+- East US

+> [Groundedness detection quickstart](../quickstart-groundedness.md)

+* For custom models, the maximum number that can be composed is 200.

+Assign yourself either the [Cognitive Services OpenAI User](role-based-access-control.md#cognitive-services-openai-user) or [Cognitive Services OpenAI Contributor](role-based-access-control.md#cognitive-services-openai-contributor) role to allow you to use your account to make Azure OpenAI inference API calls rather than having to use key-based auth. After you make this change it can take up to 5 minutes before the change takes effect.

+✅ Make inference API calls with Microsoft Entra ID.

+❌ Make inference API calls with Microsoft Entra ID.

+|Make inference API calls with Microsoft Entra ID| ✅ | ✅ | ❌ | ➖ |

+> The MathML elements (tags) are currently supported in the following locales: `de-DE`, `en-AU`, `en-GB`, `en-US`, `es-ES`, `es-MX`, `fr-CA`, `fr-FR`, `it-IT`, `ja-JP`, `ko-KR`, `pt-BR`, and `zh-CN`.

+> To convert text to speech with a no-code approach, try the [Text to speech avatar tool in Speech Studio](https://speech.microsoft.com/portal/talkingavatar).

+You can choose from a range of prebuilt voices for the avatar. The language support for text to speech avatar is the same as the language support for text to speech. For details, see [Language and voice support for the Speech service](../language-support.md?tabs=tts). Prebuilt text to speech avatars can be accessed through the [Speech Studio portal](https://speech.microsoft.com/portal/talkingavatar) or via API.

+With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the Cloud Native Computing Foundation (CNCF), using the application routing add-on with OSM is not recommended.

+- Editing the ingress-nginx `ConfigMap` in the `app-routing-system` namespace isn't supported.

+[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates

+[Blog]: https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/increased-security-and-resiliency-of-canonical-workloads-on/ba-p/3970623

+[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create

+[windows-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-windows.md

+[keda-overview]: keda-about.md

+[trusted-launch]: use-trusted-launch.md

+Visibility is one element of cost management. Refer to [Optimize Costs in Azure Kubernetes Service (AKS)](./best-practices-cost.md) for other best practices on how to gain control over your kubernetes cost.

+This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operator, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual).

+* You can use Azure Cloud Shell or a local terminal.

+* This article requires at least version 2.31.0 of Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+* If running the commands in this guide locally (instead of Azure Cloud Shell):

+ * Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, Azure Linux, macOS, Windows Subsystem for Linux).

+ * Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)).

+ * Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.

+ * Install [Docker](https://docs.docker.com/get-docker/) for your OS.

+[istio-deploy-addon]: istio-deploy-addon.md

+[azure-support-faq]: https://azure.microsoft.com/support/legal/faq/

+* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.

+* The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options.

+ az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123

+[run-command-invoke]: /cli/azure/vmss/run-command#az-vmss-run-command-invoke

+| 1.30 | Apr 2024 | May 2024 | Jun 2024 | | Until 1.34 GA |

+Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.26 is considered platform support when v1.29 is the latest GA version. However, during the v1.30 GA release, v1.26 will then auto-upgrade to v1.27. If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy.

+Each API Management [pricing tier](api-management-key-concepts.md#api-management-tiers) offers a distinct set of features and per unit [capacity](api-management-capacity.md). The following table summarizes the key features available in each of the tiers. Some features might work differently or have different capabilities depending on the tier. In such cases the differences are called out in the documentation articles describing these individual features.

+> * The Consumption tier isn't available in the US Government cloud or the Microsoft Azure operated by 21Vianet cloud.

+> * For information about APIs supported in the API Management gateway available in different tiers, see [API Management gateways overview](api-management-gateways-overview.md#backend-apis).

+| Feature | Consumption | Developer | Basic | Basic v2 |Standard | Standard v2 | Premium |

+| -- | -- | | | | -- | -- | - |

+| Microsoft Entra integration¹ | No | Yes | No | Yes | Yes | Yes | Yes |

+| Virtual Network (VNet) injection support | No | Yes | No | No | No | No | Yes |

+| Private endpoint support for inbound connections | No | Yes | Yes | No | Yes | No | Yes |

+| Outbound virtual network integration support | No | No | No | No | No | Yes | No |

+| Multi-region deployment | No | No | No | No | No | No | Yes |

+| Availability zones | No | No | No | No | No | No | Yes |

+| Multiple custom domain names for gateway | No | Yes | No | No | No | No | Yes |

+| Developer portal² | No | Yes | Yes | Yes | Yes | Yes | Yes |

+| Built-in cache | No | Yes | Yes | Yes | Yes | Yes | Yes |

+| [External cache](./api-management-howto-cache-external.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes |

+| Autoscaling | No | No | Yes | No | Yes | No |Yes |

+| API analytics | No | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Self-hosted gateway](self-hosted-gateway-overview.md)³ | No | Yes | No | No | No | No | Yes |

+| [Workspaces](workspaces-overview.md) | No | No | No | No | No | No | Yes |

+| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes |

+| [Policies](api-management-howto-policies.md)⁴ | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Credential manager](credentials-overview.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | No | Yes | No | Yes |

+| [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes |No | Yes | No | Yes |

+| Direct management API | No | Yes | Yes | No | Yes |No | Yes |

+| Azure Monitor metrics | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| Azure Monitor and Log Analytics request logs | No | Yes | Yes | Yes | Yes | Yes |Yes |

+| Application Insights request logs | Yes | Yes | Yes | Yes | Yes | Yes |Yes |

+| Static IP | No | Yes | Yes | No |Yes | No | Yes |

+⁴ See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the classic, v2, consumption, and self-hosted gateways. <br/>

+* For more information about the API Management service tiers and features, see:

+ * [API Management tiers](api-management-key-concepts.md#api-management-tiers)

+ * [Feature-based comparison of the Azure API Management tiers](api-management-features.md).

+ > Because of differences in the underlying service architecture, the gateways provided in the different API Management service tiers have some differences in capabilities. For details, see the section [Feature comparison: Managed versus self-hosted gateways](#feature-comparison-managed-versus-self-hosted-gateways).

+* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway that is available in select service tiers. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure.

+The following tables compare features available in the following API Management gateways:

+* **Classic** - the managed gateway available in the Developer, Basic, Standard, and Premium service tiers (formerly grouped as *dedicated* tiers)

+* **V2** - the managed gateway available in the Basic v2 and Standard v2 tiers

+* **Consumption** - the managed gateway available in the Consumption tier

+* **Self-hosted** - the optional self-hosted gateway available in select service tiers

+| Feature support | Classic | V2 | Consumption | Self-hosted |

+| | | -- | -- | - |

+| [Custom domains](configure-custom-domain.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Built-in cache](api-management-howto-cache.md) | ✔️ | ✔️ | ❌ | ❌ |

+| [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ |✔️ | ✔️ |

+| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | ❌ | ❌ | ✔️^1,2 |

+| [Inbound private endpoints](private-endpoint.md) | Developer, Basic, Standard, Premium | ❌ | ❌ | ❌ |

+| [Outbound virtual network integration](integrate-vnet-outbound.md) | ❌ | Standard V2 | ❌ | ❌ |

+| [Availability zones](zone-redundancy.md) | Premium | Γ¥î | Γ¥î | Γ£ö∩╕Ź |

+| [Multi-region deployment](api-management-howto-deploy-multi-region.md) | Premium | Γ¥î | Γ¥î | Γ£ö∩╕Ź |

+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î | Γ£ö∩╕ų |

+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î | Γ£ö∩╕ų |

+| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) | Developer, Basic, Standard, Premium | ✔️ | ✔️ | ❌ |

+| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| **HTTP/2** (Client-to-gateway) | Γ£ö∩╕Å⁴ | Γ£ö∩╕Å⁴ |Γ¥î | Γ£ö∩╕Å |

+| **HTTP/2** (Gateway-to-backend) | ❌ | ❌ | ❌ | ✔️ |

+| API threat detection with [Defender for APIs](protect-with-defender-for-apis.md) | ✔️ | ✔️ | ❌ | ❌ |

+| Feature support | Classic | V2 | Consumption | Self-hosted |

+| | | -- | -- | - |

+| [OpenAPI specification](import-api-from-oas.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [WSDL specification](import-soap-api.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| WADL specification | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Logic App](import-logic-app-as-api.md) | ✔️ | ✔️ | ✔️ |✔️ |

+| [App Service](import-app-service-as-api.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Function App](import-function-app-as-api.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Container App](import-container-app-with-oas.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) | Developer, Premium | ❌ |❌ | ❌ |

+| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ |✔️ | ✔️ |

+| [Synthetic GraphQL](graphql-apis-overview.md)| Γ£ö∩╕Å | Γ£ö∩╕Å | Γ£ö∩╕Ź | Γ£ö∩╕Ź |

+| [Pass-through WebSocket](websocket-api.md) | ✔️ | ✔️ | ❌ | ✔️ |

+| [Pass-through gRPC](grpc-api.md) (preview) | ❌ | ❌ | ❌ | ✔️ |

+| [OData](import-api-from-odata.md) (preview) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ |✔️ | ✔️ |

+| [Azure OpenAI](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Circuit breaker in backend](backends.md#circuit-breaker-preview) (preview) | ✔️ | ✔️ | ❌ | ✔️ |

+| [Load-balanced backend pool](backends.md#load-balanced-pool-preview) (preview) | ✔️ | ✔️ | ✔️ | ✔️ |

+| Feature support | Classic | V2 | Consumption | Self-hosted¹ |

+| | | -- | -- | - |

+| [Dapr integration](api-management-policies.md#integration-and-external-communication) | ❌ | ❌ |❌ | ✔️ |

+| [GraphQL resolvers](api-management-policies.md#graphql-resolvers) and [GraphQL validation](api-management-policies.md#content-validation)| ✔️ | ✔️ |✔️ | ❌ |

+| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ |✔️ | ❌ |

+| [Quota and rate limit](api-management-policies.md#rate-limiting-and-quotas) | Γ£ö∩╕Å | Γ£ö∩╕Ų | Γ£ö∩╕ų | Γ£ö∩╕Å⁴ |

+² The quota by key policy isn't available in the v2 tiers.<br/>

+| Feature support | Classic | V2 | Consumption | Self-hosted |

+| | | -- | -- | - |

+| [API analytics](howto-use-analytics.md) | Γ£ö∩╕Å | Γ£ö∩╕Ź | Γ¥î | Γ¥î |

+| [Application Insights](api-management-howto-app-insights.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Logging through Event Hubs](api-management-howto-log-event-hubs.md) | ✔️ | ✔️ | ✔️ | ✔️ |

+| [Metrics in Azure Monitor](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) | ✔️ | ✔️ |✔️ | ✔️ |

+| [OpenTelemetry Collector](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md) | ❌ | ❌ | ❌ | ✔️ |

+| [Request logs in Azure Monitor and Log Analytics](api-management-howto-use-azure-monitor.md#resource-logs) | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î | Γ¥î² |

+| [Local metrics and logs](how-to-configure-local-metrics-logs.md) | ❌ | ❌ | ❌ | ✔️ |

+| [Request tracing](api-management-howto-api-inspector.md) | Γ£ö∩╕Å | Γ¥î³ | Γ£ö∩╕Å | Γ£ö∩╕Å |

+¹ The v2 tiers support Azure Monitor-based analytics.<br/>

+² The self-hosted gateway currently doesn't send resource logs (diagnostic logs) to Azure Monitor. Optionally [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.<br/>

+³ Tracing is currently unavailable in the v2 tiers.

+| Feature support | Classic | V2 | Consumption | Self-hosted |

+| | | -- | -- | - |

+| [Credential manager](credentials-overview.md) | ✔️ | ✔️ | ✔️ | ❌ |

+* **Classic tiers**

+ * In the Basic, Standard, and Premium tiers, optionally configure [Azure Monitor autoscale](api-management-howto-autoscale.md).

+* **v2 tiers**

+ * Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier.

+[Caching policies]: ./api-management-policies.md#caching

+# Automatically scale an Azure API Management instance

+An Azure API Management service instance can scale automatically based on a set of rules. This behavior can be enabled and configured through [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale).

+For more detailed information about caching, see [API Management caching policies](api-management-policies.md#caching) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md).

+After adding a Redis-compatible cache, configure [caching policies](api-management-policies.md#caching) to enable response caching, or caching of values by key, in the external cache.

+[Caching policies]: ./api-management-policies.md#caching

+For more detailed information about caching, see [API Management caching policies](api-management-policies.md#caching) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md).

+> Internal cache is not available in the **Consumption** tier of Azure API Management. You can [use an external Azure Cache for Redis](api-management-howto-cache-external.md) instead. You can also configure an external cache in other API Management service tiers.

+> If you are using an external cache, as described in [Use an external Azure Cache for Redis in Azure API Management](api-management-howto-cache-external.md), you may want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-policies.md#caching) for more details.

+[Caching policies]: ./api-management-policies.md#caching

+When you provision a [self-hosted Azure API Management gateway](self-hosted-gateway-overview.md), it is not assigned a host name and has to be referenced by its IP address. This article shows how to map an existing custom DNS name (also referred to as hostname) to a self-hosted gateway.

+In API Management, developers are the users of the APIs that you expose using API Management. This guide shows how to create and invite developers to use the APIs and products that you make available to them with your API Management instance. For information on managing user accounts programmatically, see the [User entity](/rest/api/apimanagement/current-ga/user) documentation in the [API Management REST](/rest/api/apimanagement/) reference.

+ [!INCLUDE [api-management-availability-tracing-v2-tiers](../../includes/api-management-availability-tracing-v2-tiers.md)]

+The *developer portal* is an automatically generated, fully customizable website with the documentation of your APIs. It is where API consumers can discover your APIs, learn how to use them, and request access.

+ Therefore, if IP restriction lists secure resources within the VNet or a peered VNet, it is recommended to use the whole API Management [subnet range](virtual-network-injection-resources.md#subnet-size) with an IP rule - and (in internal mode) not just the private IP address associated with the API Management resource.

+If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2, Standard v2.

+> * The following tiers don't support changes to the default cipher configuration: **Consumption**, **Basic v2**, **Standard v2**.

+To receive and verify client certificates over HTTP/2 in the Developer, Basic, Basic v2, Standard, Standard v2, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below.

+> * Certification renegotiation is not supported in the API Management v2 tiers.

+[Caching policies]: ./api-management-policies.md#caching

+[Caching policies]: ./api-management-policies.md#caching

+Policy expressions provide a sophisticated means to control traffic and modify API behavior without requiring you to write specialized code or modify backend services. Some policies are based on policy expressions, such as [Control flow][Control flow] and [Set variable][Set variable].

+[Policy control and flow policies]: ./api-management-policies.md#policy-control-and-flow

+Provisioning a gateway resource in your Azure API Management instance is a prerequisite for deploying a self-hosted gateway. This article walks through the steps to provision a gateway resource in API Management.

+Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up (and related account management operations) and product subscription using your existing website, instead of the developer portal's built-in functionality.

+This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md)

+Azure API Management is made up of an API *gateway*, a *management plane*, and a *developer portal*. These components are Azure-hosted and fully managed by default. API Management is available in various [tiers](#api-management-tiers) differing in capacity and features.

+## API Management tiers

+API Management is offered in a variety of pricing tiers to meet the needs of different customers. Each tier offers a distinct combination of features, performance, capacity limits, scalability, SLA, and pricing for different scenarios. The tiers are grouped as follows:

+* **Classic** - The original API Management offering, including the Developer, Basic, Standard, and Premium tiers. The Premium tier is designed for enterprises requiring access to private backends, enhanced security features, multi-region deployments, availability zones, and high scalability. The Developer tier is an economical option for non-production use, while the Basic, Standard, and Premium tiers are production-ready tiers.

+* **V2** - A new set of tiers that offer fast provisioning and scaling, including Basic v2 for development and testing, and Standard v2 for production workloads. Standard v2 supports simplified connection to network-isolated backends.

+* **Consumption** - The Consumption tier is a serverless gateway for managing APIs that scales based on demand and billed per execution. It is designed for applications with serverless compute, microservices-based architectures, and those with variable traffic patterns.

+**More information**:

+* [Feature-based comparison of the Azure API Management tiers](api-management-features.md)

+* [V2 service tiers](v2-service-tiers-overview.md)

+* [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/)

+This section provides brief descriptions and links to reference articles for all API Management policies. The API Management [gateways](api-management-gateways-overview.md) that support each policy are indicated. For detailed policy settings and examples, see the linked reference articles.

+## Rate limiting and quotas

+|Policy |Description |Classic | V2 | Consumption | Self-hosted |

+||||||--|

+| [Limit call rate by subscription](rate-limit-policy.md) | Prevents API usage spikes by limiting call rate, on a per subscription basis. | Yes | Yes | Yes | Yes |

+| [Limit call rate by key](rate-limit-by-key-policy.md) | Prevents API usage spikes by limiting call rate, on a per key basis. | Yes | Yes | No | Yes |

+| [Set usage quota by subscription](quota-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. | Yes | Yes | Yes | Yes

+| [Set usage quota by key](quota-by-key-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. | Yes | No | No | Yes |

+| [Limit concurrency](limit-concurrency-policy.md) | Prevents enclosed policies from executing by more than the specified number of requests at a time. | Yes | Yes | Yes | Yes |

+## Authentication and authorization

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Check HTTP header](check-header-policy.md) | Enforces existence and/or value of an HTTP header. | Yes | Yes | Yes | Yes |

+| [Get authorization context](get-authorization-context-policy.md) | Gets the authorization context of a specified [connection](credentials-overview.md) to a credential provider configured in the API Management instance. | Yes | Yes | Yes | No |

+| [Restrict caller IPs](ip-filter-policy.md) | Filters (allows/denies) calls from specific IP addresses and/or address ranges. | Yes | Yes | Yes | Yes |

+| [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) | Enforces existence and validity of a Microsoft Entra (formerly called Azure Active Directory) JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes |

+| [Validate JWT](validate-jwt-policy.md) | Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes |

+| [Validate client certificate](validate-client-certificate-policy.md) |Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. | Yes | Yes | Yes | Yes |

+| [Authenticate with Basic](authentication-basic-policy.md) | Authenticates with a backend service using Basic authentication. | Yes | Yes | Yes | Yes |

+| [Authenticate with client certificate](authentication-certificate-policy.md) | Authenticates with a backend service using client certificates. | Yes | Yes | Yes | Yes |

+| [Authenticate with managed identity](authentication-managed-identity-policy.md) | Authenticates with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md). | Yes | Yes | Yes | Yes |

+## Content validation

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Validate content](validate-content-policy.md) | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes |

+| [Validate GraphQL request](validate-graphql-request-policy.md) | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes |

+| [Validate OData request](validate-odata-request-policy.md) | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes |

+| [Validate parameters](validate-parameters-policy.md) | Validates the request header, query, or path parameters against the API schema. | Yes | Yes | Yes | Yes |

+| [Validate headers](validate-headers-policy.md) | Validates the response headers against the API schema. | Yes | Yes | Yes | Yes |

+| [Validate status code](validate-status-code-policy.md) | Validates the HTTP status codes in responses against the API schema. | Yes | Yes | Yes | Yes |

+## Routing

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Forward request](forward-request-policy.md) | Forwards the request to the backend service. | Yes | Yes | Yes | Yes |

+| [Set backend service](set-backend-service-policy.md) | Changes the backend service base URL of an incoming request to a URL or a [backend](backends.md). Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool-preview) and [circuit breaker rules](backends.md#circuit-breaker-preview) to protect the backend from too many requests. | Yes | Yes | Yes | Yes |

+| [Set HTTP proxy](proxy-policy.md) | Allows you to route forwarded requests via an HTTP proxy. | Yes | Yes | Yes | Yes |

+## Caching

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Get from cache](cache-lookup-policy.md) | Performs cache lookup and return a valid cached response when available. | Yes | Yes | Yes | Yes |

+| [Store to cache](cache-store-policy.md) | Caches response according to the specified cache control configuration. | Yes | Yes | Yes | Yes |

+| [Get value from cache](cache-lookup-value-policy.md) | Retrieves a cached item by key. | Yes | Yes | Yes | Yes |

+| [Store value in cache](cache-store-value-policy.md) | Stores an item in the cache by key. | Yes | Yes | Yes | Yes |

+| [Remove value from cache](cache-remove-value-policy.md) | Removes an item in the cache by key. | Yes | Yes | Yes | Yes |

+## Transformation

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Set request method](set-method-policy.md) | Allows you to change the HTTP method for a request. | Yes | Yes | Yes | Yes |

+| [Set status code](set-status-policy.md) | Changes the HTTP status code to the specified value. | Yes | Yes | Yes | Yes |

+| [Set variable](set-variable-policy.md) | Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access. | Yes | Yes | Yes | Yes |

+| [Set body](set-body-policy.md) | Sets the message body for a request or response. | Yes | Yes | Yes | Yes |

+| [Set HTTP header](set-header-policy.md) | Assigns a value to an existing response and/or request header or adds a new response and/or request header. | Yes | Yes | Yes | Yes |

+| [Set query string parameter](set-query-parameter-policy.md) | Adds, replaces value of, or deletes request query string parameter. | Yes | Yes | Yes | Yes |

+| [Rewrite URL](rewrite-uri-policy.md) | Converts a request URL from its public form to the form expected by the web service. | Yes | Yes | Yes | Yes |

+| [Convert JSON to XML](json-to-xml-policy.md) | Converts request or response body from JSON to XML. | Yes | Yes | Yes | Yes |

+| [Convert XML to JSON](xml-to-json-policy.md) | Converts request or response body from XML to JSON. | Yes | Yes | Yes | Yes |

+| [Find and replace string in body](find-and-replace-policy.md) | Finds a request or response substring and replaces it with a different substring. | Yes | Yes | Yes | Yes |

+| [Mask URLs in content](redirect-content-urls-policy.md) | Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. | Yes | Yes | Yes | Yes |

+| [Transform XML using an XSLT](xsl-transform-policy.md) | Applies an XSL transformation to XML in the request or response body. | Yes | Yes | Yes | Yes |

+| [Return response](return-response-policy.md) | Aborts pipeline execution and returns the specified response directly to the caller. | Yes | Yes | Yes | Yes |

+| [Mock response](mock-response-policy.md) | Aborts pipeline execution and returns a mocked response directly to the caller. | Yes | Yes | Yes | Yes |

+## Cross-domain

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Allow cross-domain calls](cross-domain-policy.md) | Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. | Yes | Yes | Yes | Yes |

+| [CORS](cors-policy.md) | Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. | Yes | Yes | Yes | Yes |

+| [JSONP](jsonp-policy.md) | Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. | Yes | Yes | Yes | Yes |

+## Integration and external communication

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+ | [Send request](send-request-policy.md) | Sends a request to the specified URL. | Yes | Yes | Yes | Yes |

+ | [Send one way request](send-one-way-request-policy.md) | Sends a request to the specified URL without waiting for a response. | Yes | Yes | Yes | Yes |

+| [Log to event hub](log-to-eventhub-policy.md) | Sends messages in the specified format to an event hub defined by a Logger entity.| Yes | Yes | Yes | Yes |

+| [Send request to a service (Dapr)](set-backend-service-dapr-policy.md)| Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md#service-invocation) file. | No | No | No | Yes |

+| [Send message to Pub/Sub topic (Dapr)](publish-to-dapr-policy.md) | Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes |

+| [Trigger output binding (Dapr)](invoke-dapr-binding-policy.md) | Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes |

+## Logging

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Trace](trace-policy.md) | Adds custom traces into the [request tracing](./api-management-howto-api-inspector.md) output in the test console, Application Insights telemetries, and resource logs. | Yes | Yes¹ | Yes | Yes |

+| [Emit metrics](emit-metric-policy.md) | Sends custom metrics to Application Insights at execution. | Yes | Yes | Yes | Yes |

+¹ In the V2 gateway, the `trace` policy currently does not add tracing output in the test console.

