/query/how-to-enable-use-copilot.md)
-As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand.
+As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates, and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand.
-If you are an existing Azure AI or GitHub Copilot customer, you may try Azure Cosmos DB for free with 40,000 [RU/s](request-units.md) of throughput for 90 days under the Azure AI Advantage offer.
+If you're an existing Azure AI or GitHub Copilot customer, you may try Azure Cosmos DB for free with 40,000 [RU/s](request-units.md) of throughput for 90 days under the Azure AI Advantage offer.
> [!div class="nextstepaction"] > [90-day Free Trial with Azure AI Advantage](ai-advantage.md)
-If you are not an Azure customer, you may use the 30-day Free Trial without an Azure subscription. No commitment follows the end of your trial period.
-
-> [!div class="nextstepaction"]
-> [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/)
-
-Alternatively, you may use the Azure Cosmos DB lifetime free tier with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free.
+If you aren't an Azure customer, you may use the [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/). No commitment follows the end of your trial period.
-> [!div class="nextstepaction"]
-> [Azure Cosmos DB lifetime free tier](free-tier.md)
+Alternatively, you may use the [Azure Cosmos DB lifetime free tier](free-tier.md) with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free.
> [!TIP] > To learn more about Azure Cosmos DB, join us every Thursday at 1PM Pacific on Azure Cosmos DB Live TV. See the [Upcoming session schedule and past episodes](https://gotcosmos.com/tv).
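Review bot: The new H2 "An AI database providing industry-leading capabilities... for free" promises more than the section delivers: the offers listed under it are a 90-day trial with 40,000 RU/s, a 30-day trial, and a free tier capped at the first 1000 RU/s and 25 GB. Reword the heading so it refers to free trials and a free tier rather than implying the full service is free, and drop the ellipsis.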
-## Azure Cosmos DB is more than an AI database
-
-Besides AI database, Azure Cosmos DB should also be your goto database for web, mobile, gaming, and IoT applications. Azure Cosmos DB is well positioned for solutions that handle massive amounts of data, reads, and writes at a global scale with near-real response times. Azure Cosmos DB's guaranteed high availability, high throughput, low latency, and tunable consistency are huge advantages when building these types of applications. Learn about how Azure Cosmos DB can be used to build IoT and telematics, retail and marketing, gaming and web and mobile applications.
+## An AI database for more than just AI apps
-## Key Benefits
+Besides AI, Azure Cosmos DB should also be your goto database for web, mobile, gaming, and IoT applications. Azure Cosmos DB is well positioned for solutions that handle massive amounts of data, reads, and writes at a global scale with near-real response times. Azure Cosmos DB's guaranteed high availability, high throughput, low latency, and tunable consistency are huge advantages when building these types of applications. Learn about how Azure Cosmos DB can be used to build IoT and telematics, retail and marketing, gaming and web and mobile applications.
-Here's some key benefits of using Azure Cosmos DB.
+## An AI database with unmatched reliability and flexibility
### Guaranteed speed at any scale
Gain unparalleled [SLA-backed](https://azure.microsoft.com/support/legal/sla/cos
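Review bot: The rewritten paragraph under "An AI database for more than just AI apps" carries over "goto database" and "near-real response times" unchanged; since the line is being edited anyway, fix these to "go-to database" and "near-real-time response times". Separately, removing the "Here's some key benefits" lead-in leaves the new H2 followed directly by an H3 with no introductory sentence.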
### Simplified application development
-Build fast with open-source APIs, multiple SDKs, schemaless data and no-ETL analytics over operational data.
+Build fast with open-source APIs, multiple SDKs, schemaless data, and no-ETL analytics over operational data.
- Deeply integrated with key Azure services used in modern (cloud-native) app development including Azure Functions, IoT Hub, AKS (Azure Kubernetes Service), App Service, and more. - Choose from multiple database APIs including the native API for NoSQL, MongoDB, PostgreSQL, Apache Cassandra, Apache Gremlin, and Table. - Use Azure Cosmos DB as your unified AI database for data models like relational, document, vector, key-value, graph, and table.-- Build apps on API for NoSQL using the languages of your choice with SDKs for .NET, Java, Node.js and Python. Or your choice of drivers for any of the other database APIs.
+- Build apps on API for NoSQL using the languages of your choice with SDKs for .NET, Java, Node.js, and Python. Or your choice of drivers for any of the other database APIs.
- Change feed makes it easy to track and manage changes to database containers and create triggered events with Azure Functions. - Azure Cosmos DB's schema-less service automatically indexes all your data, regardless of the data model, to deliver blazing fast queries.
Guarantee business continuity, 99.999% availability, and enterprise-level securi
### Fully managed and cost-effective
-End-to-end database management, with serverless and automatic scaling matching your application and TCO needs
+End-to-end database management, with serverless and automatic scaling matching your application and total cost of ownership (TCO) needs.
- Fully managed database service. Automatic, no touch, maintenance, patching, and updates, saving developers time and money. - Cost-effective options for unpredictable or sporadic workloads of any size or scale, enabling developers to get started easily without having to plan or manage capacity.
cosmos-db Vector Search Ai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/vector-search-ai.md
Title: Build AI apps with vector search-
-description: Enhance AI-powered applications with Retrieval Augmented Generation (RAG) by using Azure Cosmos DB for MongoDB vCore vector search.
+ Title: Open-source vector databases
+
+description: Open-source vector databases
Previously updated : 08/28/2023 Last updated : 04/02/2024
-# Build AI apps with Azure Cosmos DB for MongoDB vCore vector search
+# Open-source vector databases
[!INCLUDE[MongoDB vCore](../../includes/appliesto-mongodb-vcore.md)]
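Review bot: This change replaces the RAG article at vector-search-ai.md with a different topic under the same file path, so existing links to "Build AI apps with vector search" now land on unrelated content; consider adding the open-source comparison as a new file and keeping or redirecting the old one. The new `description: Open-source vector databases` also just repeats the title, where the removed description summarized what the reader would get.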
-Language models available in Azure OpenAI Service can elevate the capabilities of your AI-driven applications. To fully unleash the potential of language models, you must give them access to timely and relevant data from your application's data store. You can accomplish this process, known as Retrieval Augmented Generation (RAG), by using Azure Cosmos DB.
+When developers select vector databases, the open-source options provide numerous benefits. "Open source" means that the software's source code is available freely, enabling users to customize the database according to their specific needs. This flexibility is beneficial for organizations that are subject to unique regulatory requirements on data, such as companies in the financial services industry.
-This article delves into the core concepts of RAG. It provides links to tutorials and sample code that exemplify RAG strategies by using vector search in Azure Cosmos DB for MongoDB vCore.
+Another advantage of open-source vector databases is the strong community support they enjoy. Active user communities often contribute to the development of these databases, provide support, and share best practices, promoting innovation.
-RAG elevates AI-powered applications by incorporating external knowledge and data into model inputs. With vector search in Azure Cosmos DB for MongoDB vCore, this process becomes seamless. You can use it to integrate the most pertinent information into your AI models with minimal effort.
+Some individuals opt for open-source vector databases because they are "free," meaning there's no cost to acquire or use the software. An alternative is using the free tiers offered by managed vector database services. These managed services provide not only cost-free access up to a certain usage limit but also simplify the operational burden by handling maintenance, updates, and scalability. Therefore, by using the free tier of managed vector database services, users can achieve cost savings while reducing management overhead. This approach allows users to focus more on their core activities rather than on database administration.
-By using [embeddings](../../../ai-services/openai/tutorials/embeddings.md) and vector search, you can provide your AI applications with the context that they need to excel. Through the provided tutorials and code samples, you can become proficient in using RAG to create smarter and more context-aware AI solutions.
+## Working mechanism of open-source vector databases
-## What is Retrieval Augmented Generation?
+Open-source vector databases are designed to store and manage vector embeddings, which are mathematical representations of data in a high-dimensional space. In this space, each dimension corresponds to a feature of the data, and tens of thousands of dimensions might be used to represent sophisticated data. A vector's position in this space represents its characteristics. Words, phrases, or entire documents, and images, audio, and other types of data can all be vectorized. These vector embeddings are used in similarity search, multi-modal search, recommendations engines, large languages models (LLMs), etc.
-RAG uses external knowledge and models to efficiently manage custom data or domain-specific expertise. This process involves extracting information from an external data source and integrating it into the model's input through prompt engineering. A robust approach is essential to identify the most pertinent data from the external source within the [token limitations of a request](../../../ai-services/openai/quotas-limits.md).
+These databases' architecture typically includes a storage engine and an indexing mechanism. The storage engine optimizes the storage of vector data for efficient retrieval and manipulation, while the indexing mechanism organizes the data for fast searching and retrieval operations.
-RAG addresses these limitations by using embeddings, which convert data into vectors. Embeddings capture the semantic essence of the text and enable context comprehension beyond simple keywords.
+In a vector database, embeddings are indexed and queried through vector search algorithms based on their vector distance or similarity. A robust mechanism is necessary to identify the most relevant data. Some well-known vector search algorithms include Hierarchical Navigable Small World (HNSW), Inverted File (IVF), etc.
-## What is vector search?
+Vector databases are used in numerous domains and situations across analytical and generative AI, including natural language processing, video and image recognition, recommendation system, search, etc. For example, you can use a vector database to:
-[Vector search](./vector-search.md) is an approach that enables the discovery of analogous items based on shared data characteristics. It deviates from the necessity for precise matches within a property field.
+- Identify similar images, documents, and songs based on their contents, themes, sentiments, and styles
+- Identify similar products based on their characteristics, features, and user groups
+- Recommend contents, products, or services based on individuals' preferences
+- Recommend contents, products, or services based on user groups' similarities
+- Identify the best-fit potential options from a large pool of choices to meet complex requirements
+- Identify data anomalies or fraudulent activities that are dissimilar from predominant or normal patterns
+- Implement persistent memory for AI agents
+- Enable retrieval-augmented generation (RAG)
-This method is invaluable in applications like text similarity searches, image association, recommendation systems, and anomaly detection. Its functionality revolves around the use of vector representations (sequences of numerical values) that are generated from your data via machine learning models or embeddings APIs. Examples of such APIs encompass [Azure OpenAI embeddings](/azure/ai-services/openai/how-to/embeddings) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/).
+## Selecting the best open-source vector database
-The technique gauges the disparity between your query vector and the data vectors. The data vectors that show the closest proximity to your query vector are identified as semantically akin.
+Choosing the best open-source vector database requires considering several factors. Performance and scalability of the database are crucial, as they impact whether the database can handle your specific workload requirements. Databases with efficient indexing and querying capabilities usually offer optimal performance. Another factor is the community support and documentation available for the database. A robust community and ample documentation can provide valuable assistance. Here are some popular open-source vector databases:
-## How does vector search work in Azure Cosmos DB for MongoDB vCore?
+- Chroma
+- Milvus
+- Qdrant
+- Weaviate
-You can truly harness the power of RAG through the native vector search capability in Azure Cosmos DB for MongoDB vCore. This feature combines AI-focused applications with stored data in Azure Cosmos DB.
+>[!NOTE]
+>The most popular option may not be the best option for you. To find the best fit for your needs, you should compare different options based on features, supported data types, compatibility with existing tools and frameworks you use. Ease of installation, configuration, and maintenance should also be considered to ensure smooth integration into your workflow.
-Vector search optimally stores, indexes, and searches high-dimensional vector data directly within Azure Cosmos DB for MongoDB vCore, alongside other application data. This capability eliminates the need to migrate data to costlier alternatives for vector search functionality.
+## Challenges with open-source vector databases
-## Code samples and tutorials
+Open-source vector databases pose challenges that are typical of open-source software:
-- [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore): Walk through creating a recipe chatbot by using .NET, to showcase the application of RAG in a culinary scenario.-- [Python notebook tutorial - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore): Learn how to construct an Azure product chatbot that highlights the benefits of RAG.
+- Setup: Users need in-depth knowledge to install, configure, and operate, especially for complex deployments. Optimizing resources and configuration while scaling up operation requires close monitoring and adjustments.
+- Maintenance: Users must manage their own updates, patches, and maintenance. Thus, ML expertise wouldn't suffice; users must also have extensive experience in database administration.
+- Support: Official support can be limited compared to managed services, relying more on community assistance.
-## Next steps
+Therefore, while free initially, open-source vector databases incur significant costs when scaling up. Expanding operations necessitates more hardware, skilled IT staff, and advanced infrastructure management, leading to higher expenses in hardware, personnel, and operational costs. Scaling open-source vector databases can be financially demanding despite the lack of licensing fees.
+
+## Addressing the challenges
-- Learn more about [Azure OpenAI embeddings](../../../ai-services/openai/concepts/understand-embeddings.md)-- Learn how to [generate embeddings using Azure OpenAI](../../../ai-services/openai/tutorials/embeddings.md)
+A fully managed database service helps developers avoid the hassles from setting up, maintaining, and relying on community assistance for an open-source vector database. The Integrated Vector Database in Azure Cosmos DB for MongoDB vCore offers a life-time free tier. It allows developers to enjoy the same financial benefit associated with open-source vector databases, while the service provider handles maintenance, updates, and scalability. When itΓÇÖs time to scale up operations, upgrading is quick and easy while keeping a low [total cost of ownership (TCO)](introduction.md#low-total-cost-of-ownership-tco).
+
+## Next steps
+> [!div class="nextstepaction"]
+> [Create a lifetime free-tier vCore cluster for Azure Cosmos DB for MongoDB](free-tier.md)
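Review bot: The link `introduction.md#low-total-cost-of-ownership-tco` in the "Addressing the challenges" paragraph resolves relative to the mongodb/vcore folder, and nothing in this change shows a heading with that slug there; please confirm the target exists. Also in the added text: "large languages models" should be "large language models", "life-time free tier" is spelled "lifetime free-tier" in the Next steps link, and the "Challenges" section states that scaling open-source vector databases incurs "significant costs" without a source or figure to support it.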
cosmos-db Vector Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/vector-search.md
This guide demonstrates how to create a vector index, add documents that have ve
## Related content -- [With Semantic Kernel, orchestrate your data retrieval with Azure Cosmos DB for MongoDB vCore](/semantic-kernel/memories/vector-db#available-connectors-to-vector-databases)
+- [.NET RAG Pattern retail reference solution](https://github.com/Azure/Vector-Search-AI-Assistant-MongoDBvCore)
+- [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)
+- [C# RAG pattern - Integrate Open AI Services with Cosmos](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)
+- [Python RAG pattern - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore)
+- [Python notebook tutorial - Vector database integration through LangChain](https://python.langchain.com/docs/integrations/vectorstores/azure_cosmos_db)
+- [Python notebook tutorial - LLM Caching integration through LangChain](https://python.langchain.com/docs/integrations/llms/llm_caching#azure-cosmos-db-semantic-cache)
+- [Python - LlamaIndex integration](https://docs.llamaindex.ai/en/stable/examples/vector_stores/AzureCosmosDBMongoDBvCoreDemo.html)
+- [Python - Semantic Kernel memory integration](https://github.com/microsoft/semantic-kernel/tree/main/python/semantic_kernel/connectors/memory/azure_cosmosdb)
## Next step > [!div class="nextstepaction"]
-> [Build AI apps with Integrated Vector Database in Azure Cosmos DB for MongoDB vCore](vector-search-ai.md)
+> [Create a lifetime free-tier vCore cluster for Azure Cosmos DB for MongoDB](free-tier.md)
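Review bot: In the added Related content list, ".NET tutorial - recipe chatbot" and "C# RAG pattern - Integrate Open AI Services with Cosmos" point to the same URL (`.../tree/main/C%23/CosmosDB-MongoDBvCore`), so one of the two entries is a duplicate or has the wrong target. The list also drops the Semantic Kernel docs link in favor of a path into the semantic-kernel repository's `main` branch, which breaks if that directory moves; a documentation page would be a more stable target.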
cosmos-db Computed Properties https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/computed-properties.md
During the preview, computed properties must be created using the .NET v3 or Jav
| | | | | **.NET SDK v3** | >= [3.34.0-preview](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.34.0-preview) | Computed properties are currently available only in preview package versions. | | **Java SDK v4** | >= [4.46.0](https://mvnrepository.com/artifact/com.azure/azure-cosmos/4.46.0) | Computed properties are currently under preview version. |
+| **Python SDK** | >= [v4.5.2b5](https://pypi.org/project/azure-cosmos/4.5.2b5/) | Computed properties are currently under preview version. |
### Create computed properties by using the SDK
containerProperties.setComputedProperties(computedProperties);
client.getDatabase("myDatabase").createContainer(containerProperties); ```
+### [Python](#tab/python)
+
+You can define multiple computed properties in a list and then add them to the container properties. Python SDK currently doesn't support computed properties on existing containers.
+
+```python
+computed_properties = [{'name': "cp_lower", 'query': "SELECT VALUE LOWER(c.db_group) FROM c"},
+ {'name': "cp_power", 'query': "SELECT VALUE POWER(c.val, 2) FROM c"},
+ {'name': "cp_str_len", 'query': "SELECT VALUE LENGTH(c.stringProperty) FROM c"}]
+
+container_with_computed_props = db.create_container_if_not_exists(
+ "myContainer", PartitionKey(path="/pk"), computed_properties=computed_properties)
+```
+Computed properties can be used like any other property in queries. For example, you can use the computed property `cp_lower` in a query like this:
+
+```python
+queried_items = list(
+ container_with_computed_props.query_items(query='Select * from c Where c.cp_power = 25', partition_key="test"))
+```
++ Here's an example of how to update computed properties on an existing container:
containerProperties.setComputedProperties(modifiedComputedProperites);
container.replace(containerProperties); ```
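Review bot: The sentence introducing the second Python snippet says it uses the computed property `cp_lower`, but the query filters on `c.cp_power = 25`; make the text and the query agree. The first snippet also uses `db` and `PartitionKey` without showing where they come from, so add the import and client setup or state that they are assumed to exist.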
+### [Python](#tab/python)
+Updating computed properties on an existing container is not supported in Python SDK. You can only define computed properties when creating a new container. This is a work in progress currently.
+ > [!TIP]
cosmos-db Optimize Dev Test https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/optimize-dev-test.md
This article describes the different options to use Azure Cosmos DB for developm
Azure Cosmos DB free tier makes it easy to get started, develop and test your applications, or even run small production workloads for free. When free tier is enabled on an account, you'll get the first 1000 RU/s and 25 GB of storage in the account free.
-Free tier lasts indefinitely for the lifetime of the account and comes with all the [benefits and features](introduction.md#key-benefits) of a regular Azure Cosmos DB account, including unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can create a free tier account using Azure portal, CLI, PowerShell, and a Resource Manager template. To learn more, see how to [create a free tier account](free-tier.md) article and the [pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/).
+Free tier lasts indefinitely for the lifetime of the account and comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account, including unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can create a free tier account using Azure portal, CLI, PowerShell, and a Resource Manager template. To learn more, see how to [create a free tier account](free-tier.md) article and the [pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/).
## Azure free account
cosmos-db Priority Based Execution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/priority-based-execution.md
To get started using priority-based execution, navigate to the **Features** page
- Java v4: [v4.45.0](https://mvnrepository.com/artifact/com.azure/azure-cosmos/4.45.0) or later - Spark 3.2: [v4.19.0](https://central.sonatype.com/artifact/com.azure.cosmos.spark/azure-cosmos-spark_3-2_2-12/4.19.0) or later - JavaScript v4: [v4.0.0](https://www.npmjs.com/package/@azure/cosmos) or later-- Python 4.6.0: [v4.6.0](https://pypi.org/project/azure-cosmos/4.6.0/) or later
+- Python: [v4.5.2b2](https://pypi.org/project/azure-cosmos/4.5.2b2/) or later. Available only in preview version.
## Code samples
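Review bot: The Python entry changes from v4.6.0 to the pre-release v4.5.2b2 and adds "Available only in preview version", but "or later" still includes the stable 4.6.0 that the removed line named, so the two statements conflict. State explicitly whether the feature is present in stable releases from 4.6.0 on, or only in the 4.5.2 preview builds.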
cosmos-db Vector Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/vector-database.md
Use the natively [integrated vector database in Azure Cosmos DB for MongoDB vCor
- [.NET RAG Pattern retail reference solution](https://github.com/Azure/Vector-Search-AI-Assistant-MongoDBvCore) - [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)-- [Python notebook tutorial - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore)
+- [C# RAG pattern - Integrate Open AI Services with Cosmos](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)
+- [Python RAG pattern - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore)
- [Python notebook tutorial - Vector database integration through LangChain](https://python.langchain.com/docs/integrations/vectorstores/azure_cosmos_db) - [Python notebook tutorial - LLM Caching integration through LangChain](https://python.langchain.com/docs/integrations/llms/llm_caching#azure-cosmos-db-semantic-cache) - [Python - LlamaIndex integration](https://docs.llamaindex.ai/en/stable/examples/vector_stores/AzureCosmosDBMongoDBvCoreDemo.html)
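Review bot: The added "C# RAG pattern - Integrate Open AI Services with Cosmos" entry has the same URL as the existing ".NET tutorial - recipe chatbot" entry directly above it; point it at its own sample or drop it.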
cost-management-billing Understand Ea Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/understand-ea-roles.md
Users with this role have the highest level of access to the Enrollment. They ca
- Manage other enterprise administrators. - Manage department administrators. - Manage notification contacts.-- Purchase Azure services, including reservations.
+- Purchase Azure services, including reservations/savings plans.
- View usage across all accounts. - View unbilled charges across all accounts. - Create new subscriptions under active enrollment accounts.-- View and manage all reservation orders and reservations that apply to the Enterprise Agreement.
- - Enterprise administrator (read-only) can view reservation orders and reservations. They can't manage them.
+- View and manage all reservation/savings plan orders and reservations/savings plans that apply to the Enterprise Agreement.
+ - Enterprise administrator (read-only) can view reservation/savings plan orders and reservations/savings plans. They can't manage them.
You can have multiple enterprise administrators in an enterprise enrollment. You can grant read-only access to enterprise administrators.
The enterprise administrator role can be assigned to multiple accounts.
Users with this role have permissions to purchase Azure services, but aren't allowed to manage accounts. They can: -- Purchase Azure services, including reservations.
+- Purchase Azure services, including reservations/savings plans.
- View usage across all accounts. - View unbilled charges across all accounts.-- View and manage all reservation orders and reservations that apply to the Enterprise Agreement.
+- View and manage all reservation/savings plan orders and reservations/savings plans that apply to the Enterprise Agreement.
The EA purchaser role is currently enabled only for SPN-based access. To learn how to assign the role to a service principal name, see [Assign roles to Azure Enterprise Agreement service principal names](assign-roles-azure-service-principals.md).
The following sections describe the limitations and capabilities of each role.
|Add or remove Department Administrators|✔|✘|✘|✔|✘|✘|✘| |View Accounts in the enrollment |✔|✔|✔|✔⁵|✔⁵|✘|✔| |Add Accounts to the enrollment and change Account Owner|✔|✘|✘|✔⁵|✘|✘|✘|
-|Purchase reservations|✔|✘⁶|✔|✘|✘|✘|✘|
+|Purchase reservations/savings plans|✔|✘⁶|✔|✘|✘|✘|✘|
|Create and manage subscriptions and subscription permissions|✔|✘|✘|✘|✘|✔|✘| - ⁴ Notification contacts are sent email communications about the Azure Enterprise Agreement. - ⁵ Task is limited to accounts in your department.-- ⁶ A subscription owner or reservation purchaser can purchase and manage reservations and savings plans within the subscription, and only if permitted by the reservation purchase enabled flag. Enterprise administrators can purchase and manage reservations and savings plans across the billing account. Enterprise administrators (read-only) can view all purchased reservations and savings plans. The reservation purchase enabled flag doesn't affect the EA administrator roles. The Enterprise Admin (read-only) role holder isn't permitted to make purchases. However, if a user with that role also holds either a subscription owner or reservation purchaser permission, the user can purchase reservations and savings plans, regardless of the flag.
+- ⁶ A subscription owner, reservation purchaser or savings plan purchaser can purchase and manage reservations and savings plans within the subscription, and only if permitted by the reservation/savings plan purchase-enabled flags. Enterprise administrators can purchase and manage reservations and savings plans across the billing account. Enterprise administrators (read-only) can view all purchased reservations and savings plans. The reservation/savings plan purchase-enabled flags don't affect the EA administrator roles. The Enterprise Admin (read-only) role holder isn't permitted to make purchases. However, if a user with that role also holds either a subscription owner, reservation purchaser or savings plan purchaser permission, the user can purchase reservations and/or savings plans, regardless of the flags.
## Add a new enterprise administrator
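Review bot: In the rewritten footnote ⁶, "either a subscription owner, reservation purchaser or savings plan purchaser permission" keeps "either" from the two-item original although it now lists three roles; drop "either". The footnote also moves from a single "reservation purchase enabled flag" to plural "reservation/savings plan purchase-enabled flags" without saying whether these are two separate settings or where each one is changed. Name each flag and say where it is set, because this footnote is what tells an administrator who can commit spend on the enrollment.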
cost-management-billing Buy Savings Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/savings-plan/buy-savings-plan.md
Savings plan discounts only apply to resources associated with subscriptions pur
> Azure savings plan isn't supported for the China legacy Online Service Premium Agreement (OSPA) platform. ### Enterprise Agreement customers
+Saving plan purchasing for Enterprice Agreement (EA) customers is limited to the following:
+- EA admins with write permissions can purchase savings plans from **Cost Management + Billing** > **Savings plan**. No subscription-specific permissions are needed.
+- Users with Subscription owner or Savings plan purchaser roles in at least one subscription in the enrollment account can purchase savings plans from **Home** > **Savings plan**.
-- EA admins with write permissions can directly purchase savings plans from **Cost Management + Billing** > **Savings plan**. No subscription-specific permissions are needed.-- Subscription owners for one of the subscriptions in the enrollment account can purchase savings plans from **Home** > **Savings plan**.-
-Enterprise Agreement (EA) customers can limit purchases to only EA admins by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings.
+EA customers can limit savings plan purchases to only EA admins by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings.
### Microsoft Customer Agreement (MCA) customers
+Saving plan purchasing for Microsoft Customer Agreement (MCA) customers is limited to the following:
+- Users with billing profile contributor permissions or higher can purchase savings plans from **Cost Management + Billing** > **Savings plan** experience. No subscription-specific permissions are needed.
+- Users with Subscription owner or Savings plan purchaser roles in at least one subscription in the billing profile can purchase savings plans from **Home** > **Savings plan**.
-- Customers with billing profile contributor permissions or higher can purchase savings plans from **Cost Management + Billing** > **Savings plan** experience. No subscription-specific permissions are needed.-- Subscription owners for one of the subscriptions in the billing profile can purchase savings plans from **Home** > **Savings plan**.-
-To disallow savings plan purchases on a billing profile, billing profile contributors can navigate to the **Policies** menu under the billing profile and adjust the Azure Savings Plan option.
+MCA customers can limit savings plan purchases to users with billing profile contributor permissions or higher by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings.
### Microsoft Partner Agreement partners
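Review bot: The two added lead-in sentences say "Saving plan purchasing" where the rest of the hunk uses "savings plan", and the EA sentence misspells "Enterprise" as "Enterprice"; fix both. In the MCA paragraph, the removed text told billing profile contributors to adjust the "Azure Savings Plan" option under the billing profile's **Policies** menu, while the added text reuses the EA wording ("Add Savings Plan option") and the billing accounts portal link. Confirm the option name and location really are the same for MCA, since this is the control that restricts who can purchase.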
Buy savings plans by using Azure RBAC permissions or with permissions on your bi
#### To purchase using Azure RBAC permissions -- You must be an Owner of the subscription that you plan to use, specified as `billingScopeId`.
+- You must have the Savings plan purchaser role within, or be an Owner of, the subscription that you plan to use, specified as `billingScopeId`.
- The `billingScopeId` property in the request body must use the `/subscriptions/10000000-0000-0000-0000-000000000000` format. #### To purchase using billing permissions
cost-management-billing Download Savings Plan Price Sheet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/savings-plan/download-savings-plan-price-sheet.md
This article explains how you can download the price sheet for an Enterprise Agr
## Download EA price sheet
-To download your EA price sheet, do the following tasks.
+To download your EA price sheet via Azure portal, do the following tasks.
1. Sign in to the [Azure portal](https://portal.azure.com/). 2. Search for **Cost Management + Billing**.
To download your EA price sheet, do the following tasks.
## Download MCA price sheet
-To download your MCA price sheet, do the following tasks.
+To download your MCA price sheet via Azure portal, do the following tasks.
1. Sign in to the [Azure portal](https://portal.azure.com/). 2. Search for **Cost Management + Billing**.
To download your MCA price sheet, do the following tasks.
5. Select **Download Azure price sheet for** _current month and year_. File generation may take a few moments. 6. Open the file and filter on `priceType` to see `SavingsPlan` plan price records.
+## Download price sheet using APIs
+To learn more about downloading your price sheet using price sheet APIs, see the following articles:
+ - [Learn more about EA price sheet](/rest/api/cost-management/price-sheet).
+ - [Learn more about MCA price sheet](/rest/api/consumption/price-sheet).
+ - [Learn more about retail price sheet](/rest/api/cost-management/retail-prices/azure-retail-prices).
++ ## Need help? Contact us. If you have questions about Azure savings plan for compute, contact your account team or [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). Temporarily, Microsoft only provides expert support for Azure savings plan for compute in English.
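Review bot: In the new "Download price sheet using APIs" section, the EA entry links to `/rest/api/cost-management/price-sheet` and the MCA entry to `/rest/api/consumption/price-sheet`, two different API families; confirm each target documents the agreement type its label names. The three link labels also each repeat "Learn more about" directly after a lead-in that already says "To learn more"; shorten them to "EA price sheet", "MCA price sheet" and "Retail price sheet".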
data-factory Self Hosted Integration Runtime Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-troubleshoot-guide.md
To generate the error report ID for Microsoft Support, follow these instructions
> [!NOTE] > The folder is not `C:\Program Files (x86)\Java\`
- - JRE 7 and JRE 8 are both compatible for this copy activity. JRE 6 and versions that are earlier than JRE 6 have not been validated for this use.
+ - Java Runtime (JRE) is version 11 or greater, from a JRE provider such as [Microsoft OpenJDK 11](https://aka.ms/download-jdk/microsoft-jdk-11.0.19-windows-x64.msi) or [Eclipse Temurin 11](https://adoptium.net/temurin/releases/?version=11). Ensure that the JAVA_HOME system environment variable is set to the JDK folder (not just the JRE folder) you may also need to add the bin folder to your system's PATH environment variable.
2. Check the registry for the appropriate settings. To do this, follow these steps:
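Review bot: The added JRE line links straight to a pinned installer, `microsoft-jdk-11.0.19-windows-x64.msi`, so readers who follow it install that exact patch level rather than the current 11.x build; link to the vendor's download page instead, as the Temurin link beside it does. The last sentence is also a run-on ("... (not just the JRE folder) you may also need to add the bin folder ..."); split it after the parenthesis. Since the removed line said JRE 7 and JRE 8 were compatible, state whether those versions are now unsupported for this copy activity.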
defender-for-cloud Agentless Vulnerability Assessment Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md
Container vulnerability assessment powered by Microsoft Defender Vulnerability M
- **Reporting** - Container Vulnerability Assessment for AWS powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
- | Recommendation | Description | Assessment Key|
- |--|--|--|
- | [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
- | [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f |
+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 2a139383-ec7e-462a-90ac-b1b60e87d576 |
+| [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)ΓÇ»| Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | d5d1e526-363a-4223-b860-f4b6e710859f |
+
+These are the older recommendations that are currently on a retirement path:
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
+| [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f |
- **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md).
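Review bot: The added paragraph says the older recommendations are "on a retirement path" and that the [Preview] ones are intended to replace them, but it gives no retirement date and no mapping from each old assessment key to its replacement. Add both, or link to where they are announced: anything keyed on `c27441ae-775c-45be-8ffa-655de37362ce` or `682b2595-d045-4cff-b5aa-46624eb2dd8f` (for example the Resource Graph queries mentioned in the next bullet) has to move to the new keys, and the statement that the preview recommendations do not count toward secure score makes the timing matter.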
A detailed description of the scan process is described as follows:
- All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.ΓÇï - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability)
- - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce).
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
+ - Vulnerability reports for registry container images are provided as a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576).
+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
> [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week.
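Review bot: Both recommendation links in the scan-process bullets now go only to the [Preview] recommendations (`2a139383-ec7e-462a-90ac-b1b60e87d576` and `d5d1e526-363a-4223-b860-f4b6e710859f`), while the Reporting section of the same article says those do not count toward secure score in preview and that the older ones still exist. Say in the link text that these are the preview recommendations, or link both sets. The runtime link change also corrects a wrong target: the removed line pointed at `c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5`, which the Azure article lists as the key for Azure running images. Minor: "two hour inventory refresh rate" should read "two-hour".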
defender-for-cloud Agentless Vulnerability Assessment Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-azure.md
Container vulnerability assessment powered by Microsoft Defender Vulnerability M
- **Exploitability information** - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability. - **Reporting** - Container Vulnerability Assessment for Azure powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
- | Recommendation | Description | Assessment Key |
- |--|--|--|
- | [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
- | [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)  | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.
+
+| Recommendation | Description | Assessment Key |
+|--|--|--|
+| [[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 33422d8f-ab1e-42be-bc9a-38685bb567b9 |
+| [[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)  | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0 |
+
+These are the older recommendations that are currently on a retirement path:
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
+| [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)  | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
- **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md). - **Query scan results via REST API** - Learn how to query scan results via [REST API](subassessment-rest-api.md).
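Review bot: In the second [Preview] row, the description breaks its own parallel list: "is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance"; change "ensures" to "ensure". The header rows of the two added tables also differ ("Assessment Key |" in the first, "Assessment Key|" in the second); make them match.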
A detailed description of the scan process is described as follows:
- All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.ΓÇï - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability)
- - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5).
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9).
+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
> [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week.
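Review bot: The two added links put the new preview keys (`33422d8f-ab1e-42be-bc9a-38685bb567b9` and `e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0`) into the old `ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/...RecommendationDetailsBlade/assessmentKey/` URLs, whereas the Reporting table in this same article, and the equivalent lines in the AWS article, link those keys through `portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/`. Check that the old blade path resolves with the new keys, and use one URL form throughout.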
defender-for-cloud Agentless Vulnerability Assessment Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-gcp.md
Container vulnerability assessment powered by Microsoft Defender Vulnerability M
- **Reporting** - Container Vulnerability Assessment for GCP powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
- | Recommendation | Description | Assessment Key|
- |--|--|--|
- | [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
- | [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 |
+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [[Preview] Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04 |
+| [[Preview] Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)ΓÇ»| Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | c7c1d31d-a604-4b86-96df-63448618e165 |
+
+These are the older recommendations that are currently on a retirement path:
+
+| Recommendation | Description | Assessment Key|
+|--|--|--|
+| [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |
+| [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 |
- **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md).
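Review bot: In the "older recommendations" table, the Assessment Key column does not match the key in each row's link: the registry row links `5cc3a2c1-8397-456f-8792-fe9d0d4c9145` but lists `c27441ae-775c-45be-8ffa-655de37362ce` (the key the AWS article gives for its registry recommendation), and the running row links `e538731a-80c8-4317-a119-13075e002516` but lists `5cc3a2c1-8397-456f-8792-fe9d0d4c9145`. The mismatch is carried over unchanged from the removed rows; correct the column while the table is being moved, since it is the value a reader would take into the Resource Graph queries mentioned in the next bullet.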
A detailed description of the scan process is described as follows:
- All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.ΓÇï - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability)
- - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145).
-- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04).
+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
> [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week.
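Review bot: In the retirement-path table, the Assessment Key column disagrees with the assessmentKey embedded in each row's own link. The registry row links to 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 but lists c27441ae-775c-45be-8ffa-655de37362ce, and the running-images row links to e538731a-80c8-4317-a119-13075e002516 but lists 5cc3a2c1-8397-456f-8792-fe9d0d4c9145. Readers who filter Azure Resource Graph results or exports on the key copied from this table would match the wrong recommendation, so confirm which value is authoritative for each row and make the link and the column agree. The same article also reaches key c7c1d31d-a604-4b86-96df-63448618e165 through two different URL forms (the portal.azure.com RecommendationsBlade in the new table and the ms.portal.azure.com GcpContainersRuntimeRecommendationDetailsBlade in the scan-process bullet); pick one form so both links land on the same view.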
defender-for-cloud Attack Path Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/attack-path-api.md
+
+ Title: Retrieve attack path data with API
+description: Learn how to Retrieve attack path data with APIs in Microsoft Defender for Cloud and enhance the security of your environment.
+++ Last updated : 03/03/2024
+#customer intent: As a developer, I want to learn how to retrieve attack path data with APIs in Microsoft Defender for Cloud so that I can enhance the security of my environment.
++
+# Retrieve attack path data with API
+
+You can consume attack path data programmatically by querying Azure Resource Graph (ARG) API.
+Learn [how to query ARG API](/rest/api/azureresourcegraph/resourcegraph(2020-04-01-preview)/resources/resources?source=recommendations&tabs=HTTP).
+
+## Consume attack path data programmatically using API
+
+The following examples show sample ARG queries that you can run:
+
+**Get all attack paths in subscription ΓÇÿXΓÇÖ**:
+
+```kusto
+securityresources
+| where type == "microsoft.security/attackpaths"
+| where subscriptionId == <SUBSCRIPTION_ID>
+```
+
+**Get all instances for a specific attack path**:
+For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`.
+
+```kusto
+securityresources
+| where type == "microsoft.security/attackpaths"
+| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26"
+| extend AttackPathDisplayName = tostring(properties["displayName"])
+| where AttackPathDisplayName == "<DISPLAY_NAME>"
+```
+
+### API response schema
+
+The following table lists the data fields returned from the API response:
+
+| Field | Description |
+|--|--|
+| ID | The Azure resource ID of the attack path instance|
+| Name | The Unique identifier of the attack path instance|
+| Type | The Azure resource type, always equals `microsoft.security/attackpaths`|
+| Tenant ID | The tenant ID of the attack path instance |
+| Location | The location of the attack path |
+| Subscription ID | The subscription of the attack path |
+| Properties.description | The description of the attack path |
+| Properties.displayName | The display name of the attack path |
+| Properties.attackPathType | The type of the attack path|
+| Properties.manualRemediationSteps | Manual remediation steps of the attack path |
+| Properties.refreshInterval | The refresh interval of the attack path |
+| Properties.potentialImpact | The potential impact of the attack path being breached |
+| Properties.riskCategories | The categories of risk of the attack path |
+| Properties.entryPointEntityInternalID | The internal ID of the entry point entity of the attack path |
+| Properties.targetEntityInternalID | The internal ID of the target entity of the attack path |
+| Properties.assessments | Mapping of entity internal ID to the security assessments on that entity |
+| Properties.graphComponent | List of graph components representing the attack path |
+| Properties.graphComponent.insights | List of insights graph components related to the attack path |
+| Properties.graphComponent.entities | List of entities graph components related to the attack path |
+| Properties.graphComponent.connections | List of connections graph components related to the attack path |
+| Properties.AttackPathID | The unique identifier of the attack path instance |
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md).
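Review bot: The second sample query hard-codes what looks like a real subscription GUID (`| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26"`), while the first query uses the `<SUBSCRIPTION_ID>` placeholder. Replace the GUID with the placeholder so no tenant-specific identifier ships in public docs, and quote the placeholder in the first query (`"<SUBSCRIPTION_ID>"`), since subscriptionId is compared as a string and the unquoted form fails when pasted. Smaller points: the bold caption for the first query carries mis-encoded curly quotes around X, the description capitalizes "Retrieve" mid-sentence, and the schema table lists both Name and Properties.AttackPathID as the unique identifier of the attack path instance without saying how they differ.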
defender-for-cloud Concept Regulatory Compliance Standards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-regulatory-compliance-standards.md
Title: Regulatory compliance standards in Microsoft Defender for Cloud
-description: Learn about regulatory compliance standards in Microsoft Defender for Cloud
- Previously updated : 11/27/2023
+ Title: Regulatory compliance in Defender for Cloud
+description: Learn about regulatory compliance standards and certification in Microsoft Defender for Cloud, and how it helps ensure compliance with industry regulations.
+++ Last updated : 03/31/2024
+#customer intent: As a cloud security professional, I want to understand how Defender for Cloud helps me meet regulatory compliance standards, so that I can ensure my organization is compliant with industry standards and regulations.
-# Regulatory compliance standards
+# Regulatory compliance standards in Microsoft Defender for Cloud
Microsoft Defender for Cloud streamlines the regulatory compliance process by helping you to identify issues that are preventing you from meeting a particular compliance standard, or achieving compliance certification.
By default, when you enable Defender for Cloud, the following standards are enab
- For **AWS**: [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) and [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). - For **GCP**: [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) and **GCP Default**.
-## Next steps
+## Available regulatory standards
+
+The following regulatory standards are available in Defender for Cloud:
+
+| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects |
+|--|--|--|
+| Australian Government ISM Protected | AWS Foundational Security Best Practices | Brazilian General Personal Data Protection Law (LGPD)|
+| Canada Federal PBMM | AWS Well-Architected Framework | California Consumer Privacy Act (CCPA)|
+| CIS Azure Foundations | Brazilian General Personal Data Protection Law (LGPD) | CIS Controls|
+| CMMC | California Consumer Privacy Act (CCPA) | CIS GCP Foundations|
+| FedRAMP ΓÇÿHΓÇÖ & ΓÇÿMΓÇÖ | CIS AWS Foundations | CIS Google Cloud Platform Foundation Benchmark|
+| HIPAA/HITRUST | CRI Profile | CIS Google Kubernetes Engine (GKE) Benchmark|
+| ISO/IEC 27001 | CSA Cloud Controls Matrix (CCM) | CRI Profile|
+| New Zealand ISM Restricted | GDPR | CSA Cloud Controls Matrix (CCM)|
+| NIST SP 800-171 | ISO/IEC 27001 | Cybersecurity Maturity Model Certification (CMMC)|
+| NIST SP 800-53 | ISO/IEC 27002 | FFIEC Cybersecurity Assessment Tool (CAT)|
+| PCI DSS | NIST Cybersecurity Framework (CSF) | GDPR|
+| RMIT Malaysia | NIST SP 800-172 | ISO/IEC 27001|
+| SOC 2 | PCI DSS | ISO/IEC 27002|
+| SWIFT CSP CSCF | | ISO/IEC 27017|
+| UK OFFICIAL and UK NHS | | NIST Cybersecurity Framework (CSF)|
+| | | NIST SP 800-53 |
+| | | NIST SP 800-171|
+| | | NIST SP 800-172|
+| | | PCI DSS|
+| | | Sarbanes Oxley Act (SOX)|
+| | | SOC 2|
+
+## Related content
- [Assign regulatory compliance standards](update-regulatory-compliance-packages.md)-- [Improve regulatory compliance](regulatory-compliance-dashboard.md)
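Review bot: The GCP column of the new standards table lists both "CIS GCP Foundations" and "CIS Google Cloud Platform Foundation Benchmark", which read as the same benchmark under two names; if they are distinct standards in the product, say how, otherwise drop one. Naming is also inconsistent across columns ("CMMC" for Azure versus "Cybersecurity Maturity Model Certification (CMMC)" for GCP), and the FedRAMP row has mis-encoded quotes around H and M. Since readers will use this table to decide which standards they can assign per cloud, the entries should match the names shown in the compliance dashboard exactly.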
defender-for-cloud Defender For Databases Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-introduction.md
Title: Microsoft Defender for open-source relational databases
+ Title: What is Defender for open-source databases
description: Learn about the benefits and features of Microsoft Defender for open-source relational databases such as PostgreSQL, MySQL, and MariaDB Previously updated : 06/19/2022 Last updated : 04/02/2024
+#customer intent: As a reader, I want to understand the purpose and features of Microsoft Defender for open-source relational databases so that I can make informed decisions about its usage.
-# Overview of Microsoft Defender for open-source relational databases
+# What is Microsoft Defender for open-source relational databases
This plan brings threat protections for the following open-source relational databases:
Defender for Cloud detects anomalous activities indicating unusual and potential
## Availability
-| Aspect | Details |
-|--|:-|
-| Release state: | General availability (GA) |
-| Pricing: | **Microsoft Defender for open-source relational databases** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) |
-| Supported environments:|:::image type="icon" source="./media/icons/yes-icon.png"::: PaaS<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Arc-enabled machines |
-| Protected versions of PostgreSQL: | Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md). Flexible Server - all pricing tiers (enablement is currently only supported at resource level).|
-| Protected versions of MySQL: | Single Server - General Purpose and Memory Optimized. Learn more in [MySQL pricing tiers](../mysql/concepts-pricing-tiers.md). |
-| Protected versions of MariaDB: | General Purpose and Memory Optimized. Learn more in [MariaDB pricing tiers](../mariadb/concepts-pricing-tiers.md). |
-| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br> :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Microsoft Azure operated by 21Vianet |
+Check out the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) for pricing information for Microsoft Defender for open-source relational databases.
+
+Defender for open-source relational database is supported on PaaS environments and not on Azure Arc-enabled machines.
+
+**Protected versions of PostgreSQL include**:
+- Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md).
+- Flexible Server - all pricing tiers.
+
+**Protected versions of MySQL include**:
+- Single Server - General Purpose and Memory Optimized. Learn more in [MySQL pricing tiers](../mysql/concepts-pricing-tiers.md).
+- Flexible Server - all pricing tiers.
+
+**Protected versions of MariaDB include**:
+- General Purpose and Memory Optimized. Learn more in [MariaDB pricing tiers](../mariadb/concepts-pricing-tiers.md).
+
+View [cloud availability](support-matrix-cloud-environment.md#cloud-support) for Defender for open-source relational databases
## What are the benefits of Microsoft Defender for open-source relational databases?
These alerts appear in Defender for Cloud's security alerts page and include:
Threat intelligence enriched security alerts are triggered when there are: -- **Anomalous database access and query patterns** - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)-- **Suspicious database activities** - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server-- **Brute-force attacks** ΓÇô With the ability to separate simple brute force from brute force on a valid user or a successful brute force
+- **Anomalous database access and query patterns** - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt).
+- **Suspicious database activities** - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server.
+- **Brute-force attacks** ΓÇô With the ability to separate simple brute force or a successful brute force.
> [!TIP] > View the full list of security alerts for database servers [in the alerts reference page](alerts-reference.md#alerts-for-open-source-relational-databases).
-## Next steps
-
-In this article, you learned about Microsoft Defender for open-source relational databases.
+## Related articles
-> [!div class="nextstepaction"]
-> [Enable enhanced protections](enable-enhanced-security.md)
+- [Enable Microsoft Defender for open-source relational databases and respond to alerts](defender-for-databases-usage.md)
+- [Common questions about Defender for Databases](faq-defender-for-databases.yml)
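Review bot: The rewritten brute-force bullet no longer parses: "With the ability to separate simple brute force or a successful brute force" dropped "from brute force on a valid user", so it no longer says what is being separated from what. Restore the three-way distinction (simple brute force, brute force on a valid user, successful brute force), because that is the detail an analyst needs to triage these alerts. In the Availability rewrite, the PostgreSQL Flexible Server line loses the note that enablement is only supported at resource level and a MySQL Flexible Server entry is added; confirm both changes are intentional. Minor: "Defender for open-source relational database is supported" should be plural, and the final "View cloud availability" sentence is missing its period.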
defender-for-cloud Defender For Databases Usage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-usage.md
Title: Setting up and responding to alerts from Microsoft Defender for open-source relational databases
-description: Learn how to configure Microsoft Defender for open-source relational databases to detect anomalous database activities indicating potential security threats to the database.
Previously updated : 11/09/2021
+ Title: Microsoft Defender for open-source relational databases
+description: Configure Microsoft Defender for open-source relational databases to detect potential security threats.
Last updated : 04/02/2024
+#customer intent: As a reader, I want to learn how to configure Microsoft Defender for open-source relational databases to enhance the security of my databases.
+ # Enable Microsoft Defender for open-source relational databases and respond to alerts Microsoft Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases for the following
Defender for Cloud sends email notifications when it detects anomalous database
1. For additional details and recommended actions for investigating the current threat and remediating future threats, select a specific alert.
- :::image type="content" source="media/defender-for-databases-usage/specific-alert-details.png" alt-text="Details of a specific alert." lightbox="media/defender-for-databases-usage/specific-alert-details.png":::
+ :::image type="content" source="media/defender-for-databases-usage/specific-alert-details.png" alt-text="Screenshot that shows the details of a specific alert." lightbox="media/defender-for-databases-usage/specific-alert-details.png":::
> [!TIP] > For a detailed tutorial on how to handle your alerts, see [Manage and respond to alerts](tutorial-security-incident.md).
-## Next steps
+## Next step
-- [Automate responses to Defender for Cloud triggers](workflow-automation.md)-- [Stream alerts to a SIEM, SOAR, or ITSM solution](export-to-siem.md)-- [Suppress alerts from Defender for Cloud](alerts-suppression-rules.md)
+> [!div class="nextstepaction"]
+> [Automate responses to Defender for Cloud triggers](workflow-automation.md)
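Review bot: The "Next step" block keeps only the workflow automation link and drops the links for streaming alerts to a SIEM, SOAR, or ITSM solution and for alert suppression rules. For an article whose second half is about responding to alerts, the SIEM export link is the one most responders need next, so consider keeping it in a "Related content" list below the single next-step action. The new metadata title "Microsoft Defender for open-source relational databases" also no longer says this is the enable-and-respond how-to, and it matches the title the introduction article carried before this commit; a title that mirrors the H1 would avoid confusion in search results.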
defender-for-cloud Disable Vulnerability Findings Containers Secure Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/disable-vulnerability-findings-containers-secure-score.md
+
+ Title: Creating exemptions and disabling vulnerabilities (Secure score)
+description: Learn how to create exemptions and disable vulnerabilities (Secure score)
+ Last updated : 07/09/2023++
+# Create exemptions and disable vulnerability assessment findings on Container registry images and running images (Secure score)
+
+>[!NOTE]
+>You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to [create an exemption](exempt-resource.md) for a resource or subscription.
+
+If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.
+
+When a finding matches the criteria you defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples include:
+
+- Disable findings with severity below medium
+- Disable findings for images that the vendor won't fix
+
+> [!IMPORTANT]
+> To create a rule, you need permissions to edit a policy in Azure Policy.
+> Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).
+
+You can use a combination of any of the following criteria:
+
+- **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.
+- **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`
+- **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17
+- **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than the specified severity level.
+- **Fix status** - Select the option to exclude vulnerabilities based on their fix status.
+
+Disable rules apply per recommendation, for example, to disable [CVE-2017-17512](https://github.com/advisories/GHSA-fc69-2v7r-7r95) both on the registry images and runtime images, the disable rule has to be configured in both places.
+
+> [!NOTE]
+> The [Azure Preview Supplemental Terms](//azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+ To create a rule:
+
+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management
+](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**.
+
+1. Select the relevant scope.
+
+1. Define your criteria. You can use any of the following criteria:
+
+ - **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.
+ - **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`
+ - **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17
+ - **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.
+ - **Fix status** - Select the option to exclude vulnerabilities based on their fix status.
+
+1. In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.
+
+1. Select **Apply rule**.
+
+ :::image type="content" source="./media/disable-vulnerability-findings-containers/disable-rules-secure-score.png" alt-text="Screenshot showing where to create a disable rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/disable-rules.png":::
+
+ > [!IMPORTANT]
+ > Changes might take up to 24 hours to take effect.
+
+**To view, override, or delete a rule:**
+
+1. From the recommendations detail page, select **Disable rule**.
+1. From the scope list, subscriptions with active rules show as **Rule applied**.
+1. To view or delete the rule, select the ellipsis menu ("...").
+1. Do one of the following:
+ - To view or override a disable rule - select **View rule**, make any changes you want, and select **Override rule**.
+ - To delete a disable rule - select **Delete rule**.
+
+ :::image type="content" source="./media/disable-vulnerability-findings-containers/override-rules.png" alt-text="Screenshot showing where to view, delete or override a rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/override-rules.png":::
+
+## Next steps
+
+- Learn how to [view and remediate vulnerability assessment findings for registry images](view-and-remediate-vulnerability-assessment-findings.md).
+- Learn about [agentless container posture](concept-agentless-containers.md).
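Review bot: The criteria list appears twice in this new article, and the two copies disagree on Minimum Severity: the first says it excludes vulnerabilities "less than the specified severity level", the copy inside step 3 says "less than and equal to the specified severity level". The difference decides whether selecting medium hides medium findings, so state the actual behavior once and remove the duplicate list. Also check the screenshot after "Apply rule": its source is disable-rules-secure-score.png but its lightbox points to disable-rules.png. The article is new in this commit yet carries "Last updated : 07/09/2023". The CVE example uses "; " with a space while the digest and OS examples use a bare semicolon; say whether whitespace is tolerated.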
defender-for-cloud Disable Vulnerability Findings Containers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/disable-vulnerability-findings-containers.md
Disable rules apply per recommendation, for example, to disable [CVE-2017-17512]
> [!NOTE] > The [Azure Preview Supplemental Terms](//azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- To create a rule:
+## To create a rule
-1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management
-](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**.
+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) or [Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0), select **Disable rule**.
1. Select the relevant scope.
Disable rules apply per recommendation, for example, to disable [CVE-2017-17512]
> [!IMPORTANT] > Changes might take up to 24 hours to take effect.
-**To view, override, or delete a rule:**
+## To view, override, or delete a rule
1. From the recommendations detail page, select **Disable rule**. 1. From the scope list, subscriptions with active rules show as **Rule applied**.
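Review bot: Promoting "To create a rule" and "To view, override, or delete a rule" to H2 headings here leaves this article inconsistent with the secure-score variant added in the same commit, which keeps them as plain text and bold text. Apply the same structure to both so anchors and the in-page table of contents behave the same way. In the first step, the registry link keeps the display name "powered by Microsoft Defender Vulnerability Management" with a new assessment key, while the running-images link is renamed to "Containers running in Azure should have vulnerability findings resolved"; confirm that each link text matches the recommendation name shown in the portal for that key.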
defender-for-cloud How To Manage Attack Path https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-attack-path.md
Title: Identify and remediate attack paths in Microsoft Defender for Cloud
-description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud
+ Title: Identify and remediate attack paths
++
+description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud and enhance the security of your environment.
- Previously updated : 12/06/2023 Last updated : 03/05/2024
+#customer intent: As a security analyst, I want to learn how to identify and remediate attack paths in Microsoft Defender for Cloud so that I can enhance the security of my environment.
# Identify and remediate attack paths
Defender for Cloud's contextual security capabilities assists security teams in
Attack path analysis helps you to address the security issues that pose immediate threats with the greatest potential of being exploited in your environment. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. It also highlights the security recommendations that need to be resolved in order to mitigate it.
-## Availability
+By default attack paths are organized by their risk level. The risk level is determined by a context-aware risk-prioritization engine that considers the risk factors of each resource. Learn more about how Defender for Cloud [prioritizes security recommendations](risk-prioritization.md).
-| Aspect | Details |
-|--|--|
-| Release state | GA (General Availability) |
-| Prerequisites | - [Enable agentless scanning](enable-vulnerability-assessment-agentless.md), or [Enable Defender for Server P1 (which includes MDVM)](defender-for-servers-introduction.md) or [Defender for Server P2 (which includes MDVM and Qualys)](defender-for-servers-introduction.md). <br> - [Enable Defender CSPM](enable-enhanced-security.md) <br> - Enable agentless container posture extension in Defender CSPM, or [Enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer. |
-| Required plans | - Defender Cloud Security Posture Management (CSPM) enabled |
-| Required roles and permissions: | - **Security Reader** <br> - **Security Admin** <br> - **Reader** <br> - **Contributor** <br> - **Owner** |
-| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds (Azure, AWS, GCP) <br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet) |
+## Prerequisites
-## Features of the attack path overview page
+You must [enable Defender Cloud Security Posture Management (CSPM)](enable-enhanced-security.md) and have [agentless scanning](enable-vulnerability-assessment-agentless.md) enabled.
-The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths.
+- You must enable [Defender for Server P1 (which includes MDVM)](defender-for-servers-introduction.md) or [Defender for Server P2 (which includes MDVM and Qualys)](defender-for-servers-introduction.md).
+**To view attack paths that are related to containers**:
-On this page you can organize your attack paths based on risk level, name, environment, paths count, risk factors, entry point, target, the number of affected resources, or the number of active recommendations.
+- You must [enable agentless container posture extension](tutorial-enable-cspm-plan.md) in Defender CSPM
+ or
+- You can [enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer.
-For each attack path, you can see all of risk factors and any affected resources.
+- **Required roles and permissions**: Security Reader, Security Admin, Reader, Contributor or Owner.
-The potential risk factors include credentials exposure, compute abuse, data exposure, subscription and account takeover.
+## Identify attack paths
-Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md).
+The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths.
-## Investigate and remediate attack paths
You can use Attack path analysis to locate the biggest risks to your environment and to remediate them.
-**To investigate and remediate an attack path**:
+**To identify attack paths**:
1. Sign in to the [Azure portal](https://portal.azure.com).
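Review bot: The new Prerequisites section changes the requirement logic compared with the table it replaces. The removed row offered agentless scanning, Defender for Server P1, or Defender for Server P2 as alternatives, but the new text says you must enable Defender CSPM "and have agentless scanning enabled" and then adds "You must enable Defender for Server P1 ... or Defender for Server P2" as a further bullet, which reads as all of them being mandatory. If the alternatives still hold, phrase it as one "one of the following" list. The container bullets mix "You must" and "You can" joined by a stray "or" line, and the roles bullet sits under the container heading although it applies to the whole feature. The cloud-support row (commercial clouds yes, national clouds no) is removed without a replacement link. Minor: "By default attack paths" needs a comma after "By default".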
You can use Attack path analysis to locate the biggest risks to your environmen
1. Select a node.
- :::image type="content" source="media/how-to-manage-cloud-map/node-select.png" alt-text="Screenshot of the attack path screen that shows you where the nodes are located for selection." lightbox="media/how-to-manage-cloud-map/node-select.png":::
+ :::image type="content" source="media/how-to-manage-attack-path/node-select.png" alt-text="Screenshot of the attack path screen that shows you where the nodes are located for selection." lightbox="media/how-to-manage-attack-path/node-select.png":::
1. Select **Insight** to view the associated insights for that node.
- :::image type="content" source="media/how-to-manage-cloud-map/insights.png" alt-text="Screenshot of the insights tab for a specific node." lightbox="media/how-to-manage-cloud-map/insights.png":::
+ :::image type="content" source="media/how-to-manage-attack-path/insights.png" alt-text="Screenshot of the insights tab for a specific node." lightbox="media/how-to-manage-attack-path/insights.png":::
1. Select **Recommendations**.
- :::image type="content" source="media/how-to-manage-cloud-map/attack-path-recommendations.png" alt-text="Screenshot that shows you where to select recommendations on the screen." lightbox="media/how-to-manage-cloud-map/attack-path-recommendations.png":::
+ :::image type="content" source="media/how-to-manage-attack-path/attack-path-recommendations.png" alt-text="Screenshot that shows you where to select recommendations on the screen." lightbox="media/how-to-manage-attack-path/attack-path-recommendations.png":::
1. Select a recommendation.
-1. Follow the remediation steps to remediate the recommendation.
+1. [Remediate the recommendation](implement-security-recommendations.md).
+
+## Remediate attack paths
+
+Once you have investigated an attack path and reviewed all of the associated findings and recommendations, you can start to remediate the attack path.
+
+**To remediate an attack path**:
+
+1. Navigate to **Microsoft Defender for Cloud** > **Attack path analysis**.
+
+1. Select an attack path.
-1. Select other nodes as necessary and view their insights and recommendations as necessary.
+1. Select **Remediation**.
+
+ :::image type="content" source="media/how-to-manage-attack-path/recommendations-tab.png" alt-text="Screenshot of the attack path that shows you where to select remediation." lightbox="media/how-to-manage-attack-path/recommendations-tab.png":::
+
+1. Select a recommendation.
+
+1. [Remediate the recommendation](implement-security-recommendations.md).
Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list.
-## View all recommendations with attack path
+## Remediate all recommendations within an attack path
-Attack path analysis also gives you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually.
+Attack path analysis grants you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually.
The remediation path contains two types of recommendation:
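Review bot: The "To identify attack paths" procedure still ends with the step "Remediate the recommendation", which overlaps the "Remediate attack paths" section added directly below it; end the identify steps at selecting a recommendation, or make the last step an explicit hand-off to the next section. In the rewritten intro of "Remediate all recommendations within an attack path", the second sentence ("You can resolve all recommendations without having to view each node individually") repeats the first and can be dropped.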
The remediation path contains two types of recommendation:
1. Select **Remediation**.
- :::image type="content" source="media/how-to-manage-cloud-map/bulk-recommendations.png" alt-text="Screenshot that shows where to select on the screen to see the attack paths full list of recommendations." lightbox="media/how-to-manage-cloud-map/bulk-recommendations.png":::
+ :::image type="content" source="media/how-to-manage-attack-path/bulk-recommendations.png" alt-text="Screenshot that shows where to select on the screen to see the attack paths full list of recommendations." lightbox="media/how-to-manage-attack-path/bulk-recommendations.png":::
+
+1. Expand **Additional recommendations**.
1. Select a recommendation.
-1. Follow the remediation steps to remediate the recommendation.
+1. [Remediate the recommendation](implement-security-recommendations.md).
Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list.
-## Consume attack path data programmatically using API
-
-You can consume attack path data programmatically by querying Azure Resource Graph (ARG) API.
-Learn [how to query ARG API](/rest/api/azureresourcegraph/resourcegraph(2020-04-01-preview)/resources/resources?source=recommendations&tabs=HTTP).
-
-The following examples show sample ARG queries that you can run:
-
-**Get all attack paths in subscription ΓÇÿXΓÇÖ**:
-
-```kusto
-securityresources
-| where type == "microsoft.security/attackpaths"
-| where subscriptionId == <SUBSCRIPTION_ID>
-```
-
-**Get all instances for a specific attack path**:
-For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`.
-
-```kusto
-securityresources
-| where type == "microsoft.security/attackpaths"
-| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26"
-| extend AttackPathDisplayName = tostring(properties["displayName"])
-| where AttackPathDisplayName == "<DISPLAY_NAME>"
-```
-
-### API response schema
-
-The following table lists the data fields returned from the API response:
-
-| Field | Description |
-|--|--|
-| ID | The Azure resource ID of the attack path instance|
-| Name | The Unique identifier of the attack path instance|
-| Type | The Azure resource type, always equals `microsoft.security/attackpaths`|
-| Tenant ID | The tenant ID of the attack path instance |
-| Location | The location of the attack path |
-| Subscription ID | The subscription of the attack path |
-| Properties.description | The description of the attack path |
-| Properties.displayName | The display name of the attack path |
-| Properties.attackPathType | The type of the attack path|
-| Properties.manualRemediationSteps | Manual remediation steps of the attack path |
-| Properties.refreshInterval | The refresh interval of the attack path |
-| Properties.potentialImpact | The potential impact of the attack path being breached |
-| Properties.riskCategories | The categories of risk of the attack path |
-| Properties.entryPointEntityInternalID | The internal ID of the entry point entity of the attack path |
-| Properties.targetEntityInternalID | The internal ID of the target entity of the attack path |
-| Properties.assessments | Mapping of entity internal ID to the security assessments on that entity |
-| Properties.graphComponent | List of graph components representing the attack path |
-| Properties.graphComponent.insights | List of insights graph components related to the attack path |
-| Properties.graphComponent.entities | List of entities graph components related to the attack path |
-| Properties.graphComponent.connections | List of connections graph components related to the attack path |
-| Properties.AttackPathID | The unique identifier of the attack path instance |
-
-## Next Steps
-
-Learn how to [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md).
+## Next Step
+
+> [!div class="nextstepaction"]
+> [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md).
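Review bot: The whole "Consume attack path data programmatically using API" section, with both Azure Resource Graph queries and the response schema table, is deleted and the visible lines add no link to a new location; if the content moved, link to it from this page, otherwise readers who automate against `microsoft.security/attackpaths` lose the field reference. If it is relocated, replace the literal subscription GUID in the second query with a placeholder, and quote `<SUBSCRIPTION_ID>` in the first query so the two samples are consistent. The new heading "Next Step" and the lowercase link text ending in a period differ from the "Next step" form used in the other articles in this batch.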
defender-for-cloud How To Manage Cloud Security Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-cloud-security-explorer.md
Title: Build queries with cloud security explorer in Microsoft Defender for Cloud
-description: Learn how to build queries with cloud security explorer in Microsoft Defender for Cloud
+ Title: Build queries with cloud security explorer
+description: Learn how to build queries with cloud security explorer in Microsoft Defender for Cloud to proactively identify security risks in your cloud environment.
Previously updated : 11/01/2023 Last updated : 02/29/2024++
+ai-usage: ai-assisted
+# Customer Intent: As a security professional, I want to learn how to build queries with cloud security explorer in Microsoft Defender for Cloud so that I can proactively identify security risks in my cloud environment and improve my security posture.
# Build queries with cloud security explorer Defender for Cloud's contextual security capabilities assists security teams in reducing the risk of impactful breaches. Defender for Cloud uses environmental context to perform a risk assessment of your security issues, identifies the biggest security risks, and distinguishes them from less risky issues.
-Use the cloud security explorer, to proactively identify security risks in your cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine. You can prioritize your security team's concerns, while taking your organization's specific context and conventions into account.
+Use the cloud security explorer, to proactively identify security risks in your cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine. You can prioritize your security team's concerns, while taking your organization's specific context and conventions into account.
With the cloud security explorer, you can query all of your security issues and environment context such as assets inventory, exposure to internet, permissions, and lateral movement between resources and across multiple clouds (Azure AWS, and GCP).
-Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md).
-
-## Availability
-
-| Aspect | Details |
-|--|--|
-| Release state | GA (General Availability) |
-| Required plans | - Defender Cloud Security Posture Management (CSPM) enabled<br>- Defender for Servers P2 customers can use the explorer UI to query for keys and secrets, but must have Defender CSPM enabled to get the full value of the Explorer. |
-| Required roles and permissions: | - **Security Reader** <br> - **Security Admin** <br> - **Reader** <br> - **Contributor** <br> - **Owner** |
-| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds (Azure, AWS, GCP) <br>:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds <br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet) |
- ## Prerequisites -- You must [enable Defender CSPM](enable-enhanced-security.md).
- - For agentless container posture, you must enable the following extensions:
- - Agentless discovery for Kubernetes (preview)
- - Container registries vulnerability assessments (preview)
+- You must [enable Defender CSPM](enable-enhanced-security.md)
+ - You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md).
+
+ For agentless container posture, you must enable the following extensions:
+ - [Agentless discovery for Kubernetes](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan)
+ - [Agentless container vulnerability assessment](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan)
-- You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md).
+ > [!NOTE]
+ > If you only have [Defender for Servers P2](tutorial-enable-servers-plan.md) plan 2 enabled, you can use the cloud security explorer to query for keys and secrets, but you must have Defender CSPM enabled to get the full value of the explorer.
- Required roles and permissions: - Security Reader
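Review bot: Deleting the Availability table drops the statements that the explorer is GA and that national clouds (Azure Government, Microsoft Azure operated by 21Vianet) are not supported, and the new Prerequisites list in the visible lines does not carry either over; keep a short cloud-availability line or link to where it is documented. In the added note, "[Defender for Servers P2] plan 2 enabled" says the plan level twice; use "Defender for Servers Plan 2" once. The first prerequisite bullet lost its closing period, and the re-added intro sentence still has the stray comma in "Use the cloud security explorer, to proactively identify".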
Use the query link to share a query with other people. After creating a query, s
:::image type="content" source="media/how-to-manage-cloud-security/cloud-security-explorer-share-query.png" alt-text="Screenshot showing the Share Query Link icon." lightbox="media/how-to-manage-cloud-security/cloud-security-explorer-share-query.png":::
-## Next steps
-
-View the [reference list of attack paths and cloud security graph components](attack-path-reference.md).
+## Next step
-Learn about the [Defender CSPM plan options](concept-cloud-security-posture-management.md).
+> [!div class="nextstepaction"]
+> [Learn about the cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md)
defender-for-cloud Implement Security Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/implement-security-recommendations.md
Title: Remediate security recommendations in Microsoft Defender for Cloud
-description: Learn how to remediate security recommendations in Microsoft Defender for Cloud.
+ Title: Remediate recommendations
+description: Remediate security recommendations in Microsoft Defender for Cloud to improve the security posture of your environments.
-- Previously updated : 03/05/2024++ Last updated : 03/07/2024
+ai-usage: ai-assisted
+#customer intent: As a security professional, I want to understand how to remediate security recommendations in Microsoft Defender for Cloud so that I can improve my security posture.
-# Remediate security recommendations
+# Remediate recommendations
Resources and workloads protected by Microsoft Defender for Cloud are assessed against built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations provide practical steps to remediate security issues, and improve security posture.
-This article describes how to remediate security recommendations in your Defender for Cloud deployment using the latest version of the portal experience.
-
-## Before you start
+This article describes how to remediate security recommendations in your Defender for Cloud deployment.
Before you attempt to remediate a recommendation you should review it in detail. Learn how to [review security recommendations](review-security-recommendations.md).
-> [!IMPORTANT]
-> This page discusses how to use the new recommendations experience where you have the ability to prioritize your recommendations by their effective risk level. To view this experience, you must select **Try it now**.
->
-> :::image type="content" source="media/review-security-recommendations/try-it-now.png" alt-text="Screenshot that shows where the try it now button is located on the recommendations page." lightbox="media/review-security-recommendations/try-it-now.png":::
-
-## Group recommendations by risk level
-
-Before you start remediating, we recommend grouping your recommendations by risk level in order to remediate the most critical recommendations first.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.
-
-1. Select **Group by** > **Primary grouping** > **Risk level** > **Apply**.
-
- :::image type="content" source="media/implement-security-recommendations/group-by-risk-level.png" alt-text="Screenshot of the recommendations page that shows how to group your recommendations." lightbox="media/implement-security-recommendations/group-by-risk-level.png":::
-
- Recommendations are displayed in groups of risk levels.
-
-You can now review critical and other recommendations to understand the recommendation and remediation steps. Use the graph to understand the risk to your business, including which resources are exploitable, and the effect that the recommendation has on your business.
+## Remediate a recommendation
-## Remediate recommendations
-
-After reviewing recommendations by risk, decide which one to remediate first.
+Recommendations are prioritized based on the risk level of the security issue by default.
In addition to risk level, we recommend that you prioritize the security controls in the default [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) standard in Defender for Cloud, since these controls affect your [secure score](secure-score-security-controls.md).
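Review bot: In the added sentence "Recommendations are prioritized based on the risk level of the security issue by default", the trailing "by default" leaves it unclear whether this is the list's sort order or a setting the reader can change; since the "Group recommendations by risk level" steps are removed in the same hunk, say explicitly that the recommendations list is already ordered by risk level. The front-matter comment is written `#customer intent:` here and `# Customer Intent:` in the cloud security explorer article; pick one form.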
In addition to risk level, we recommend that you prioritize the security control
1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.
-1. Select a recommendation to remediate.
+ :::image type="content" source="media/implement-security-recommendations/recommendations-page.png" alt-text="Screenshot of the recommendations page that shows all of the affected resources by their risk level." lightbox="media/implement-security-recommendations/recommendations-page.png":::
+
+1. Select a recommendation.
1. Select **Take action**. 1. Locate the Remediate section and follow the remediation instructions.
- :::image type="content" source="./media/implement-security-recommendations/security-center-remediate-recommendation.png" alt-text="This screenshot shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/security-center-remediate-recommendation.png":::
+ :::image type="content" source="./media/implement-security-recommendations/remediate-recommendation.png" alt-text="This screenshot shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/remediate-recommendation.png":::
## Use the Fix option
-To simplify remediation and improve your environment's security (and increase your secure score), many recommendations include a **Fix** option to help you quickly remediate a recommendation on multiple resources. If the Fix button isn't present in the recommendation, then there's no option to apply a quick fix.
+To simplify the remediation process, a Fix button may appear in a recommendation. The Fix button helps you quickly remediate a recommendation on multiple resources. If the Fix button is not present in the recommendation, then there is no option to apply a quick fix, and you must follow the presented remediation steps to address the recommendation.
**To remediate a recommendation with the Fix button**:
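Review bot: The rewritten Fix paragraph says a Fix button "may appear", which can be read as possibility or as permission; "some recommendations include a **Fix** button" is clearer, and bolding **Fix** would match the UI-label formatting used in the steps above (**Take action**). The new text also switches to "is not" and "there is" where the line it replaces used contractions, and it no longer mentions the effect on secure score that the old sentence stated.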
Security admins can fix issues at scale with automatic script generation in AWS
Copy and run the script to remediate the recommendation.
-## Next steps
+## Next step
-Learn about [using governance rules in your remediation processes](governance-rules.md).
+> [!div class="nextstepaction"]
+> [Governance rules in your remediation processes](governance-rules.md)
defender-for-cloud Recommendations Reference Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-aws.md
To learn more about the supported runtimes that this control checks for the supp
## AWS Container recommendations
+### [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576)
+
+**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards.
+
+**Severity**: High
+
+**Type**: Vulnerability Assessment
+
+### [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)
+
+**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards.
+
+**Severity**: High
+
+**Type**: Vulnerability Assessment
+ ### [EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7d3a977e-46f1-419a-9046-4bd44db80aac) **Description**: Microsoft Defender for Containers provides protections for your EKS clusters.
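Review bot: The description added for "Containers running in AWS" breaks parallel structure at "is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance"; change "ensures" to "ensure". The two new entries give Severity and Type but no related-policy line, which other entries on these reference pages include (for example "(No related policy)"); add it if the format is meant to be uniform.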
Enabling managed platform updates ensures that the latest available platform fix
### [Elastic Load Balancer shouldn't have ACM certificate expired or expiring in 90 days.](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/a5e0d700-3de1-469a-96d2-6536d9a92604)
-**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM. you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.
+**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM, you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.
**Severity**: High
IAM database authentication allows authentication to database instances with an
### [IAM customer managed policies should not allow decryption actions on all KMS keys](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d088fb9f-11dc-451e-8f79-393916e42bb2)
-**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts.This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies.
+**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts. This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies.
With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. In other words, you should grant to identities only the "kms:Decrypt" or "kms:ReEncryptFrom" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that aren't appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, don't allow "kms:Decrypt" permission on all KMS keys. Instead, allow "kms:Decrypt" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.
defender-for-cloud Recommendations Reference Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-gcp.md
At least business critical VMs should have VM disks encrypted with CSEK.
## GCP Container recommendations
+### [[Preview] Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04)
+
+**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards.
+
+**Severity**: High
+
+**Type**: Vulnerability Assessment
+
+### [[Preview] Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)
+
+**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards.
+
+**Severity**: High
+
+**Type**: Vulnerability Assessment
+ ### [Advanced configuration of Defender for Containers should be enabled on GCP connectors](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/b7683ca3-3a11-49b6-b9d4-a112713edfa3) **Description**: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings.
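Review bot: Both added descriptions are generic: the headings say "GCP registry" and "running in GCP", but the description text only refers to "your registry images" and "your Kubernetes clusters" and never names the GCP services in scope. Naming the registry and cluster types covered would tell the reader which resources this assessment actually evaluates.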
defender-for-cloud Recommendations Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference.md
When you restore from a recovery point, you can restore the whole VM or specific
**Severity**: Low
-### [EDR solution should be installed on Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c)
+### [EDR solution should be installed on Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c)
**Description**: Installing an Endpoint Detection and Response (EDR) solution on virtual machines is important for protection against advanced threats. EDRs aid in preventing, detecting, investigating, and responding to these threats. Microsoft Defender for Servers can be used to deploy Microsoft Defender for Endpoint. If a resource is classified as "Unhealthy", it indicates the absence of a supported EDR solution. If an EDR solution is installed but not discoverable by this recommendation, it can be exempted. Without an EDR solution, the virtual machines are at risk of advanced threats.
Learn more about [Trusted launch for Azure virtual machines](../virtual-machines
## Container recommendations
+### [[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)
+
+**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards.
+
+**Severity**: High
+
+**Type**: Vulnerability Assessment
+
+### [[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)
+
+**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards.
+
+**Severity**: High
+
+**Type**: Vulnerability Assessment
+ ### [(Enable if required) Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/af560c4d-9c05-e073-b9f1-f7a94958ff25) **Description**: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
Privileged containers have all of the root capabilities of a host machine. They
### [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5)
+> [!IMPORTANT]
+> This recommendation is on a retirement path. It is being replaced by the recommendation [[[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)](#preview-container-images-in-azure-registry-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey33422d8f-ab1e-42be-bc9a-38685bb567b9).
+ **Description**: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. (Related policy: [Vulnerabilities in Azure Container Registry images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f5f0f936f-2f01-4bf5-b6be-d423792fa562)).
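Review bot: The link in the added IMPORTANT note wraps a complete portal link inside the link text of an in-page anchor link (`[[[Preview] ...](https://portal...)](#preview-...)`), and the anchor slug embeds the flattened portal URL; nested links do not render as intended in Markdown and the slug will break if the assessment key URL changes. Use plain link text with a single target, and consider giving the replacement heading a stable anchor. "On a retirement path" would also be more useful with a date or a pointer to the release notes entry.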
Privileged containers have all of the root capabilities of a host machine. They
**Type**: Vulnerability Assessment
-### [Azure running container images should have vulnerabilities resolved - (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c)
-
-**Description**: Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
-(No related policy)
-
-**Severity**: High
-
-**Type**: Vulnerability Assessment
- ### [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)
+> [!IMPORTANT]
+> This recommendation is on a retirement path. It is being replaced by the recommendation [[[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)](#preview-containers-running-in-azure-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeye9acaf48-d2cf-45a3-a6e7-3caa2ef769e0).
+ **Description**: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. **Severity**: High
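Review bot: The "(powered by Qualys)" running-container recommendation is deleted outright, while the two Microsoft Defender Vulnerability Management entries in this file get a retirement note that points to their replacement; readers who still see the Qualys assessment key in exports have nothing to map it to. Either keep a short retired stub naming the replacement or confirm the retirement is recorded in the release notes and link to it.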
defender-for-cloud Release Notes