+## GraphQL resolvers

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Azure SQL data source for resolver](sql-data-source-policy.md) | Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No |

+| [Cosmos DB data source for resolver](cosmosdb-data-source-policy.md) | Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No |

+| [HTTP data source for resolver](http-data-source-policy.md) | Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | Yes | No |

+| [Publish event to GraphQL subscription](publish-event-policy.md) | Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. | Yes | Yes | Yes | No |

+## Policy control and flow

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |

+||||||--|

+| [Control flow](choose-policy.md) | Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md). | Yes | Yes | Yes | Yes |

+| [Include fragment](include-fragment-policy.md) | Inserts a policy fragment in the policy definition. | Yes | Yes | Yes | Yes |

+| [Retry](retry-policy.md) | Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count. | Yes | Yes | Yes | Yes |

+ | [Wait](wait-policy.md) | Waits for enclosed [Send request](send-request-policy.md), [Get value from cache](cache-lookup-value-policy.md), or [Control flow](choose-policy.md) policies to complete before proceeding. | Yes | Yes | Yes | Yes |

+> The `rate-limit-by-key` and `quota-by-key` policies are not available when in the Consumption tier of Azure API Management. The `quota-by-key` policy is also currently not available in the v2 tiers.

+A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy or `validate-azure-ad-token` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server.

+Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see:

+* [Using a virtual network with Azure API Management](virtual-network-concepts.md)

+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md)

+Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see:

+* [Using a virtual network with Azure API Management](virtual-network-concepts.md)

+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md)

+It can take 15 to 45 minutes to update the API Management instance. Instances in the Developer tier have downtime during the process. Instances in the Premium tier don't have downtime during the process.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Caching](api-management-policies.md#caching)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Caching](api-management-policies.md#caching)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Caching](api-management-policies.md#caching)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Caching](api-management-policies.md#caching)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Caching](api-management-policies.md#caching)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)

+description: Learn about the compute platform used to host your API Management service instance. Instances in the classic service tiers of API Management are hosted on the stv1 or stv2 compute platform.

+# Compute platform for Azure API Management - Classic tiers

+The following table summarizes the compute platforms currently used in the **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management. This table doesn't apply to the [v2 pricing tiers](#what-about-the-v2-pricing-tiers).

+The v2 pricing tiers are a new set of tiers for API Management. Hosted on a new, highly scalable and available Azure infrastructure that's different from the `stv1` and `stv2` compute platforms, the v2 tiers aren't affected by the retirement of the `stv1` platform.

+* Supports only public domain names

+* [GraphQL resolver policies](api-management-policies.md#graphql-resolvers)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Cross-domain](api-management-policies.md#cross-domain)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2

+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)

+* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) in Azure API Management.

+* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization)

+* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization)

+In the classic and v2 service tiers, the access token is cached by the API Management instance until 3 minutes before the token expiration time. If the access token is less than 3 minutes away from expiration, the cached time will be until the access token expires.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Cross-domain](api-management-policies.md#cross-domain)

+The following table summarizes two options, with links to more detail.

+> [!NOTE]

+> [Self-hosting the developer portal](developer-portal-self-host.md) is an extensibility option for customers who need to customize the source code of the entire portal core. It gives complete flexibility for customizing portal experience, but requires advanced configuration. With self-hosting, you're responsible for managing complete code lifecycle: fork code base, develop, deploy, host, patch, and upgrade.

+* For small customizations, use a built-in widget to [add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget). Currently, the custom HTML code widget isn't available in the v2 tiers of API Management.

+* For larger customizations, [create and upload](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget) a custom widget to the managed developer portal. Currently, custom widgets aren't available in the v2 tiers of API Management.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Logging](api-management-policies.md#logging)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Routing](api-management-policies.md#routing)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+Secure your GraphQL API by applying both existing [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.

+Secure your GraphQL API by applying both existing [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.

+This article provides details for configuring local metrics and logs for the [self-hosted gateway](./self-hosted-gateway-overview.md) deployed on a Kubernetes cluster. For configuring cloud metrics and logs, see [this article](how-to-configure-cloud-metrics-logs.md).

+Set up a [workspace](workspaces-overview.md) (preview) to enable a decentralized API development team to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. After you create a workspace and assign permissions, workspace collaborators can create and manage their own APIs, products, subscriptions, and related resources.

+# Deploy an Azure API Management self-hosted gateway to Azure Kubernetes Service

+# Deploy self-hosted gateway to Kubernetes with Helm

+* **Choose service tier for long-running HTTP connections** - SSE relies on a long-running HTTP connection that is supported in certain API Management [pricing tiers](api-management-key-concepts.md#api-management-tiers). Long-running connections are supported in the classic and v2 API Management tiers, but not in the Consumption tier.

+* **Disable response caching** - To ensure that notifications to the client are timely, verify that [response caching](api-management-howto-cache.md) isn't enabled. For more information, see [API Management caching policies](api-management-policies.md#caching).

+ > If you're using the API Management Consumption, Basic v2, and Standard v2 tiers then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-and-standard-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management classic (dedicated) tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply.

+description: Use analytics in Azure API Management to understand and categorize the usage of your APIs and API performance. Analytics is provided using an Azure workbook.

+Azure API Management provides analytics for your APIs so that you can analyze their usage and performance. Use analytics for high-level monitoring and troubleshooting of your APIs. For other monitoring features, including near real-time metrics and resource logs for diagnostics and auditing, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md).

+## About API analytics

+* API Management provides analytics using an [Azure Monitor-based dashboard](../azure-monitor/visualize/workbooks-overview.md). The dashboard aggregates data in an Azure Log Analytics workspace.

+* In the classic API Management service tiers, your API Management instance also includes legacy *built-in analytics* in the Azure portal, and analytics data can be accessed using the API Management REST API. Equivalent data is shown in the Azure Monitor-based dashboard and built-in analytics.

+> [!IMPORTANT]

+> * The Azure Monitor-based dashboard is the recommended way to access analytics data.

+> * Legacy built-in analytics isn't available in the v2 tiers.

+With API analytics, analyze the usage and performance of the APIs in your API Management instance across several dimensions, including:

+> * API analytics provides data on requests, including failed and unauthorized requests.

+> * There may be a delay of 15 minutes or more in the availability of analytics data.

+## Azure Monitor-based dashboard

+To use the Azure Monitor-based dashboard, you need to configure a Log Analytics workspace as a data source for API Management gateway logs.

+If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs). This is a one-time setup.

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left-hand menu, under **Monitoring**, select **Diagnostic settings** > **+ Add diagnostic setting**.

+1. Enter a descriptive name for the diagnostic setting.

+1. In **Logs**, select **Logs related to ApiManagement Gateway**.

+1. In **Destination details**, select **Send to Log Analytics** and select a Log Analytics workspace in the same or a different subscription. If you need to create a workspace, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md).

+1. Accept defaults for other settings, or customize as needed. Select **Save**.

+### Access the dashboard

+After a Log Analytics workspace is configured, access the Azure Monitor-based dashboard to analyze the usage and performance of your APIs.

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left-hand menu, under **Monitoring**, select **Insights**. The analytics dashboard opens.

+1. Select a time range for data.

+1. Select a report category for analytics data, such as **Timeline**, **Geography**, and so on.

+## Legacy built-in analytics

+In certain API Management service tiers, built-in analytics is also available in the Azure portal, and analytics data can be accessed using the API Management REST API.

+### Built-in analytics - portal

+To access the built-in analytics in the Azure portal:

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left-hand menu, under **Monitoring**, select **Analytics**.

+### Analytics - REST API

+Use [Reports](/rest/api/apimanagement/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance.

+## Related content

+* Learn about integrating [Azure API Management with Azure Application Insights](api-management-howto-app-insights.md).

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption

+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)

+You can configure API Management [validation policies](api-management-policies.md#content-validation) to validate requests and responses (or elements of them) against the schema in an OpenAPI specification. For example, use the [validate-content](validate-content-policy.md) policy to validate the size or content of a request or response body.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)

+# Integrate an Azure API Management instance with a private VNet for outbound connections

+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Cross-domain](api-management-policies.md#cross-domain)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)

+* **Authentication** - API Management supports the following [authentication methods](api-management-policies.md#authentication-and-authorization):

+* Use policies in API Management to increase security. For example, [call rate limiting](rate-limit-policy.md) slows down bad actors using brute force attacks to compromise credentials.

+* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](api-management-policies.md#transformation) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body.

+* If the backend interface can't be changed, use [transformation policies](api-management-policies.md#transformation) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md).

+ * Set [validation policies](api-management-policies.md#content-validation) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response.

+* Use schema and parameter [validation](api-management-policies.md#content-validation) policies, where applicable, to further constrain and validate the request before it reaches the backend API service.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+> For API consumers who use the developer portal, a built-in API report is available. It only provides information about their individual API usage during the preceding 90 days. Currently, the built-in API report is not available in the developer portal for the v2 service tiers.

+| Developer, Basic, Basic v2, Standard, Standard v2, and Premium | Incur monthly costs, based on the number of [units](./api-management-capacity.md) and [self-hosted gateways](./self-hosted-gateway-overview.md). Self-hosted gateways are free for the Developer tier. Different [upgrade](./upgrade-and-scale.md) options are available, depending on your service tier. |

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Routing](api-management-policies.md#routing)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption

+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)

+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)

+ - **Sku**: accept the default value of **Developer**. Alternatively, choose another value.

+ > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. Times vary by tier.

+In this example, the Bicep file by default configures the API Management instance in the Developer tier, an economical option to evaluate Azure API Management. This tier isn't for production use.

+ > [!TIP]

+ > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. Times vary by tier.

+- [**Gateways:**](api-management-gateways-overview.md) classic, self-hosted

+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, self-hosted

+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+- [Transformation](api-management-policies.md#transformation)

+Also, configure authentication to your backend using an appropriate method for your environment. For examples, see [API Management authentication and authorization policies](api-management-policies.md#authentication-and-authorization).

+API Management provides specific [policies](api-management-policies.md#integration-and-external-communication) to interact with Dapr APIs exposed through the self-hosted gateway.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Intergration and external communication](api-management-policies.md#integration-and-external-communication)

+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)

+* [Integration and external communication](api-management-policies.md#integration-and-external-communication)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+If further transformation of the request is desired, other [Transformation policies](api-management-policies.md#transformation) can be used. For example, to remove the version query parameter now that the request is being routed to a version specific backend, the [Set query string parameter](set-query-parameter-policy.md) policy can be used to remove the now redundant version attribute.

+* [Routing](api-management-policies.md#routing)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+- [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+- [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+The `set-variable` policy declares a [context](api-management-policy-expressions.md#ContextVariables) variable and assigns it a value specified via an [expression](api-management-policy-expressions.md) or a string literal. If the expression contains a literal it will be converted to a string and the type of the value will be `System.String`.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2

+* [GraphQL resolvers](api-management-policies.md#graphql-resolvers)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Logging](api-management-policies.md#logging)

+See [Rate limiting and quota policies](api-management-policies.md#rate-limiting-and-quotas) for more info.

+Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency.

+> * In the **Basic**, **Standard**, and **Premium** tiers of the API Management service, you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules.

+> [!NOTE]

+> See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) for features, scale limits, and estimated throughput in each tier. To get more accurate throughput numbers, you need to look at a realistic scenario for your APIs. See [Capacity of an Azure API Management instance](api-management-capacity.md).

+You can choose between the following dedicated tiers: **Developer**, **Basic**, **Basic v2**, **Standard**, **Standard v2**, and **Premium**.

+* **Basic**, **Basic v2**, **Standard**, **Standard v2**, and **Premium** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing).

+* You can upgrade and downgrade to and from certain dedicated services tiers:

+ * You can upgrade and downgrade to and from classic tiers (**Developer**, **Basic**, **Standard**, and **Premium**).

+

+ * You can upgrade and downgrade to and from v2 tiers (**Basic v2** and **Standard v2**).

+ Downgrading can remove some features. For example, downgrading to **Standard** or **Basic** from the **Premium** tier can remove virtual networks or multi-region deployment.

+> The upgrade or scale process can take up to 15 to 45 minutes to apply. You get notified when it is done.

+You can use the portal to scale your API Management instance. How you scale depends on the service tier you are using.

+### Add or remove units - classic service tiers

+1. Select **Locations** from the left-hand menu.

+> In the **Premium** service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md).

+### Add or remove units - v2 service tiers

+1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).

+1. Select **Scale** from the left-hand menu.

+1. Specify the new number of **Units** - use the slider, or select or type the number.

+1. Select **Save**.

+If you're scaling from or to the **Developer** tier, there will be downtime. Otherwise, there is no downtime.

+## Related content

+ Title: Azure API Management - v2 tiers

+description: Introduction to key scenarios, capabilities, and concepts of the v2 tiers (SKUs) of the Azure API Management service.

+# Azure API Management v2 tiers

+We're introducing a new set of pricing tiers (SKUs) for Azure API Management: the *v2 tiers*. The new tiers are built on a new, more reliable and scalable platform and are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. The v2 tiers are in addition to the existing classic tiers (Developer, Basic, Standard, and Premium) and the Consumption tier. [Learn more](api-management-key-concepts.md#api-management-tiers).

+The following v2 tiers are generally available:

+* **Basic v2** - The Basic v2 tier is designed for development and testing scenarios, and is supported with an SLA.

+* **Standard v2** - Standard v2 is a production-ready tier with support for network-isolated backends.

+* **Developer portal options** - Enable the [developer portal](api-management-howto-developer-portal.md) when you're ready to let API consumers discover your APIs.

+The Standard v2 tier supports VNet integration to allow your API Management instance to reach API backends that are isolated in a single connected VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. The VNet must be in the same region as the API Management instance. [Learn more](integrate-vnet-outbound.md).

+## Features

+The v2 tiers are supported in API Management API version **2023-05-01-preview** or later.

+The v2 tiers are available in the following regions:

+* Germany West Central

+* UK West

+* Australia Central

+* Southeast Asia

+* Korea Central

+Most capabilities of the classic API Management tiers are supported in the v2 tiers. However, the following capabilities aren't supported in the v2 tiers:

+* Built-in analytics (replaced with Azure Monitor-based dashboard)

+### Limitations

+The following API Management capabilities are currently unavailable in the v2 tiers.

+* Zone redundancy

+* Multi-region deployment

+* Multiple custom domain names

+* Injection in a VNet in external mode or internal mode

+* Workspaces

+* Custom HTML code widget and custom widget

+* Self-hosted developer portal

+* Self-hosted gateway

+* Quota by key policy

+* Request tracing in the test console

+## Resource limits

+The following resource limits apply to the v2 tiers.

+## Developer portal limits

+The following limits apply to the developer portal in the v2 tiers.

+A: No. Currently you can't migrate an existing API Management instance (in the Consumption, Developer, Basic, Standard, or Premium tier) to a new v2 tier instance. Currently the v2 tiers are available for newly created service instances only.

+A: A Standard v2 service instance can be integrated with a VNet to provide secure access to the backends residing there. A Standard v2 service instance integrated with a VNet will have a public IP address. The Premium tier supports a [fully private integration](api-management-using-with-internal-vnet.md) with a VNet (often referred to as injection into VNet) without exposing a public IP address.

+* Compare the API Management [tiers](api-management-features.md).

+* Learn more about the [API Management gateways](api-management-gateways-overview.md)

+* Learn about [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/).

+The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra (formerly called Azure Active Directory) service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Content validation](api-management-policies.md#content-validation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Content validation](api-management-policies.md#content-validation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Content validation](api-management-policies.md#content-validation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Authentication and authorization](api-management-policies.md#authentication-and-authorization)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Content validation](api-management-policies.md#content-validation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Content validation](api-management-policies.md#content-validation)

+*"One of the value propositions of the cloud is that itΓÇÖs continually improving, delivering new capabilities and features, as well as security and reliability enhancements. But since the platform is continuously evolving, change is inevitable."* - Mark Russinovich, CTO, Azure

+## Related content

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Content validation](api-management-policies.md#content-validation)

+description: Learn about scenarios and requirements to secure inbound or outbound traffic for your API Management instance using an Azure virtual network.

+# Use a virtual network to secure inbound or outbound traffic for Azure API Management

+By default your API Management is accessed from the internet at a public endpoint, and acts as a gateway to public backends. API Management provides several options to secure access to your API Management instance and to backend APIs using an Azure virtual network. Available options depend on the [service tier](api-management-features.md) of your API Management instance.

+* **Integration** of your API Management instance with a subnet in a virtual network so that your API Management gateway can make outbound requests to API backends that are isolated in the network.

+|**[Virtual network injection - external](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends |

+|**[Virtual network injection - internal](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and S2S VPN connections. | Internal access to private and on-premises backends |

+|**[Outbound integration](#outbound-integration)** | Standard v2 | Gateway only | Outbound request traffic can reach APIs hosted in a delegated subnet of a virtual network. | External access to private and on-premises backends |

+|**[Inbound private endpoint](#inbound-private-endpoint)** | Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported) | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway |

+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md).

+## Outbound integration

+The Standard v2 tier supports VNet integration to allow your API Management instance to reach API backends that are isolated in a single connected VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet.

+Outbound integration enables the API Management instance to reach both public and network-isolated backend services.

+For more information, see [Integrate an Azure API Management instance with a private VNet for outbound connections](integrate-vnet-outbound.md).

+* [Integrate an Azure API Management instance with a private VNet for outbound connections](integrate-vnet-outbound.md)

+ Title: Azure API Management virtual network integration - network resources

+description: Learn about requirements for network resources when you deploy (inject) your API Management instance in an Azure virtual network.

+# Network resource requirements for API Management injection into a virtual network

+The following are virtual network resource requirements for API Management injection into a virtual network. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.

+#### [stv2](#tab/stv2)

+* An Azure Resource Manager virtual network is required.

+* You must provide a Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) in addition to specifying a virtual network and subnet.

+* The subnet used to connect to the API Management instance may contain other Azure resource types.

+* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None".

+* A [network security group](../virtual-network/network-security-groups-overview.md) attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic.

+* The API Management service, virtual network and subnet, and public IP address resource must be in the same region and subscription.

+* For multi-region API Management deployments, configure virtual network resources separately for each location.

+#### [stv1](#tab/stv1)

+* An Azure Resource Manager virtual network is required.

+* The subnet used to connect to the API Management instance must be dedicated to API Management. It can't contain other Azure resource types.

+* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None".

+* The API Management service, virtual network, and subnet resources must be in the same region and subscription.

+* For multi-region API Management deployments, configure virtual network resources separately for each location.

+## Subnet size

+The minimum size of the subnet in which API Management can be deployed is /29, which provides three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:

+* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).

+* In addition to the IP addresses used by the Azure virtual network infrastructure, each API Management instance in the subnet uses:

+ * Two IP addresses per unit of Basic, Standard, or Premium SKU, or

+ * One IP address for the Developer SKU.

+* When deploying into an [internal virtual network](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer.

+### Examples

+* **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scale-out units.

+

+* **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units.

+

+* **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 24 remaining IP addresses left for 12 scale-out units (2 IP addresses/scale-out unit) for a total of 13 units.

+

+* **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 56 remaining IP addresses left for 28 scale-out units (2 IP addresses/scale-out unit) for a total of 29 units.

+

+* **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 120 remaining IP addresses left for 60 scale-out units (2 IP addresses/scale-out unit) for a total of 61 units. This is a large, theoretical number of scale-out units.

+> [!NOTE]

+> It is currently possible to scale the Premium SKU to 31 units. If you foresee demand approaching this limit, consider the /26 subnet or /25 submit.

+> [!IMPORTANT]

+> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning may cause a change in the private IP address.

+## Routing

+See the Routing guidance when deploying your API Management instance into an [external virtual network](./api-management-using-with-vnet.md#routing) or [internal virtual network](./api-management-using-with-internal-vnet.md#routing).

+Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md).

+## DNS

+* In external mode, the virtual network enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) by default for your API Management endpoints and other Azure resources. It doesn't provide name resolution for on-premises resources. Optionally, configure your own DNS solution.

+* In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md).

+For more information, see the DNS guidance when deploying your API Management instance into an [external virtual network](./api-management-using-with-vnet.md#routing) or [internal virtual network](./api-management-using-with-internal-vnet.md#routing).

+Related information:

+* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server).

+* [Create an Azure private DNS zone](../dns/private-dns-getstarted-portal.md)

+> [!IMPORTANT]

+> If you plan to use a custom DNS solution for the VNet, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates), or by selecting **Apply network configuration** in the service instance's network configuration window in the Azure portal.

+## Limitations

+Some virtual network limitations differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.

+#### [stv2](#tab/stv2)

+* A subnet containing API Management instances can't be moved across subscriptions.

+* For multi-region API Management deployments configured in internal virtual network mode, users own the routing and are responsible for managing the load balancing across multiple regions.

+* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.

+#### [stv1](#tab/stv1)

+* A subnet containing API Management instances can't be moved across subscriptions.

+* For multi-region API Management deployments configured in internal virtual network mode, users own the routing and are responsible for managing the load balancing across multiple regions.

+* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address.

+* Due to platform limitations, connectivity between a resource in a globally peered virtual network in another region and an API Management service in internal mode doesn't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints).

+## Related content

+* [Site-to-site VPN](../vpn-gateway/design.md#s2smulti)

+* [Connect virtual networks from different deployment models using PowerShell](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)

+* [Azure Virtual Network frequently asked questions](../virtual-network/virtual-networks-faq.md)

+This reference provides detailed network configuration settings for an API Management instance deployed (injected) in an Azure virtual network in the [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) mode.

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Policy control and flow](api-management-policies.md#policy-control-and-flow)

+In API Management, *workspaces* allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC).

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* [Transformation](api-management-policies.md#transformation)

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+- [Transformation](api-management-policies.md#transformation)

+ keystoreFile="${{user.home}}/.keystore" keystorePass="changeit"

+ keystoreFile="${{user.home}}/.keystore" keystorePass="changeit"

+ Title: Quickstart for using Azure App Configuration Feature Management in Azure Kubernetes Service

+description: In this quickstart, create an ASP.NET core web app and use feature flag in it running in AKS and use the Azure App Configuration Kubernetes Provider to load key-values and feature flags from App Configuration store.

+ms.devlang: csharp

+#Customer intent: As an Azure Kubernetes Service user, I want to manage all my app settings in one place using Azure App Configuration.

+# Quickstart: Add feature flags to workloads in Azure Kubernetes Service

+In this quickstart, you'll create a feature flag in Azure App Configuration and use it to dynamically control the visibility of a new web page in an ASP.NET Core app running in AKS without restarting or redeploying it.

+## Prerequisites

+Follow the documents to use dynamic configuration in Azure Kubernetes Service.

+* [Quickstart: Use Azure App Configuration in Azure Kubernetes Service](./quickstart-azure-kubernetes-service.md)

+* [Tutorial: Use dynamic configuration in Azure Kubernetes Service](./enable-dynamic-configuration-azure-kubernetes-service.md)

+## Create a feature flag

+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag).

+> [!div class="mx-imgBorder"]

+> 

+## Use a feature flag

+In this section, you will use feature flags in a simple ASP.NET web application and run it in Azure Kubernetes Service (AKS).

+1. Navigate into the project's directory you created in the [Quickstart](./quickstart-azure-kubernetes-service.md), and run the following command to add a reference to the [Microsoft.FeatureManagement.AspNetCore](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore) NuGet package version 3.2.0 or later.

+ ```dotnetcli

+ dotnet add package Microsoft.FeatureManagement.AspNetCore

+ ```

+1. Open *program.cs*, and add feature management to the service collection of your app by calling `AddFeatureManagement`.

+ ```csharp

+ // Existing code in Program.cs

+ // ... ...

+ // Add a JSON configuration source

+ builder.Configuration.AddJsonFile("config/mysettings.json", reloadOnChange: true, optional: false);

+ // Add feature management to the container of services.

+ builder.Services.AddFeatureManagement();

+ var app = builder.Build();

+ // The rest of existing code in program.cs

+ // ... ...

+ ```

+

+ Add `using Microsoft.FeatureManagement;` at the top of the file if it's not present.

+1. Add a new empty Razor page named **Beta** under the *Pages* directory. It includes two files *Beta.cshtml* and *Beta.cshtml.cs*.

+ Open *Beta.cshtml*, and update it with the following markup:

+ ```cshtml

+ @page

+ @model MyWebApp.Pages.BetaModel

+ @{

+ ViewData["Title"] = "Beta Page";

+ }

+ <h1>This is the beta website.</h1>

+ ```

+ Open *Beta.cshtml.cs*, and add `FeatureGate` attribute to the `BetaModel` class. The `FeatureGate` attribute ensures the *Beta* page is accessible only when the *Beta* feature flag is enabled. If the *Beta* feature flag isn't enabled, the page will return 404 Not Found.

+ ```csharp

+ using Microsoft.AspNetCore.Mvc.RazorPages;

+ using Microsoft.FeatureManagement.Mvc;

+ namespace MyWebApp.Pages

+ {

+ [FeatureGate("Beta")]

+ public class BetaModel : PageModel

+ {

+ public void OnGet()

+ {

+ }

+ }

+ }

+ ```

+1. Open *Pages/_ViewImports.cshtml*, and register the feature manager Tag Helper using an `@addTagHelper` directive:

+ ```cshtml

+ @addTagHelper *, Microsoft.FeatureManagement.AspNetCore

+ ```

+ The preceding code allows the `<feature>` Tag Helper to be used in the project's *.cshtml* files.

+1. Open *_Layout.cshtml* in the *Pages*\\*Shared* directory. Insert a new `<feature>` tag in between the *Home* and *Privacy* navbar items, as shown in the highlighted lines below.

+ :::code language="html" source="../../includes/azure-app-configuration-navbar.md" range="22-36" highlight="6-10":::

+ The `<feature>` tag ensures the *Beta* menu item is shown only when the *Beta* feature flag is enabled.

+1. [Containerize the application](./quickstart-azure-kubernetes-service.md#containerize-the-application) and [Push the image to Azure Container Registry](./quickstart-azure-kubernetes-service.md#push-the-image-to-azure-container-registry).

+1. [Deploy the application](./quickstart-azure-kubernetes-service.md#deploy-the-application). Refresh the browser and the web page will look like this:

+ 

+## Use Kubernetes Provider to load feature flags

+1. Update the *appConfigurationProvider.yaml* file located in the *Deployment* directory with the following content.

+

+ ```yaml

+ apiVersion: azconfig.io/v1

+ kind: AzureAppConfigurationProvider

+ metadata:

+ name: appconfigurationprovider-sample

+ spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ configMapData:

+ type: json

+ key: mysettings.json

+ auth:

+ workloadIdentity:

+ managedIdentityClientId: <your-managed-identity-client-id>

+ featureFlag:

+ selectors:

+ - keyFilter: 'Beta'

+ refresh:

+ enabled: true

+ ```

+ > [!TIP]

+ > When no `selectors` are specified in `featureFlag` section, the Kubernetes Provider will not load feature flags from your App Configuration store. The default refresh interval of feature flags is 30 seconds when `featureFlag.refresh` enabled. You can customize this behavior via the `featureFlag.refresh.interval` parameter.

+1. Run the following command to apply the changes.

+ ```console

+ kubectl apply -f ./Deployment -n appconfig-demo

+ ```

+1. Update the **Beta** feature flag in your App Configuration store. Enable the flag by selecting the checkbox under **Enabled**.

+1. After refreshing the browser multiple times, the updated content will become visible once the ConfigMap has been updated within 30 seconds.

+ 

+1. Select the **Beta** menu. It will bring you to the beta website that you enabled dynamically.

+ 

+## Clean up resources

+Uninstall the App Configuration Kubernetes Provider from your AKS cluster if you want to keep the AKS cluster.

+```console

+helm uninstall azureappconfiguration.kubernetesprovider --namespace azappconfig-system

+```

+## Next steps

+In this quickstart, you:

+* Added feature management capability to an ASP.NET Core app running in Azure Kubernetes Service (AKS).

+* Connected your AKS cluster to your App Configuration store using the App Configuration Kubernetes Provider.

+* Created a ConfigMap with key-values and feature flags from your App Configuration store.

+* Ran the application with dynamic configuration from your App Configuration store without changing your application code.

+To learn more about the Azure App Configuration Kubernetes Provider, see [Azure App Configuration Kubernetes Provider reference](./reference-kubernetes-provider.md).

+To learn more about feature management capability, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Enable features for targeted audiences](./howto-targetingfilter-aspnet-core.md)

+> [!div class="nextstepaction"]

+> [Use feature filters for conditional feature flags](./howto-feature-filters-aspnet-core.md)

+ public Task SendMessage([SignalRTrigger]InvocationContext invocationContext, string message, ILogger logger)

+public static Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage", parameterNames: new string[] {"message"})]InvocationContext invocationContext, string message, ILogger logger)

+public static Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage")]InvocationContext invocationContext, [SignalRParameter]string message, ILogger logger)

+module.exports = function (context, invocation) {

+[Azure Cosmos DB](../cosmos-db/introduction.md) is a fully managed NoSQL, relational, and vector database for modern app development including AI, digital commerce, Internet of Things, booking management, and other types of solutions. It offers single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Its various APIs can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.

+ For example, if you set description contains "this, that" (in the field there is no need to write the apostrophes), then the rule applies only to alerts whose description contains either "this" or "that".

+*What happens if I configure both IncludedTypes and ExcludedTypes settings?*

+* It's best not to set both `ExcludedTypes` and `IncludedTypes` in your configuration to prevent any conflicts and ensure clear telemetry collection settings.

+* Telemetry types that are listed in `ExcludedTypes` are excluded even if they are also set in `IncludedTypes` settings. ExcludedTypes will take precedence over IncludedTypes.

+| Network Devices (Operator Nexus) | [MNFDeviceUpdates](/azure/azure-monitor/reference/tables/MNFDeviceUpdates)<br>[MNFSystemStateMessageUpdates](/azure/azure-monitor/reference/tables/MNFSystemStateMessageUpdates) <br>[MNFSystemSessionHistoryUpdates](/azure/azure-monitor/reference/tables/mnfsystemsessionhistoryupdates) |

+For information on Unicode character support, see [Understand volume languages](understand-volume-languages.md) and [Understand path lengths](understand-path-lengths.md).

+## March 2024

+This section provides information about limits that apply to Azure API Management instances in different [service tiers](../../api-management/api-management-features.md), including the following:

+* [API Management classic tiers](#limitsapi-management-classic-tiers)

+* [API Management v2 tiers](#limitsapi-management-v2-tiers)

+* [Developer portal in API Management v2 tiers](#limitsdeveloper-portal-in-api-management-v2-tiers)

+### Limits - API Management classic tiers

+### Limits - API Management v2 tiers

+### Limits - Developer portal in API Management v2 tiers

+- Strongly typed hub

+- Unified hub name and connection string setting in one place.

+Firstly, define your hub derived from a class `ServerlessHub`:

+ private const string HubName = nameof(Functions); // Used by SignalR trigger only

+Instead of using SignalR input binding `[SignalRConnectionInfoInput]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method `NegotiateAsync`, which allows users to customize negotiation options such as `userId`, `claims`, etc.

+### Strongly typed Hub

+ private const string HubName = nameof(Functions); // Used by SignalR trigger only

+### Unified hub name and connection string setting in one place

+* The class name of the serverless hub is automatically used as `HubName`.

+* You might have noticed the `SignalRConnection` attribute used on serverless hub classes as follows:

+ ```cs

+ [SignalRConnection("AzureSignalRConnectionString")]

+ public class Functions : ServerlessHub<IChatClient>

+ ```

+ It allows you to customize where the connection string for serverless hub is. If it's absent, the default value `AzureSignalRConnectionString` is used.

+> SignalR triggers and serverless hubs are independent. Therefore, the class name of serverless hub and `SignalRConnection` attribute doesn't change the settings of SignalR triggers, even though you use SignalR triggers inside the serverless hub.

+All functions that want to use the class-based model need to be a method of the class that inherits from **ServerlessHub**. The class name `HubName1` in the sample is the hub name.

+Instead of using SignalR input binding `[SignalR]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method:

+This feature allows user to customize `userId` or `claims` during the function execution.

+ :::image type="content" source="../sentinel/media/detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel.":::

+You can scope access to Azure Web PubSub resources at the following levels, beginning with the narrowest scope:

+This article describes the improved backup and restore performance of Instant Restore capability in Azure Backup.

+## Key capabilities

+The Instant Restore feature provides the following capabilities:

+* Reduces backup and restore times by retaining snapshots locally, for *two days* using Standard policy and for *seven days* using Enhanced policy by default. This default snapshot retention value is configurable to any value between 1 to 5 days for Standard policy and 1 to 30 days for Enhanced policy.

+* Standard policy supports Standard SSD disks along with Standard HDD disks and Premium SSD disks. Enhanced policy supports backup and instant restore of Premium SSD v2 and Ultra Disks, in addition to standard HDD, standard SSD, and Premium SSD v1 disks.

+## How Instant Restore works?

+A backup job consists of two phases:

+A recovery point is created as soon as the snapshot is finished and this recovery point of snapshot type can be used to perform a restore using the same restore flow. You can identify this recovery point in the Azure portal by using *snapshot* as the recovery point type, and after the snapshot is transferred to the vault, the recovery point type changes to *snapshot and vault*.

+* The snapshots are stored along with the disks to boost recovery point creation and to speed up restore operations. As a result, you'll see storage costs that correspond to snapshots taken during this period.

+* For standard policy, all snapshots are incremental in nature and are stored as page blobs. All the users using unmanaged disks are charged for the snapshots stored in their local storage account. Since the restore point collections used by Managed VM backups use blob snapshots at the underlying storage level, for managed disks you'll see costs corresponding to blob snapshot pricing and they're incremental.

+* For premium storage accounts, the snapshots taken for instant recovery points count towards the 10-TB limit of allocated space. For Enhanced policy, only Managed VM backups are supported. The initial snapshot is a full copy of the disk(s). The subsequent snapshots are incremental in nature and occupy only delta changes to disks since the last snapshot.

+ When you use an Instant Restore recovery point, you must restore the VM or disks to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy.

+Instant Restore feature for snapshots (stored along with the disks) boosts recovery point creation and speed up restore operations. This incurs additional storage costs for the corresponding snapshots taken during this period. The snapshot storage cost varies depending on the type of backup policy.

+### Cost impact of standard policy

+Standard policy uses blob snapshots for Instant Restore functionality. All snapshots are incremental in nature and stored in the VM's storage account, which is used for instant recovery. Incremental snapshot means the space occupied by a snapshot is equal to the space occupied by pages that are written after the snapshot was created. Billing is still for the per GB used space occupied by the snapshot as explained in [this section](../storage/blobs/snapshots-overview.md#pricing-and-billing). As an illustration, consider a VM with 100GB in size, change rate of 2% and retention of 5 days for Instant Restore. In this case, the snapshot storage billed will be 10GB (100* 0.02* 5).

+For VMs that use unmanaged disks, the snapshots can be seen in the menu for the VHD file of each disk. For managed disks, snapshots are stored in a restore point collection resource in a designated resource group, and the snapshots themselves aren't directly visible.

+### Cost impact of enhanced policy

+Enhanced policy uses Managed disk snapshots for Instant Restore functionality. The initial snapshot is a full copy of the disk(s). The subsequent snapshots are incremental in nature and occupy only delta changes to disks since the last snapshot. Pricing for managed disk snapshots is explained in [this pricing page](https://azure.microsoft.com/pricing/details/managed-disks/).

+For example, a VM with 100GB in size has a change rate of 2% and retention of 5 days for Instant Restore. In this case, the snapshot storage billed will be 108GB (100 + 100 X 0.02 X 4).

+> Snapshot retention is fixed to 5 days for weekly policies for Standard policy and can vary between 5 to 20 days for enhanced policy.

+For Standard policy, each day a new snapshot is taken, then there are five individual incremental snapshots. The size of the snapshot depends on the data churn, which are in most cases around 2%-7%. For Enhanced policy, the initial snapshot is a full snapshot and subsequent snapshots are incremental in nature.

+For Standard policy, snapshots taken as a part of instant restore capability are incremental snapshots. For Enhanced policy, the initial snapshot is a full snapshot and subsequent snapshots are incremental in nature.

+It depends on the churn of the VM.

+- **Standard policy**: In a steady state, you can assume the increase in cost is = Snapshot retention period daily churn per VM snapshot storage cost per GB.

+- **Enhanced policy**: In a steady state, you can assume the increase in cost is = ((Size of VM) + (Snapshot retention period-1)*daily churn per VM) * snapshot storage cost per GB.

+### What happens if I select retention period of restore point (Tier 2) less than the snapshot (Tier 1) retention period?

+The new model doesn't allow deleting the restore point (Tier 2) unless the snapshot (Tier 1) is deleted. We recommend scheduling restore point (Tier 2) retention period greater than the snapshot retention period.

+In a scenario where a retention policy is set as ΓÇ£1ΓÇ¥, you can find two snapshots. This mandates that at least one latest recovery point always be present, in case all subsequent backups fail due to an issue in the VM. This can cause the presence of two snapshots.<br></br>So, if the policy is for "n" snapshots, you can find ΓÇ£n+1ΓÇ¥ snapshots at times. Further, you can even find ΓÇ£n+1+2ΓÇ¥ snapshots if there's a delay in garbage collection. This can happen at rare times when:

+Yes it's safe, and there's absolutely no impact in data transfer speed.

+| Resource | Resource metrics are based on the CPU, the bandwidth, the memory usage of compute nodes, and the number of nodes.<br><br>These service-defined variables are useful for making adjustments based on node count:<br>- $TargetDedicatedNodes <br>- $TargetLowPriorityNodes <br>- $CurrentDedicatedNodes <br>- $CurrentLowPriorityNodes <br>- $PreemptedNodeCount <br>- $UsableNodeCount <br><br>These service-defined variables are useful for making adjustments based on node resource usage: <br>- $CPUPercent <br>- $WallClockSeconds <br>- $MemoryBytes <br>- $DiskBytes <br>- $DiskReadBytes <br>- $DiskWriteBytes <br>- $DiskReadOps <br>- $DiskWriteOps <br>- $NetworkInBytes <br>- $NetworkOutBytes |

+Delete jobs when they're no longer needed, even if in completed state. Although completed jobs don't count towards

+active job quota, it's beneficial to periodically clean up completed jobs. For example,

+[listing jobs](/rest/api/batchservice/job/list) will be more efficient when the total number of jobs is a smaller

+set (even if proper filters are applied to the request).

+> terminate task request will take effect immediately). And then delete the task 10 minutes later.

+| Customers can deploy a new cloud service directly in Azure Resource Manager and then delete the old cloud service in Azure Service Manager after thorough validation. | The in-place migration tool enables a seamless, platform orchestrated migration of existing Cloud Services (classic) deployments to Cloud Services (extended support). |

+When acknowledging callback events, it's best practice to respond with standard HTTP status codes like 200 OK. Detailed information is unnecessary and is more suitable for your debugging processes.

+ Title: Emails opt out management using suppression list within Azure Communication Service Email

+description: Learn about Managing Opt-outs to enhance Email Delivery in your B2C Communications.

+# Overview

+This article provides the Email delivery best practices and how to use the Azure Communication Services Email suppression list feature that allows customers to manage opt-out capabilities for email communications. It also provides information on the features that are important for emails opt out management that helps you improve email complaint management, promote better email practices, and increase your email delivery success, boosting the likelihood of getting to recipients' inboxes efficiently.

+## Opt out or unsubscribe management: Ensuring transparent sender reputation

+It's important to know how interested your customers are in your email communication and to respect their opt-out or unsubscribe requests when they decide not to get emails from you. This helps you keep a good sender reputation. Whether you have a manual or automated process in place for handling unsubscribes, it's important to provide an "unsubscribe" link in the email payload you send. When recipients decide not to receive further emails, they can click on the 'unsubscribe' link and remove their email address from your mailing list.

+The functionality of the links and instructions in the email is vital; they must be working correctly and promptly notify the application mailing list to remove the contact from the appropriate list or lists. A proper unsubscribe mechanism should be explicit and transparent from the subscriber's perspective, ensuring they know precisely which messages they're unsubscribing from. Ideally, they should be offered a preferences center that gives them the option to unsubscribe in cases where they're subscribed to multiple lists within your organization. This process prevents accidental unsubscribes and allows users to manage their opt-in and opt-out preferences effectively through the unsubscribe management process.

+## Managing emails opt out preferences with suppression list in Azure Communication Service Email

+Azure Communication Service Email offers a powerful platform with a centralized managed unsubscribe list with opt out preferences saved to our data store. This feature helps the developers to meet guidelines of email providers, requiring one-click list-unsubscribe implementation in the emails sent from our platform. To proactively identify and avoid significant delivery problems, suppression list features, including but not limited to:

+* Offers domain-level, customer managed lists that provide opt-out capabilities.

+* Provides Azure resources that allow for Create, Read, Update, and Delete (CRUD) operations via Azure portal, Management SDKs, or REST APIs.

+* Apply filters in the sending pipeline, all recipients are filtered against the addresses in the domain suppression lists and email delivery isn't attempted for the recipient addresses.

+* Gives the ability to manage a suppression list for each sender email address, which is used to filter/suppress email recipient addresses when sending emails.

+* Caches suppression list data to reduce expensive database lookups, and this caching is domain-specific based on the frequency of use.

+* Adds Email addresses programmatically for an easy opt-out process for unsubscribing.

+### Benefits of opt out or unsubscribe management

+Using a suppression list in Azure Communication Services offers several benefits:

+* Compliance and Legal Considerations: This feature is crucial for adhering to legal responsibilities defined in local government legislation like the CAN-SPAM Act in the United States. It ensures that customers can easily manage opt-outs and maintain compliance with these regulations.

+* Better Sender Reputation: When emails aren't sent to users who have chosen to opt out, it helps protect the senderΓÇÖs reputation and lowers the chance of being blocked by email providers.

+* Improved User Experience: It respects the preferences of users who don't wish to receive communications, leading to a better user experience and potentially higher engagement rates with recipients who choose to receive emails.

+* Operational Efficiency: Suppression lists can be managed programmatically, allowing for efficient handling of large numbers of opt-out requests without manual intervention.

+* Cost-Effectiveness: By not sending emails to recipients who opted out, it reduces the volume of sent emails, which can lower operational costs associated with email delivery.

+* Data-Driven Decisions: The suppression list feature provides insights into the number of opt-outs, which can be valuable data for making informed decisions about email campaign strategies.

+These benefits contribute to a more efficient, compliant, and user-friendly email communication system when using Azure Communication Services. To enable email logs and monitor your email delivery, follow the steps outlined in [Azure Communication Services email logs Communication Service in Azure Communication Service](../../concepts/analytics/logs/email-logs.md).

+## Next steps

+The following documents may be interesting to you:

+- Familiarize yourself with the [Email client library](../email/sdk-features.md)

+- How to send emails with custom verified domains? [Add custom domains](../../quickstarts/email/add-custom-verified-domains.md)

+- How to send emails with Azure Managed Domains? [Add Azure Managed domains](../../quickstarts/email/add-azure-managed-domains.md)

+> [!Note]

+> Advanced Messaging for WhatsApp is only available in the following Regions.

+- Asia Pacific

+- Australia

+- Europe

+- United Kingdom

+- United States

+- In-band Dual-tone multi-frequency (DTMF) isn't supported. Use RFC 2833 DTMF instead.

+- Multiple IP addresses mapped with the same FQDN on the SBC side aren't supported.

+- Maximum call duration is 30 hours.

+ Title: Device and permission issues - askDevicePermission API takes too long

+description: Learn how to troubleshoot when askDevicePermission API takes too long.

+# The askDevicePermission API takes too long

+The [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API prompts the end user via the browser asking if they allow permission to use camera or microphone.

+If the end user approves camera or microphone usage, then those devices are available to be used in a call. The devices availability is reflected in available device list.

+User taking a long time to approve the permission can cause delay in the API response.

+Occasionally, the device list update step can take a long time.

+A delay in the driver layer is usually the cause of the issue. The issue can happen with some virtual audio devices in particular. [Chromium Issue 1402866](https://bugs.chromium.org/p/chromium/issues/detail?id=1402866&no_tracker_redirect=1)

+## How to detect using the SDK

+To detect this issue, you can measure the time difference between when you call the [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API and when the promise resolves or rejects.

+## How to mitigate or resolve

+If the [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API fails due to the user not responding to the UI permission prompt,

+the application can retry the API again and the user should see the UI permission prompt.

+As for other reasons, such as the device list updating taking too long to complete, the user should check their devices and see if there's any device that could potentially be causing this issue.

+They may need to update or remove the problematic device to resolve the issue.

+ Title: Device and permission issues - getMicrophones API doesn't return detailed microphone list

+description: Learn how to troubleshoot when getMicrophones API doesn't return detailed microphone list.

+# The getMicrophones API doesn't return detailed microphone list

+If a user reports they can't see the detailed microphone list,

+it's likely because the user didn't grant permission to access the microphone.

+When the permission state is `prompt` or `denied`, the browser doesn't provide detailed information about the microphone devices.

+In this scenario, the [`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an array with one object, where the `id` is set to `microphone:` and the name is set to an empty string.

+It's important to note that this scenario differs from the scenario where a user doesn't have any microphone on their device. If a device doesn't have any microphones the [`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an empty array, indicating that there's no available microphone devices on the user's system.

+## How to detect using the SDK

+[`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an empty array or an array with an object, where the `id` is set to `microphone:` and the name is set to an empty string.

+Additionally, to detect the scenario where the user removes the microphone during the call and there are no available microphones in the system,

+the application can listen to the [`noMicrophoneDevicesEnumerated`](/javascript/api/azure-communication-services/@azure/communication-calling/latestmediadiagnostics?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-latestmediadiagnostics-nomicrophonedevicesenumerated) event being raised to true in the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md).

+This event can help the application understand the current situation, so it can show a warning message on its UI accordingly.

+## How to mitigate or resolve

+Your application should always call the [`DeviceManager.askDevicePermission`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-askdevicepermission) API to ensure that the required permissions are granted.

+If the user doesn't grant the microphone permission, your application should display a warning message on its user interface.

+Additionally, your application should listen to the [`noMicrophoneDevicesEnumerated`](/javascript/api/azure-communication-services/@azure/communication-calling/latestmediadiagnostics?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-latestmediadiagnostics-nomicrophonedevicesenumerated) event and show a message when there are no available microphone devices.

+If the application provides a device selection page before the call,

+it can also check whether the microphone list is empty and shows a warning accordingly indicating no mic devices available.

+ Title: Device and permission issues - getSpeakers API doesn't return detailed speaker list

+description: Learn how to troubleshoot when getSpeakers API doesn't return detailed speaker list.

+# The getSpeakers API doesn't return detailed speaker list

+If a user reports that they can't see the detailed speaker list, it could be because the application doesn't have permission to access the microphone.

+Alternatively, the platform may not support speaker enumeration.

+The way browsers currently work may seem counterintuitive, as the permission to access the microphone can interfere with the enumeration of speakers.

+The speaker and microphone enumeration shares the same permission information.

+When the microphone permission state is `prompt` or `denied`, the browser doesn't provide detailed information about the microphone devices and speaker devices.

+In this scenario, [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API returns an array with one object, where the `id` is set to `speaker:` and the name is set to an empty string.

+Some platforms, such as iOS Safari, macOS Safari, or earlier versions of Firefox don't support speaker enumeration.

+It's important to note that this scenario is different from the scenario where a user doesn't have any audio output device.

+In the latter case, the [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API only returns an empty array, indicating that there's no available audio output device in the user's system.

+## How to detect using the SDK

+[`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API returns an empty array or an array with an object, where the `id` is set to `speaker:` and the name is set to an empty string.

+Additionally, to detect the scenario where the user removes the speaker during the call and there are no available audio output devices in the system, the application can listen to the `noSpeakerDevicesEnumerated` event being raised to true in the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md). This event can help the application understand the current situation, and show the warning message on its UI accordingly.

+For the platform that doesn't support speaker enumeration, you get an error when calling [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API.

+The error code/subcode is

+| error | Details |

+||-|

+| code | 405 (Method Not Allowed) |

+| subcode | 40606 |

+| message | This device doesn't support speaker enumeration. |

+| resultCategories | Expected |

+## How to mitigate or resolve

+The application should always call the `DeviceManager.askDevicePermission` API to ensure that the required permissions are granted.

+If the user doesn't grant the microphone permission, the application should show a warning on its user interface, so the user knows that they aren't able to see the speaker device list.

+The application should also check whether the speaker list is empty or handle the error when calling [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API, and show a warning accordingly.

+Additionally, the application should listen to the `noSpeakerDevicesEnumerated` event and show a message when there are no available speaker devices.

+ Title: Device and permission issues - no permission prompt after calling askDevicePermission

+description: Learn why there's no permission prompt after calling askDevicePermission.

+# No permission prompt shows when calling askDevicePermission

+If a user reports that they don't see any permission prompts, it may be because they previously granted or denied permission and the browser caches the result.

+Not showing the permission prompt isn't a problem if the browser has the required permission.

+However, if the user can't see the device list, it could be because they denied permission before.

+Another possible reason for the lack of a permission prompt is that the user's system doesn't have any microphone or camera devices available,

+causing the browser to skip the prompt even if the permission state is set to `prompt`.

+## How to detect using the SDK

+We can't detect whether the permission prompt actually shows or not, as this browser behavior can't be detected at JavaScript layer.

+## How to mitigate or resolve

+The application should check the result of [`DeviceManager.askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API.

+If the result is false, it may indicate that user denied the permission now or previously.

+The application should show a warning message and ask the user to check their browser settings to ensure that correct permissions were granted.

+They also need to verify that their system has the necessary devices installed and configured properly.

+ Title: Device and permission issues - Overview

+description: Overview of device and permission issues

+# Overview of device and permission issues

+In the WebJS calling SDK, there are two types of permissions: browser permissions and system permissions.

+When an application needs to access a user's audio or video input device, it requires permissions granted at both the browser and system level.

+If an application doesn't have the required permission, it can't access the device,

+which means that other participants in the call are unable to see or hear the user.

+To avoid these issues, it's important for users to grant the necessary permissions when prompted by the browser.

+If a user accidentally denies permission or needs to change their permissions later, they can usually do so through the browser settings.

+The permission is also necessary for the application to retrieve detailed device list information.

+The application can call [`DeviceManager.askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) to trigger the permission prompt UI.

+However, the browser may cache the permission result and return it without showing the permission prompt UI.

+If the permission result is `denied`, the user needs to update the permission through the browser settings.

+## Common issues related to the device and permission

+Here are some common issues related to devices and permissions, along with their potential causes:

+### The getMicrophones API returns an empty array or doesn't return detailed microphone list

+* The microphone device isn't available in the system.

+* The microphone permission isn't granted.

+### The getSpeakers API returns an empty array or doesn't return detailed speaker list

+* The speaker device isn't available in the system.

+* The browser doesn't support speaker enumeration.

+* The microphone permission isn't granted.

+### No permission prompt shows when calling askDevicePermission

+* The browser caches the permission result granted or denied previously and returns it without prompting the user.

+* The microphone device isn't available when requesting microphone permission.

+* The camera device isn't available when requesting camera permission.

+### The askDevicePermission API takes too long

+* The user doesn't grant or deny the permission prompt.

+* The device driver layer responds slowly.

+## Next steps

+This overview article provides basic information on device and permission issues you may encounter when using the WebJS calling SDK.

+For more detailed guidance, follow the links to the pages listed within the `Device and permission issues` section of this troubleshooting guide.

+| Consumption | Consumption |4 | 8 | - | Consumption | per replica |

+- Free 40,000 [RU/s](request-units.md) of Azure Cosmos DB throughput (equivalent of up to $6,000) for 90 days.

+Free tier lasts indefinitely for the lifetime of the account and it comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account. These benefits include unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more.

+ Title: Unified AI Database

+description: Database for AI Era - Azure Cosmos DB is a NoSQL, relational, and vector database that provides unmatched reliability and flexibility for your operational data needs.

+# Database for AI Era

+> "OpenAI relies on Cosmos DB to dynamically scale their ChatGPT service ΓÇô one of the fastest-growing consumer apps ever ΓÇô enabling high reliability and low maintenance." ΓÇô Satya Nadella, Microsoft chairman and chief executive officer

+The surge of AI-powered applications created another layer of complexity, because many of these applications integrate a multitude of data stores. For example, some organizations built applications that simultaneously connect to MongoDB, Postgres, Redis, and Gremlin. These databases differ in implementation workflow and operational performances, posing extra complexity for scaling applications.

+Azure Cosmos DB simplifies and expedites your application development by being the single database for your operational data needs, from caching to backup to vector search. It provides the data infrastructure for modern applications like AI, digital commerce, Internet of Things, and booking management. It can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.

+## An AI database providing industry-leading capabilities... for free

+Azure Cosmos DB is a fully managed NoSQL, relational, and vector database. It offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.

+- SDKs for popular languages

+- AI database functionalities like integrated vector database or seamless integration with Azure AI Services to support Retrieval Augmented Generation

+- Query Copilot for generating NoSQL queries based on your natural language prompts [(preview)](nosql/query/how-to-enable-use-copilot.md)

+As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates, and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand.

+If you're an existing Azure AI or GitHub Copilot customer, you may try Azure Cosmos DB for free with 40,000 [RU/s](request-units.md) of throughput for 90 days under the Azure AI Advantage offer.

+If you aren't an Azure customer, you may use the [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/). No commitment follows the end of your trial period.

+Alternatively, you may use the [Azure Cosmos DB lifetime free tier](free-tier.md) with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free.

+## An AI database for more than just AI apps

+Besides AI, Azure Cosmos DB should also be your goto database for web, mobile, gaming, and IoT applications. Azure Cosmos DB is well positioned for solutions that handle massive amounts of data, reads, and writes at a global scale with near-real response times. Azure Cosmos DB's guaranteed high availability, high throughput, low latency, and tunable consistency are huge advantages when building these types of applications. Learn about how Azure Cosmos DB can be used to build IoT and telematics, retail and marketing, gaming and web and mobile applications.

+## An AI database with unmatched reliability and flexibility

+Build fast with open-source APIs, multiple SDKs, schemaless data, and no-ETL analytics over operational data.

+- Build apps on API for NoSQL using the languages of your choice with SDKs for .NET, Java, Node.js, and Python. Or your choice of drivers for any of the other database APIs.

+End-to-end database management, with serverless and automatic scaling matching your application and total cost of ownership (TCO) needs.

+ Title: Open-source vector databases

+description: Open-source vector databases

+# Open-source vector databases

+When developers select vector databases, the open-source options provide numerous benefits. "Open source" means that the software's source code is available freely, enabling users to customize the database according to their specific needs. This flexibility is beneficial for organizations that are subject to unique regulatory requirements on data, such as companies in the financial services industry.

+Another advantage of open-source vector databases is the strong community support they enjoy. Active user communities often contribute to the development of these databases, provide support, and share best practices, promoting innovation.

+Some individuals opt for open-source vector databases because they are "free," meaning there's no cost to acquire or use the software. An alternative is using the free tiers offered by managed vector database services. These managed services provide not only cost-free access up to a certain usage limit but also simplify the operational burden by handling maintenance, updates, and scalability. Therefore, by using the free tier of managed vector database services, users can achieve cost savings while reducing management overhead. This approach allows users to focus more on their core activities rather than on database administration.

+## Working mechanism of open-source vector databases

+Open-source vector databases are designed to store and manage vector embeddings, which are mathematical representations of data in a high-dimensional space. In this space, each dimension corresponds to a feature of the data, and tens of thousands of dimensions might be used to represent sophisticated data. A vector's position in this space represents its characteristics. Words, phrases, or entire documents, and images, audio, and other types of data can all be vectorized. These vector embeddings are used in similarity search, multi-modal search, recommendations engines, large languages models (LLMs), etc.

+These databases' architecture typically includes a storage engine and an indexing mechanism. The storage engine optimizes the storage of vector data for efficient retrieval and manipulation, while the indexing mechanism organizes the data for fast searching and retrieval operations.

+In a vector database, embeddings are indexed and queried through vector search algorithms based on their vector distance or similarity. A robust mechanism is necessary to identify the most relevant data. Some well-known vector search algorithms include Hierarchical Navigable Small World (HNSW), Inverted File (IVF), etc.

+Vector databases are used in numerous domains and situations across analytical and generative AI, including natural language processing, video and image recognition, recommendation system, search, etc. For example, you can use a vector database to:

+- Identify similar images, documents, and songs based on their contents, themes, sentiments, and styles

+- Identify similar products based on their characteristics, features, and user groups

+- Recommend contents, products, or services based on individuals' preferences

+- Recommend contents, products, or services based on user groups' similarities

+- Identify the best-fit potential options from a large pool of choices to meet complex requirements

+- Identify data anomalies or fraudulent activities that are dissimilar from predominant or normal patterns

+- Implement persistent memory for AI agents

+- Enable retrieval-augmented generation (RAG)

+## Selecting the best open-source vector database

+Choosing the best open-source vector database requires considering several factors. Performance and scalability of the database are crucial, as they impact whether the database can handle your specific workload requirements. Databases with efficient indexing and querying capabilities usually offer optimal performance. Another factor is the community support and documentation available for the database. A robust community and ample documentation can provide valuable assistance. Here are some popular open-source vector databases:

+- Chroma

+- Milvus

+- Qdrant

+- Weaviate

+>[!NOTE]

+>The most popular option may not be the best option for you. To find the best fit for your needs, you should compare different options based on features, supported data types, compatibility with existing tools and frameworks you use. Ease of installation, configuration, and maintenance should also be considered to ensure smooth integration into your workflow.

+## Challenges with open-source vector databases

+Open-source vector databases pose challenges that are typical of open-source software:

+- Setup: Users need in-depth knowledge to install, configure, and operate, especially for complex deployments. Optimizing resources and configuration while scaling up operation requires close monitoring and adjustments.

+- Maintenance: Users must manage their own updates, patches, and maintenance. Thus, ML expertise wouldn't suffice; users must also have extensive experience in database administration.

+- Support: Official support can be limited compared to managed services, relying more on community assistance.

+Therefore, while free initially, open-source vector databases incur significant costs when scaling up. Expanding operations necessitates more hardware, skilled IT staff, and advanced infrastructure management, leading to higher expenses in hardware, personnel, and operational costs. Scaling open-source vector databases can be financially demanding despite the lack of licensing fees.

+## Addressing the challenges

+A fully managed database service helps developers avoid the hassles from setting up, maintaining, and relying on community assistance for an open-source vector database. The Integrated Vector Database in Azure Cosmos DB for MongoDB vCore offers a life-time free tier. It allows developers to enjoy the same financial benefit associated with open-source vector databases, while the service provider handles maintenance, updates, and scalability. When itΓÇÖs time to scale up operations, upgrading is quick and easy while keeping a low [total cost of ownership (TCO)](introduction.md#low-total-cost-of-ownership-tco).

+## Next steps

+> [!div class="nextstepaction"]

+> [Create a lifetime free-tier vCore cluster for Azure Cosmos DB for MongoDB](free-tier.md)

+- [.NET RAG Pattern retail reference solution](https://github.com/Azure/Vector-Search-AI-Assistant-MongoDBvCore)

+- [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)

+- [C# RAG pattern - Integrate Open AI Services with Cosmos](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)

+- [Python RAG pattern - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore)

+- [Python notebook tutorial - Vector database integration through LangChain](https://python.langchain.com/docs/integrations/vectorstores/azure_cosmos_db)

+- [Python notebook tutorial - LLM Caching integration through LangChain](https://python.langchain.com/docs/integrations/llms/llm_caching#azure-cosmos-db-semantic-cache)

+- [Python - LlamaIndex integration](https://docs.llamaindex.ai/en/stable/examples/vector_stores/AzureCosmosDBMongoDBvCoreDemo.html)

+- [Python - Semantic Kernel memory integration](https://github.com/microsoft/semantic-kernel/tree/main/python/semantic_kernel/connectors/memory/azure_cosmosdb)

+> [Create a lifetime free-tier vCore cluster for Azure Cosmos DB for MongoDB](free-tier.md)

+| **Python SDK** | >= [v4.5.2b5](https://pypi.org/project/azure-cosmos/4.5.2b5/) | Computed properties are currently under preview version. |

+### [Python](#tab/python)

+You can define multiple computed properties in a list and then add them to the container properties. Python SDK currently doesn't support computed properties on existing containers.

+```python

+computed_properties = [{'name': "cp_lower", 'query': "SELECT VALUE LOWER(c.db_group) FROM c"},

+ {'name': "cp_power", 'query': "SELECT VALUE POWER(c.val, 2) FROM c"},

+ {'name': "cp_str_len", 'query': "SELECT VALUE LENGTH(c.stringProperty) FROM c"}]

+container_with_computed_props = db.create_container_if_not_exists(

+ "myContainer", PartitionKey(path="/pk"), computed_properties=computed_properties)

+```

+Computed properties can be used like any other property in queries. For example, you can use the computed property `cp_lower` in a query like this:

+```python

+queried_items = list(

+ container_with_computed_props.query_items(query='Select * from c Where c.cp_power = 25', partition_key="test"))

+```

+### [Python](#tab/python)

+Updating computed properties on an existing container is not supported in Python SDK. You can only define computed properties when creating a new container. This is a work in progress currently.

+Free tier lasts indefinitely for the lifetime of the account and comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account, including unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can create a free tier account using Azure portal, CLI, PowerShell, and a Resource Manager template. To learn more, see how to [create a free tier account](free-tier.md) article and the [pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/).

+- Python: [v4.5.2b2](https://pypi.org/project/azure-cosmos/4.5.2b2/) or later. Available only in preview version.

+- [C# RAG pattern - Integrate Open AI Services with Cosmos](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)

+- [Python RAG pattern - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore)

+- Purchase Azure services, including reservations/savings plans.

+- View and manage all reservation/savings plan orders and reservations/savings plans that apply to the Enterprise Agreement.

+ - Enterprise administrator (read-only) can view reservation/savings plan orders and reservations/savings plans. They can't manage them.

+- Purchase Azure services, including reservations/savings plans.

+- View and manage all reservation/savings plan orders and reservations/savings plans that apply to the Enterprise Agreement.

+|Purchase reservations/savings plans|✔|✘⁶|✔|✘|✘|✘|✘|

+- ⁶ A subscription owner, reservation purchaser or savings plan purchaser can purchase and manage reservations and savings plans within the subscription, and only if permitted by the reservation/savings plan purchase-enabled flags. Enterprise administrators can purchase and manage reservations and savings plans across the billing account. Enterprise administrators (read-only) can view all purchased reservations and savings plans. The reservation/savings plan purchase-enabled flags don't affect the EA administrator roles. The Enterprise Admin (read-only) role holder isn't permitted to make purchases. However, if a user with that role also holds either a subscription owner, reservation purchaser or savings plan purchaser permission, the user can purchase reservations and/or savings plans, regardless of the flags.

+Saving plan purchasing for Enterprice Agreement (EA) customers is limited to the following:

+- EA admins with write permissions can purchase savings plans from **Cost Management + Billing** > **Savings plan**. No subscription-specific permissions are needed.

+- Users with Subscription owner or Savings plan purchaser roles in at least one subscription in the enrollment account can purchase savings plans from **Home** > **Savings plan**.

+EA customers can limit savings plan purchases to only EA admins by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings.

+Saving plan purchasing for Microsoft Customer Agreement (MCA) customers is limited to the following:

+- Users with billing profile contributor permissions or higher can purchase savings plans from **Cost Management + Billing** > **Savings plan** experience. No subscription-specific permissions are needed.

+- Users with Subscription owner or Savings plan purchaser roles in at least one subscription in the billing profile can purchase savings plans from **Home** > **Savings plan**.

+MCA customers can limit savings plan purchases to users with billing profile contributor permissions or higher by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings.

+- You must have the Savings plan purchaser role within, or be an Owner of, the subscription that you plan to use, specified as `billingScopeId`.

+To download your EA price sheet via Azure portal, do the following tasks.

+To download your MCA price sheet via Azure portal, do the following tasks.

+## Download price sheet using APIs

+To learn more about downloading your price sheet using price sheet APIs, see the following articles:

+ - [Learn more about EA price sheet](/rest/api/cost-management/price-sheet).

+ - [Learn more about MCA price sheet](/rest/api/consumption/price-sheet).

+ - [Learn more about retail price sheet](/rest/api/cost-management/retail-prices/azure-retail-prices).

+ - Java Runtime (JRE) is version 11 or greater, from a JRE provider such as [Microsoft OpenJDK 11](https://aka.ms/download-jdk/microsoft-jdk-11.0.19-windows-x64.msi) or [Eclipse Temurin 11](https://adoptium.net/temurin/releases/?version=11). Ensure that the JAVA_HOME system environment variable is set to the JDK folder (not just the JRE folder) you may also need to add the bin folder to your system's PATH environment variable.

+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.

+| Recommendation | Description | Assessment Key|

+|--|--|--|

+| [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 2a139383-ec7e-462a-90ac-b1b60e87d576 |

+| [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)ΓÇ»| Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | d5d1e526-363a-4223-b860-f4b6e710859f |

+These are the older recommendations that are currently on a retirement path:

+| Recommendation | Description | Assessment Key|

+|--|--|--|

+| [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |

+| [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f |

+ - Vulnerability reports for registry container images are provided as a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576).

+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.

+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.

+| Recommendation | Description | Assessment Key |

+|--|--|--|

+| [[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 33422d8f-ab1e-42be-bc9a-38685bb567b9 |

+| [[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)  | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0 |

+These are the older recommendations that are currently on a retirement path:

+| Recommendation | Description | Assessment Key|

+|--|--|--|

+| [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |

+| [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)  | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |

+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9).

+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.

+These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.

+| Recommendation | Description | Assessment Key|

+|--|--|--|

+| [[Preview] Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04 |

+| [[Preview] Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)ΓÇ»| Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | c7c1d31d-a604-4b86-96df-63448618e165 |

+These are the older recommendations that are currently on a retirement path:

+| Recommendation | Description | Assessment Key|

+|--|--|--|

+| [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |

+| [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 |

+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04).

+- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.

+ Title: Retrieve attack path data with API

+description: Learn how to Retrieve attack path data with APIs in Microsoft Defender for Cloud and enhance the security of your environment.

+#customer intent: As a developer, I want to learn how to retrieve attack path data with APIs in Microsoft Defender for Cloud so that I can enhance the security of my environment.

+# Retrieve attack path data with API

+You can consume attack path data programmatically by querying Azure Resource Graph (ARG) API.

+Learn [how to query ARG API](/rest/api/azureresourcegraph/resourcegraph(2020-04-01-preview)/resources/resources?source=recommendations&tabs=HTTP).

+## Consume attack path data programmatically using API

+The following examples show sample ARG queries that you can run:

+**Get all attack paths in subscription ΓÇÿXΓÇÖ**:

+```kusto

+securityresources

+| where type == "microsoft.security/attackpaths"

+| where subscriptionId == <SUBSCRIPTION_ID>

+```

+**Get all instances for a specific attack path**:

+For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`.

+```kusto

+securityresources

+| where type == "microsoft.security/attackpaths"

+| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26"

+| extend AttackPathDisplayName = tostring(properties["displayName"])

+| where AttackPathDisplayName == "<DISPLAY_NAME>"

+```

+### API response schema

+The following table lists the data fields returned from the API response:

+| Field | Description |

+|--|--|

+| ID | The Azure resource ID of the attack path instance|

+| Name | The Unique identifier of the attack path instance|

+| Type | The Azure resource type, always equals `microsoft.security/attackpaths`|

+| Tenant ID | The tenant ID of the attack path instance |

+| Location | The location of the attack path |

+| Subscription ID | The subscription of the attack path |

+| Properties.description | The description of the attack path |

+| Properties.displayName | The display name of the attack path |

+| Properties.attackPathType | The type of the attack path|

+| Properties.manualRemediationSteps | Manual remediation steps of the attack path |

+| Properties.refreshInterval | The refresh interval of the attack path |

+| Properties.potentialImpact | The potential impact of the attack path being breached |

+| Properties.riskCategories | The categories of risk of the attack path |

+| Properties.entryPointEntityInternalID | The internal ID of the entry point entity of the attack path |

+| Properties.targetEntityInternalID | The internal ID of the target entity of the attack path |

+| Properties.assessments | Mapping of entity internal ID to the security assessments on that entity |

+| Properties.graphComponent | List of graph components representing the attack path |

+| Properties.graphComponent.insights | List of insights graph components related to the attack path |

+| Properties.graphComponent.entities | List of entities graph components related to the attack path |

+| Properties.graphComponent.connections | List of connections graph components related to the attack path |

+| Properties.AttackPathID | The unique identifier of the attack path instance |

+## Next step

+> [!div class="nextstepaction"]

+> [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md).

+ Title: Regulatory compliance in Defender for Cloud

+description: Learn about regulatory compliance standards and certification in Microsoft Defender for Cloud, and how it helps ensure compliance with industry regulations.

+#customer intent: As a cloud security professional, I want to understand how Defender for Cloud helps me meet regulatory compliance standards, so that I can ensure my organization is compliant with industry standards and regulations.

+# Regulatory compliance standards in Microsoft Defender for Cloud

+## Available regulatory standards

+The following regulatory standards are available in Defender for Cloud:

+| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects |

+|--|--|--|

+| Australian Government ISM Protected | AWS Foundational Security Best Practices | Brazilian General Personal Data Protection Law (LGPD)|

+| Canada Federal PBMM | AWS Well-Architected Framework | California Consumer Privacy Act (CCPA)|

+| CIS Azure Foundations | Brazilian General Personal Data Protection Law (LGPD) | CIS Controls|

+| CMMC | California Consumer Privacy Act (CCPA) | CIS GCP Foundations|

+| FedRAMP ΓÇÿHΓÇÖ & ΓÇÿMΓÇÖ | CIS AWS Foundations | CIS Google Cloud Platform Foundation Benchmark|

+| HIPAA/HITRUST | CRI Profile | CIS Google Kubernetes Engine (GKE) Benchmark|

+| ISO/IEC 27001 | CSA Cloud Controls Matrix (CCM) | CRI Profile|

+| New Zealand ISM Restricted | GDPR | CSA Cloud Controls Matrix (CCM)|

+| NIST SP 800-171 | ISO/IEC 27001 | Cybersecurity Maturity Model Certification (CMMC)|

+| NIST SP 800-53 | ISO/IEC 27002 | FFIEC Cybersecurity Assessment Tool (CAT)|

+| PCI DSS | NIST Cybersecurity Framework (CSF) | GDPR|

+| RMIT Malaysia | NIST SP 800-172 | ISO/IEC 27001|

+| SOC 2 | PCI DSS | ISO/IEC 27002|

+| SWIFT CSP CSCF | | ISO/IEC 27017|

+| UK OFFICIAL and UK NHS | | NIST Cybersecurity Framework (CSF)|

+| | | NIST SP 800-53 |

+| | | NIST SP 800-171|

+| | | NIST SP 800-172|

+| | | PCI DSS|

+| | | Sarbanes Oxley Act (SOX)|

+| | | SOC 2|

+## Related content

+ Title: What is Defender for open-source databases

+#customer intent: As a reader, I want to understand the purpose and features of Microsoft Defender for open-source relational databases so that I can make informed decisions about its usage.

+# What is Microsoft Defender for open-source relational databases

+Check out the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) for pricing information for Microsoft Defender for open-source relational databases.

+Defender for open-source relational database is supported on PaaS environments and not on Azure Arc-enabled machines.

+**Protected versions of PostgreSQL include**:

+- Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md).

+- Flexible Server - all pricing tiers.

+**Protected versions of MySQL include**:

+- Single Server - General Purpose and Memory Optimized. Learn more in [MySQL pricing tiers](../mysql/concepts-pricing-tiers.md).

+- Flexible Server - all pricing tiers.

+**Protected versions of MariaDB include**:

+- General Purpose and Memory Optimized. Learn more in [MariaDB pricing tiers](../mariadb/concepts-pricing-tiers.md).

+View [cloud availability](support-matrix-cloud-environment.md#cloud-support) for Defender for open-source relational databases

+- **Anomalous database access and query patterns** - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt).

+- **Suspicious database activities** - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server.

+- **Brute-force attacks** ΓÇô With the ability to separate simple brute force or a successful brute force.

+## Related articles

+- [Enable Microsoft Defender for open-source relational databases and respond to alerts](defender-for-databases-usage.md)

+- [Common questions about Defender for Databases](faq-defender-for-databases.yml)

+ Title: Microsoft Defender for open-source relational databases

+description: Configure Microsoft Defender for open-source relational databases to detect potential security threats.

+#customer intent: As a reader, I want to learn how to configure Microsoft Defender for open-source relational databases to enhance the security of my databases.

+ :::image type="content" source="media/defender-for-databases-usage/specific-alert-details.png" alt-text="Screenshot that shows the details of a specific alert." lightbox="media/defender-for-databases-usage/specific-alert-details.png":::

+## Next step

+> [!div class="nextstepaction"]

+> [Automate responses to Defender for Cloud triggers](workflow-automation.md)

+ Title: Creating exemptions and disabling vulnerabilities (Secure score)

+description: Learn how to create exemptions and disable vulnerabilities (Secure score)

+# Create exemptions and disable vulnerability assessment findings on Container registry images and running images (Secure score)

+>[!NOTE]

+>You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to [create an exemption](exempt-resource.md) for a resource or subscription.

+If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

+When a finding matches the criteria you defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples include:

+- Disable findings with severity below medium

+- Disable findings for images that the vendor won't fix

+> [!IMPORTANT]

+> To create a rule, you need permissions to edit a policy in Azure Policy.

+> Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).

+You can use a combination of any of the following criteria:

+- **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.

+- **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`

+- **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17

+- **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than the specified severity level.

+- **Fix status** - Select the option to exclude vulnerabilities based on their fix status.

+Disable rules apply per recommendation, for example, to disable [CVE-2017-17512](https://github.com/advisories/GHSA-fc69-2v7r-7r95) both on the registry images and runtime images, the disable rule has to be configured in both places.

+> [!NOTE]

+> The [Azure Preview Supplemental Terms](//azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+ To create a rule:

+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management

+](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**.

+1. Select the relevant scope.

+1. Define your criteria. You can use any of the following criteria:

+ - **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.

+ - **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`

+ - **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17

+ - **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.

+ - **Fix status** - Select the option to exclude vulnerabilities based on their fix status.

+1. In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.

+1. Select **Apply rule**.

+ :::image type="content" source="./media/disable-vulnerability-findings-containers/disable-rules-secure-score.png" alt-text="Screenshot showing where to create a disable rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/disable-rules.png":::

+ > [!IMPORTANT]

+ > Changes might take up to 24 hours to take effect.

+**To view, override, or delete a rule:**

+1. From the recommendations detail page, select **Disable rule**.

+1. From the scope list, subscriptions with active rules show as **Rule applied**.

+1. To view or delete the rule, select the ellipsis menu ("...").

+1. Do one of the following:

+ - To view or override a disable rule - select **View rule**, make any changes you want, and select **Override rule**.

+ - To delete a disable rule - select **Delete rule**.

+ :::image type="content" source="./media/disable-vulnerability-findings-containers/override-rules.png" alt-text="Screenshot showing where to view, delete or override a rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/override-rules.png":::

+## Next steps

+- Learn how to [view and remediate vulnerability assessment findings for registry images](view-and-remediate-vulnerability-assessment-findings.md).

+- Learn about [agentless container posture](concept-agentless-containers.md).

+## To create a rule

+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) or [Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0), select **Disable rule**.

+## To view, override, or delete a rule

+ Title: Identify and remediate attack paths

+description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud and enhance the security of your environment.

+#customer intent: As a security analyst, I want to learn how to identify and remediate attack paths in Microsoft Defender for Cloud so that I can enhance the security of my environment.

+By default attack paths are organized by their risk level. The risk level is determined by a context-aware risk-prioritization engine that considers the risk factors of each resource. Learn more about how Defender for Cloud [prioritizes security recommendations](risk-prioritization.md).

+## Prerequisites

+You must [enable Defender Cloud Security Posture Management (CSPM)](enable-enhanced-security.md) and have [agentless scanning](enable-vulnerability-assessment-agentless.md) enabled.

+- You must enable [Defender for Server P1 (which includes MDVM)](defender-for-servers-introduction.md) or [Defender for Server P2 (which includes MDVM and Qualys)](defender-for-servers-introduction.md).

+**To view attack paths that are related to containers**:

+- You must [enable agentless container posture extension](tutorial-enable-cspm-plan.md) in Defender CSPM

+ or

+- You can [enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer.

+- **Required roles and permissions**: Security Reader, Security Admin, Reader, Contributor or Owner.

+## Identify attack paths

+The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths.

+**To identify attack paths**:

+ :::image type="content" source="media/how-to-manage-attack-path/node-select.png" alt-text="Screenshot of the attack path screen that shows you where the nodes are located for selection." lightbox="media/how-to-manage-attack-path/node-select.png":::

+ :::image type="content" source="media/how-to-manage-attack-path/insights.png" alt-text="Screenshot of the insights tab for a specific node." lightbox="media/how-to-manage-attack-path/insights.png":::

+ :::image type="content" source="media/how-to-manage-attack-path/attack-path-recommendations.png" alt-text="Screenshot that shows you where to select recommendations on the screen." lightbox="media/how-to-manage-attack-path/attack-path-recommendations.png":::

+1. [Remediate the recommendation](implement-security-recommendations.md).

+## Remediate attack paths

+Once you have investigated an attack path and reviewed all of the associated findings and recommendations, you can start to remediate the attack path.

+**To remediate an attack path**:

+1. Navigate to **Microsoft Defender for Cloud** > **Attack path analysis**.

+1. Select an attack path.

+1. Select **Remediation**.

+ :::image type="content" source="media/how-to-manage-attack-path/recommendations-tab.png" alt-text="Screenshot of the attack path that shows you where to select remediation." lightbox="media/how-to-manage-attack-path/recommendations-tab.png":::

+1. Select a recommendation.

+1. [Remediate the recommendation](implement-security-recommendations.md).

+## Remediate all recommendations within an attack path

+Attack path analysis grants you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually.

+ :::image type="content" source="media/how-to-manage-attack-path/bulk-recommendations.png" alt-text="Screenshot that shows where to select on the screen to see the attack paths full list of recommendations." lightbox="media/how-to-manage-attack-path/bulk-recommendations.png":::

+1. Expand **Additional recommendations**.

+1. [Remediate the recommendation](implement-security-recommendations.md).

+## Next Step

+> [!div class="nextstepaction"]

+> [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md).

+ Title: Build queries with cloud security explorer

+description: Learn how to build queries with cloud security explorer in Microsoft Defender for Cloud to proactively identify security risks in your cloud environment.

+ai-usage: ai-assisted

+# Customer Intent: As a security professional, I want to learn how to build queries with cloud security explorer in Microsoft Defender for Cloud so that I can proactively identify security risks in my cloud environment and improve my security posture.

+Use the cloud security explorer, to proactively identify security risks in your cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine. You can prioritize your security team's concerns, while taking your organization's specific context and conventions into account.

+- You must [enable Defender CSPM](enable-enhanced-security.md)

+ - You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md).

+

+ For agentless container posture, you must enable the following extensions:

+ - [Agentless discovery for Kubernetes](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan)

+ - [Agentless container vulnerability assessment](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan)

+ > [!NOTE]

+ > If you only have [Defender for Servers P2](tutorial-enable-servers-plan.md) plan 2 enabled, you can use the cloud security explorer to query for keys and secrets, but you must have Defender CSPM enabled to get the full value of the explorer.

+## Next step

+> [!div class="nextstepaction"]

+> [Learn about the cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md)

+ Title: Remediate recommendations

+description: Remediate security recommendations in Microsoft Defender for Cloud to improve the security posture of your environments.

+ai-usage: ai-assisted

+#customer intent: As a security professional, I want to understand how to remediate security recommendations in Microsoft Defender for Cloud so that I can improve my security posture.

+# Remediate recommendations

+This article describes how to remediate security recommendations in your Defender for Cloud deployment.

+## Remediate a recommendation

+Recommendations are prioritized based on the risk level of the security issue by default.

+ :::image type="content" source="media/implement-security-recommendations/recommendations-page.png" alt-text="Screenshot of the recommendations page that shows all of the affected resources by their risk level." lightbox="media/implement-security-recommendations/recommendations-page.png":::

+1. Select a recommendation.

+ :::image type="content" source="./media/implement-security-recommendations/remediate-recommendation.png" alt-text="This screenshot shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/remediate-recommendation.png":::

+To simplify the remediation process, a Fix button may appear in a recommendation. The Fix button helps you quickly remediate a recommendation on multiple resources. If the Fix button is not present in the recommendation, then there is no option to apply a quick fix, and you must follow the presented remediation steps to address the recommendation.

+## Next step

+> [!div class="nextstepaction"]

+> [Governance rules in your remediation processes](governance-rules.md)

+### [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576)

+**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards.

+**Severity**: High

+**Type**: Vulnerability Assessment

+### [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)

+**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards.

+**Severity**: High

+**Type**: Vulnerability Assessment

+**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM, you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate.

+**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts. This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies.

+### [[Preview] Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04)

+**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards.

+**Severity**: High

+**Type**: Vulnerability Assessment

+### [[Preview] Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)

+**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards.

+**Severity**: High

+**Type**: Vulnerability Assessment

+### [EDR solution should be installed on Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c)

+### [[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)

+**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards.

+**Severity**: High

+**Type**: Vulnerability Assessment

+### [[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)

+**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards.

+**Severity**: High

+**Type**: Vulnerability Assessment

+> [!IMPORTANT]

+> This recommendation is on a retirement path. It is being replaced by the recommendation [[[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)](#preview-container-images-in-azure-registry-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey33422d8f-ab1e-42be-bc9a-38685bb567b9).

+> [!IMPORTANT]

+> This recommendation is on a retirement path. It is being replaced by the recommendation [[[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)](#preview-containers-running-in-azure-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeye9acaf48-d2cf-45a3-a6e7-3caa2ef769e0).

+|Date | Update |

+|--|--|

+| April 3 | [Risk prioritization is now the default experience in Defender for Cloud](#risk-prioritization-is-now-the-default-experience-in-defender-for-cloud) |

+| April 3 | [New container vulnerability assessment recommendations](#new-container-vulnerability-assessment-recommendations) |

+| April 3 | [Defender for open-source relational databases updates](#defender-for-open-source-relational-databases-updates) |

+### Risk prioritization is now the default experience in Defender for Cloud

+April 3, 2024

+Risk prioritization is now the default experience in Defender for Cloud. This feature helps you to focus on the most critical security issues in your environment by prioritizing recommendations based on the risk factors of each resource. The risk factors include the potential impact of the security issue being breached, the categories of risk, and the attack path that the security issue is part of.

+Learn more about [risk prioritization](risk-prioritization.md).

+### New container vulnerability assessment recommendations

+April 3, 2024

+To support the new [risk-based prioritization](risk-prioritization.md) experience for recommendations, we've created new recommendations for container vulnerability assessments in Azure, AWS, and GCP. They report on container images for registry and container workloads for runtime:

+- [[Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)](recommendations-reference.md#container-images-in-azure-registry-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey33422d8f-ab1e-42be-bc9a-38685bb567b9)

+- [[Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)](recommendations-reference.md#containers-running-in-azure-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeye9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)

+- [[Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576)](recommendations-reference-aws.md#container-images-in-aws-registry-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey2a139383-ec7e-462a-90ac-b1b60e87d576)

+- [[Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)](recommendations-reference-aws.md#containers-running-in-aws-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeyd5d1e526-363a-4223-b860-f4b6e710859f)

+- [[Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04)](recommendations-reference-gcp.md#container-images-in-gcp-registry-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04)

+- [[Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)](recommendations-reference-gcp.md#containers-running-in-gcp-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeyc7c1d31d-a604-4b86-96df-63448618e165)

+The previous container vulnerability assessment recommendations are on a retirement path and will be removed when the new recommendations are generally available.

+- [[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5)](recommendations-reference.md#azure-registry-container-images-should-have-vulnerabilities-resolved-powered-by-microsoft-defender-vulnerability-managementhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeyc0b7cfc6-3172-465a-b378-53c7ff2cc0d5)

+- [[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)](recommendations-reference.md#azure-running-container-images-should-have-vulnerabilities-resolved-powered-by-microsoft-defender-vulnerability-managementhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeyc609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)

+- [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce)

+- [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)

+- [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145)

+- [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)

+> [!NOTE]

+> The new recommendations are currently in public preview and will not be used for secure score calculation.

+### Defender for open-source relational databases updates

+April 3, 2024

+**Defender for PostgreSQL Flexible Servers post-GA updates** - The update enables customers to enforce protection for existing PostgreSQL flexible servers at the subscription level, allowing complete flexibility to enable protection on a per-resource basis or for automatic protection of all resources at the subscription level.

+**Defender for MySQL Flexible Servers Availability and GA** - Defender for Cloud expanded its support for Azure open-source relational databases by incorporating MySQL Flexible Servers.

+This release includes:

+- Alert compatibility with existing alerts for Defender for MySQL Single Servers.

+- Enablement of individual resources.

+- Enablement at the subscription level.

+If you're already protecting your subscription with Defender for open-source relational databases, your flexible server resources are automatically enabled, protected, and billed.

+Specific billing notifications have been sent via email for affected subscriptions.

+Learn more about [Microsoft Defender for open-source relational databases](defender-for-databases-introduction.md).

+> [!NOTE]

+> Updates for Azure Database for MySQL flexible servers are rolling out over the next few weeks. If you see the error message `The server <servername> is not compatible with Advanced Threat Protection`, you can either wait for the update to roll out, or open a support ticket to update the server sooner to a supported version.

+Based on customer feedback, we've added compliance standards in preview to Defender for Cloud.

+Check out the [full list of supported compliance standards](concept-regulatory-compliance-standards.md#available-regulatory-standards)

+Learn more about [risk prioritization](implement-security-recommendations.md).

+ Title: Review resources exempted from recommendations

+#customer intent: As a user, I want to learn how to exempt recommendations in Microsoft Defender for Cloud so that I can customize the security recommendations for my environment.

+Once a resource has been exempted it will no longer be taken into account for security recommendation. You can review the exempted resources and manage each one in the Defender for Cloud portal.

+### Review exempted resources on the recommendations page

+**To review exempted resources**:

+1. Select **Recommendation status**.

+1. Select **Exempted**.

+ :::image type="content" source="media/review-exemptions/exempted-resources.png" alt-text="Screenshot of the recommendations page that shows where the recommendation status, exempted and apply button are located." lightbox="media/review-exemptions/exempted-resources.png":::

+1. Select a resource to review it.

+### Review exempted resources on the inventory page

+1. Navigate to **Defender for Cloud** > **Inventory**.

+ Title: Review security recommendations

+description: Learn how to review security recommendations in Microsoft Defender for Cloud and improve the security posture of your environments.

+#customer intent: As a security analyst, I want to learn how to review security recommendations in Microsoft Defender for Cloud so that I can improve the security posture of my environments.

+Defender for Cloud proactively utilizes a dynamic engine which assesses the risks in your environment while taking into account the potential for the exploitation and the potential business impact to your organization. The engine [prioritizes security recommendations based on the risk factors](risk-prioritization.md) of each resource, which are determined by the context of the environment, including the resource's configuration, network connections, and security posture.

+## Prerequisites

+- You must [enable Defender CSPM](enable-enhanced-security.md) on your environment.

+> [!NOTE]

+> Recommendations are included by default with Defender for Cloud, but you will not be able to see risk prioritization without Defender CSPM enabled on your environment.

+ - **Risk level** - The exploitability and the business impact of the underlying security issue, taking into account environmental resource context such as: Internet exposure, sensitive data, lateral movement, and more.

+ - **Risk factors** - Environmental factors of the resource affected by the recommendation, which influence the exploitability and the business impact of the underlying security issue. Examples for risk factors include internet exposure, sensitive data, lateral movement potential.

+ - **Resource** - The name of the affected resource.

+ - **Status** - The status of the recommendation. For example, unassigned, on time, overdue.

+1. In **Findings**, you can review affiliated findings by severity.

+ :::image type="content" source="media/review-security-recommendations/recommendation-findings.png" alt-text="Screenshot of the findings tab in a recommendation that shows all of the attack paths for that recommendation." lightbox="media/review-security-recommendations/recommendation-findings.png":::

+1. Select a node to view additional details.

+ :::image type="content" source="media/review-security-recommendations/select-node.png" alt-text="Screenshot of a node located in the graph tab that is selected and showing the additional details." lightbox="media/review-security-recommendations/select-node.png":::

+1. Select **Insights**.

+1. In the vulnerability dropdown menu, select a vulnerability to view the details.

+ :::image type="content" source="media/review-security-recommendations/insights.png" alt-text="Screenshot of the insights tab for a specific node." lightbox="media/review-security-recommendations/insights.png":::

+1. (Optional) Select **Open the vulnerability page** to view the associated recommendation page.

+1. [Remediate the recommendation](implement-security-recommendations.md).

+## Group recommendations by title

+Defender for Cloud's recommendation page allows you to group recommendations by title. This feature is useful when you want to remediate a recommendation that is affecting multiple resources caused by a specific security issue.

+**To group recommendations by title**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select **Group by title**.

+ :::image type="content" source="media/review-security-recommendations/group-by-title.png" alt-text="Screenshot of the recommendations page that shows where the group by title toggle is located on the screen." lightbox="media/review-security-recommendations/group-by-title.png":::

+## Next step

+> [!div class="nextstepaction"]

+> [Remediate security recommendations](implement-security-recommendations.md)

+> [!NOTE]

+> Recommendations are included with the [Foundational CSPM plan](concept-cloud-security-posture-management.md#plan-availability) which is included with Defender for Cloud. However, risk prioritization and governance is supported only with the [Defender CSPM plan](concept-cloud-security-posture-management.md#plan-availability).

+>

+> If your environment is not protected by the Defender CSPM plan the columns with the risk prioritization features will appear blurred out.

+- **Attack paths** - The number of attack paths that the recommendation is part of based on the security engine's search for all potential attack paths based on the resources that exist in the environment and relationship that exists between them. Each environment will present its own unique attack paths.

+ :::image type="content" source="media/risk-prioritization/recommendations-dashboard.png" alt-text="Screenshot of the recommendations dashboard which shows recommendations prioritized by their risk." lightbox="media/risk-prioritization/recommendations-dashboard.png":::

+- [Automate remediation responses](workflow-automation.md)

+The MCSB issues recommendations based on assessment findings. Only built-in recommendations from the MCSB affect the secure score. Currently, [risk prioritization](risk-prioritization.md) doesn't affect the secure score.

+> [!IMPORTANT]

+> [Risk prioritization](risk-prioritization.md) doesn't affect the secure score.

+description: This article provides an overview of the supported features and plans for Defender for Cloud in Azure commercial cloud and government clouds.

+| [Attack path](concept-attack-path.md) | GA | NA | NA |

+| Operating systems | **Supported** <br> ΓÇó Alpine Linux 3.12-3.19 <br> ΓÇó Red Hat Enterprise Linux 6-9 <br> ΓÇó CentOS 6-9<br> ΓÇó Oracle Linux 6-9 <br> ΓÇó Amazon Linux 1, 2 <br> ΓÇó openSUSE Leap, openSUSE Tumbleweed <br> ΓÇó SUSE Enterprise Linux 11-15 <br> ΓÇó Debian GNU/Linux 7-12 <br> ΓÇó Google Distroless (based on Debian GNU/Linux 7-12) <br> ΓÇó Ubuntu 12.04-22.04 <br> ΓÇó Fedora 31-37<br> ΓÇó Mariner 1-2<br> ΓÇó Windows Server 2016, 2019, 2022|

+| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"

+| [Deprecation of encryption recommendation](#deprecation-of-encryption-recommendation) | April 3, 2024 | May 2024 |

+## Deprecation of encryption recommendation

+**Announcement date: April 3, 2024**

+**Estimated date for change: May 2024**

+the recommendation ### [Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d57a4221-a804-52ca-3dea-768284f06bb7) is set to be deprecated.

+ Title: Assess vulnerabilities for containers running on your Kubernetes clusters

+description: Learn how to view and remediate runtime threat findings for containers running on your Kubernetes clusters.

+# View and remediate vulnerabilities for containers running on your Kubernetes clusters (Risk based)

+> [!NOTE]

+> This page describes the new risk-based approach to vulnerability management in Defender for Cloud. Defender for CSPM customers should use this method. To use the classic secure score approach, see [View and remediate vulnerabilities for images running on your Kubernetes clusters (Secure Score)](view-and-remediate-vulnerabilities-for-images-secure-score.md).

+Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities containers running on your Kubernetes clusters based on contextual risk analysis of the vulnerabilities in your cloud environment. In this article, we review the [Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0) recommendation. For the other clouds, see the parallel recommendations in [Vulnerability assessments for AWS with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md) and [Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-gcp.md).

+To provide findings for the recommendation, Defender for Cloud uses [agentless discovery for Kubernetes](defender-for-containers-introduction.md) or the [Defender sensor](tutorial-enable-containers-azure.md#deploy-the-defender-sensor-in-azure) to create a full inventory of your Kubernetes clusters and their workloads and correlates that inventory with the vulnerability reports created for your registry images. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and remediation steps.

+Defender for Cloud presents the findings and related information as recommendations, including related information such as remediation steps and relevant CVEs. You can view the identified vulnerabilities for one or more subscriptions, or for a specific resource.

+## View vulnerabilities for a container

+**To view vulnerabilities for a container, do the following:**

+1. In Defender for Cloud, open the **Recommendations** page. If you're not on the new risk-based page, select **Recommendations by risk** on the top menu. If issues were found, you'll see the recommendation [Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0). Select the recommendation.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-image-recommendation-line.png" alt-text="Screenshot showing the recommendation line for running container images should have vulnerability findings resolved." lightbox="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-image-recommendation-line.png":::

+1. The recommendation details page opens with additional information. This information includes details about your vulnerable container and the remediation steps.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-select-cluster.png" alt-text="Screenshot showing the affected clusters for the recommendation." lightbox="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-select-cluster.png":::

+1. Select the **Findings** tab to see the list of vulnerabilities impacting the container.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-select-container.png" alt-text="Screenshot showing the findings tab containing the vulnerabilities." lightbox="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-select-container.png":::

+1. Select each vulnerability for a detailed description of the vulnerability, additional containers affected by that vulnerability, information on the software version that contributes to resolving the vulnerability, and links to external resources to help with patching the vulnerability.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-list-vulnerabilities.png" alt-text="Screenshot showing the container vulnerabilities." lightbox="media/view-and-remediate-vulnerabilities-for-images-running-on-aks/running-list-vulnerabilities.png":::

+To find all containers impacted by a specific vulnerability, group recommendations by title. For more information, see [Group recommendations by title](review-security-recommendations.md#group-recommendations-by-title).

+For information on how to remediate the vulnerabilities, see [Remediate recommendations](implement-security-recommendations.md).

+## Next step

+- Learn how to [view and remediate vulnerabilities for registry images](view-and-remediate-vulnerability-assessment-findings.md).

+ Title: Assess vulnerabilities for images running on your Kubernetes clusters (Secure Score)

+description: Learn how to view and remediate vulnerabilities for images running on your Kubernetes clusters (Secure Score).

+# View and remediate vulnerabilities for images running on your Kubernetes clusters (Secure Score)

+> [!NOTE]

+> This page describes the classic secure score approach to vulnerability management in Defender for Cloud. Customers using Defender CSPM should use the new risk-based approach: [View and remediate vulnerabilities for images running on your Kubernetes clusters (Risk based)](view-and-remediate-vulnerabilities-for-images.md).

+Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462ce) recommendation.

+To provide findings for the recommendation, Defender for Cloud uses [agentless discovery for Kubernetes](defender-for-containers-introduction.md) or the [Defender sensor](tutorial-enable-containers-azure.md#deploy-the-defender-sensor-in-azure) to create a full inventory of your Kubernetes clusters and their workloads and correlates that inventory with the vulnerability reports created for your registry images. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and remediation steps.

+Defender for Cloud presents the findings and related information as recommendations, including related information such as remediation steps and relevant CVEs. You can view the identified vulnerabilities for one or more subscriptions, or for a specific resource.

+Within each recommendation, resources are grouped into tabs:

+- **Healthy resources** ΓÇô relevant resources, which either aren't impacted or on which you've already remediated the issue.

+- **Unhealthy resources** ΓÇô resources that are still impacted by the identified issue.

+- **Not applicable resources** ΓÇô resources for which the recommendation can't give a definitive answer. The not applicable tab also includes reasons for each resource.

+## View vulnerabilities on a specific cluster

+**To view vulnerabilities for a specific cluster, do the following:**

+1. Open the **Recommendations** page. If you are on the new risk-based page, select **Switch to classic view** in the menu item on the top of the page. Use the **>** arrow to open the sub-levels. If issues were found, you'll see the recommendation [Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5). Select the recommendation.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-image-recommendation-line.png" alt-text="Screenshot showing the recommendation line for running container images should have vulnerability findings resolved." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-image-recommendation-line.png":::

+1. The recommendation details page opens showing the list of Kubernetes clusters ("affected resources") and categorizes them as healthy, unhealthy and not applicable, based on the images used by your workloads. Select the relevant cluster for which you want to remediate vulnerabilities.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-select-cluster.png" alt-text="Screenshot showing the affected clusters for the recommendation." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-select-cluster.png":::

+1. The cluster details page opens. It lists all currently running containers categorized into three tabs based on the vulnerability assessments of the images used by those containers. Select the specific container you want to explore.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-select-container.png" alt-text="Screenshot showing where to select a specific container." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-select-container.png":::

+1. This pane includes a list of the container vulnerabilities. Select each vulnerability to [resolve the vulnerability](#remediate-vulnerabilities).

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-list-vulnerabilities.png" alt-text="Screenshot showing the list of container vulnerabilities." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-list-vulnerabilities.png":::

+## View container images affected by a specific vulnerability

+**To view findings for a specific vulnerability, do the following:**

+1. Open the **Recommendations** page, using the **>** arrow to open the sub-levels. If issues were found, you'll see the recommendation [Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5). Select the recommendation.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-image-recommendation-line.png" alt-text="Screenshot showing the recommendation line for running container images should have vulnerability findings resolved." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-image-recommendation-line.png":::

+1. The recommendation details page opens with additional information. This information includes the list of vulnerabilities impacting the clusters. Select the specific vulnerability.

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-select-vulnerability.png" alt-text="Screenshot showing the list of vulnerabilities impacting the container clusters." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-select-vulnerability.png":::

+1. The vulnerability details pane opens. This pane includes a detailed description of the vulnerability, images affected by that vulnerability, and links to external resources to help mitigate the threats, affected resources, and information on the software version that contributes to [resolving the vulnerability](#remediate-vulnerabilities).

+ :::image type="content" source="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-containers-affected.png" alt-text="Screenshot showing the list of container images impacted by the vulnerability." lightbox="media/view-and-remediate-vulnerabilities-for-images-secure-score/running-containers-affected.png":::

+## Remediate vulnerabilities

+Use these steps to remediate each of the affected images found either in a specific cluster or for a specific vulnerability:

+1. Follow the steps in the remediation section of the recommendation pane.

+1. When you've completed the steps required to remediate the security issue, replace each affected image in your cluster, or replace each affected image for a specific vulnerability:

+ 1. Build a new image (including updates for each of the packages) that resolves the vulnerability according to the remediation details.

+ 1. Push the updated image and delete the old image. It might take up to 24 hours for the previous image to be removed from the results, and for the new image to be included in the results.

+ 1. Use the new image across all vulnerable workloads.

+1. Check the recommendations page for the recommendation [Running container images should have vulnerability findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c).

+1. If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

+## Next steps

+- Learn how to [view and remediate vulnerabilities for registry images](view-and-remediate-vulnerability-assessment-findings.md).

+- Learn more about the Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads)

+ Title: How-to view and remediate vulnerability assessment findings for registry images (Secure Score).

+description: Learn how to view and remediate vulnerability assessment findings for registry images (Secure Score).

+# View and remediate vulnerabilities for registry images (Secure Score)

+> [!NOTE]

+> This page describes the classic secure score approach to vulnerability management in Defender for Cloud. Customers using Defender CSPM should use the new risk-based approach: [View and remediate vulnerabilities for images running on your Kubernetes clusters (Risk based)](view-and-remediate-vulnerabilities-for-images.md).

+Defender for Cloud gives its customers the ability to remediate vulnerabilities in container images while still stored in the registry by using the [Container registry images should have vulnerability findings resolved (powered by MDVM)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) recommendation.

+Within the recommendation, resources are grouped into tabs:

+- **Healthy resources** ΓÇô relevant resources, which either aren't impacted or on which you've already remediated the issue.

+- **Unhealthy resources** ΓÇô resources that are still impacted by the identified issue.

+- **Not applicable resources** ΓÇô resources for which the recommendation can't give a definitive answer. The not applicable tab also includes reasons for each resource.

+## View vulnerabilities on a specific container registry

+1. Open the **Recommendations** page. If you are on the new risk-based page, select **Switch to classic view** in the menu item on the top of the page. Use the **>** arrow to open the sublevels. If issues were found, you'll see the recommendation [Container registry images should have vulnerability findings resolved (powered by MDVM)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5). Select the recommendation.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/open-recommendations-page.png" alt-text="Screenshot showing the line for recommendation container registry images should have vulnerability findings resolved." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/open-recommendations-page.png":::

+1. The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("affected resources") and the remediation steps. Select the affected registry.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-registry.png" alt-text="Screenshot showing the recommendation details and affected registries." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-registry.png":::

+1. This opens the registry details with a list of repositories in it that have vulnerable images. Select the affected repository to see the images in it that are vulnerable.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-repo.png" alt-text="Screenshot showing where to select the specific repository." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-repo.png":::

+1. The repository details page opens. It lists all vulnerable images on that repository with distribution of the severity of vulnerabilities per image. Select the unhealthy image to see the vulnerabilities.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-unhealthy-image.png" alt-text="Screenshot showing where to select the unhealthy image." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-unhealthy-image.png":::

+1. The list of vulnerabilities for the selected image opens. To learn more about a finding, select the finding.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-image-finding.png" alt-text="Screenshot showing the list of findings on the specific image." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-image-finding.png":::

+1. The vulnerabilities details pane opens. This pane includes a detailed description of the issue and links to external resources to help mitigate the threats, affected resources, and information on the software version that contributes to resolving the vulnerability.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/image-details.png" alt-text="Screenshot showing the details of the finding on the specific image." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/image-details.png":::

+## View images affected by a specific vulnerability

+1. Open the **Recommendations** page. If issues were found, you'll see the recommendation [Container registry images should have vulnerability findings resolved (powered by MDVM)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5). Select the recommendation.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/open-recommendations-page.png" alt-text="Screenshot showing the line for recommendation container registry images should have vulnerability findings resolved." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/open-recommendations-page.png":::

+1. The recommendation details page opens with additional information. This information includes the list of vulnerabilities impacting the images. Select the specific vulnerability.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-specific-vulnerability.png" alt-text="Screenshot showing the list of vulnerabilities impacting the images." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/select-specific-vulnerability.png":::

+1. The vulnerability finding details pane opens. This pane includes a detailed description of the vulnerability, images affected by that vulnerability, and links to external resources to help mitigate the threats, affected resources, and information on the software version that contributes to [resolving the vulnerability](#remediate-vulnerabilities).

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings-secure-score/specific-vulnerability-details.png" alt-text="Screenshot showing the list of images impacted by the vulnerability." lightbox="media/view-and-remediate-vulnerability-assessment-findings-secure-score/specific-vulnerability-details.png":::

+## Remediate vulnerabilities

+Use these steps to remediate each of the affected images found either in a specific cluster or for a specific vulnerability:

+1. Follow the steps in the remediation section of the recommendation pane.

+1. When you've completed the steps required to remediate the security issue, replace each affected image in your registry or replace each affected image for a specific vulnerability:

+ 1. Build a new image (including updates for each of the packages) that resolves the vulnerability according to the remediation details.

+ 1. Push the updated image to trigger a scan and delete the old image. It might take up to 24 hours for the previous image to be removed from the results, and for the new image to be included in the results.

+1. Check the recommendations page for the recommendation [Container registry images should have vulnerability findings resolved (powered by MDVM)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5).

+If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

+## Next steps

+- Learn how to [view and remediate vulnerabilities for images running on Kubernetes clusters](view-and-remediate-vulnerabilities-for-images.md).

+- Learn more about the Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+ Title: How-to view and remediate vulnerability assessment findings for registry images

+description: Learn how to view and remediate vulnerability assessment findings for registry images.

+# View and remediate vulnerabilities for registry images (Risk based)

+> [!NOTE]

+> This page describes the new risk-based approach to vulnerability management in Defender for Cloud. Defender for CSPM customers should use this method. To use the classic secure score approach, see [View and remediate vulnerabilities for registry images (Secure Score)](view-and-remediate-vulnerability-assessment-findings-secure-score.md).

+Defender for Cloud offers customers the capability to remediate vulnerabilities in container images while they're still stored in the registry. Additionally, it conducts contextual analysis of the vulnerabilities in your environment, aiding in prioritizing remediation efforts based on the risk level associated with each vulnerability.

+In this article, we review the [Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) recommendation. For the other clouds, see the parallel recommendations in [Vulnerability assessments for AWS with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md) and [Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-gcp.md).

+## View vulnerabilities on a specific container image

+1. In Defender for Cloud, open the **Recommendations** page. If you're not on the new risk-based page, select **Recommendations by risk** on the top menu. If issues were found, you'll see the recommendation [Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9). Select the recommendation.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings/open-recommendations-page.png" alt-text="Screenshot showing the line for recommendation container registry images should have vulnerability findings resolved." lightbox="media/view-and-remediate-vulnerability-assessment-findings/open-recommendations-page.png":::

+1. The recommendation details page opens with additional information. This information includes details about your registry image and the remediation steps.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings/select-registry.png" alt-text="Screenshot showing the recommendation details and affected registries." lightbox="media/view-and-remediate-vulnerability-assessment-findings/select-registry.png":::

+1. Select the **Findings** tab to see the list of vulnerabilities impacting the registry image.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings/select-unhealthy-image.png" alt-text="Screenshot showing the list of vulnerabilities impacting the registry image." lightbox="media/view-and-remediate-vulnerability-assessment-findings/select-unhealthy-image.png":::

+1. Select each vulnerability for a detailed description of the vulnerability, additional images affected by that vulnerability, information on the software version that contributes to resolving the vulnerability, and links to external resources to help with patching the vulnerability.

+ :::image type="content" source="media/view-and-remediate-vulnerability-assessment-findings/select-image-finding.png" alt-text="Screenshot showing the list of findings on the specific image." lightbox="media/view-and-remediate-vulnerability-assessment-findings/select-image-finding.png":::

+To find all images impacted by a specific vulnerability, group recommendations by title. For more information, see [Group recommendations by title](review-security-recommendations.md#group-recommendations-by-title).

+For information on how to remediate the vulnerabilities, see [Remediate recommendations](implement-security-recommendations.md).

+## Next step

+- Learn how to [view and remediate vulnerabilities for images running on Kubernetes clusters](view-and-remediate-vulnerabilities-for-images.md).

+ Title: Frequently Asked Questions

+description: List of Frequently Asked Questions for Azure for Education

+# Azure for Education Frequently Asked Questions

+Discover all you need to know about Azure for Education in our FAQ section. Find answers to common queries on eligibility, benefits, and usage to optimize your experience.

+## Azure for Students

+### What happens after I use my $100 credit or I'm at the end of 12 months?

+If you exhaust your available credit before 12 months and you want to continue to use Azure, you can upgrade to a [pay-as-you-go subscription](../cost-management-billing/manage/upgrade-azure-subscription.md) in the Azure portal. If you do not upgrade, your Azure subscription becomes disabled. If youΓÇÖre at the end of 12 months, you can renew your subscription by signing up again for the offer. To get detailed terms of use for Azure for Students, please visit the [offer terms](https://azure.microsoft.com/offers/ms-azr-0170p/).

+### Who is eligible for Azure for Students?

+Azure for Students is available only to students who meet the following requirements:

+- You must affirm that you attend an accredited, degree-granting, two-year, or four-year educational institution where youΓÇÖre a full-time student.

+- You must verify your academic status through your organization's email address.

+- See the [Azure for Students Offer](https://azure.microsoft.com/offers/ms-azr-0170p/) for detailed terms of use.

+This offer isn't available for use in a massive open online course (MOOC) or in other professional trainings from for-profit organizations.

+This offer is limited to one Azure for Student subscription per eligible customer. It's nontransferable and can't be combined with any other offer, unless otherwise permitted by Microsoft.

+### What products are included in Azure for Students?

+Agents for Visual Studio

+Azure DevOps Server

+Datazen Enterprise Server

+Remote Tools for Visual Studio

+Machine Learning Server

+Microsoft R Client

+Microsoft R Server

+Microsoft Hyper-V

+Skype for Business Server

+SQL Server Developer

+SQL Server Standard

+System Center

+Visio Professional

+Visual Studio Code

+Visual Studio Community

+Visual Studio for Mac

+Windows Server

+### Can I deploy Windows 10 and Windows 11 VMs with my Azure for Students subscription?

+Yes, as a benefit of your Azure for Students subscription, you may use Windows 10 and 11 virtual machines without the need for a Windows 11 Enterprise license.

+### Can I get Azure for Students again next year?

+Yes! You can renew your Azure for Students subscription after one year. We send you emails reminding you to renew just before your anniversary. To renew, simply re-signup for the offer from the Azure for Students [website](https://aka.ms/azure4students)

+### Why did I receive an invoice from Microsoft?

+You may receive an invoice from Microsoft detailing the usage you incurred in the previous month while on Azure for Students. DonΓÇÖt worry, you don't have to pay for that usage ΓÇô itΓÇÖs all covered by the credit provided by Azure for Students. To learn more about invoices and how they work, check out the [article](../cost-management-billing/understand/mca-overview.md) on Microsoft technical documentation.

+### What are subscriptions, and how do they relate to Azure for Students?

+Subscriptions provide access to Azure services. Azure for Students gives you $100 credit for 12 months and includes access to more than 25 free services, including compute, network, storage, and databases. Any charges incurred during this period are deducted from the credit. To continue using Azure services after you've exhausted your $100 credit, you must either renew (if you're 12 months in) or upgrade to a pay-as-you-go subscription.

+### What happens with my Azure services if I don't upgrade?

+If you decide not to upgrade at the end of 12 months or after you've exhausted your $100 credit, whichever occurs first, any products you've deployed are decommissioned and you won't be able to access them. You have 90 days from the end of your free subscription to upgrade to a pay-as-you-go subscription.

+### How do I know how much of the $100 credit I have left?

+You can see your remaining credit on the [Azure Sponsorships portal](https://www.microsoftazuresponsorships.com/).

+### How do I download the software developer tools?

+Your Azure for Students subscription provides you with access to certain software developer tools. You must have a current, active Azure for Students subscription to access and download the software developer tools. Go to the [Education Hub](https://portal.azure.com/#blade/Microsoft_Azure_Education/EducationMenuBlade/software) to download the software developer tools by using your Azure for Students subscription.

+### What is Microsoft Learn training?

+[Microsoft Learn training](/training/) is a free online learning platform that allows you to learn Azure technologies at your own pace. Learning paths combine modules that allow you to start with the basics, then move to advanced methods that address real-world challenges.

+### Can Azure for Students be used for production or only for development?

+Azure for Students provides access to all Azure products that are expressly intended to support education or teaching, non-commercial research, or efforts to design, develop, test, and demonstrate software applications for these purposes.

+### Can I apply any of my $100 credit toward Azure Marketplace offers?

+No. You can't apply your credit to Azure Marketplace offers. However, many Azure Marketplace partners offer free trials or free tier plans for their solutions.

+## Azure for Students Starter

+### What is Azure for Students Starter?

+Azure for Students Starter gets you started with the Azure products you need to develop in the cloud. There's no cost to you. This benefit provides you access to a free tier of the following

+- Azure App Service

+- Azure Functions

+- Azure Notification Hubs

+- Azure Database for MySQL

+- Application Insights

+- Azure DevOps Services (formerly Visual Studio Team Services)

+Azure for Students Starter is available to verified students at no cost and without commitment or time limit. See the [Azure for Students Starter Offer](https://azure.microsoft.com/offers/ms-azr-0144p/) for detailed terms of use.

+### Who is eligible for Azure for Students Starter?

+Azure for Students Starter is available only to students who meet the following requirements:

+- You must affirm that you're age 13 or older if you reside in the United States.

+- You must affirm that you're age 16 or older if you reside in a country/region other than the United States.

+- You must verify your academic status through your organization's email address. You can also use Shibboleth if it's supported by your organization.

+This offer isn't available for use in a massive open online course (MOOC) or in other professional trainings from for-profit organizations.

+This offer is limited to one Azure for Students Starter subscription per eligible customer. It's non-transferable and can't be combined with any other offer, unless otherwise permitted by Microsoft.

+### Will I have to pay something at any point in time?

+A credit card isn't required for the Azure for Students Starter offer. The offer gives you access to a limited set of Azure services. But, at any point in time, you may upgrade to a pay-as-you-go subscription to get access to all Azure services.

+### How do I download the software developer tools?

+Your Azure for Students subscription provides you with access to certain software developer tools that are available to download for free.

+You must have a current, active Azure for Students subscription in order to access the software developer tools.

+You can download this software in the [Education Hub](https://portal.azure.com/#blade/Microsoft_Azure_Education/EducationMenuBlade/software).

+### What is Microsoft Learn training?

+[Microsoft Learn training](/training/) is a free online learning platform that helps you learn Azure technologies at your own pace. Learning paths combine modules to allow you to start with the basics, and then move to advanced methods that address real-world challenges.

+## Azure Academic Grant

+### How do I start using my Azure course credits?

+You can access your Azure course credits by creating a new Microsoft Azure Academic Grant subscription. Select the **Activate** button in the sponsorship approval email.

+You can also convert an existing subscription to the Microsoft Azure Sponsorship Offer to access your credits. Details on how to convert your subscription are in the next question.

+### Can I associate my course credits with an existing subscription?

+You can associate your course credits with an existing subscription on the account that is entitled to the offer. Contact [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) to associate your course credits.

+### Why do I see a $0 balance in the Azure portal?

+When you go to your subscription details in the Azure portal, you'll see $0.00. The offer places a 100% discount off of all services. Therefore, the portal shows you what you will be charged for during your monthly usage period, which should be $0.00.

+To view your balance and sponsorship information, go to [Azure Sponsorships](https://www.microsoftazuresponsorships.com/balance) and sign in to your account.

+### Can I apply my course credits to an existing Enterprise Agreement (EA)?

+You can't associate your course credits offer to any subscription that's on an account under an Enterprise Agreement (EA).

+To apply course credits, you must create a new account that's outside of the EA, which we can then entitle.

+Once the Sponsorship period ends, you can associate that subscription back into the EA.

+> [!WARNING]

+> If you associate the account to your EA prior to the end of the sponsorship, all sponsorship funds will be terminated. Refer to the terms and conditions of the [Azure Sponsorship Offer](https://azure.microsoft.com/offers/ms-azr-0143p/) for more information.

+### Can I apply my course credits to my CSP subscription?

+No, you cannot associate your course credits offer with any Cloud Solution Provider (CSP) subscription.

+### Can I move my course credits to another account?

+Yes, you can move a course credits entitlement to another account. To do so, contact [Azure Support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).

+### Are Azure Marketplace applications covered by course credits?

+No, third party applications aren't covered by course credits. They'll be charged to the credit card on the account. For more information:

+- View marketplace services at the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/).

+- Refer to the [Azure Sponsorship offer](https://azure.microsoft.com/offers/ms-azr-0143p/) terms and conditions.

+### I have a previous balance due, can I pay it off with my course credits?

+Azure course credits only cover usage from the time you activate the Azure Sponsorship offer. You're responsible for all charges prior to your offer start date.

+### How do I know if my subscription is on the Azure course credit offer?

+If you look at a specific subscription in the Subscriptions blade in your Azure portal, you will see **Offer Name** as one of the properties. The Offer Name will say **Azure Sponsorship** if it is connected to your course credits. If **Azure Sponsorship** doesn't display, then contact support to get it converted.

+## Azure Dev Tools for Teaching

+### Who is eligible to purchase Microsoft Azure Dev Tools for Teaching?

+Only academic institutions that have purchased a Volume Licensing (VL) agreement with Microsoft are able to enroll into Azure Dev Tools for Teaching. If you're currently a Dev Tools for Teaching customer without a VL agreement, you can continue to renew your subscription. For more information on VL agreements for academic institutions, please visit https://aka.ms/ees

+### What products are included in the Azure Dev Tools for Teaching subscription?

+ :::column span="":::

+ Access<br>

+ Agents for Visual Studio<br>

+ Azure DevOps Server<br>

+ Datazen Enterprise Server<br>

+ Machine Learning Server <br>

+ Microsoft R Client<br>

+ Microsoft R Server<br>

+ Microsoft Hyper-V<br>

+ Project Professional<br>

+ Remote Tools for Visual Studio<br>

+ SharePoint Server<br>

+ Skype for Business Server<br>

+ :::column-end:::

+ :::column span="":::

+ SQL Server Developer<br>

+ SQL Server Standard<br>

+ System Center<br>

+ Visio Professional<br>

+ Visual Studio Code<br>

+ Visual Studio Community<br>

+ Visual Studio Enterprise<br>

+ Visual Studio for Mac<br>

+ Windows 10<br>

+ Windows 11 Education<br>

+ Windows Server<br>

+ :::column-end:::

+### How do I download software?

+Your Microsoft Azure Dev Tools for Teaching subscription provides you with access to certain software developer tools. These tools are available to download for free.

+You can download this software in the [Education Hub Software section](https://portal.azure.com/#blade/Microsoft_Azure_Education/EducationMenuBlade/software).

+### How do we distribute software to our students?

+As an Azure Dev Tools for Teaching subscriber, your school or institution gets access to our Education Hub Store. Your students access their cloud services in the [Education Hub Store](https://azureforeducation.microsoft.com/devtools), which is in the [Azure portal](https://portal.azure.com/).

+Students sign in to the Azure portal with their school (or Azure Dev Tools for Teaching) credentials. Then, students open the Education Hub Store and access the available software downloads.

+### Is Azure Dev Tools for Teaching available internationally?

+Yes, it is available in the more than 140 countries/regions where Azure is commercially available.

+### Which languages are available in the software to end-users?

+The Education Hub Store is available in the following languages: Arabic, Chinese Simplified, Chinese Traditional, Danish, Dutch, English, French, German, Hebrew, Italian, Japanese, Korean, Portuguese, Russian, Spanish, Swedish, and Turkish.

+### If our students download software through the Azure Dev Tools for Teaching program, do they get unlimited use of the software?

+Yes. Students receive unlimited software usage to further their learning and research efforts.

+### If our students create viable apps and products using Azure Dev Tools for Teaching software, can they sell them commercially?

+In general, no. Students cannot sell apps and products made by using Azure Dev Tools for Teaching. However, thanks to a partnership between Azure Dev Tools for Teaching and Microsoft App Store teams, students can create games and applications to sell in the Windows Store.

+### Do I have unlimited use of the software through the Azure Dev Tools for Teaching program?

+Yes. If a faculty member is enrolled in an approved course, they are eligible to install Azure Dev Tools for Teaching software onto their personal computer for non-commercial use.

+### How do I access my Visual Studio Enterprise benefit?

+As an administrator of the Azure Dev Tools for Teaching subscription, you can access your Visual Studio Enterprise subscription by requesting access through the [Azure Dev Tools for Teaching Management portal](https://azureforeducation.microsoft.com/account/Subscriptions). Once approved you'll be able to sign in to the [Visual Studio portal](https://my.visualstudio.com/) and redeem more benefits.

+### Does Microsoft Azure Dev Tools for Teaching include Microsoft Office?

+No. The focus of Microsoft Azure Dev Tools for Teaching is to provide departments, faculty and students with the tools necessary to specifically expand their study of software development and testing. Therefore, we provide technologies such as Windows Server, Visual Studio .NET, SQL Server and Platform SDK.

+### Does Azure Dev Tools for Teaching include Azure Credit?

+No, your Microsoft Azure Dev Tools for Teaching subscription doesn't include Azure credit. But you can sign up for Azure for Students, which gives you $100USD worth of Azure credit to use to pay for Azure services. Go to [Start building the future with Azure for Students!](https://aka.ms/student) for more information.

+### Do students need an Office 365 or Active Directory account to access Azure Dev Tools for Teaching?

+No. Students don't need an Office 365 account. If students have access to your Active Directory account, they use the same credentials to sign in to the software. If students don't use Active Directory, they must create a [Microsoft Account](https://account.microsoft.com/account) (if they don't already have one) using the same email address that you provide them.

+### Why aren't my sign in credentials recognized when I sign in to Azure Dev Tools for Teaching?

+Make sure that you're trying to sign in to Azure Dev Tools for Teaching with your school credentials. It might help to open a private browsing window session. If you're still unable to sign in, contact your subscription admin. To find your subscription admin, [contact us](https://aka.ms/adt4tsupport).

+### How do I find my Subscriber ID?

+- **When you first enroll in the program**: Your Subscriber ID number is in the subscription welcome email that you receive.

+- **If you renewed your subscription**: Your Subscriber ID is in the renewal email that the subscription administrator received.

+Your Subscriber ID is also in the Visual Studio Subscription portal. After you sign in, look under **My Subscription** on the **My Account** page.

+If you need help locating your Subscriber ID, [contact us](https://azureforeducation.microsoft.com/institutions/Contact).

+### Are we automatically enrolled in Azure Dev Tools for Teaching if we receive it as part of our academic volume licensing agreement?

+No, Microsoft doesn't automatically enroll you if you have an academic volume licensing agreement. The academic volume license agreement includes:

+- Enrollment for Education Solutions (EES)

+- Open Value Subscription Agreement for Education Solutions (OVS-ES)

+- Campus Agreement

+- School Agreement

+You must enroll in Azure Dev Tools for Teaching by using the appropriate promotional codes from the subscription welcome email that you receive for your academic volume license.

+You must also renew your subscription when it expires. It doesn't renew automatically.

+If you're unable to locate your promotional code, [contact us](https://azureforeducation.microsoft.com/institutions/Contact).

+### How and when do we renew our Azure Dev Tools for Teaching subscription?

+Sixty days before your membership expires, you'll start receiving email reminders to renew your subscription.

+If you don't receive these reminder emails and are concerned that your subscription is about to expire, [contact us](https://aka.ms/adt4tsupport).

+To check the expiration date of your subscription, go to the [Azure Dev Tools for Teaching Management portal](https://azureforeducation.microsoft.com/account/Subscriptions), and look under **Subscriptions**.

+### What if I need more help?

+[Contact us](https://azureforeducation.microsoft.com/institutions/Contact) by going to our Subscriptions Support page and locating your region.

+### Where is the Azure Dev Tools for Teaching privacy and cookies policy?

+The [Microsoft Privacy Statement](https://privacy.microsoft.com/PrivacyStatement) describes the personal data that Microsoft collects, how it processes that data, and why it shares that data.

+This privacy statement covers a range of Microsoft products including its apps, devices, servers, services, software, and websites. It also provides product-specific information and details its policy for using cookies.

+| Amsterdam Metro | Amsterdam<br>Amsterdam2 | Equinix AM5<br>Digital Realty AMS8 | 1 | West Europe | &check; | Megaport<br>Equinix¹<br>Colt¹<br>Console Connect¹<br>Digital Reality¹ |

+| Zurich Metro | Zurich<br>Zurich2 | Digital Realty ZUR2<br>Equinix ZH5 | 1 | Switzerland North | &check; | Colt¹<br>Digital Realty¹ |

+ Title: Choose the right Azure Firewall version to meet your needs

+description: Learn about the different Azure Firewall versions and how to choose the right one for your needs.

+# Choose the right Azure Firewall version to meet your needs

+Azure Firewall now supports three different versions to cater to a wide range of customer use cases and preferences.

+Take a closer look at the features across the three Azure Firewall versions:

+Customers who are new to Azure Policy often look to find common policy definitions to manage and govern their resources. Azure Policy's **Recommended policies** provides a focused list of common policy definitions to start with. The **Recommended policies** experience for supported resources is embedded within the portal experience for that resource.

+For more Azure Policy built-ins, go to [Azure Policy built-in definitions](../samples/built-in-policies.md).

+The **Recommended policies** for [Azure Virtual Machines](../../../virtual-machines/index.yml) are on the **Overview** page for virtual machines and under the **Capabilities** tab. Select the **Azure Policy** card to open a side pane with the recommended policies. Select the recommended policies to apply to this virtual machine and select **Assign policies** to create an assignment for each policy. **Assign policies** is unavailable, or greyed out, for any policy already assigned to a scope where the virtual machine is a member.

+As an organization reaches maturity with [organizing their resources and resource hierarchy](/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions), the recommendation is to transition these policy assignments from one per resource to the subscription or [management group](../../management-groups/index.yml) level.

+|Name<br />_{(Azure portal)} |Description |Effect |Version<br />_(GitHub) |

+|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |

+|[Azure Backup should be enabled for Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F013e242c-8828-4970-87b3-ab247555486d) |Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json) |

+description: Use Apache Flink DataStream API on HDInsight on AKS with Azure Service Bus.

+- [Flink Cluster 1.17.0 on HDInsight on AKS](./flink-create-cluster-portal.md)

+ <flink.version>1.17.0</flink.version>

+In the below snippet, we use Kafka 2.4.1. Based on your usage, update the version of Kafka on `<kafka.version>`.

+ <kafka.version>3.2.0</kafka.version> //

+ ```

+ package contoso.example;

+

+

+ import org.apache.flink.api.java.utils.ParameterTool;

+ import org.apache.flink.connector.kafka.sink.KafkaRecordSerializationSchema;

+ import org.apache.flink.connector.kafka.sink.KafkaSink;

+

+

+

+ public class AzureEventHubDemo {

+

+ public static void main(String[] args) throws Exception {

+ // 1. get stream execution environment

+ StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment().setParallelism(1);

+ ParameterTool parameters = ParameterTool.fromArgs(args);

+ String input = parameters.get("input");

+ Properties properties = new Properties();

+ properties.load(new FileReader(input));

+

+ // 2. generate stream input

+ DataStream<String> stream = createStream(env);

+

+ // 3. sink to eventhub

+ KafkaSink<String> sink = KafkaSink.<String>builder().setKafkaProducerConfig(properties)

+ .setRecordSerializer(KafkaRecordSerializationSchema.builder()

+ .setTopic("topic1")

+ .setValueSerializationSchema(new SimpleStringSchema())

+ .build())

+ .build();

+

+ stream.sinkTo(sink);

+

+ // 4. execute the stream

+ env.execute("Produce message to Azure event hub");

+ }

+

+ public static DataStream<String> createStream(StreamExecutionEnvironment env){

+ return env.generateSequence(0, 200)

+ .map(new MapFunction<Long, String>() {

+ @Override

+ public String map(Long in) {

+ return "FLINK PRODUCE " + in;

+ }

+ });

+ }

+ }

+ ```

+

+1. Once the code is executed, the events are stored in the topic **"topic1"**

+On Webssh, upload the jar and submit the jar

+On Flink Dashboard UI

+ <version>${flink.version}</version>

+| [Ubuntu Core ³](https://snapcraft.io/azure-iot-edge) | |  |  | [April 2027](https://ubuntu.com/about/release-cycle) |

+³ Ubuntu Core is fully supported but the automated testing of Snaps currently happens on Ubuntu 22.04 Server LTS.

+ --from-literal=accessToken='sv=2022-11-02&ss=b&srt=c&sp=rwdlax&se=2023-07-22T05:47:40Z&st=2023-07-21T21:47:40Z&spr=https&sig=xDkwJUO....' \

+ -n azure-iot-operations

+ clusterresourceplacement.placement.kubernetes-fleet.io/kuard-demo created

+description: Learn about potential security threats that exist when developing for Azure Machine Learning, mitigations, and best practices.

+# Best practices for secure code

+In Azure Machine Learning, you can upload files and content from any source into Azure. Content within Jupyter notebooks or scripts that you load can potentially read data from your sessions, access sensitive data within your organization in Azure, or run malicious processes on your behalf.

+Development with Azure Machine Learning often involves web-based development environments, such as notebooks or the Azure Machine Learning studio. When you use web-based development environments, the potential threats are:

+* [Cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/)

+ * __Access token or cookies__: XSS attacks can also access local storage and browser cookies. Your Microsoft Entra authentication token is stored in local storage. An XSS attack could use this token to make API calls on your behalf, and then send the data to an external system or API.

+* [Cross-site request forgery (CSRF)](https://owasp.org/www-community/attacks/csrf): This attack could replace the URL of an image or link with the URL of a malicious script or API. When the image is loaded, or link clicked, a call is made to the URL.

+Azure Machine Learning studio provides a hosted notebook experience in your browser. Cells in a notebook can output HTML documents or fragments that contain malicious code. When the output is rendered, the code can be executed.

+* Cross-site scripting (XSS)

+* Cross-site request forgery (CSRF)

+* __Image URL__ and __markdown links__ are sent to a Microsoft-owned endpoint, which checks for malicious values. If a malicious value is detected, the endpoint rejects the request.

+* Verify that you trust the contents of files before uploading to the studio. You must acknowledge that you're uploading trusted files.

+* When selecting a link to open an external application, you're prompted to trust the application.

+Azure Machine Learning compute instance hosts Jupyter and JupyterLab. When you use either, code inside notebook cells can output HTML documents or fragments that contain malicious code. When the output is rendered, the code can be executed. The same threats apply when you use RStudio or Posit Workbench (formerly RStudio Workbench) hosted on a compute instance.

+* Cross-site scripting (XSS)

+* Cross-site request forgery (CSRF)

+* None. Jupyter and JupyterLab are open-source applications hosted on the Azure Machine Learning compute instance.

+* Verify that you trust the contents of files before uploading. You must acknowledge that you're uploading trusted files.

+## Report security issues or concerns

+## Related content

+* [Enterprise security and governance for Azure Machine Learning](concept-enterprise-security.md)

+To benefit from this article, you need to:

+ - Complete the [Create resources to get started](quickstart-create-resources.md) tutorial to create a dedicated notebook server preloaded with the SDK and the sample repository.

+First, you need to connect to your Azure Machine Learning workspace. The [Azure Machine Learning workspace](concept-workspace.md) is the top-level resource for the service. It provides you with a centralized place to work with all the artifacts you create when you use Azure Machine Learning.

+The result of running this script is a workspace handle that you use to manage other resources and jobs.

+### Create a compute resource

+To run an Azure Machine Learning job, you need an environment. An Azure Machine Learning [environment](concept-environments.md) encapsulates the dependencies (such as software runtime and libraries) needed to run your machine learning training script on your compute resource. This environment is similar to a Python environment on your local machine.

+In this article, you reuse the curated Azure Machine Learning environment `AzureML-tensorflow-2.7-ubuntu20.04-py38-cuda11-gpu`. You use the latest version of this environment using the `@latest` directive.

+In this section, we begin by introducing the data for training. We then cover how to run a training job, using a training script that we've provided. You learn to build the training job by configuring the command for running the training script. Then, you submit the training job to run in Azure Machine Learning.

+During the pipeline run, you use MLFlow to log the parameters and metrics. To learn how to enable MLFlow tracking, see [Track ML experiments and models with MLflow](how-to-use-mlflow-cli-runs.md).

+Now that you have all the assets required to run your job, it's time to build it using the Azure Machine Learning Python SDK v2. For this example, we are creating a `command`.

+You use the general purpose `command` to run the training script and perform your desired tasks. Create a `Command` object to specify the configuration details of your training job.

+Then, you configure sweep on the command job, using some sweep-specific parameters, such as the primary metric to watch and the sampling algorithm to use.

+We also define an early termination policyΓÇöthe `BanditPolicy`. This policy operates by checking the job every two iterations. If the primary metric, `validation_acc`, falls outside the top 10 percent range, Azure Machine Learning terminates the job. This saves the model from continuing to explore hyperparameters that show no promise of helping to reach the target metric.

+After you register your model, you can deploy it as an [online endpoint](concept-endpoints.md)ΓÇöthat is, as a web service in the Azure cloud.

+To deploy a machine learning service, you typically need:

+As a first step to deploying your model, you need to create your online endpoint. The endpoint name must be unique in the entire Azure region. For this article, you create a unique name using a universally unique identifier (UUID).

+Once you create the endpoint, you can retrieve it as follows:

+In the following code, you create a single deployment that handles 100% of the incoming traffic. We use an arbitrary color name (*tff-blue*) for the deployment. You could also use any other name such as *tff-green* or *tff-red* for the deployment.

+After you deploy the model to the endpoint, you can predict the output of the deployed model, using the `invoke` method on the endpoint. To run the inference, use the sample request file `sample-request.json` from the *request* folder.

+|`command_step`| [`command` job](reference-yaml-job-command.md) | [`command` component](reference-yaml-component-command.md)|

+|`data_transfer_step`| None | None |

+|`databricks_step`| None | None |

+|`estimator_step`| [`command` job](reference-yaml-job-command.md) | [`command` component](reference-yaml-component-command.md)|

+|`hyper_drive_step`|[`sweep` job](reference-yaml-job-sweep.md)| None |

+|`module_step`|None| [`command` component](reference-yaml-component-command.md)|

+|`mpi_step`| [`command` job](reference-yaml-job-command.md) | [`command` component](reference-yaml-component-command.md)|

+|`python_script_step`| [`command` job](reference-yaml-job-command.md) | [`command` component](reference-yaml-component-command.md)|

+|`r_script_step`| [`command` job](reference-yaml-job-command.md) | [`command` component](reference-yaml-component-command.md)|

+|`synapse_spark_step`| [`spark` job](reference-yaml-job-spark.md) | [`spark` component](reference-yaml-component-spark.md) |

+To generate models for computer vision tasks with AutoML, you need to bring labeled image data as input for model training in the form of an [Azure Machine Learning TabularDataset](/python/api/azureml-core/azureml.data.tabulardataset).

+If your data doesn't follow any of the previously mentioned formats, you can use your own script to generate JSON Lines files. To generate JSON Lines files, use schemas defined in [Schema for JSONL files for AutoML image experiments](../reference-automl-images-schema.md).

+After your data files are converted to the accepted JSONL format, you can upload them to your storage account on Azure.

+Upload the entire parent directory consisting of images and JSONL files to the default datastore that is automatically created upon workspace creation. This datastore connects to the default Azure blob storage container that was created as part of workspace creation.

+Once the data upload is done, you can create an [Azure Machine Learning TabularDataset.](/python/api/azureml-core/azureml.data.tabulardataset) Then, register the dataset to your workspace for future use as input to your automated ML experiments for computer vision models.

+In this tutorial, you train a machine learning model on remote compute resources. You use the training and deployment workflow for Azure Machine Learning in a Python Jupyter Notebook. You can then use the notebook as a template to train your own machine learning model with your own data.

+Azure Machine Learning includes a cloud notebook server in your workspace for an install-free and preconfigured experience. Use [your own environment](how-to-configure-environment.md) if you prefer to have control over your environment, packages, and dependencies.

+Once the compute instance is running and the kernel appears, add a new code cell to install packages needed for this tutorial.

+You may see a few install warnings. These can safely be ignored.

+> The rest of this article contains the same content as you see in the notebook.

+<!-- nbstart https://raw.githubusercontent.com/Azure/MachineLearningNotebooks/master/tutorials/compute-instance-quickstarts/quickstart-azureml-in-10mins/quickstart-azureml-in-10mins.ipynb -->

+You use Azure Open Datasets to get the raw MNIST data files. Azure Open Datasets are curated public datasets that you can use to add scenario-specific features to machine learning solutions for better models. Each dataset has a corresponding class, `MNIST` in this case, to retrieve the data in different ways.

+Note this step requires a `load_data` function, included in an `utils.py` file. This file is placed in the same folder as this notebook. The `load_data` function simply parses the compressed files into numpy arrays.

+The code displays a random set of images with their labels, similar to this:

+Train the model using the following code. This code uses MLflow autologging to track metrics and log model artifacts.

+> The model training takes approximately 2 minutes to complete.

+In the left-hand menu in Azure Machine Learning studio, select __Jobs__ and then select your job (__azure-ml-in10-mins-tutorial__). A job is a grouping of many runs from a specified script or piece of code. Multiple jobs can be grouped together as an experiment.

+Information for the run is stored under that job. If the name doesn't exist when you submit a job, if you select your run you'll see various tabs containing metrics, logs, explanations, etc.

+You can use model registration to store and version your models in your workspace. Registered models are identified by name and version. Each time you register a model with the same name as an existing one, the registry increments the version. The code below registers and versions the model you trained above. Once you execute the following code cell, you'll see the model in the registry by selecting __Models__ in the left-hand menu in Azure Machine Learning studio.

+In this section, learn how to deploy a model so that an application can consume (inference) the model over REST.

+The code cell gets a _curated environment_, which specifies all the dependencies required to host the model (for example, the packages like scikit-learn). Also, you create a _deployment configuration_, which specifies the amount of compute required to host the model. In this case, the compute has 1CPU and 1-GB memory.

+ name="AzureML-sklearn-1.0"

+> The deployment takes approximately 3 minutes to complete. But it might be longer to until it is available for use, perhaps as long as 15 minutes.**

+The scoring script file referenced in the preceding code can be found in the same folder as this notebook, and has two functions:

+Once the model is successfully deployed, you can view the endpoint by navigating to __Endpoints__ in the left-hand menu in Azure Machine Learning studio. You'll see the state of the endpoint (healthy/unhealthy), logs, and consume (how applications can consume the model).

+If you want to control cost further, stop the compute instance by selecting the "Stop compute" button next to the **Compute** dropdown. Then start the compute instance again the next time you need it.

+<!-- nbend -->

+## Related resources

+- [NSG flow logs](nsg-flow-logs-overview.md) and [Manage NSG flow logs](nsg-flow-logs-portal.md).

+- [VNet flow logs (preview)](vnet-flow-logs-overview.md) and [Manage VNet flow logs](vnet-flow-logs-portal.md).

+> [!IMPORTANT]

+> The VNet flow logs feature is currently in preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+ Title: Manage VNet flow logs - Azure portal

+description: Learn how to create, change, enable, disable, or delete Azure Network Watcher VNet flow logs using the Azure portal.

+#CustomerIntent: As an Azure administrator, I want to log my virtual network IP traffic using Network Watcher VNet flow logs so that I can analyze it later.

+# Create, change, enable, disable, or delete VNet flow logs using the Azure portal

+Virtual network flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an Azure virtual network. For more information about virtual network flow logging, see [VNet flow logs overview](vnet-flow-logs-overview.md).

+In this article, you learn how to create, change, enable, disable, or delete a VNet flow log using the Azure portal. You can also learn how to manage a VNet flow log using [Azure PowerShell](vnet-flow-logs-powershell.md) or [Azure CLI](vnet-flow-logs-cli.md).

+> [!IMPORTANT]

+> The VNet flow logs feature is currently in preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Insights provider. For more information, see [Register Insights provider](#register-insights-provider).

+- A virtual network. If you need to create a virtual network, see [Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md?toc=/azure/network-watcher/toc.json).

+- An Azure storage account. If you need to create a storage account, see [Create a storage account using the Azure portal](../storage/common/storage-account-create.md?tabs=azure-portal&toc=/azure/network-watcher/toc.json).

+## Register Insights provider

+*Microsoft.Insights* provider must be registered to successfully log traffic flowing through a virtual network. If you aren't sure if the *Microsoft.Insights* provider is registered, check its status in the Azure portal by following these steps:

+1. In the search box at the top of the portal, enter *subscriptions*. Select **Subscriptions** from the search results.

+ :::image type="content" source="./media/vnet-flow-logs-portal/subscriptions.png" alt-text="Screenshot that shows how to search for Subscriptions in the Azure portal." lightbox="./media/vnet-flow-logs-portal/subscriptions.png":::

+1. Select the Azure subscription that you want to enable the provider for in **Subscriptions**.

+1. Under **Settings**, select **Resource providers**.

+1. Enter *insight* in the filter box.

+1. Confirm the status of the provider displayed is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Insights** provider then select **Register**.

+ :::image type="content" source="./media/vnet-flow-logs-portal/register-microsoft-insights.png" alt-text="Screenshot that shows how to register Microsoft Insights provider in the Azure portal.":::

+## Create a flow log

+Create a flow log for your virtual network, subnet, or network interface. This flow log is saved in an Azure storage account.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button.

+ :::image type="content" source="./media/vnet-flow-logs-portal/flow-logs.png" alt-text="Screenshot of Network Watcher flow logs in the Azure portal." lightbox="./media/vnet-flow-logs-portal/flow-logs.png":::

+1. On the **Basics** tab of **Create a flow log**, enter or select the following values:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select the Azure subscription of your virtual network that you want to log. |

+ | Flow log type | Select **Virtual Network** then select **+ Select target resource** (available options are: **Virtual network**, **Subnet**, and **Network interface**). <br> Select the resources that you want to flow log, then select **Confirm selection**. |

+ | Flow Log Name | Enter a name for the flow log or leave the default name. Azure portal uses ***{ResourceName}-{ResourceGroupName}-flowlog*** as a default name for the flow log. |

+ | **Instance details** | |

+ | Subscription | Select the Azure subscription of the storage account. |

+ | Storage Accounts | Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. |

+ | Retention (days) | Enter a retention time for the logs (this option is only available with [Standard general-purpose v2](../storage/common/storage-account-overview.md?toc=/azure/network-watcher/toc.json#types-of-storage-accounts) storage accounts). Enter *0* if you want to retain the flow logs data in the storage account forever (until you manually delete it from the storage account). For information about pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). |

+ :::image type="content" source="./media/vnet-flow-logs-portal/create-vnet-flow-log-basics.png" alt-text="Screenshot that shows the Basics tab of creating a VNet flow log in the Azure portal." lightbox="./media/vnet-flow-logs-portal/create-vnet-flow-log-basics.png":::

+ > [!NOTE]

+ > If the storage account is in a different subscription, the resource that you're logging (virtual network, subnet, or network interface) and the storage account must be associated with the same Microsoft Entra tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md).

+1. To enable traffic analytics, select **Next: Analytics** button, or select the **Analytics** tab. Enter or select the following values:

+ | Setting | Value |

+ | - | -- |

+ | Enable traffic analytics | Select the checkbox to enable traffic analytics for your flow log. |

+ | Traffic analytics processing interval | Select the processing interval that you prefer, available options are: **Every 1 hour** and **Every 10 mins**. The default processing interval is every one hour. For more information, see [Traffic analytics](traffic-analytics.md). |

+ | Subscription | Select the Azure subscription of your Log Analytics workspace. |

+ | Log Analytics Workspace | Select your Log Analytics workspace. By default, Azure portal creates ***DefaultWorkspace-{SubscriptionID}-{Region}*** Log Analytics workspace in ***defaultresourcegroup-{Region}*** resource group. |

+ :::image type="content" source="./media/vnet-flow-logs-portal/create-vnet-flow-log-analytics.png" alt-text="Screenshot that shows how to enable traffic analytics for a new flow log in the Azure portal.":::

+ > [!NOTE]

+ > To create and select a Log Analytics workspace other than the default one, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?toc=/azure/network-watcher/toc.json)

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+## Enable or disable traffic analytics

+Enable traffic analytics for a flow log to analyze the flow log data. Traffic analytics provides insights into the traffic patterns of your virtual network. You can enable or disable traffic analytics for a flow log at any time.

+To enable traffic analytics for a flow log, follow these steps:

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the flow log that you want to enable traffic analytics for.

+1. In **Flow logs settings**, check the **Enable traffic analytics** checkbox.

+ :::image type="content" source="./media/vnet-flow-logs-portal/enable-traffic-analytics.png" alt-text="Screenshot that shows how to enable traffic analytics for an existing flow log in the Azure portal." lightbox="./media/vnet-flow-logs-portal/enable-traffic-analytics.png":::

+1. Enter or select the following values:

+ | Setting | Value |

+ | - | -- |

+ | Traffic analytics processing interval | Select the processing interval that you prefer, available options are: **Every 1 hour** and **Every 10 mins**. The default processing interval is every one hour. For more information, see [Traffic analytics](traffic-analytics.md). |

+ | Subscription | Select the Azure subscription of your Log Analytics workspace. |

+ | Log Analytics Workspace | Select your Log Analytics workspace. By default, Azure portal creates ***DefaultWorkspace-{SubscriptionID}-{Region}*** Log Analytics workspace in ***defaultresourcegroup-{Region}*** resource group. |

+ :::image type="content" source="./media/vnet-flow-logs-portal/enable-traffic-analytics-settings.png" alt-text="Screenshot that shows configurations of traffic analytics for an existing flow log in the Azure portal." lightbox="./media/vnet-flow-logs-portal/enable-traffic-analytics-settings.png":::

+1. Select **Save** to apply the changes.

+To disable traffic analytics for a flow log, take the previous steps 1-3, then uncheck the **Enable traffic analytics** checkbox and select **Save**.

+## Change a flow log

+You can configure and change a flow log after you create it. For example, you can change the storage account or Log Analytics workspace.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the flow log that you want to change.

+1. In **Flow logs settings**, you can change any of the following settings:

+ - **Storage Account**: Change the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. You can also choose a storage account from a different subscription. If the storage account is in a different subscription, the resource that you're logging (virtual network, subnet, or network interface) and the storage account must be associated with the same Microsoft Entra tenant.

+ - **Retention (days)**: Change the retention time in the storage account (this option is only available with [Standard general-purpose v2](../storage/common/storage-account-overview.md#types-of-storage-accounts) storage accounts). Enter *0* if you want to retain the flow logs data in the storage account forever (until you manually delete the data from the storage account).

+ - **Traffic analytics**: Enable or disable traffic analytics for your flow log. For more information, see [Traffic analytics](traffic-analytics.md).

+ - **Traffic analytics processing interval**: Change the processing interval of traffic analytics (if traffic analytics is enabled). Available options are: one hour and 10 minutes. The default processing interval is every one hour. For more information, see [Traffic analytics](traffic-analytics.md).

+ - **Log Analytics Workspace**: Change the Log Analytics workspace that you want to save the flow logs to (if traffic analytics is enabled). For more information, see [Log Analytics workspace overview](../azure-monitor/logs/log-analytics-workspace-overview.md). You can also choose a Log Analytics Workspace from a different subscription.

+ :::image type="content" source="./media/vnet-flow-logs-portal/change-flow-log.png" alt-text="Screenshot that shows how to edit flow log's settings in the Azure portal where you can change some VNet flow log settings." lightbox="./media/vnet-flow-logs-portal/change-flow-log.png":::

+1. Select **Save** to apply the changes.

+## List all flow logs

+You can list all flow logs in a subscription or a group of subscriptions. You can also list all flow logs in a region.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. Select **Subscription equals** filter to choose one or more of your subscriptions. You can apply other filters like **Location equals** to list all the flow logs in a region.

+ :::image type="content" source="./media/vnet-flow-logs-portal/list-flow-logs.png" alt-text="Screenshot that shows how to list existing flow logs in the Azure portal." lightbox="./media/vnet-flow-logs-portal/list-flow-logs.png":::

+## View details of a flow log resource

+You can view the details of a flow log in a subscription or a group of subscriptions. You can also list all flow logs in a region.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the flow log that you want to see.

+1. In **Flow logs settings**, you can view the settings of the flow log resource.

+ :::image type="content" source="./media/vnet-flow-logs-portal/flow-log-settings.png" alt-text="Screenshot of Flow logs settings page in the Azure portal." lightbox="./media/vnet-flow-logs-portal/flow-log-settings.png":::

+1. Select **Discard** to close the settings page without making changes.

+## Download a flow log

+You can download the flow logs data from the storage account that you saved the flow log to.

+1. In the search box at the top of the portal, enter *storage accounts*. Select **Storage accounts** in the search results.

+1. Select the storage account you used to store the logs.

+1. Under **Data storage**, select **Containers**.

+1. Select the **insights-logs-flowlogflowevent** container.

+1. In **insights-logs-flowlogflowevent**, navigate the folder hierarchy until you get to the `PT1H.json` file that you want to download. VNet flow log files follow the following path:

+ ```

+ https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/{subscriptionID}_NETWORKWATCHERRG/NETWORKWATCHER_{Region}_{ResourceName}-{ResourceGroupName}-FLOWLOGS/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

+ ```

+1. Select the ellipsis **...** to the right of the `PT1H.json` file, then select **Download**.

+ :::image type="content" source="./media/vnet-flow-logs-portal/flow-log-file-download.png" alt-text="Screenshot shows how to download a VNet flow log data file from the storage account container in the Azure portal." lightbox="./media/vnet-flow-logs-portal/flow-log-file-download.png":::

+> [!NOTE]

+> As an alternative way to access and download flow logs from your storage account, you can use Azure Storage Explorer. For more information, see [Get started with Storage Explorer](../storage/storage-explorer/vs-azure-tools-storage-manage-with-storage-explorer.md).

+For information about the structure of a flow log, see [Log format of VNet flow logs](vnet-flow-logs-overview.md#log-format).

+## Disable a flow log

+You can temporarily disable a VNet flow log without deleting it. Disabling a flow log stops flow logging for the associated virtual network. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured virtual network.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the checkbox of the flow log that you want to disable.

+1. Select **Disable**.

+ :::image type="content" source="./media/vnet-flow-logs-portal/disable-flow-log.png" alt-text="Screenshot shows how to disable a flow log in the Azure portal." lightbox="./media/vnet-flow-logs-portal/disable-flow-log.png":::

+> [!NOTE]

+> If traffic analytics is enabled for a flow log, you must disable it before you can disable the flow log. To disable traffic analytics, see [Enable or disable traffic analytics](#enable-or-disable-traffic-analytics).

+## Enable a flow log

+You can enable a VNet flow log that you previously disabled to resume flow logging with the same settings you previously selected.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the checkbox of the flow log that you want to enable.

+1. Select **Enable**.

+ :::image type="content" source="./media/vnet-flow-logs-portal/enable-flow-log.png" alt-text="Screenshot shows how to enable a flow log in the Azure portal." lightbox="./media/vnet-flow-logs-portal/enable-flow-log.png":::

+## Delete a flow log

+You can permanently delete a VNet flow log. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same virtual network, you must create a new flow log for it.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the checkbox of the flow log that you want to delete.

+1. Select **Delete**.

+ :::image type="content" source="./media/vnet-flow-logs-portal/delete-flow-log.png" alt-text="Screenshot shows how to delete a flow log in the Azure portal." lightbox="./media/vnet-flow-logs-portal/delete-flow-log.png":::

+> [!NOTE]

+> Deleting a flow log doesn't delete the flow log data from the storage account. Flow logs data stored in the storage account follows the configured retention policy or stays stored in the storage account until manually deleted.

+## Related content

+- To learn about traffic analytics, see [Traffic analytics](traffic-analytics.md).

+- To learn how to use Azure built-in policies to audit or enable traffic analytics, see [Manage traffic analytics using Azure Policy](traffic-analytics-policy-portal.md).

+> [!IMPORTANT]

+> The VNet flow logs feature is currently in preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+ Title: Manage permissions to the consumption URL for Azure Operator Insights

+description: Learn how to add and remove user permissions to the consumption URL for Azure Operator Insights.

+Azure Database for PostgreSQL flexible server supports PostgreSQL versions 16, 15, 14, 13, 12, and 11. Postgres community releases a new major version containing new features about once a year. Additionally, major version receives periodic bug fixes in the form of minor releases. Minor version upgrades include changes that are backward-compatible with existing applications. Azure Database for PostgreSQL flexible server periodically updates the minor versions during customerΓÇÖs maintenance window. Major version upgrades are more complicated than minor version upgrades as they can include internal changes and new features that may not be backward-compatible with existing applications.

+- Servers configured with logical replication slots aren't supported.

+|**Database Size (preview)** |`database_size_bytes` |Bytes |Database size in bytes. |Yes |

+> For clients that use **verify-ca** and **verify-full** sslmode configuration settings, i.e. certificate pinning, they have to accept **both** root CA certificates:

+> * For connectivity to servers deployed to Azure government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona): [DigiCert Global Root G2](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) root CA certificates, as services are migrating from Digicert to Microsoft CA.

+> * For connectivity to servers deployed to Azure public cloud regions worldwide : [Digicert Global Root CA](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm), as services are migrating from Digicert to Microsoft CA.

+### Importing Root CA Certificates in Java Key Store on the client for certificate pinning scenarios

+2. Download following certificates:

+* For connectivity to servers deployed to Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona) download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root G2 certificates from following URIs:

+ Microsoft RSA Root Certificate Authority 2017 https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt,

+ DigiCert Global Root G2 https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem.

+* For connectivity to servers deployed in Azure public regions worldwide download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from following URIs:

+Microsoft RSA Root Certificate Authority 2017 https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt, Digicert Global Root CA https://cacerts.digicert.com/DigiCertGlobalRootCA.crt

+4. Generate a combined CA certificate store with both Root CA certificates are included. Example below shows using DefaultJavaSSLFactory for PostgreSQL JDBC users.

+ * For connectivity to servers deployed to Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona)

+ * For connectivity to servers deployed in Azure public regions worldwide

+```powershell

+ keytool -importcert -alias PostgreSQLServerCACert -file D:\ DigiCertGlobalRootCA.crt.pem -keystore truststore -storepass password -noprompt

+keytool -importcert -alias PostgreSQLServerCACert2 -file "D:\ Microsoft ECC Root Certificate Authority 2017.crt.pem" -keystore truststore -storepass password -noprompt

+```

+For more information on configuring client certificates with PostgreSQL JDBC driver, see this [documentation](https://jdbc.postgresql.org/documentation/ssl/)

+### Updating Root CA certificates when using clients in Azure App Services with Azure Database for PostgreSQL - Flexible Server for certificate pinning scenarios

+ ### Updating Root CA certificates when using clients in Azure Kubernetes Service (AKS) with Azure Database for PostgreSQL - Flexible Server for certificate pinning scenarios

+### Updating Root CA certificates for For .NET (Npgsql) users on Windows with Azure Database for PostgreSQL - Flexible Server for certificate pinning scenarios

+For .NET (Npgsql) users on Windows, connecting to Azure Database for PostgreSQL - Flexible Servers deployed in Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona) make sure **both** Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root G2 both exist in Windows Certificate Store, Trusted Root Certification Authorities. If any certificates don't exist, import the missing certificate.

+For .NET (Npgsql) users on Windows, connecting to Azure Database for PostgreSQL - Flexible Servers deployed in Azure pubiic regions worldwide make sure **both** Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA **both** exist in Windows Certificate Store, Trusted Root Certification Authorities. If any certificates don't exist, import the missing certificate.

+### Updating Root CA certificates for other clients for certificate pinning scenarios

+For other PostgreSQL client users, you can merge two CA certificate files like this format below:

+--BEGIN CERTIFICATE--

+(Root CA1: DigiCertGlobalRootCA.crt.pem)

+--END CERTIFICATE--

+--BEGIN CERTIFICATE--

+(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)

+--END CERTIFICATE--

+### Read Replicas with certificate pinning scenarios

+With Root CA migration to [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) it's feasible for newly created replicas to be on a newer Root CA certificate than primary server created earlier.

+Therefore, for clients that use **verify-ca** and **verify-full** sslmode configuration settings, i.e. certificate pinning, is imperative for interrupted connectivity to accept **both** root CA certificates:

+ * For connectivity to servers deployed to Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona): [DigiCert Global Root G2](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm) root CA certificates, as services are migrating from Digicert to Microsoft CA.

+ * For connectivity to servers deployed to Azure public cloud regions worldwide: [Digicert Global Root CA](https://www.digicert.com/kb/digicert-root-certificates.htm) and [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/docs/repository.htm), as services are migrating from Digicert to Microsoft CA.

+Before trying to access your SSL enabled server from client application, make sure you can get to it via psql. You should see output similar to the following if you established an SSL connection.

+After the read replica is created, the properties of all servers which are replicas of a primary replica can be obtained by using the [`az postgres flexible-server replica create`](/cli/azure/postgres/flexible-server/replica#az-postgres-flexible-server-replica-list) command.

+```azurecli-interactive

+az postgres flexible-server replica list \

+ --name <source-server-name> \

+ --resource-group <resource-group>

+```

+Replace `<source-server-name>`, and `<resource-group>` with your specific values.

+Initiate an `HTTP PUT` request by using the [servers create API](/rest/api/postgresql/flexibleserver/servers/create):

+After the read replica is created, the properties of all servers which are replicas of a primary replica can be obtained by initiating an `HTTP GET` request by using [replicas list by server API](/rest/api/postgresql/flexibleserver/replicas/list-by-server):

+```http

+GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBForPostgreSql/flexibleServers/{sourceserverName}/replicas?api-version=2022-12-01

+```

+Here, you need to replace `{subscriptionId}`, `{resourceGroupName}`, and `{sourceserverName}` with your specific Azure subscription ID, the name of your resource group, and the name you assigned to your primary replica, respectively.

+```json

+[

+ {

+ "administratorLogin": null,

+ "administratorLoginPassword": null,

+ "authConfig": null,

+ "availabilityZone": null,

+ "backup": {

+ "backupRetentionDays": null,

+ "earliestRestoreDate": "2023-11-23T12:55:33.3443218+00:00",

+ "geoRedundantBackup": "Disabled"

+ },

+ "createMode": null,

+ "dataEncryption": {

+ "geoBackupEncryptionKeyStatus": null,

+ "geoBackupKeyUri": null,

+ "geoBackupUserAssignedIdentityId": null,

+ "primaryEncryptionKeyStatus": null,

+ "primaryKeyUri": null,

+ "primaryUserAssignedIdentityId": null,

+ "type": "SystemManaged"

+ },

+ "fullyQualifiedDomainName": null,

+ "highAvailability": null,

+ "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforPostgreSQL/flexibleServers/{replicaserverName}",

+ "identity": null,

+ "location": "eastus",

+ "maintenanceWindow": {

+ "customWindow": "Disabled",

+ "dayOfWeek": 0,

+ "startHour": 0,

+ "startMinute": 0

+ },

+ "minorVersion": null,

+ "name": "{replicaserverName}",

+ "network": {

+ "delegatedSubnetResourceId": null,

+ "privateDnsZoneArmResourceId": null,

+ "publicNetworkAccess": "Disabled"

+ },

+ "pointInTimeUtc": null,

+ "privateEndpointConnections": null,

+ "replica": {

+ "capacity": null,

+ "promoteMode": null,

+ "promoteOption": null,

+ "replicationState": "Active",

+ "role": "AsyncReplica"

+ },

+ "replicaCapacity": null,

+ "replicationRole": "AsyncReplica",

+ "resourceGroup": "{resourceGroupName}",

+ "sku": {

+ "name": "",

+ "tier": null

+ },

+ "sourceServerResourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforPostgreSQL/flexibleServers/{serverName}",

+ "state": "Ready",

+ "storage": {

+ "autoGrow": "Disabled",

+ "iops": null,

+ "storageSizeGb": 0,

+ "throughput": null,

+ "tier": null,

+ "type": null

+ },

+ "systemData": {

+ "createdAt": "2023-11-22T17:11:42.2461489Z",

+ "createdBy": null,

+ "createdByType": null,

+ "lastModifiedAt": null,

+ "lastModifiedBy": null,

+ "lastModifiedByType": null

+ },

+ "tags": null,

+ "type": "Microsoft.DBforPostgreSQL/flexibleServers",

+ "version": null

+ }

+]

+```

+You can create a secondary read replica by using the [servers create API](/rest/api/postgresql/flexibleserver/servers/create):

+To delete a primary or replica server, use the [servers delete API](/rest/api/postgresql/flexibleserver/servers/delete). If server has read replicas then read replicas should be deleted first before deleting the primary server.

+To delete a primary or replica server, use the [servers delete API](/rest/api/postgresql/flexibleserver/servers/delete). If server has read replicas then read replicas should be deleted first before deleting the primary server.

+* Public preview of [real-time language translations](generative-ai-azure-cognitive.md#language-translation) with azure_ai extension on Azure Database for PostgreSQL flexible server.

+* Public preview of [real-time machine learning predictions](generative-ai-azure-machine-learning.md) with azure_ai extension on Azure Database for PostgreSQL flexible server.

+* General availability of version 0.6.0 of [vector](how-to-use-pgvector.md) extension on Azure Database for PostgreSQL flexible server.

+- Azure Database for PostgreSQL - Flexible Server does not support the creation of custom tablespaces due to superuser privilege restrictions. During migration, data from custom tablespaces in the source PostgreSQL instance is migrated into the default tablespaces of the target Azure Database for PostgreSQL - Flexible Server.

+The migration service automatically provides the following built-in capabilities for the Azure Database for PostgreSQL single server as the source and data migration.

+ Title: Service limits and resource usage

+description: Learn about the limits and resource usage of your Azure Private 5G Core deployment when running on an Azure Stack Edge device.

+# Service limits and resource usage

+This article describes the maximum supported limits of the Azure Private 5G Core solution and the hardware resources required. You should use this information to help choose the appropriate AP5GC service package and Azure Stack Edge hardware for your needs. Refer to [Azure Private 5G Core pricing](https://azure.microsoft.com/pricing/details/private-5g-core/) and [Azure Stack Edge pricing](https://azure.microsoft.com/pricing/details/azure-stack/edge/) for the package options and overage rates.

+## Service limits

+The following table lists the maximum supported limits for a range of parameters in an Azure Private 5G Core deployment. These limits have been confirmed through testing, but other factors may affect what is achievable in a given scenario. For example, usage patterns, UE types and third-party network elements may impact one or more of these parameters. It is important to test the limits of your deployment before launching a live service.

+| Element | Maximum supported |

+||-|

+| PDU sessions | Enterprise radios typically support up to 1000 simultaneous PDU sessions per radio |

+| Bandwidth | Over 25 Gbps per ASE |

+| RAN nodes (eNB/gNB) | 200 per packet core |

+| UEs | 10,000 per deployment (all sites) |

+| SIMs | 1000 per ASE |

+| SIM provisioning | 1000 per API call |

+Your chosen service package may define lower limits, with overage charges for exceeding them - see [Azure Private 5G Core pricing](https://azure.microsoft.com/pricing/details/private-5g-core/) for details. If you require higher throughput for your use case, please contact us to discuss your needs.

+## Azure Stack Edge virtual machine sizing

+Packet capture for control or data plane packets is performed using the **MEC-Dataplane Trace** tool. MEC-Dataplane (MEC-DP) Trace is similar to **tcpdump**, a data-network packet analyzer computer program that runs on a command line interface (CLI). You can use MEC-DP Trace to monitor and record packets on any user plane interface on the access network (N3 interface) or data network (N6 interface) on your device, as well as the control plane (N2 interface). You can access MEC-DP Trace using the Azure portal or the Azure CLI.

+1. In a command line with kubectl access to the Azure Arc-enabled Kubernetes cluster, enter the MEC-DP troubleshooter pod:

+ kubectl exec -it -n core core-mec-dp-0 -c troubleshooter -- bash

+ mect list

+1. Run `mectdump` with any parameters that you would usually pass to tcpdump. In particular, `-i` to specify the interface, and `-w` to specify where to write to. Close the tool when finished by pressing <kbd>Ctrl + C</kbd>. The following examples are common use cases:

+ - To run capture packets on all interfaces, run `mectdump -i any -w any.pcap`

+ - To run capture packets for the N3 interface and the N6 interface for a single data network, enter the MEC-DP troubleshooter pod in two separate windows. In one window run `mectdump -i n3trace -w n3.pcap` and in the other window run `mectdump -i <N6 interface> -w n6.pcap` (use the N6 interface for the data network as identified in step 2).

+ kubectl cp -n core core-mec-dp-0:<path to output file> <location to copy to> -c troubleshooter

+ kubectl exec -it -n core core-mec-dp-0 -c troubleshooter -- rm <path to output file>

+1. In a command line with kubectl access to the Azure Arc-enabled Kubernetes cluster, enter the MEC-DP troubleshooter pod:

+ kubectl exec -it -n core core-mec-dp-0 -c troubleshooter -- bash

+ mect list

+Indexers are one of the few subsystems that make overt outbound calls to other Azure resources. In terms of Azure roles, indexers don't have separate identities: a connection from the search engine to another Azure resource is made using the [system or user-assigned managed identity](search-howto-managed-identities-data-sources.md) of a search service. If the indexer connects to an Azure resource on a virtual network, you should create a [shared private link](search-indexer-howto-access-private.md) for that connection. For more information about secure connections, see the [Security in Azure AI Search](search-security-overview.md).

+| [Azure OpenAI embedding skill](cognitive-search-skill-azure-openai-embedding.md) | Yes | Yes |

+| [Azure OpenAI vectorizer](vector-search-how-to-configure-vectorizer.md) | Yes | Yes |

+ | Embedding data (vectorizing) using Azure OpenAI embedding models | Add **Cognitive Services OpenAI User** |

+[**Azure OpenAI embedding skill**](cognitive-search-skill-azure-openai-embedding.md) and [**Azure OpenAI vectorizer:**](vector-search-how-to-configure-vectorizer.md)

+ An Azure OpenAI embedding skill and vectorizer in AI Search target the endpoint of an Azure OpenAI service hosting an embedding model. The endpoint is specified in the [Azure OpenAI embedding skill definition](cognitive-search-skill-azure-openai-embedding.md) and/or in the [Azure OpenAI vectorizer definition](vector-search-how-to-configure-vectorizer.md). The system-managed identity is used if configured and if the "apikey" and "authIdentity" are empty. The "authIdentity" property is used for user-assigned managed identity only.

+

+```json

+{

+ "@odata.type": "#Microsoft.Skills.Text.AzureOpenAIEmbeddingSkill",

+ "description": "Connects a deployed embedding model.",

+ "resourceUri": "https://url.openai.azure.com/",

+ "deploymentId": "text-embedding-ada-002",

+ "inputs": [

+ {

+ "name": "text",

+ "source": "/document/content"

+ }

+ ],

+ "outputs": [

+ {

+ "name": "embedding"

+ }

+ ]

+}

+```

+```json

+ "vectorizers": [

+ {

+ "name": "my_azure_open_ai_vectorizer",

+ "kind": "azureOpenAI",

+ "azureOpenAIParameters": {

+ "resourceUri": "https://url.openai.azure.com",

+ "deploymentId": "text-embedding-ada-002"

+ }

+ }

+ ]

+```

+## How indexers connect to Azure resources

+Indexers are one of the few subsystems that make overt outbound calls to other Azure resources. In terms of Azure roles, indexers don't have separate identities: a connection from the search engine to another Azure resource is made using the [system or user-assigned managed identity](search-howto-managed-identities-data-sources.md) of a search service. If the indexer connects to an Azure resource on a virtual network, you should create a [shared private link](search-indexer-howto-access-private.md) for that connection. For more information about secure connections, see the [Security in Azure AI Search](search-security-overview.md).

+### Internal traffic

+Internal requests are secured and managed by Microsoft. You can't configure or control these connections. If you're locking down network access, no action on your part is required because internal traffic isn't customer-configurable.

+Internal traffic consists of:

+Outbound requests can be secured and managed by you. Outbound requests originate from a search service to other applications. These requests are typically made by indexers for text-based indexing, skills-based AI enrichment, and vectorizations at query time. Outbound requests include both read and write operations.

+The following list is a full enumeration of the outbound requests for which you can configure secure connections. A search service makes requests on its own behalf, and on the behalf of an indexer or custom skill.

+| Indexers and [integrated vectorization](vector-search-integrated-vectorization.md) | Connect to Azure OpenAI and a deployed embedding model, or it goes through a custom skill to connect to an embedding model that you provide. The search service sends text to embedding models for vectorization during indexing. |

+| Vectorizers | Connect to Azure OpenAI or other embedding models at query time to [convert user text strings to vectors](vector-search-how-to-configure-vectorizer.md) for vector search. |

+| Search service | Connect to Azure Key Vault for [customer-managed encyrption keys](search-security-manage-encryption-keys.md), used to encrypt and decrypt sensitive data. |

+To reach Azure resources behind a firewall, [create inbound rules on other Azure resources that admit search service requests](search-indexer-howto-access-ip-restricted.md).

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), select the **Configuration** > **Automation** page. For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configuration** > **Automation**.

+1. Under **Conditions**, if you see the **Incident provider** and **Analytics rule name** conditions, leave them as they are. These conditions aren't available if your workspace is onboarded to the unified security operations platform. In either case, we'll add more conditions later in this process.

+For example, the following tabs show samples from a workspace that's onboarded to the unified security operations platform, in either the Azure or Defender portals, and a workspace that isn't:

+### [Onboarded workspaces](#tab/after-onboarding)

+### [Workspaces that aren't onboarded](#tab/before-onboarding)

+ Title: Add entities to threat intelligence

+description: Learn how to add a malicious entity discovered in an incident investigation to your threat intelligence in Microsoft Sentinel.

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+#Customer intent: As a security analyst, I want to quickly add relevant threat intelligence from my investigation for myself and others so I don't lose important information.

+During an investigation, you examine entities and their context as an important part of understanding the scope and nature of an incident. When you discover an entity as a malicious domain name, URL, file, or IP address in the incident, it should be labeled and tracked as an indicator of compromise (IOC) in your threat intelligence.

+For example, you discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.

+Microsoft Sentinel allows you to flag these types of entities right from within your incident investigation, and add it to your threat intelligence. You are able to view the added indicators both in **Logs** and **Threat Intelligence**, and use them across your Microsoft Sentinel workspace.

+## Add an entity to your threat intelligence

+## Related content

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)

+[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)