Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
ai-services | Groundedness | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/concepts/groundedness.md | The maximum character limit for the grounding sources is 55,000 characters per A To use this API, you must create your Azure AI Content Safety resource in the supported regions. Currently, it's available in the following Azure regions: - East US 2-- East US (only for non-reasoning)+- East US - West US - Sweden Central If you need a higher rate, [contact us](mailto:contentsafetysupport@microsoft.co Follow the quickstart to get started using Azure AI Content Safety to detect groundedness. > [!div class="nextstepaction"]-> [Groundedness detection quickstart](../quickstart-groundedness.md) +> [Groundedness detection quickstart](../quickstart-groundedness.md) |
ai-services | Concept Composed Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-composed-models.md | With the introduction of [**custom classification models**](./concept-custom-cla * With models composed using v2.1 of the API continues to be supported, requiring no updates. -* For custom models, the maximum number that can be composed is 100. +* For custom models, the maximum number that can be composed is 200. ::: moniker-end |
ai-services | Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/managed-identity.md | In the following sections, you'll use the Azure CLI to sign in, and obtain a bea ## Assign yourself to the Cognitive Services User role -Assign yourself the [Cognitive Services User](role-based-access-control.md#cognitive-services-contributor) role to allow you to use your account to make Azure OpenAI API calls rather than having to use key-based auth. After you make this change it can take up to 5 minutes before the change takes effect. +Assign yourself either the [Cognitive Services OpenAI User](role-based-access-control.md#cognitive-services-openai-user) or [Cognitive Services OpenAI Contributor](role-based-access-control.md#cognitive-services-openai-contributor) role to allow you to use your account to make Azure OpenAI inference API calls rather than having to use key-based auth. After you make this change it can take up to 5 minutes before the change takes effect. ## Sign into the Azure CLI |
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/role-based-access-control.md | If a user were granted role-based access to only this role for an Azure OpenAI r ✅ Ability to view the resource and associated model deployments in Azure OpenAI Studio. <br> ✅ Ability to view what models are available for deployment in Azure OpenAI Studio. <br> ✅ Use the Chat, Completions, and DALL-E (preview) playground experiences to generate text and images with any models that have already been deployed to this Azure OpenAI resource. <br>+✅ Make inference API calls with Microsoft Entra ID. A user with only this role assigned would be unable to: This role is typically granted access at the resource group level for a user in A user with only this role assigned would be unable to: ❌ Access quota <br>+❌ Make inference API calls with Microsoft Entra ID. ### Cognitive Services Usages Reader All the capabilities of Cognitive Services Contributor plus the ability to: |Create customized content filters|❌|❌|✅| ➖ | |Add a data source for the “on your data” feature|❌|❌|✅| ➖ | |Access quota|❌|❌|❌|✅|-+|Make inference API calls with Microsoft Entra ID| ✅ | ✅ | ❌ | ➖ | ## Common Issues ### Unable to view Azure Cognitive Search option in Azure OpenAI Studio |
ai-services | Speech Synthesis Markup Pronunciation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-synthesis-markup-pronunciation.md | The speech synthesis engine speaks the following example as "World Wide Web Cons The Mathematical Markup Language (MathML) is an XML-compliant markup language that describes mathematical content and structure. The Speech service can use the MathML as input text to properly pronounce mathematical notations in the output audio. > [!NOTE]-> The MathML elements (tags) are currently supported by all neural voices in the `en-US` and `en-AU` locales. +> The MathML elements (tags) are currently supported in the following locales: `de-DE`, `en-AU`, `en-GB`, `en-US`, `es-ES`, `es-MX`, `fr-CA`, `fr-FR`, `it-IT`, `ja-JP`, `ko-KR`, `pt-BR`, and `zh-CN`. All elements from the [MathML 2.0](https://www.w3.org/TR/MathML2/) and [MathML 3.0](https://www.w3.org/TR/MathML3/) specifications are supported, except the MathML 3.0 [Elementary Math](https://www.w3.org/TR/MathML3/chapter3.html#presm.elementary) elements. |
ai-services | What Is Text To Speech Avatar | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/text-to-speech-avatar/what-is-text-to-speech-avatar.md | Azure AI text to speech avatar feature capabilities include: With text to speech avatar's advanced neural network models, the feature empowers you to deliver lifelike and high-quality synthetic talking avatar videos for various applications while adhering to responsible AI practices. > [!TIP]-> To convert text to speech with a no-code approach, try the [Text to speech avatar tool in Speech Studio](https://aka.ms/speechstudio/talkingavatar). +> To convert text to speech with a no-code approach, try the [Text to speech avatar tool in Speech Studio](https://speech.microsoft.com/portal/talkingavatar). ## Avatar voice and language -You can choose from a range of prebuilt voices for the avatar. The language support for text to speech avatar is the same as the language support for text to speech. For details, see [Language and voice support for the Speech service](../language-support.md?tabs=tts). Prebuilt text to speech avatars can be accessed through the [Speech Studio portal](https://aka.ms/speechstudio/talkingavatar) or via API. +You can choose from a range of prebuilt voices for the avatar. The language support for text to speech avatar is the same as the language support for text to speech. For details, see [Language and voice support for the Speech service](../language-support.md?tabs=tts). Prebuilt text to speech avatars can be accessed through the [Speech Studio portal](https://speech.microsoft.com/portal/talkingavatar) or via API. The voice in the synthetic video could be a prebuilt neural voice available on Azure AI Speech or the [custom neural voice](../custom-neural-voice.md) of voice talent selected by you. |
aks | Access Control Managed Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-control-managed-azure-ad.md | description: Learn how to access clusters when integrating Microsoft Entra ID in Last updated 04/20/2023+++ Make sure the admin of the security group has given your account an *Active* ass [az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create [aad-assignments]: ../active-directory/privileged-identity-management/groups-assign-member-owner.md#assign-an-owner-or-member-of-a-group [az-aks-create]: /cli/azure/aks#az_aks_create+ |
aks | Access Private Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-private-cluster.md | In this article, you learned how to access a private cluster and run commands on <!-- links - internal --> [command-invoke-troubleshoot]: /troubleshoot/azure/azure-kubernetes/resolve-az-aks-command-invoke-failures+ |
aks | Active Active Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/active-active-solution.md | If you're considering a different solution, see the following articles: - [Active passive disaster recovery solution overview for Azure Kubernetes Service (AKS)](./active-passive-solution.md) - [Passive cold solution overview for Azure Kubernetes Service (AKS)](./passive-cold-solution.md)+ |
aks | Active Passive Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/active-passive-solution.md | If you're considering a different solution, see the following articles: - [Active active high availability solution overview for Azure Kubernetes Service (AKS)](./active-active-solution.md) - [Passive cold solution overview for Azure Kubernetes Service (AKS)](./passive-cold-solution.md)+ |
aks | Ai Toolchain Operator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ai-toolchain-operator.md | description: Learn how to enable the AI toolchain operator add-on on Azure Kuber Last updated 02/28/2024+++ # Deploy an AI model on Azure Kubernetes Service (AKS) with the AI toolchain operator (preview) For more inference model options, see the [KAITO GitHub repository](https://gith [az-feature-register]: /cli/azure/feature#az_feature_register [az-feature-show]: /cli/azure/feature#az_feature_show [az-provider-register]: /cli/azure/provider#az_provider_register+ |
aks | Aks Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-diagnostics.md | Title: Azure Kubernetes Service (AKS) Diagnose and Solve Problems Overview description: Learn about self-diagnosing clusters in Azure Kubernetes Service. -++ Last updated 03/10/2023 Deploying applications on AKS requires adherence to best practices to guarantee * Read the [triage practices section](/azure/architecture/operator-guides/aks/aks-triage-practices) of the AKS day-2 operations guide. * Post your questions or feedback at [UserVoice](https://feedback.azure.com/d365community/forum/aabe212a-f724-ec11-b6e6-000d3a4f0da0) by adding "[Diag]" in the title.+ |
aks | Aks Support Help | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-support-help.md | Title: Support and troubleshooting for Azure Kubernetes Service (AKS) description: This article provides support and troubleshooting options for Azure Kubernetes Service (AKS). Last updated 09/27/2023+++ Learn about important product updates, roadmap, and announcements in [Azure Upda ## Next steps Visit the [Azure Kubernetes Service (AKS) documentation](./index.yml).+ |
aks | Api Server Vnet Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/api-server-vnet-integration.md | For associated best practices, see [Best practices for network connectivity and [az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create [ref-support-levels]: /cli/azure/reference-types-and-status [az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials+ |
aks | App Routing Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-migration.md | After migrating to the application routing add-on, learn how to [monitor Ingress <!-- EXTERNAL LINKS --> [kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get [kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete+ |
aks | App Routing Nginx Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-nginx-configuration.md | The application routing add-on uses a Kubernetes [custom resource definition (CR When you enable the application routing add-on with NGINX, it creates an ingress controller called `default` in the `app-routing-namespace` configured with a public facing Azure load balancer. That ingress controller uses an ingress class name of `webapprouting.kubernetes.azure.com`. -You can modify the configuration of the default ingress controller by editing its configuration. --```bash -kubectl edit nginxingresscontroller default -n app-routing-system -``` - ### Create another public facing NGINX ingress controller To create another NGINX ingress controller with a public facing Azure Load Balancer: |
aks | App Routing Nginx Prometheus | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing-nginx-prometheus.md | Then upload the desired dashboard file and click on **Load**. [kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply [grafana-nginx-dashboard]: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/grafana/dashboards/nginx.json [grafana-nginx-request-performance-dashboard]: https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/grafana/dashboards/request-handling-performance.json+ |
aks | App Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing.md | For other configurations, see: * [Application routing add-on configuration][custom-ingress-configurations] * [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller]. -With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the Cloud Native Computing Foundation (CNCF), using the application routing add-on is the default method for all AKS clusters. +With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the Cloud Native Computing Foundation (CNCF), using the application routing add-on with OSM is not recommended. ## Prerequisites With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the - The application routing add-on supports up to five Azure DNS zones. - All global Azure DNS zones integrated with the add-on have to be in the same resource group. - All private Azure DNS zones integrated with the add-on have to be in the same resource group.-- Editing any resources in the `app-routing-system` namespace, including the Ingress-nginx ConfigMap, isn't supported.+- Editing the ingress-nginx `ConfigMap` in the `app-routing-system` namespace isn't supported. ## Enable application routing using Azure CLI When the application routing add-on is disabled, some Kubernetes resources might [kubectl]: https://kubernetes.io/docs/reference/kubectl/ [kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply [ingress-backend]: https://release-v1-2.docs.openservicemesh.io/docs/guides/traffic_management/ingress/#ingressbackend-api+ |
aks | Artifact Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/artifact-streaming.md | This article described how to enable Artifact Streaming on your AKS node pools t [az-acr-artifact-streaming-create]: /cli/azure/acr/artifact-streaming#az-acr-artifact-streaming-create [az-acr-manifest-list-referrers]: /cli/azure/acr/manifest#az-acr-manifest-list-referrers [az-aks-nodepool-show]: /cli/azure/aks/nodepool#az-aks-nodepool-show+ |
aks | Auto Upgrade Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-cluster.md | For a detailed discussion of upgrade best practices and other considerations, se [pdb-best-practices]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ [release-tracker]: release-tracker.md [k8s-deprecation]: https://kubernetes.io/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/#:~:text=A%20deprecated%20API%20is%20one%20that%20has%20been,point%20you%20must%20migrate%20to%20using%20the%20replacement-[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates +[unattended-upgrades]: https://help.ubuntu.com/community/AutomaticSecurityUpdates |
aks | Auto Upgrade Node Os Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-node-os-image.md | For a detailed discussion of upgrade best practices and other considerations, se [az-aks-update]: /cli/azure/aks#az-aks-update <!-- LINKS - external -->-[Blog]: https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/increased-security-and-resiliency-of-canonical-workloads-on/ba-p/3970623 +[Blog]: https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/increased-security-and-resiliency-of-canonical-workloads-on/ba-p/3970623 |
aks | Automated Deployments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/automated-deployments.md | Learn more about [GitHub Actions for Kubernetes][kubernetes-action]. <!-- LINKS --> [kubernetes-action]: kubernetes-action.md+ |
aks | Availability Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/availability-zones.md | description: Learn how to create a cluster that distributes nodes across availab Last updated 12/06/2023+++ # Create an Azure Kubernetes Service (AKS) cluster that uses availability zones This article described how to create an AKS cluster using availability zones. Fo <!-- LINKS - external --> [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe [kubectl-well_known_labels]: https://kubernetes.io/docs/reference/labels-annotations-taints/+ |
aks | Azure Ad Integration Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-integration-cli.md | Title: Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) (legacy) description: Learn how to use the Azure CLI to create and Microsoft Entra ID-enabled Azure Kubernetes Service (AKS) cluster (legacy)-+ For best practices on identity and resource control, see [Best practices for aut [managed-aad]: managed-azure-ad.md [managed-aad-migrate]: managed-azure-ad.md#migrate-a-legacy-azure-ad-cluster-to-integration [az-aks-show]: /cli/azure/aks#az_aks_show+ |
aks | Azure Blob Csi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-blob-csi.md | To have a storage volume persist for your workload, you can use a StatefulSet. T [azure-disk-csi-driver]: azure-disk-csi.md [azure-files-csi-driver]: azure-files-csi.md [install-azure-cli]: /cli/azure/install-azure-cli+ |
aks | Azure Cni Overlay | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overlay.md | To learn how to utilize AKS with your own Container Network Interface (CNI) plug [az-aks-update]: /cli/azure/aks#az-aks-update [az-extension-add]: /cli/azure/extension#az-extension-add [az-extension-update]: /cli/azure/extension#az-extension-update+ |
aks | Azure Cni Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overview.md | Learn more about networking in AKS in the following articles: [azure-cni-overlay]: azure-cni-overlay.md [configure-azure-cni-dynamic-ip-allocation]: configure-azure-cni-dynamic-ip-allocation.md [configure-azure-cni-static-block-allocation]: configure-azure-cni-static-block-allocation.md+ |
aks | Azure Cni Powered By Cilium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-powered-by-cilium.md | Learn more about networking in AKS in the following articles: <!-- LINKS - Internal --> [aks-ingress-basic]: ingress-basic.md+ |
aks | Azure Csi Disk Storage Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-disk-storage-provision.md | kubectl delete -f azure-pvc.yaml [azure-disk-write-accelerator]: ../virtual-machines/windows/how-to-enable-write-accelerator.md [on-demand-bursting]: ../virtual-machines/disk-bursting.md [customer-usage-attribution]: ../marketplace/azure-partner-customer-usage-attribution.md+ |
aks | Azure Csi Files Storage Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-files-storage-provision.md | For associated best practices, see [Best practices for storage and backups in AK [tag-resources]: ../azure-resource-manager/management/tag-resources.md [azure-files-usage]: ../storage/files/understand-performance.md#choosing-a-performance-tier-based-on-usage-patterns [az-storage-account-create]: /cli/azure/storage/account#az-storage-account-create+ |
aks | Azure Disk Csi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-disk-csi.md | The output of the command resembles the following example: [az-premium-ssd]: ../virtual-machines/disks-types.md#premium-ssds [general-purpose-machine-sizes]: ../virtual-machines/sizes-general.md [disk-based-solutions]: /azure/cloud-adoption-framework/scenarios/app-platform/aks/storage#disk-based-solutions+ |
aks | Azure Disk Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-disk-customer-managed-keys.md | Review [best practices for AKS cluster security][best-practices-security] [customer-managed-keys-windows]: ../virtual-machines/disk-encryption.md#customer-managed-keys [customer-managed-keys-linux]: ../virtual-machines/disk-encryption.md#customer-managed-keys [key-vault-generate]: ../key-vault/general/manage-with-cli2.md+ |
aks | Azure Files Csi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-files-csi.md | The output of the commands resembles the following example: [azure-private-endpoint-dns]: ../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration [azure-netapp-files-mount-options-best-practices]: ../azure-netapp-files/performance-linux-mount-options.md#rsize-and-wsize [nfs-file-share-mount-options]: ../storage/files/storage-files-how-to-mount-nfs-shares.md#mount-options+ |
aks | Azure Hpc Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-hpc-cache.md | az feature show --namespace "Microsoft.StorageCache" [az-hpc-cache-blob-storage-target-add]: /cli/azure/hpc-cache/blob-storage-target#az_hpc_cache_blob_storage_target_add [az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone#az_network_private_dns_zone_create [az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az_network_private_dns_link_vnet_create-[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create +[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create |
aks | Azure Hybrid Benefit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-hybrid-benefit.md | To learn more about Windows containers on AKS, see the following resources: * [Learn how to deploy, manage, and monitor Windows containers on AKS](/training/paths/deploy-manage-monitor-wincontainers-aks). * Open an issue or provide feedback in the [Windows containers GitHub repository](https://github.com/microsoft/Windows-Containers/issues). * Review the [third-party partner solutions for Windows on AKS](windows-aks-partner-solutions.md).+ |
aks | Azure Linux Aks Partner Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-linux-aks-partner-solutions.md | For more information, see [CloudCasa by Catalogic Solutions](https://cloudcasa.i ## Next steps [Learn more about the Azure Linux Container Host on AKS](../azure-linux/intro-azure-linux.md).+ |
aks | Azure Netapp Files Dual Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-dual-protocol.md | Astra Trident supports many features with Azure NetApp Files. For more informati [azure-netapp-smb]: azure-netapp-files-smb.md [azure-netapp-files]: azure-netapp-files.md [azure-netapp-files-volume-dual-protocol]: ../azure-netapp-files/create-volumes-dual-protocol.md+ |
aks | Azure Netapp Files Nfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-nfs.md | Astra Trident supports many features with Azure NetApp Files. For more informati [install-azure-cli]: /cli/azure/install-azure-cli [use-tags]: use-tags.md [azure-ad-app-registration]: ../active-directory/develop/howto-create-service-principal-portal.md+ |
aks | Azure Netapp Files Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-smb.md | Astra Trident supports many features with Azure NetApp Files. For more informati [install-azure-cli]: /cli/azure/install-azure-cli [use-tags]: use-tags.md [azure-ad-app-registration]: ../active-directory/develop/howto-create-service-principal-portal.md+ |
aks | Azure Netapp Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files.md | Astra Trident supports many features with Azure NetApp Files. For more informati [install-azure-cli]: /cli/azure/install-azure-cli [use-tags]: use-tags.md [azure-ad-app-registration]: ../active-directory/develop/howto-create-service-principal-portal.md+ |
aks | Azure Nfs Volume | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-nfs-volume.md | ls -l [azure-linux-vm]: ../virtual-machines/linux/endorsed-distros.md [linux-create]: ../virtual-machines/linux/tutorial-manage-vm.md [azure-files-overview]: ../storage/files/storage-files-introduction.md+ |
aks | Best Practices App Cluster Reliability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-app-cluster-reliability.md | This article focused on best practices for deployment and cluster reliability fo * [High availability and disaster recovery overview for AKS](./ha-dr-overview.md) * [Run AKS clusters at scale](./best-practices-performance-scale-large.md) * [Baseline architecture for an AKS cluster](/azure/architecture/reference-architectures/containers/aks/baseline-aks)+ |
aks | Best Practices Cost | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-cost.md | Cost optimization is an ongoing and iterative effort. Learn more by reviewing th * [Optimize Compute Costs on AKS](/training/modules/aks-optimize-compute-costs/) * [AKS Cost Optimization Techniques](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-kubernetes-service-aks-cost-optimization-techniques/ba-p/3652908) * [What is FinOps?](/azure/cost-management-billing/finops/)+ |
aks | Best Practices Performance Scale Large | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-performance-scale-large.md | As you scale your AKS clusters to larger scale points, keep the following node p <!-- LINKS - External --> [throttling-policies]: https://azure.microsoft.com/blog/api-management-advanced-caching-and-throttling-policies/+ |
aks | Best Practices Performance Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices-performance-scale.md | Ephemeral OS disks can provide dynamic IOPS and throughput for your application, ### Pod scheduling The memory and CPU resources allocated to a VM have a direct impact on the performance of the pods running on the VM. When a pod is created, it's assigned a certain amount of memory and CPU resources, which are used to run the application. If the VM doesn't have enough memory or CPU resources available, it can cause the pods to slow down or even crash. If the VM has too much memory or CPU resources available, it can cause the pods to run inefficiently, wasting resources and increasing costs. We recommend monitoring the total pod requests across your workloads against the total allocatable resources for best scheduling predictability and performance. You can also set the maximum pods per node based on your capacity planning using `--max-pods`.+ |
aks | Cis Azure Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cis-azure-linux.md | For more information about Azure Linux Container Host security, see the followin [cis-benchmarks]: /compliance/regulatory/offering-CIS-Benchmark [linux-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-linux.md [linux-container-host-aks]: ../azure-linux/intro-azure-linux.md+ |
aks | Cis Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cis-windows.md | description: Learn how AKS applies the CIS benchmark to Windows Server 2022 imag Last updated 09/27/2023+++ # Azure Kubernetes Service (AKS) Windows image alignment with Center for Internet Security (CIS) benchmark For more information about AKS security, see the following articles: <!-- INTERNAL LINKS --> [cis-benchmarks]: /compliance/regulatory/offering-CIS-Benchmark [security-concepts-aks-apps-clusters]: concepts-security.md-[windows-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-windows.md +[windows-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-windows.md |
aks | Cluster Autoscaler Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-autoscaler-overview.md | Depending on how long the scaling operations have been experiencing failures, it <!-- LINKS > [vertical-pod-autoscaler]: vertical-pod-autoscaler.md [horizontal-pod-autoscaler]:concepts-scale.md#horizontal-pod-autoscaler+ |
aks | Cluster Autoscaler | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-autoscaler.md | description: Learn how to use the cluster autoscaler to automatically scale your Last updated 01/11/2024+++ # Use the cluster autoscaler in Azure Kubernetes Service (AKS) To further help improve cluster resource utilization and free up CPU and memory [az-aks-nodepool-update]: https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview#enable-cluster-auto-scaler-for-a-node-pool [kubernetes-faq]: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#ca-doesnt-work-but-it-used-to-work-yesterday-why [kubernetes-cluster-autoscaler]: https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler+ |
aks | Cluster Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-configuration.md | description: Learn how to configure a cluster in Azure Kubernetes Service (AKS) Last updated 06/20/2023+++ # Configure an AKS cluster az aks update -n aksTest -g aksTest --nrg-lockdown-restriction-level Unrestricte [az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add [az-aks-nodepool-show]: /cli/azure/aks/nodepool#az_aks_nodepool_show [az-vm-list]: /cli/azure/vm#az_vm_list+ |
aks | Cluster Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-extensions.md | You can also [select and deploy Kubernetes applications available through Market <!-- EXTERNAL --> [arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc®ions=all+ |
aks | Concepts Clusters Workloads | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-clusters-workloads.md | description: Learn about the core components that make up workloads and clusters Last updated 01/16/2024+++ # Core Kubernetes concepts for Azure Kubernetes Service This article covers some of the core Kubernetes components and how they apply to [aks-tags]: use-tags.md [aks-support]: support-policies.md#user-customization-of-agent-nodes [intro-azure-linux]: ../azure-linux/intro-azure-linux.md+ |
aks | Concepts Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-identity.md | For more information on core Kubernetes and AKS concepts, see the following arti [aks-concepts-network]: concepts-network.md [operator-best-practices-identity]: operator-best-practices-identity.md [upgrade-per-cluster]: ../azure-monitor/containers/container-insights-update-metrics.md#upgrade-per-cluster-using-azure-cli+ |
aks | Concepts Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-network.md | Title: Concepts - Networking in Azure Kubernetes Services (AKS) description: Learn about networking in Azure Kubernetes Service (AKS), including kubenet and Azure CNI networking, ingress controllers, load balancers, and static IP addresses. Last updated 03/26/2024+++ For more information on core Kubernetes and AKS concepts, see the following arti [azure-cni-powered-by-cilium]: azure-cni-powered-by-cilium.md [azure-cni-powered-by-cilium-limitations]: azure-cni-powered-by-cilium.md#limitations [use-byo-cni]: use-byo-cni.md+ |
aks | Concepts Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-scale.md | Title: Concepts - Scale applications in Azure Kubernetes Services (AKS) description: Learn about scaling in Azure Kubernetes Service (AKS), including the horizontal pod autoscaler, cluster autoscaler, and Azure Container Instances. Last updated 03/18/2024+++ # Scaling options for applications in Azure Kubernetes Service (AKS) For more information on core Kubernetes and AKS concepts, see the following arti [aks-concepts-identity]: concepts-identity.md [aks-concepts-network]: concepts-network.md [virtual-nodes-cli]: virtual-nodes-cli.md-[keda-overview]: keda-about.md +[keda-overview]: keda-about.md |
aks | Concepts Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-security.md | For more information on core Kubernetes and AKS concepts, see: [microsoft-vulnerability-management-aks]: concepts-vulnerability-management.md [aks-vulnerability-management-nodes]: concepts-vulnerability-management.md#worker-nodes [manage-ssh-access]: manage-ssh-node-access.md-[trusted-launch]: use-trusted-launch.md +[trusted-launch]: use-trusted-launch.md |
aks | Concepts Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-storage.md | Title: Concepts - Storage in Azure Kubernetes Services (AKS) description: Learn about storage in Azure Kubernetes Service (AKS), including volumes, persistent volumes, storage classes, and claims. Last updated 03/19/2024+++ For more information on core Kubernetes and AKS concepts, see the following arti [azure-disk-customer-managed-key]: azure-disk-customer-managed-keys.md [azure-aks-storage-considerations]: /azure/cloud-adoption-framework/scenarios/app-platform/aks/storage [azure-container-storage]: ../storage/container-storage/container-storage-introduction.md+ |
aks | Concepts Sustainable Software Engineering | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-sustainable-software-engineering.md | Title: Concepts - Sustainable software engineering in Azure Kubernetes Services description: Learn about sustainable software engineering in Azure Kubernetes Service (AKS). Last updated 06/20/2023+++ # Sustainable software engineering practices in Azure Kubernetes Service (AKS) Many attacks on cloud infrastructure seek to misuse deployed resources for the a > [!div class="nextstepaction"] > [Azure Well-Architected Framework review of AKS](/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service)+ |
aks | Confidential Containers Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/confidential-containers-overview.md | description: Learn about Confidential Containers (preview) on an Azure Kubernete Last updated 03/18/2024+++ # Confidential Containers (preview) with Azure Kubernetes Service (AKS) With the local container filesystem backed by VM memory, writing to the containe [azure-dedicated-hosts]: ../virtual-machines/dedicated-hosts.md [deploy-confidential-containers-default-aks]: deploy-confidential-containers-default-policy.md [confidential-containers-security-policy]: ../confidential-computing/confidential-containers-aks-security-policy.md+ |
aks | Configure Azure Cni Dynamic Ip Allocation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni-dynamic-ip-allocation.md | Learn more about networking in AKS in the following articles: [azure-cni-prereq]: ./configure-azure-cni.md#prerequisites [azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters [az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons+ |
aks | Configure Azure Cni Static Block Allocation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni-static-block-allocation.md | Learn more about networking in AKS in the following articles: [azure-cni-prereq]: ./configure-azure-cni.md#prerequisites [azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters [az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons+ |
aks | Configure Azure Cni | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni.md | az aks create \ To configure Azure CNI networking with dynamic IP allocation and enhanced subnet support, see [Configure Azure CNI networking for dynamic allocation of IPs and enhanced subnet support in AKS](configure-azure-cni-dynamic-ip-allocation.md). + |
aks | Configure Kube Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kube-proxy.md | This article covered how to configure `kube-proxy` in Azure Kubernetes Service ( [az-extension-update]: /cli/azure/extension#az-extension-update [az-aks-create]: /cli/azure/aks#az-aks-create [az-aks-update]: /cli/azure/aks#az-aks-update+ |
aks | Configure Kubenet Dual Stack | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet-dual-stack.md | Once the cluster has been created, you can deploy your workloads. This article w [az-group-create]: /cli/azure/group#az_group_create [az-aks-create]: /cli/azure/aks#az_aks_create [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials+ |
aks | Configure Kubenet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet.md | This article showed you how to deploy your AKS cluster into your existing virtua [custom-route-table]: ../virtual-network/manage-route-table.md [Create an AKS cluster with user-assigned managed identity]: configure-kubenet.md#create-an-aks-cluster-with-user-assigned-managed-identity [bring-your-own-control-plane-managed-identity]: ../aks/use-managed-identity.md#bring-your-own-managed-identity+ |
aks | Control Plane Metrics Default List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/control-plane-metrics-default-list.md | description: This article describes the minimal ingestion profile metrics for Az Last updated 01/31/2024+++ The following are metrics that are allow-listed with `minimalingestionprofile=tr <!-- INTERNAL LINKS --> [azure-monitor-prometheus-metrics-scrape-config-minimal]: ../azure-monitor/containers/prometheus-metrics-scrape-configuration-minimal.md+ |
aks | Coredns Custom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/coredns-custom.md | To learn more about core network concepts, see [Network concepts for application [aks-quickstart-cli]: ./learn/quick-kubernetes-deploy-cli.md [aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md+ |
aks | Cost Analysis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cost-analysis.md | See the following guide to troubleshoot [AKS cost analysis add-on issues](/troub ## Learn more -Visibility is one element of cost management. Refer to [Optimize Costs in Azure Kubernetes Service (AKS)](./best-practices-cost.md) for other best practices on how to gain control over your kubernetes cost. +Visibility is one element of cost management. Refer to [Optimize Costs in Azure Kubernetes Service (AKS)](./best-practices-cost.md) for other best practices on how to gain control over your kubernetes cost. |
aks | Create Nginx Ingress Private Controller | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/create-nginx-ingress-private-controller.md | For other configuration information related to SSL encryption other advanced NGI [az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone?#az-network-private-dns-zone-create [az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create [az-network-private-dns-record-set-a-list]: /cli/azure/network/private-dns/record-set/a#az-network-private-dns-record-set-a-list+ |
aks | Create Node Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/create-node-pools.md | description: Learn how to create multiple node pools for a cluster in Azure Kube Last updated 12/08/2023+++ In this article, you learned how to create multiple node pools in an AKS cluster [use-system-pool]: use-system-pools.md [restricted-vm-sizes]: ../virtual-machines/sizes.md [aks-taints]: manage-node-pools.md#set-node-pool-taints+ |
aks | Csi Secrets Store Configuration Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-configuration-options.md | To learn more about the Azure Key Vault provider for Secrets Store CSI Driver, s <!-- LINKS EXTERNAL --> [reloader]: https://github.com/stakater/Reloader+ |
aks | Csi Secrets Store Driver | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-driver.md | In this article, you learned how to use the Azure Key Vault provider for Secrets <!-- LINKS EXTERNAL --> [kube-csi]: https://kubernetes-csi.github.io/docs/ [kubernetes-version-support]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy+ |
aks | Csi Secrets Store Identity Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md | In this article, you learned how to create and provide an identity to access you [az-identity-create]: /cli/azure/identity#az-identity-create [az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create [az-aks-disable-addons]: /cli/azure/aks#az-aks-disable-addons+ |
aks | Csi Secrets Store Nginx Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-nginx-tls.md | We can now deploy a Kubernetes ingress resource referencing the secret. <!-- LINKS EXTERNAL --> [kubernetes-ingress-tls]: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls+ |
aks | Csi Storage Drivers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-storage-drivers.md | Title: Container Storage Interface (CSI) drivers on Azure Kubernetes Service (AK description: Learn about and deploy the Container Storage Interface (CSI) drivers for Azure Disks and Azure Files in an Azure Kubernetes Service (AKS) cluster Last updated 03/14/2024+++ To review the migration options for your storage classes and upgrade your cluste [azure-policy-aks-definition]: ../governance/policy/samples/built-in-policies.md#kubernetes [encrypt-managed-disks-customer-managed-keys]: ../virtual-machines/disks-cross-tenant-customer-managed-keys.md [azure-disk-customer-managed-keys]: azure-disk-customer-managed-keys.md+ |
aks | Custom Certificate Authority | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-certificate-authority.md | For more information on AKS security best practices, see [Best practices for clu [az-feature-show]: /cli/azure/feature#az-feature-show [az-feature-register]: /cli/azure/feature#az-feature-register [az-provider-register]: /cli/azure/provider#az-provider-register+ |
aks | Custom Node Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/custom-node-configuration.md | The settings below can be used to tune the operation of the virtual memory (VM) [az-feature-register]: /cli/azure/feature#az-feature-register [az-feature-show]: /cli/azure/feature#az-feature-show [az-provider-register]: /cli/azure/provider#az-provider-register+ |
aks | Dapr Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-migration.md | Learn more about [Dapr][dapr-overview] and [how to use it][dapr-howto]. <!-- LINKS EXTERNAL --> [dapr-prod-guidelines]: https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#enabling-high-availability-in-an-existing-dapr-deployment+ |
aks | Dapr Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-settings.md | Once you have successfully provisioned Dapr in your AKS cluster, try deploying a [dapr-troubleshooting]: https://docs.dapr.io/operations/troubleshooting/common_issues/ [supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc [dapr-mariner]: https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/#using-mariner-based-images+ |
aks | Dapr Workflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-workflow.md | Notice that the workflow status is marked as completed. [deployment-yaml]: https://github.com/Azure/dapr-workflows-aks-sample/blob/main/Deploy/deployment.yaml [docker]: https://docs.docker.com/get-docker/ [helm]: https://helm.sh/docs/intro/install/+ |
aks | Dapr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr.md | az k8s-extension delete --resource-group myResourceGroup --cluster-name myAKSClu [dapr-supported-version]: https://docs.dapr.io/operations/support/support-release-policy/#supported-versions [dapr-troubleshooting]: https://docs.dapr.io/operations/troubleshooting/common_issues/ [supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc+ |
aks | Deploy Application Az Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-application-az-cli.md | To deploy the application (extension) through Azure CLI, follow the steps outlin - Learn about [Kubernetes applications available through Marketplace](deploy-marketplace.md). - Learn about [cluster extensions](cluster-extensions.md).+ |
aks | Deploy Application Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-application-template.md | Once you've accepted the terms, you can deploy your ARM template. For instructio - Learn about [Kubernetes applications available through Marketplace](deploy-marketplace.md). - Learn about [cluster extensions](cluster-extensions.md).+ |
aks | Deploy Confidential Containers Default Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-confidential-containers-default-policy.md | Title: Deploy an AKS cluster with Confidential Containers (preview) description: Learn how to create an Azure Kubernetes Service (AKS) cluster with Confidential Containers (preview) and a default security policy by using the Azure CLI. Last updated 01/10/2024+++ kubectl delete pod pod-name [az-attestation-show]: /cli/azure/attestation#az-attestation-show [attestation-quickstart-azure-cli]: ../attestation/quickstart-azure-cli.md [symptom-role-assignment-changes-are-not-being-detected]: ../role-based-access-control/troubleshooting.md#symptomrole-assignment-changes-are-not-being-detected+ |
aks | Deploy Extensions Az Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-extensions-az-cli.md | az k8s-extension delete --name azureml --cluster-name <clusterName> --resource-g [use-managed-identity]: ./use-managed-identity.md [workload-identity-overview]: workload-identity-overview.md [use-azure-ad-pod-identity]: use-azure-ad-pod-identity.md+ |
aks | Deploy Marketplace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deploy-marketplace.md | If you experience issues, see the [troubleshooting checklist for failed deployme [marketplace-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-failed-kubernetes-deployment-offer + |
aks | Deployment Safeguards | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/deployment-safeguards.md | To learn more, see [workload validation in Gatekeeper](https://open-policy-agent [Azure-Policy-built-in-definition-docs]: /azure/aks/policy-reference#policy-definitions [Azure-Policy-compliance-portal]: https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Compliance [Azure-Policy-RBAC-permissions]: /azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy+ |
aks | Developer Best Practices Resource Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/developer-best-practices-resource-management.md | To implement some of these best practices, see [Develop with Bridge to Kubernete [btk]: /visualstudio/containers/overview-bridge-to-kubernetes [operator-best-practices-isolation]: operator-best-practices-cluster-isolation.md [resource-quotas]: operator-best-practices-scheduler.md#enforce-resource-quotas+ |
aks | Devops Pipeline | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/devops-pipeline.md | You're now ready to create a release, which means to start the process of runnin 1. In the pipeline view, choose the status link in the stages of the pipeline to see the logs and agent output. ::: zone-end+ |
aks | Draft Devx Extension Aks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/draft-devx-extension-aks.md | In this article, you learned how to use Draft and the DevX extension for Visual [aks-acr-authenticate]: ../aks/cluster-container-registry-integration.md [devx-extension]: https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.aks-devx-tools [draft]: https://github.com/Azure/draft+ |
aks | Draft | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/draft.md | After you create your artifacts and set up GitHub OIDC, you can use `draft gener [az-aks-draft-create]: /cli/azure/aks/draft#az-aks-draft-create [az-aks-draft-setup-gh]: /cli/azure/aks/draft#az-aks-draft-setup-gh [az-aks-draft-generate-workflow]: /cli/azure/aks/draft#az-aks-draft-generate-workflow+ |
aks | Edge Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/edge-zones.md | After deploying your AKS cluster in an Edge Zone, learn about how you can [confi [az-aks-create]: /cli/azure/aks#az_aks_create [preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal+ |
aks | Egress Outboundtype | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/egress-outboundtype.md | az aks update -g <resourceGroup> -n <clusterName> --outbound-type userAssignedNA [az-feature-show]: /cli/azure/feature#az_feature_show [az-provider-register]: /cli/azure/provider#az_provider_register [az-aks-update]: /cli/azure/aks#az_aks_update+ |
aks | Egress Udr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/egress-udr.md | For more information on user-defined routes and Azure networking, see: * [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md) * [How to create, change, or delete a route table](../virtual-network/manage-route-table.md).+ |
aks | Enable Fips Nodes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-fips-nodes.md | To learn more about AKS security, see [Best practices for cluster security and u [install-azure-cli]: /cli/azure/install-azure-cli [node-image-upgrade]: node-image-upgrade.md [errors-mount-file-share-fips]: /troubleshoot/azure/azure-kubernetes/fail-to-mount-azure-file-share#fipsnodepool+ |
aks | Enable Host Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-host-encryption.md | description: Learn how to configure a host-based encryption in an Azure Kubernet Last updated 07/17/2023 +++ ms.devlang: azurecli Before you begin, review the following prerequisites and limitations. [akv-built-in-roles]: ../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations [az-aks-create]: /cli/azure/aks#az-aks-create [az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add+ |
aks | Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/events.md | Now that you understand Kubernetes events, you can continue your monitoring and [aks-azure-monitor]: ./monitor-aks.md [container-insights]: ../azure-monitor/containers/container-insights-enable-aks.md [k8s-events]: https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/event-v1/+ |
aks | Free Standard Pricing Tiers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/free-standard-pricing-tiers.md | Title: Azure Kubernetes Service (AKS) Free, Standard and Premium pricing tiers f description: Learn about the Azure Kubernetes Service (AKS) Free, Standard, and Premium pricing plans and what features, deployment patterns, and recommendations to consider between each plan. Last updated 04/07/2023+++ This process takes several minutes to complete. You shouldn't experience any dow [long-term-support]: long-term-support.md [long-term-support-update]: long-term-support.md#enable-lts-on-an-existing-cluster [install-azure-cli]: /cli/azure/install-azure-cli+ |
aks | Gpu Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/gpu-cluster.md | To see the GPU in action, you can schedule a GPU-enabled workload with the appro [az-extension-add]: /cli/azure/extension#az-extension-add [az-extension-update]: /cli/azure/extension#az-extension-update [NVadsA10]: /azure/virtual-machines/nva10v5-series+ |
aks | Ha Dr Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ha-dr-overview.md | For more information, see the following articles: - [About AKS backup using Azure Backup (preview)](../backup/azure-kubernetes-service-backup-overview.md) - [Back up AKS using Azure Backup (preview)](../backup/azure-kubernetes-service-cluster-backup.md)+ |
aks | Howto Deploy Java Liberty App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-liberty-app.md | Title: Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster recommendations: false description: Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster-+ Previously updated : 04/02/2024 Last updated : 01/16/2024 keywords: java, jakartaee, javaee, microprofile, open-liberty, websphere-liberty, aks, kubernetes The Open Liberty Operator simplifies the deployment and management of applicatio For more information on Open Liberty, see [the Open Liberty project page](https://openliberty.io/). For more information on IBM WebSphere Liberty, see [the WebSphere Liberty product page](https://www.ibm.com/cloud/websphere-liberty). -This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operators, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual). +This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. 
The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operator, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual). This article is intended to help you quickly get to deployment. Before going to production, you should explore [Tuning Liberty](https://www.ibm.com/docs/was-liberty/base?topic=tuning-liberty). [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] +* You can use Azure Cloud Shell or a local terminal. + [!INCLUDE [azure-cli-prepare-your-environment.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)] +* This article requires at least version 2.31.0 of Azure CLI. If using Azure Cloud Shell, the latest version is already installed. + > [!NOTE] > You can also execute this guidance from the [Azure Cloud Shell](/azure/cloud-shell/quickstart). This approach has all the prerequisite tools pre-installed, with the exception of Docker. > > :::image type="icon" source="~/reusable-content/ce-skilling/azure/media/cloud-shell/launch-cloud-shell-button.png" alt-text="Button to launch the Azure Cloud Shell." border="false" link="https://shell.azure.com"::: -* Prepare a local machine with a Unix-like operating system installed (for example, Ubuntu, macOS, Windows Subsystem for Linux). -* This article requires at least version 2.31.0 of Azure CLI. -* Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)). 
-* Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher. -* Install [Docker](https://docs.docker.com/get-docker/) for your OS. +* If running the commands in this guide locally (instead of Azure Cloud Shell): + * Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, Azure Linux, macOS, Windows Subsystem for Linux). + * Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)). + * Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher. + * Install [Docker](https://docs.docker.com/get-docker/) for your OS. * Make sure you're assigned either the `Owner` role or the `Contributor` and `User Access Administrator` roles in the subscription. You can verify it by following steps in [List role assignments for a user or group](../role-based-access-control/role-assignments-list-portal.md#list-role-assignments-for-a-user-or-group). ## Create a Liberty on AKS deployment using the portal You can learn more from the following references: * [Open Liberty](https://openliberty.io/) * [Open Liberty Operator](https://github.com/OpenLiberty/open-liberty-operator) * [Open Liberty Server Configuration](https://openliberty.io/docs/ref/config/)+ |
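Review bot: The new prerequisites list in howto-deploy-java-liberty-app.md puts "Install Docker for your OS" only under "If running the commands in this guide locally (instead of Azure Cloud Shell)", while the unchanged note just above it says Cloud Shell has all the prerequisite tools pre-installed "with the exception of Docker". A reader who follows the Cloud Shell path is therefore never told how to meet the Docker requirement. Either move the Docker item out of the local-only sub-list or say explicitly which steps Cloud Shell users must run elsewhere. The added bullet "You can use Azure Cloud Shell or a local terminal." also repeats what the note already says and could be dropped. Separately, the metadata line reads "Previously updated : 04/02/2024 Last updated : 01/16/2024", so the date appears to move backwards; confirm that is intended.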
aks | Howto Deploy Java Quarkus App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-quarkus-app.md | Title: "Deploy Quarkus on Azure Kubernetes Service" description: Shows how to quickly stand up Quarkus on Azure Kubernetes Service.-+ You may also want to use `docker rmi` to delete the container images `postgres` - [Deploy serverless Java apps with Quarkus on Azure Functions](/azure/azure-functions/functions-create-first-quarkus) - [Quarkus](https://quarkus.io/) - [Jakarta EE on Azure](/azure/developer/java/ee)+ |
aks | Howto Deploy Java Wls App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-wls-app.md | Title: "Deploy WebLogic Server on Azure Kubernetes Service using the Azure portal" description: Shows how to quickly stand up WebLogic Server on Azure Kubernetes Service.-+ Last updated 02/09/2024 Learn more about running WLS on AKS or virtual machines by following these links > [!div class="nextstepaction"] > [WLS on virtual machines](/azure/virtual-machines/workloads/oracle/oracle-weblogic)+ |
aks | Http Application Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-application-routing.md | For information on how to install an HTTPS-secured ingress controller in AKS, se [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs [ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/ [ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource+ |
aks | Http Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-proxy.md | For more information regarding the network requirements of AKS clusters, see [co [az-extension-add]: /cli/azure/extension#az_extension_add [az-extension-update]: /cli/azure/extension#az-extension-update [install-azure-cli]: /cli/azure/install-azure-cli+ |
aks | Image Cleaner | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/image-cleaner.md | The `eraser-aks-xxxxx` pod deletes within 10 minutes after work completion. You [az-aks-update]: /cli/azure/aks#az_aks_update [trivy]: https://github.com/aquasecurity/trivy [az-aks-show]: /cli/azure/aks#az_aks_show+ |
aks | Image Integrity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/image-integrity.md | In this article, you learned how to use Image Integrity to validate signed image <! External links -> [ratify]: https://github.com/deislabs/ratify [image-integrity-policy]: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf426bb8-b320-4321-8545-1b784a5df3a4+ |
aks | Ingress Basic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-basic.md | This article included some external components to AKS. To learn more about these [acr-helm]: ../container-registry/container-registry-helm-repos.md [azure-powershell-install]: /powershell/azure/install-az-ps [aks-app-add-on]: app-routing.md+ |
aks | Ingress Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-tls.md | You can also: [new-az-public-ip-address]: /powershell/module/az.network/new-azpublicipaddress [aks-app-add-on]: app-routing.md [parameter-targettag]: /powershell/module/az.containerregistry/import-azcontainerregistryimage+ |
aks | Integrations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md | description: Learn about the add-ons, extensions, and open-source integrations y Last updated 05/22/2023+++ # Add-ons, extensions, and other integrations with Azure Kubernetes Service (AKS) For more information, see [Windows AKS partner solutions][windows-aks-partner-so [github-actions-aks]: kubernetes-action.md [az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons [windows-aks-partner-solutions]: windows-aks-partner-solutions.md+ |
aks | Internal Lb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/internal-lb.md | To learn more about Kubernetes services, see the [Kubernetes services documentat [get-azvirtualnetworksubnetconfig]: /powershell/module/az.network/get-azvirtualnetworksubnetconfig [az-network-private-link-service-list]: /cli/azure/network/private-link-service#az_network_private_link_service_list [az-network-private-endpoint-create]: /cli/azure/network/private-endpoint#az_network_private_endpoint_create+ |
aks | Intro Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md | description: Learn the features and benefits of Azure Kubernetes Service to depl Last updated 05/02/2023+++ # What is Azure Kubernetes Service? Learn more about deploying and managing AKS. [helm]: quickstart-helm.md [aks-best-practices]: best-practices.md [intro-azure-linux]: ../azure-linux/intro-azure-linux.md+ |
aks | Istio About | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-about.md | Istio-based service mesh add-on for AKS has the following limitations: [azure-cni-cilium]: azure-cni-powered-by-cilium.md [open-service-mesh-about]: open-service-mesh-about.md -[istio-deploy-addon]: istio-deploy-addon.md +[istio-deploy-addon]: istio-deploy-addon.md |
aks | Istio Deploy Addon | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-deploy-addon.md | az group delete --name ${RESOURCE_GROUP} --yes --no-wait [istio-deploy-ingress]: istio-deploy-ingress.md [az-aks-mesh-get-revisions]: /cli/azure/aks/mesh#az-aks-mesh-get-revisions(aks-preview) [bicep-aks-resource-definition]: /azure/templates/microsoft.containerservice/managedclusters+ |
aks | Istio Deploy Ingress | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-deploy-ingress.md | az group delete --name ${RESOURCE_GROUP} --yes --no-wait ``` [istio-deploy-addon]: istio-deploy-addon.md+ |
aks | Istio Meshconfig | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-meshconfig.md | Fields present in [open source MeshConfig reference documentation][istio-meshcon [istio-meshconfig]: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/ [istio-sidecar-race-condition]: https://istio.io/latest/docs/ops/common-problems/injection/#pod-or-containers-start-with-network-issues-if-istio-proxy-is-not-ready+ |
aks | Istio Plugin Ca | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-plugin-ca.md | You may need to periodically rotate the certificate authorities for security or [az-aks-mesh-disable]: /cli/azure/aks/mesh#az-aks-mesh-disable [istio-generate-certs]: https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/#plug-in-certificates-and-key-into-the-cluster [istio-mtls-reference]: https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication+ |
aks | Istio Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-upgrade.md | The following example illustrates how to upgrade from revision `asm-1-18` to `as [istio-canary-upstream]: https://istio.io/latest/docs/setup/upgrade/canary/ [meshconfig]: ./istio-meshconfig.md [meshconfig-canary-upgrade]: ./istio-meshconfig.md#mesh-configuration-and-upgrades+ |
aks | Keda About | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-about.md | For GA Kubernetes versions, AKS offers full support of the corresponding KEDA mi [keda-scalers]: https://keda.sh/docs/scalers/ [keda-http-add-on]: https://github.com/kedacore/http-add-on [keda-cosmos-db-scaler]: https://github.com/kedacore/external-scaler-azure-cosmos-db-[azure-support-faq]: https://azure.microsoft.com/support/legal/faq/ +[azure-support-faq]: https://azure.microsoft.com/support/legal/faq/ |
aks | Keda Deploy Add On Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-arm.md | To learn more, view the [upstream KEDA docs][keda]. [keda-scalers]: https://keda.sh/docs/scalers/ [keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue [keda]: https://keda.sh/docs/2.12/+ |
aks | Keda Deploy Add On Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-cli.md | To learn more, view the [upstream KEDA docs][keda]. [kubectl]: https://kubernetes.io/docs/user-guide/kubectl [keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue [keda]: https://keda.sh/docs/2.12/+ |
aks | Keda Integrations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-integrations.md | You can also install external scalers to autoscale on other Azure [keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue [prometheus-scaler]: https://keda.sh/docs/2.11/scalers/prometheus/ [keda]: https://keda.sh/docs/2.12/+ |
aks | Kubelet Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubelet-logs.md | description: Learn how to view troubleshooting information in the kubelet logs f Last updated 05/09/2023+++ #Customer intent: As a cluster operator, I want to view the logs for the kubelet that runs on each node in an AKS cluster to troubleshoot problems. If you need more troubleshooting information for the Kubernetes main, see [view [aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md [azure-container-logs]: ../azure-monitor/containers/container-insights-overview.md+ |
aks | Kubernetes Action | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-action.md | Title: Build, test, and deploy containers to Azure Kubernetes Service (AKS) usin description: Learn how to use GitHub Actions to build, test, and deploy containers to Azure Kubernetes Service (AKS). Last updated 09/12/2023+++ Review the following starter workflows for AKS. For more information, see [Using [gh-azure-vote]: https://github.com/Azure-Samples/azure-voting-app-redis [actions/checkout]: https://github.com/actions/checkout [az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac+ |
aks | Kubernetes Helm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-helm.md | Title: Install existing applications with Helm in Azure Kubernetes Service (AKS) description: Learn how to use the Helm packaging tool to deploy containers in an Azure Kubernetes Service (AKS) cluster-+ Last updated 05/09/2023-+ #Customer intent: As a cluster operator or developer, I want to learn how to deploy Helm into an AKS cluster and then install and manage applications using Helm charts. For more information about managing Kubernetes application deployments with Helm [aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md [taints]: operator-best-practices-advanced-scheduler.md+ |
aks | Kubernetes Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-service-principal.md | description: Learn how to create and manage a Microsoft Entra service principal Last updated 06/27/2023+++ #Customer intent: As a cluster operator, I want to understand how to create a service principal and delegate permissions for AKS to access required resources. In large enterprise environments, the user that deploys the cluster (or CI/CD system), may not have permissions to create this service principal automatically when the cluster is created. For information on how to update the credentials, see [Update or rotate the cred [remove-azadserviceprincipal]: /powershell/module/az.resources/remove-azadserviceprincipal [use-managed-identity]: use-managed-identity.md [managed-identity-resources-overview]: ..//active-directory/managed-identities-azure-resources/overview.md+ |
aks | Quick Kubernetes Deploy Azd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-azd.md | To learn more about AKS and walk through a complete code-to-deployment example, [kubernetes-concepts]: ../concepts-clusters-workloads.md [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Kubernetes Deploy Bicep Extensibility Kubernetes Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-bicep-extensibility-kubernetes-provider.md | description: Learn how to quickly deploy a Kubernetes cluster using the Bicep ex Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure. To learn more about AKS and walk through a complete code-to-deployment example, [az-sshkey-create]: /cli/azure/sshkey#az_sshkey_create [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Kubernetes Deploy Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-bicep.md | Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Bicep description: Learn how to quickly deploy a Kubernetes cluster using a Bicep file and deploy an application in Azure Kubernetes Service (AKS). Last updated 12/27/2023+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure. To learn more about AKS and walk through a complete code-to-deployment example, [az-sshkey-create]: /cli/azure/sshkey#az_sshkey_create [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Kubernetes Deploy Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-cli.md | Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Azure description: Learn how to quickly deploy a Kubernetes cluster and deploy an application in Azure Kubernetes Service (AKS) using Azure CLI. Last updated 01/10/2024+++ #Customer intent: As a developer or cluster operator, I want to deploy an AKS cluster and deploy an application so I can see how to run applications using the managed Kubernetes service in Azure. To learn more about AKS and walk through a complete code-to-deployment example, [kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Kubernetes Deploy Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-powershell.md | Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Azure description: Learn how to quickly deploy a Kubernetes cluster and deploy an application in Azure Kubernetes Service (AKS) using PowerShell. Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure. To learn more about AKS and walk through a complete code-to-deployment example, [azure-resource-group]: ../../azure-resource-manager/management/overview.md [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Kubernetes Deploy Rm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-rm-template.md | Title: 'Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using an AR description: Learn how to quickly deploy a Kubernetes cluster using an Azure Resource Manager template and deploy an application in Azure Kubernetes Service (AKS). Last updated 01/12/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure. To learn more about AKS and walk through a complete code-to-deployment example, [ssh-keys]: ../../virtual-machines/linux/create-ssh-keys-detailed.md [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Kubernetes Deploy Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-terraform.md | To learn more about AKS and walk through a complete code-to-deployment example, [azd-hooks]: /azure/developer/azure-developer-cli/reference#azd-hooks [azd-overview]: /azure/developer/azure-developer-cli [aks-home]: /azure/aks+ |
aks | Quick Windows Container Deploy Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-cli.md | description: Learn how to quickly deploy a Kubernetes cluster and deploy an appl Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure. To learn more about AKS, and to walk through a complete code-to-deployment examp [windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference [win-faq-change-admin-creds]: ../windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json+ |
aks | Quick Windows Container Deploy Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-windows-container-deploy-powershell.md | Title: Deploy a Windows Server container on an Azure Kubernetes Service (AKS) cl description: Learn how to quickly deploy a Kubernetes cluster and deploy an application in a Windows Server container in Azure Kubernetes Service (AKS) using PowerShell. Last updated 01/11/2024+++ #Customer intent: As a developer or cluster operator, I want to quickly deploy an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure. To learn more about AKS, and to walk through a complete code-to-deployment examp [new-azaksnodepool]: /powershell/module/az.aks/new-azaksnodepool [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json [win-faq-change-admin-creds]: ../windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster+ |
aks | Limit Egress Traffic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/limit-egress-traffic.md | For information on how to override Azure's default system routes or add addition This section covers three network rules and an application rule you can use to configure on your firewall. You may need to adapt these rules based on your deployment. * The first network rule allows access to port 9000 via TCP.-* The second network rule allows access to port 1194 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US. +* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US. +* The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options. * The fourth and fifth network rules allow access to pull containers from GitHub Container Registry (ghcr.io) and Docker Hub (docker.io). 1. Create the network rules using the [`az network firewall network-rule create`][az-network-firewall-network-rule-create] command. 
This section covers three network rules and an application rule you can use to c az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'apitcp' --protocols 'TCP' --source-addresses '*' --destination-addresses "AzureCloud.$LOC" --destination-ports 9000 + az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123 + az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'ghcr' --protocols 'TCP' --source-addresses '*' --destination-fqdns ghcr.io pkg-containers.githubusercontent.com --destination-ports '443' az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'docker' --protocols 'TCP' --source-addresses '*' --destination-fqdns docker.io registry-1.docker.io production.cloudflare.docker.com --destination-ports '443' In this article, you learned how to secure your outbound traffic using Azure Fir [Use a pre-created kubelet managed identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity [az-identity-create]: /cli/azure/identity#az_identity_create [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials+ |
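Review bot: the section intro still reads "three network rules and an application rule", but the bullet list in this change now describes five network rules (first through fifth), so the count needs updating. The second bullet was changed to "port 1194 and 123 via UDP", while the new third bullet and the added `time` command open UDP 123 only to the `ntp.ubuntu.com` FQDN; if 123 is meant to be reachable only for NTP, leave the second bullet at "1194 via UDP" so the documented egress rules stay as narrow as the commands. The sentence "Both these rules will only allow traffic destined to the Azure Region CIDR" should also name which two rules it covers, since the FQDN-based rules added after it are not limited to that CIDR.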
aks | Load Balancer Standard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/load-balancer-standard.md | To learn more about using internal load balancer for inbound traffic, see the [A [maxsurge]: ./upgrade-aks-cluster.md#customize-node-surge-upgrade [az-lb]: ../load-balancer/load-balancer-overview.md [alb-outbound-rules]: ../load-balancer/outbound-rules.md+ |
aks | Long Term Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/long-term-support.md | az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes > [!NOTE] > Kubernetes 1.30.2 is used as an example version in this article. Check the [AKS release tracker](release-tracker.md) for available Kubernetes releases.+ |
aks | Manage Abort Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-abort-operations.md | Title: Abort an Azure Kubernetes Service (AKS) long running operation description: Learn how to terminate a long running operation on an Azure Kubernetes Service cluster at the node pool or cluster level. Last updated 3/23/2023+++ Learn more about [Container insights](../azure-monitor/containers/container-insi <!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli+ |
aks | Manage Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-azure-rbac.md | To learn more about AKS authentication, authorization, Kubernetes RBAC, and Azur [az-role-definition-create]: /cli/azure/role/definition#az-role-definition-create [az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials [kubernetes-rbac]: /azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization+ |
aks | Manage Local Accounts Managed Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-local-accounts-managed-azure-ad.md | description: Learn how to managed local accounts when integrating Microsoft Entr Last updated 04/20/2023+++ You can disable local accounts using the parameter `disable-local-accounts`. The [az-aks-update]: /cli/azure/aks#az_aks_update [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials [azure-rbac-integration]: manage-azure-rbac.md+ |
aks | Manage Node Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-node-pools.md | description: Learn how to manage node pools for a cluster in Azure Kubernetes Se Last updated 07/19/2023+++ When you use an Azure Resource Manager template to create and manage resources, [use-tags]: use-tags.md [az-extension-add]: /cli/azure/extension#az_extension_add [az-extension-update]: /cli/azure/extension#az_extension_update+ |
aks | Manage Ssh Node Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-ssh-node-access.md | To help troubleshoot any issues with SSH connectivity to your clusters nodes, yo [az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az-aks-nodepool-upgrade [network-security-group-rules-overview]: concepts-security.md#azure-network-security-groups [kubelet-debug-node-access]: node-access.md-[run-command-invoke]: /cli/azure/vmss/run-command#az-vmss-run-command-invoke +[run-command-invoke]: /cli/azure/vmss/run-command#az-vmss-run-command-invoke |
aks | Monitor Aks Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks-reference.md | Title: Monitor AKS data reference description: Important reference material needed when you monitor AKS Last updated 08/01/2023+++ For more information on the schema of Activity Log entries, see [Activity Log s - See [Monitoring Azure AKS](monitor-aks.md) for a description of monitoring Azure AKS. - See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.+ |
aks | Monitor Aks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks.md | Title: Monitor Azure Kubernetes Service (AKS) description: Start here to learn how to monitor Azure Kubernetes Service (AKS).-+ When the [Network Observability](/azure/aks/network-observability-overview) add- <!-- Add additional links. You can change the wording of these and add more if useful. --> - See [Monitoring AKS data reference](monitor-aks-reference.md) for a reference of the metrics, logs, and other important values created by AKS.+ |
aks | Monitor Control Plane Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-control-plane-metrics.md | After evaluating this preview feature, [share your feedback][share-feedback]. We [list-of-default-metrics-aks-control-plane]: control-plane-metrics-default-list.md [az-feature-unregister]: /cli/azure/feature#az-feature-unregister [release-tracker]: https://releases.aks.azure.com/#tabversion+ |
aks | Nat Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/nat-gateway.md | For more information on Azure NAT Gateway, see [Azure NAT Gateway][nat-docs]. [az-network-vnet-create]: /cli/azure/network/vnet#az_network_vnet_create [az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add [az-provider-register]: /cli/azure/provider#az_provider_register+ |
aks | Network Observability Byo Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-byo-cli.md | In this how-to article, you learned how to install and enable AKS Network Observ - For more information about AKS Network Observability, see [What is Azure Kubernetes Service (AKS) Network Observability?](network-observability-overview.md). - To create an AKS cluster with Network Observability and managed Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) Azure managed Prometheus and Grafana](network-observability-managed-cli.md).+ |
aks | Network Observability Managed Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-managed-cli.md | In this how-to article, you learned how to install and enable AKS Network Observ - For more information about AKS Network Observability, see [What is Azure Kubernetes Service (AKS) Network Observability?](network-observability-overview.md). - To create an AKS cluster with Network Observability and BYO Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) BYO Prometheus and Grafana](network-observability-byo-cli.md).+ |
aks | Network Observability Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/network-observability-overview.md | Certain scale limitations apply when you use Azure managed Prometheus and Grafan - To create an AKS cluster with Network Observability and Azure managed Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) Azure managed Prometheus and Grafana](network-observability-managed-cli.md). - To create an AKS cluster with Network Observability and BYO Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) BYO Prometheus and Grafana](network-observability-byo-cli.md).+ |
aks | Node Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-access.md | description: Learn how to connect to Azure Kubernetes Service (AKS) cluster node Last updated 01/08/2024+++ #Customer intent: As a cluster operator, I want to learn how to connect to virtual machines in an AKS cluster to perform maintenance or troubleshoot a problem. To learn about managing your SSH keys, see [Manage SSH configuration][manage-ssh [agent-pool-rest-api]: /rest/api/aks/agent-pools/get#agentpool [manage-ssh-node-access]: manage-ssh-node-access.md [azure-bastion-linux]:../bastion/bastion-connect-vm-ssh-linux.md+ |
aks | Node Auto Repair | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-auto-repair.md | Title: Automatically repair Azure Kubernetes Service (AKS) nodes description: Learn about node auto-repair functionality and how AKS fixes broken worker nodes. Last updated 05/30/2023+++ # Azure Kubernetes Service (AKS) node auto-repair Use [availability zones][availability-zones] to increase high availability with [vm-updates]: ../virtual-machines/maintenance-and-updates.md [scheduled-events]: ../virtual-machines/linux/scheduled-events.md [spot-node-pools]: spot-node-pool.md+ |
aks | Node Image Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-image-upgrade.md | az aks nodepool show \ [az-aks-upgrade]: /cli/azure/aks#az_aks_upgrade [az-aks-show]: /cli/azure/aks#az_aks_show [upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices+ |
aks | Node Pool Snapshot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-pool-snapshot.md | az aks create --name myAKSCluster2 --resource-group myResourceGroup --snapshot-i [az-feature-register]: /cli/azure/feature#az_feature_register [az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli [az-provider-register]: /cli/azure/provider#az_provider_register+ |
aks | Node Problem Detector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-problem-detector.md | Title: Node Problem Detector (NPD) in Azure Kubernetes Service (AKS) nodes description: Learn about how AKS uses Node Problem Detector to expose issues with the node. Last updated 05/31/2023+++ # Node Problem Detector (NPD) in Azure Kubernetes Service (AKS) nodes problem_gauge{reason="VMEventScheduled",type="VMEventScheduled"} 0 ## Next steps For more information on NPD, see [kubernetes/node-problem-detector](https://github.com/kubernetes/node-problem-detector).+ |
aks | Node Updates Kured | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-updates-kured.md | For a detailed discussion of upgrade best practices and other considerations, se [nodepool-upgrade]: manage-node-pools.md#upgrade-a-single-node-pool [node-image-upgrade]: node-image-upgrade.md [upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices+ |
aks | Node Upgrade Github Actions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-upgrade-github-actions.md | For a detailed discussion of upgrade best practices and other considerations, se [azure-rbac-scope-levels]: ../role-based-access-control/scope-overview.md#scope-format [az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac [upgrade-operators-guide]: /azure/architecture/operator-guides/aks/aks-upgrade-practices+ |
aks | Open Ai Secure Access Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-ai-secure-access-quickstart.md | For more information on Microsoft Entra Workload ID, see [Microsoft Entra Worklo [kubectl-get-pods]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs [kubectl-describe-pod]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe+ |
aks | Open Service Mesh About | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-service-mesh-about.md | After enabling the OSM add-on using the [Azure CLI][osm-azure-cli] or a [Bicep t [osm-nginx]: https://release-v1-2.docs.openservicemesh.io/docs/demos/ingress_k8s_nginx [app-routing]: app-routing.md [istio-about]: istio-about.md+ |
aks | Open Service Mesh Istio Migration Guidance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-service-mesh-istio-migration-guidance.md | You should now see both the `bookbuyer` and `bookthief` UI incrementing for the ## Summary We hope this walk-through provided the necessary guidance on how to migrate your current OSM policies to Istio policies. Take time and review the [Istio Concepts](https://istio.io/latest/docs/concepts/) and walking through [Istio's own Getting Started guide](https://istio.io/latest/docs/setup/getting-started/) to learn how to use the Istio service mesh to manage your applications.+ |
aks | Open Service Mesh Uninstall Add On | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-service-mesh-uninstall-add-on.md | description: How to uninstall the Open Service Mesh on Azure Kubernetes Service Last updated 06/19/2023+++ # Uninstall the Open Service Mesh (OSM) add-on from your Azure Kubernetes Service (AKS) cluster Learn more about [Open Service Mesh][osm]. <!-- LINKS - Internal --> [az-aks-disable-addon]: /cli/azure/aks#az_aks_disable_addons [osm]: ./open-service-mesh-about.md+ |
aks | Openfaas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/openfaas.md | Continue to learn with the [OpenFaaS workshop][openfaas-workshop], which include [az-group-create]: /cli/azure/group#az_group_create [az-cosmosdb-create]: /cli/azure/cosmosdb#az_cosmosdb_create [az-cosmosdb-list]: /cli/azure/cosmosdb#az_cosmosdb_list+ |
aks | Supported Kubernetes Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/supported-kubernetes-versions.md | For the past release history, see [Kubernetes history](https://github.com/kubern | K8s version | Upstream release | AKS preview | AKS GA | End of life | Platform support | |--|-|--||-|--|-| 1.25 | Aug 2022 | Oct 2022 | Dec 2022 | Jan 14, 2024 | Until 1.29 GA | | 1.26 | Dec 2022 | Feb 2023 | Apr 2023 | Mar 2024 | Until 1.30 GA | | 1.27* | Apr 2023 | Jun 2023 | Jul 2023 | Jul 2024, LTS until Jul 2025 | Until 1.31 GA | | 1.28 | Aug 2023 | Sep 2023 | Nov 2023 | Nov 2024 | Until 1.32 GA| | 1.29 | Dec 2023 | Feb 2024 | Mar 2024 | | Until 1.33 GA |+| 1.30 | Apr 2024 | May 2024 | Jun 2024 | | Until 1.34 GA | *\* Indicates the version is designated for Long Term Support* Note the following important changes before you upgrade to any of the available |Kubernetes Version | AKS Managed Addons | AKS Components | OS components | Breaking Changes | Notes |--||-||-||-| 1.25 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.5.3<br>Image Cleaner v1.1.1<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>| Ubuntu 22.04 by default with cgroupv2 and Overlay VPA 0.13.0 |CgroupsV2 - If you deploy Java applications with the JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which fully support cgroup v2 | 1.26 | Azure policy 1.3.0<br>Metrics-Server 0.6.3<br>KEDA 2.10.1<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 
1.5.3<br>Image Cleaner v1.2.3<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0<br>azurefile-csi-driver 1.26.10<br>| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|azurefile-csi-driver 1.26.10 |None | 1.27 | Azure policy 1.3.0<br>azuredisk-csi driver v1.28.5<br>azurefile-csi driver v1.28.7<br>blob-csi v1.22.4<br>csi-attacher v4.3.0<br>csi-resizer v1.8.0<br>csi-snapshotter v6.2.2<br>snapshot-controller v6.2.2<br>Metrics-Server 0.6.3<br>Keda 2.11.2<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.7.2<br>Image Cleaner v1.2.3<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>azurefile-csi-driver 1.28.7<br>KMS 0.5.0<br>CSI Secret store driver 1.3.4-1<br>|Cilium 1.13.10-1<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7 for Linux and 1.6 for Windows<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|Keda 2.11.2<br>Cilium 1.13.10-1<br>azurefile-csi-driver 1.28.7<br>azuredisk-csi driver v1.28.5<br>blob-csi v1.22.4<br>csi-attacher v4.3.0<br>csi-resizer v1.8.0<br>csi-snapshotter v6.2.2<br>snapshot-controller v6.2.2|Because of Ubuntu 22.04 FIPS certification status, we'll switch AKS FIPS nodes from 18.04 to 20.04 from 1.27 onwards. 
| 1.28 | Azure policy 1.3.0<br>azurefile-csi-driver 1.29.2<br>csi-node-driver-registrar v2.9.0<br>csi-livenessprobe 2.11.0<br>azuredisk-csi-linux v1.29.2<br>azuredisk-csi-windows v1.29.2<br>csi-provisioner v3.6.2<br>csi-attacher v4.5.0<br>csi-resizer v1.9.3<br>csi-snapshotter v6.2.2<br>snapshot-controller v6.2.2<br>Metrics-Server 0.6.3<br>KEDA 2.11.2<br>Open Service Mesh 1.2.7<br>Core DNS V1.9.4<br>Overlay VPA 0.13.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.7.2<br>Image Cleaner v1.2.3<br>Azure Workload identity v1.2.0<br>MDC Defender Security Publisher 1.0.68<br>CSI Secret store driver 1.3.4-1<br>MDC Defender Old File Cleaner 1.3.68<br>MDC Defender Pod Collector 1.0.78<br>MDC Defender Low Level Collector 1.3.81<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.8.1|Cilium 1.13.10-1<br>CNI v1.4.43.1 (Default)/v1.5.11 (Azure CNI Overlay)<br> Cluster Autoscaler 1.27.3<br>Tigera-Operator 1.28.13| OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7.5 for Linux and 1.7.1 for Windows<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|azurefile-csi-driver 1.29.2<br>csi-resizer v1.9.3<br>csi-attacher v4.4.2<br>csi-provisioner v4.4.2<br>blob-csi v1.23.2<br>azurefile-csi driver v1.29.2<br>azuredisk-csi driver v1.29.2<br>csi-livenessprobe v2.11.0<br>csi-node-driver-registrar v2.9.0|None New Supported Version List Platform support policy is a reduced support plan for certain unsupported Kubernetes versions. During platform support, customers only receive support from Microsoft for AKS/Azure platform related issues. Any issues related to Kubernetes functionality and components aren't supported. -Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.25 is considered platform support when v1.28 is the latest GA version. However, during the v1.29 GA release, v1.25 will then auto-upgrade to v1.26. 
If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy. +Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.26 is considered platform support when v1.29 is the latest GA version. However, during the v1.30 GA release, v1.26 will then auto-upgrade to v1.27. If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy. AKS relies on the releases and patches from [Kubernetes](https://kubernetes.io/releases/), which is an Open Source project that only supports a sliding window of three minor versions. AKS can only guarantee [full support](#kubernetes-version-support-policy) while those versions are being serviced upstream. Since there's no more patches being produced upstream, AKS can either leave those versions unpatched or fork. Due to this limitation, platform support doesn't support anything from relying on Kubernetes upstream. |
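Review bot: The rewritten platform support paragraph still carries the typo "If you are a running an n-2 version"; the line is already being touched to move the example from v1.25/v1.28 to v1.26/v1.29, so change it to "If you are running an n-2 version" in the same edit. In the version table, the added 1.30 row leaves the End of life cell empty, as the existing 1.29 row does; if the date is not yet decided, say so in the cell so the blank does not read as a missed field.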
api-management | Add Api Manually | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/add-api-manually.md | |
api-management | Api Management Api Import Restrictions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-api-import-restrictions.md | |
api-management | Api Management Authenticate Authorize Azure Openai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-authenticate-authorize-azure-openai.md | |
api-management | Api Management Capacity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-capacity.md | |
api-management | Api Management Configuration Repository Git | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-configuration-repository-git.md | This article describes how to enable and use Git to manage your service configur > [!IMPORTANT] > This feature is designed to work with small to medium API Management service configurations, such as those with an exported size less than 10 MB, or with fewer than 10,000 entities. Services with a large number of entities (products, APIs, operations, schemas, and so on) may experience unexpected failures when processing Git commands. If you encounter such failures, please reduce the size of your service configuration and try again. Contact Azure Support if you need assistance. --- ## Access Git configuration in your service 1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/). |
api-management | Api Management Debug Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-debug-policies.md | This article describes how to debug API Management policies using the [Azure API ## Restrictions and limitations -* This feature is only available in the **Developer** tier of API Management. Each API Management instance supports only one concurrent debugging session. - * This feature uses the built-in (service-level) all-access subscription (display name "Built-in all-access subscription") for debugging. The [**Allow tracing**](api-management-howto-api-inspector.md#verify-allow-tracing-setting) setting must be enabled in this subscription. [!INCLUDE [api-management-tracing-alert](../../includes/api-management-tracing-alert.md)] |
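Review bot: The bullet removed under "Restrictions and limitations" held two separate statements, and only the first is about tier availability. "Each API Management instance supports only one concurrent debugging session" is an operational limit that disappears with the deletion, and nothing in the visible lines restates it. Keep it as its own bullet next to the one about the built-in all-access subscription and the **Allow tracing** setting.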
api-management | Api Management Error Handling Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-error-handling-policies.md | |
api-management | Api Management Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-features.md | -Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct set of features and per unit [capacity](api-management-capacity.md). The following table summarizes the key features available in each of the tiers. Some features might work differently or have different capabilities depending on the tier. In such cases the differences are called out in the documentation articles describing these individual features. ++Each API Management [pricing tier](api-management-key-concepts.md#api-management-tiers) offers a distinct set of features and per unit [capacity](api-management-capacity.md). The following table summarizes the key features available in each of the tiers. Some features might work differently or have different capabilities depending on the tier. In such cases the differences are called out in the documentation articles describing these individual features. > [!IMPORTANT] > * The Developer tier is for non-production use cases and evaluations. It doesn't offer SLA.-> * The Consumption tier isn't available in the US Government cloud or the Microsoft Azure operated by 21Vianet cloud. -> * API Management **v2 tiers** are now in preview, with updated feature availability. [Learn more](v2-service-tiers-overview.md). 
---| Feature | Consumption | Developer | Basic | Standard | Premium | -| -- | -- | | -- | -- | - | -| Microsoft Entra integration<sup>1</sup> | No | Yes | No | Yes | Yes | -| Virtual Network (VNet) support | No | Yes | No | No | Yes | -| Private endpoint support for inbound connections | No | Yes | Yes | Yes | Yes | -| Multi-region deployment | No | No | No | No | Yes | -| Availability zones | No | No | No | No | Yes | -| Multiple custom domain names | No | Yes | No | No | Yes | -| Developer portal<sup>2</sup> | No | Yes | Yes | Yes | Yes | -| Built-in cache | No | Yes | Yes | Yes | Yes | -| Built-in analytics | No | Yes | Yes | Yes | Yes | -| [Self-hosted gateway](self-hosted-gateway-overview.md)<sup>3</sup> | No | Yes | No | No | Yes | -| [Workspaces](workspaces-overview.md) | No | No | No | No | Yes | -| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | Yes | Yes | Yes | Yes | Yes | -| [External cache](./api-management-howto-cache-external.md) | Yes | Yes | Yes | Yes | Yes | -| [Client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) | Yes | Yes | Yes | Yes | Yes | -| [Policies](api-management-howto-policies.md)<sup>4</sup> | Yes | Yes | Yes | Yes | Yes | -| [API credentials](credentials-overview.md) | Yes | Yes | Yes | Yes | Yes | -| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | Yes | Yes | -| [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes | Yes | Yes | -| Direct management API | No | Yes | Yes | Yes | Yes | -| Azure Monitor metrics | Yes | Yes | Yes | Yes | Yes | -| Azure Monitor and Log Analytics request logs | No | Yes | Yes | Yes | Yes | -| Application Insights request logs | Yes | Yes | Yes | Yes | Yes | -| Static IP | No | Yes | Yes | Yes | Yes | -| [Pass-through WebSocket APIs](websocket-api.md) | No | Yes | Yes | Yes | Yes | -| [Pass-through GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes 
| -| [Synthetic GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes | -| [Pass-through gRPC APIs](grpc-api.md) (preview) | No | Yes | No | No | Yes | +> * The Consumption tier isn't available in the US Government cloud or the Microsoft Azure operated by 21Vianet cloud. +> * For information about APIs supported in the API Management gateway available in different tiers, see [API Management gateways overview](api-management-gateways-overview.md#backend-apis). +++| Feature | Consumption | Developer | Basic | Basic v2 |Standard | Standard v2 | Premium | +| -- | -- | | | | -- | -- | - | +| Microsoft Entra integration<sup>1</sup> | No | Yes | No | Yes | Yes | Yes | Yes | +| Virtual Network (VNet) injection support | No | Yes | No | No | No | No | Yes | +| Private endpoint support for inbound connections | No | Yes | Yes | No | Yes | No | Yes | +| Outbound virtual network integration support | No | No | No | No | No | Yes | No | +| Multi-region deployment | No | No | No | No | No | No | Yes | +| Availability zones | No | No | No | No | No | No | Yes | +| Multiple custom domain names for gateway | No | Yes | No | No | No | No | Yes | +| Developer portal<sup>2</sup> | No | Yes | Yes | Yes | Yes | Yes | Yes | +| Built-in cache | No | Yes | Yes | Yes | Yes | Yes | Yes | +| [External cache](./api-management-howto-cache-external.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes | +| Autoscaling | No | No | Yes | No | Yes | No |Yes | +| API analytics | No | Yes | Yes | Yes | Yes | Yes | Yes | +| [Self-hosted gateway](self-hosted-gateway-overview.md)<sup>3</sup> | No | Yes | No | No | No | No | Yes | +| [Workspaces](workspaces-overview.md) | No | No | No | No | No | No | Yes | +| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | +| [Client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes | +| 
[Policies](api-management-howto-policies.md)<sup>4</sup> | Yes | Yes | Yes | Yes | Yes | Yes | Yes | +| [Credential manager](credentials-overview.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | +| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | No | Yes | No | Yes | +| [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes |No | Yes | No | Yes | +| Direct management API | No | Yes | Yes | No | Yes |No | Yes | +| Azure Monitor metrics | Yes | Yes | Yes | Yes | Yes | Yes | Yes | +| Azure Monitor and Log Analytics request logs | No | Yes | Yes | Yes | Yes | Yes |Yes | +| Application Insights request logs | Yes | Yes | Yes | Yes | Yes | Yes |Yes | +| Static IP | No | Yes | Yes | No |Yes | No | Yes | <sup>1</sup> Enables the use of Microsoft Entra ID (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/> <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/> <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>-<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/> +<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the classic, v2, consumption, and self-hosted gateways. <br/> |
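Review bot: The `[!IMPORTANT]` block loses the bullet that linked to v2-service-tiers-overview.md in the same change that adds the Basic v2 and Standard v2 columns, so the page no longer tells readers what the v2 tiers are or whether they are still in preview. Keep a pointer to the v2 overview near the table. As a style point, the added rows mix `| Yes |` with `|Yes |` and `|No |`, and the header has `| Basic v2 |Standard |`; normalize the cell padding so later diffs of this table stay readable.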
api-management | Api Management Gateways Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-gateways-overview.md | -* For more information about the API Management service tiers and features, see [Feature-based comparison of the Azure API Management tiers](api-management-features.md). -+* For more information about the API Management service tiers and features, see: + * [API Management tiers](api-management-key-concepts.md#api-management-tiers) + * [Feature-based comparison of the Azure API Management tiers](api-management-features.md). ## Role of the gateway API Management offers both managed and self-hosted gateways: * **Managed** - The managed gateway is the default gateway component that is deployed in Azure for every API Management instance in every service tier. With the managed gateway, all API traffic flows through Azure regardless of where backends implementing the APIs are hosted. > [!NOTE]- > Because of differences in the underlying service architecture, the Consumption tier gateway currently lacks some capabilities of the dedicated gateway. For details, see the section [Feature comparison: Managed versus self-hosted gateways](#feature-comparison-managed-versus-self-hosted-gateways). + > Because of differences in the underlying service architecture, the gateways provided in the different API Management service tiers have some differences in capabilities. For details, see the section [Feature comparison: Managed versus self-hosted gateways](#feature-comparison-managed-versus-self-hosted-gateways). > -* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. 
The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure. +* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway that is available in select service tiers. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure. * The self-hosted gateway is [packaged](self-hosted-gateway-overview.md#packaging) as a Linux-based Docker container and is commonly deployed to Kubernetes, including to [Azure Kubernetes Service](how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md) and [Azure Arc-enabled Kubernetes](how-to-deploy-self-hosted-gateway-azure-arc.md). API Management offers both managed and self-hosted gateways: ## Feature comparison: Managed versus self-hosted gateways -The following table compares features available in the managed gateway versus the features in the self-hosted gateway. Differences are also shown between the managed gateway for dedicated service tiers (Developer, Basic, Standard, Premium) and for the Consumption tier. 
+The following tables compare features available in the following API Management gateways: ++* **Classic** - the managed gateway available in the Developer, Basic, Standard, and Premium service tiers (formerly grouped as *dedicated* tiers) +* **V2** - the managed gateway available in the Basic v2 and Standard v2 tiers +* **Consumption** - the managed gateway available in the Consumption tier +* **Self-hosted** - the optional self-hosted gateway available in select service tiers > [!NOTE] > * Some features of managed and self-hosted gateways are supported only in certain [service tiers](api-management-features.md) or with certain [deployment environments](self-hosted-gateway-overview.md#packaging) for self-hosted gateways. The following table compares features available in the managed gateway versus th ### Infrastructure -| Feature support | Managed (Dedicated) | Managed (Consumption) | Self-hosted | -| | -- | -- | - | -| [Custom domains](configure-custom-domain.md) | ✔️ | ✔️ | ✔️ | -| [Built-in cache](api-management-howto-cache.md) | ✔️ | ❌ | ❌ | -| [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ | ✔️ | -| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | ❌ | ✔️<sup>1,2</sup> | -| [Private endpoints](private-endpoint.md) | ✔️ | ❌ | ❌ | -| [Availability zones](zone-redundancy.md) | Premium | ❌ | ✔️<sup>1</sup> | -| [Multi-region deployment](api-management-howto-deploy-multi-region.md) | Premium | ❌ | ✔️<sup>1</sup> | -| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | ✔️ | ❌ | ✔️<sup>3</sup> | -| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) | ✔️ | ✔️ | ❌ | -| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | ✔️ | ✔️ | ✔️ | -| **HTTP/2** (Client-to-gateway) | ✔️<sup>4</sup> | ❌ | ✔️ | -| **HTTP/2** (Gateway-to-backend) | ❌ | ❌ | ✔️ | -| API threat detection with [Defender for 
APIs](protect-with-defender-for-apis.md) | ✔️ | ❌ | ❌ | +| Feature support | Classic | V2 | Consumption | Self-hosted | +| | | -- | -- | - | +| [Custom domains](configure-custom-domain.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Built-in cache](api-management-howto-cache.md) | ✔️ | ✔️ | ❌ | ❌ | +| [External Redis-compatible cache](api-management-howto-cache-external.md) | ✔️ | ✔️ |✔️ | ✔️ | +| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | ❌ | ❌ | ✔️<sup>1,2</sup> | +| [Inbound private endpoints](private-endpoint.md) | Developer, Basic, Standard, Premium | ❌ | ❌ | ❌ | +| [Outbound virtual network integration](integrate-vnet-outbound.md) | ❌ | Standard V2 | ❌ | ❌ | +| [Availability zones](zone-redundancy.md) | Premium | ❌ | ❌ | ✔️<sup>1</sup> | +| [Multi-region deployment](api-management-howto-deploy-multi-region.md) | Premium | ❌ | ❌ | ✔️<sup>1</sup> | +| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | ✔️ | ✔️ | ❌ | ✔️<sup>3</sup> | +| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | ✔️ | ✔️ | ❌ | ✔️<sup>3</sup> | +| [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) | Developer, Basic, Standard, Premium | ✔️ | ✔️ | ❌ | +| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| **HTTP/2** (Client-to-gateway) | ✔️<sup>4</sup> | ✔️<sup>4</sup> |❌ | ✔️ | +| **HTTP/2** (Gateway-to-backend) | ❌ | ❌ | ❌ | ✔️ | +| API threat detection with [Defender for APIs](protect-with-defender-for-apis.md) | ✔️ | ✔️ | ❌ | ❌ | <sup>1</sup> Depends on how the gateway is deployed, but is the responsibility of the customer.<br/> <sup>2</sup> Connectivity to the self-hosted gateway v2 [configuration endpoint](self-hosted-gateway-overview.md#fqdn-dependencies) requires DNS resolution of the endpoint hostname.<br/> The following table compares features available in the managed gateway versus th ### Backend 
APIs -| API | Managed (Dedicated) | Managed (Consumption) | Self-hosted | -| | -- | -- | - | -| [OpenAPI specification](import-api-from-oas.md) | ✔️ | ✔️ | ✔️ | -| [WSDL specification](import-soap-api.md) | ✔️ | ✔️ | ✔️ | -| WADL specification | ✔️ | ✔️ | ✔️ | -| [Logic App](import-logic-app-as-api.md) | ✔️ | ✔️ | ✔️ | -| [App Service](import-app-service-as-api.md) | ✔️ | ✔️ | ✔️ | -| [Function App](import-function-app-as-api.md) | ✔️ | ✔️ | ✔️ | -| [Container App](import-container-app-with-oas.md) | ✔️ | ✔️ | ✔️ | -| [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) | Developer, Premium | ❌ | ❌ | -| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ | ✔️ | -| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️<sup>1</sup> | ✔️<sup>1</sup> | -| [Pass-through WebSocket](websocket-api.md) | ✔️ | ❌ | ✔️ | -| [Pass-through gRPC](grpc-api.md) | ❌ | ❌ | ✔️ | -| [Azure OpenAI](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ | -| [Circuit breaker in backend](backends.md#circuit-breaker-preview) | ✔️ | ❌ | ✔️ | -| [Load-balanced backend pool](backends.md#load-balanced-pool-preview) | ✔️ | ✔️ | ✔️ | +| Feature support | Classic | V2 | Consumption | Self-hosted | +| | | -- | -- | - | +| [OpenAPI specification](import-api-from-oas.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [WSDL specification](import-soap-api.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| WADL specification | ✔️ | ✔️ | ✔️ | ✔️ | +| [Logic App](import-logic-app-as-api.md) | ✔️ | ✔️ | ✔️ |✔️ | +| [App Service](import-app-service-as-api.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Function App](import-function-app-as-api.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Container App](import-container-app-with-oas.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) | Developer, Premium | ❌ |❌ | ❌ | +| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ |✔️ | ✔️ | +| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️ | ✔️<sup>1</sup> | ✔️<sup>1</sup> | +| [Pass-through 
WebSocket](websocket-api.md) | ✔️ | ✔️ | ❌ | ✔️ | +| [Pass-through gRPC](grpc-api.md) (preview) | ❌ | ❌ | ❌ | ✔️ | +| [OData](import-api-from-odata.md) (preview) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ |✔️ | ✔️ | +| [Azure OpenAI](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Circuit breaker in backend](backends.md#circuit-breaker-preview) (preview) | ✔️ | ✔️ | ❌ | ✔️ | +| [Load-balanced backend pool](backends.md#load-balanced-pool-preview) (preview) | ✔️ | ✔️ | ✔️ | ✔️ | <sup>1</sup> Synthetic GraphQL subscriptions (preview) aren't supported. The following table compares features available in the managed gateway versus th Managed and self-hosted gateways support all available [policies](api-management-policies.md) in policy definitions with the following exceptions. -| Policy | Managed (Dedicated) | Managed (Consumption) | Self-hosted<sup>1</sup> | -| | -- | -- | - | -| [Dapr integration](api-management-policies.md#dapr-integration-policies) | ❌ | ❌ | ✔️ | -| [GraphQL resolvers](api-management-policies.md#graphql-resolver-policies) and [GraphQL validation](api-management-policies.md#validation-policies)| ✔️ | ✔️ | ❌ | -| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ | ❌ | -| [Quota and rate limit](api-management-policies.md#access-restriction-policies) | ✔️ | ✔️<sup>2</sup> | ✔️<sup>3</sup> +| Feature support | Classic | V2 | Consumption | Self-hosted<sup>1</sup> | +| | | -- | -- | - | +| [Dapr integration](api-management-policies.md#integration-and-external-communication) | ❌ | ❌ |❌ | ✔️ | +| [GraphQL resolvers](api-management-policies.md#graphql-resolvers) and [GraphQL validation](api-management-policies.md#content-validation)| ✔️ | ✔️ |✔️ | ❌ | +| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ |✔️ | ❌ | +| [Quota and rate limit](api-management-policies.md#rate-limiting-and-quotas) | ✔️ | ✔️<sup>2</sup> | ✔️<sup>3</sup> | ✔️<sup>4</sup> | 
<sup>1</sup> Configured policies that aren't supported by the self-hosted gateway are skipped during policy execution.<br/>+<sup>2</sup> The quota by key policy isn't available in the v2 tiers.<br/> <sup>2</sup> The rate limit by key and quota by key policies aren't available in the Consumption tier.<br/> <sup>3</sup> [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)] [Learn more](how-to-self-hosted-gateway-on-kubernetes-in-production.md#request-throttling) Managed and self-hosted gateways support all available [policies](api-management For details about monitoring options, see [Observability in Azure API Management](observability.md). -| Feature | Managed (Dedicated) | Managed (Consumption) | Self-hosted | -| | -- | -- | - | -| [API analytics](howto-use-analytics.md) | ✔️ | ❌ | ❌ | -| [Application Insights](api-management-howto-app-insights.md) | ✔️ | ✔️ | ✔️ | -| [Logging through Event Hubs](api-management-howto-log-event-hubs.md) | ✔️ | ✔️ | ✔️ | -| [Metrics in Azure Monitor](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) | ✔️ | ✔️ | ✔️ | -| [OpenTelemetry Collector](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md) | ❌ | ❌ | ✔️ | -| [Request logs in Azure Monitor and Log Analytics](api-management-howto-use-azure-monitor.md#resource-logs) | ✔️ | ❌ | ❌<sup>1</sup> | -| [Local metrics and logs](how-to-configure-local-metrics-logs.md) | ❌ | ❌ | ✔️ | -| [Request tracing](api-management-howto-api-inspector.md) | ✔️ | ✔️ | ✔️ | --<sup>1</sup> The self-hosted gateway currently doesn't send resource logs (diagnostic logs) to Azure Monitor. Optionally [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed. 
+| Feature support | Classic | V2 | Consumption | Self-hosted | +| | | -- | -- | - | +| [API analytics](howto-use-analytics.md) | ✔️ | ✔️<sup>1</sup> | ❌ | ❌ | +| [Application Insights](api-management-howto-app-insights.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Logging through Event Hubs](api-management-howto-log-event-hubs.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| [Metrics in Azure Monitor](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) | ✔️ | ✔️ |✔️ | ✔️ | +| [OpenTelemetry Collector](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md) | ❌ | ❌ | ❌ | ✔️ | +| [Request logs in Azure Monitor and Log Analytics](api-management-howto-use-azure-monitor.md#resource-logs) | ✔️ | ✔️ | ❌ | ❌<sup>2</sup> | +| [Local metrics and logs](how-to-configure-local-metrics-logs.md) | ❌ | ❌ | ❌ | ✔️ | +| [Request tracing](api-management-howto-api-inspector.md) | ✔️ | ❌<sup>3</sup> | ✔️ | ✔️ | ++<sup>1</sup> The v2 tiers support Azure Monitor-based analytics.<br/> +<sup>2</sup> The self-hosted gateway currently doesn't send resource logs (diagnostic logs) to Azure Monitor. Optionally [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.<br/> +<sup>3</sup> Tracing is currently unavailable in the v2 tiers. ### Authentication and authorization Managed and self-hosted gateways support all available [API authentication and authorization options](authentication-authorization-overview.md) with the following exceptions. 
-| Feature | Managed (Dedicated) | Managed (Consumption) | Self-hosted | -| | -- | -- | - | -| [Credential manager](credentials-overview.md) | ✔️ | ✔️ | ❌ | +| Feature support | Classic | V2 | Consumption | Self-hosted | +| | | -- | -- | - | +| [Credential manager](credentials-overview.md) | ✔️ | ✔️ | ✔️ | ❌ | ## Gateway throughput and scaling For estimated maximum gateway throughput in the API Management service tiers, se > [!IMPORTANT] > Throughput figures are presented for information only and must not be relied upon for capacity and budget planning. See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/) for details. -* **Dedicated service tiers** +* **Classic tiers** * Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier. (Scaling not available in the Developer tier.)- * In the Standard and Premium tiers, optionally configure [Azure Monitor autoscale](api-management-howto-autoscale.md). + * In the Basic, Standard, and Premium tiers, optionally configure [Azure Monitor autoscale](api-management-howto-autoscale.md). * In the Premium tier, optionally add and distribute gateway capacity across multiple [regions](api-management-howto-deploy-multi-region.md). +* **v2 tiers** + * Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier. + * **Consumption tier** * API Management instances in the Consumption tier scale automatically based on the traffic. |
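Review bot: In the policies table, the new "Quota and rate limit" row references footnotes 2, 3 and 4, but the footnote list only gains a new `<sup>2</sup>` (quota by key in the v2 tiers) and leaves the existing `<sup>2</sup>` (Consumption) and `<sup>3</sup>` (self-hosted rate limit include) unrenumbered, so there are two footnotes numbered 2 and none numbered 4. Renumber the Consumption note to 3 and the self-hosted note to 4 so each tier's restriction resolves to the right text. Two rows are also added twice: "CA root certificates for certificate validation" in the Infrastructure table and "Pass-through GraphQL" in the Backend APIs table; drop the second copy of each.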
api-management | Api Management Get Started Publish Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-get-started-publish-versions.md | |
api-management | Api Management Get Started Revise Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-get-started-revise-api.md | |
api-management | Api Management Howto Aad B2c | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad-b2c.md | For an overview of options to secure the developer portal, see [Secure access to > * This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)). > * If you previously configured an Azure AD B2C app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal). ## Prerequisites |
api-management | Api Management Howto Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad.md | Although a new account will automatically be created when a new user signs in wi [Publish a product]: api-management-howto-add-products.md#publish-product [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md-[Caching policies]: ./api-management-policies.md#caching-policies +[Caching policies]: ./api-management-policies.md#caching [Create an API Management service instance]: get-started-create-service-instance.md [https://oauth.net/2/]: https://oauth.net/2/ |
api-management | Api Management Howto Add Products | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-add-products.md | ms.devlang: azurecli # Tutorial: Create and publish a product + In Azure API Management, a [*product*](api-management-terminology.md#term-definitions) contains one or more APIs, a usage quota, and the terms of use. After a product is published, developers can [subscribe](api-management-subscriptions.md) to the product and begin to use the product's APIs. In this tutorial, you learn how to: |
api-management | Api Management Howto Api Inspector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-api-inspector.md | In this tutorial, you learn how to: :::image type="content" source="media/api-management-howto-api-inspector/api-inspector-002.png" alt-text="Screenshot showing the API inspector." lightbox="media/api-management-howto-api-inspector/api-inspector-002.png"::: + ## Prerequisites + Learn the [Azure API Management terminology](api-management-terminology.md). |
api-management | Api Management Howto App Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-app-insights.md | |
api-management | Api Management Howto Autoscale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-autoscale.md | -# Automatically scale an Azure API Management instance +# Automatically scale an Azure API Management instance -An Azure API Management service instance can scale automatically based on a set of rules. This behavior can be enabled and configured through [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale) and is currently supported only in the **Basic**, **Standard**, and **Premium** tiers of the Azure API Management service. ++An Azure API Management service instance can scale automatically based on a set of rules. This behavior can be enabled and configured through [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale). The article walks through the process of configuring autoscale and suggests optimal configuration of autoscale rules. To follow the steps from this article, you must: + Understand the concept of [capacity](api-management-capacity.md) of an API Management instance. + Understand [manual scaling](upgrade-and-scale.md) of an API Management instance, including cost consequences. - ## Azure API Management autoscale limitations Certain limitations and consequences of scaling decisions need to be considered before configuring autoscale behavior. |
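Review bot: The rewritten intro paragraph drops the statement that autoscale "is currently supported only in the **Basic**, **Standard**, and **Premium** tiers", and none of the visible added lines restate which tiers support it. If tier availability now lives elsewhere, make sure it still appears near the top of the article, because the "Azure API Management autoscale limitations" section that follows assumes the reader already knows whether their instance qualifies.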
api-management | Api Management Howto Ca Certificates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-ca-certificates.md | CA certificates uploaded to API Management can only be used for certificate vali [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] ## <a name="step1"> </a>Upload a CA certificate |
api-management | Api Management Howto Cache External | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-cache-external.md | Using an external cache allows you to overcome a few limitations of the built-in * Use caching with the Consumption tier of API Management * Enable caching in the [API Management self-hosted gateway](self-hosted-gateway-overview.md) -For more detailed information about caching, see [API Management caching policies](api-management-caching-policies.md) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md). +For more detailed information about caching, see [API Management caching policies](api-management-policies.md#caching) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md). ![Bring your own cache to APIM](media/api-management-howto-cache-external/overview.png) The **Use from** setting in the configuration specifies the location of your API ## Use the external cache -After adding a Redis-compatible cache, configure [caching policies](api-management-caching-policies.md) to enable response caching, or caching of values by key, in the external cache. +After adding a Redis-compatible cache, configure [caching policies](api-management-policies.md#caching) to enable response caching, or caching of values by key, in the external cache. For a detailed example, see [Add caching to improve performance in Azure API Management](api-management-howto-cache.md). For a detailed example, see [Add caching to improve performance in Azure API Man * To cache items by key using policy expressions, see [Custom caching in Azure API Management](api-management-sample-cache-by-key.md). [API Management policy reference]: ./api-management-policies.md-[Caching policies]: ./api-management-caching-policies.md +[Caching policies]: ./api-management-policies.md#caching |
api-management | Api Management Howto Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-cache.md | -For more detailed information about caching, see [API Management caching policies](api-management-caching-policies.md) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md). +For more detailed information about caching, see [API Management caching policies](api-management-policies.md#caching) and [Custom caching in Azure API Management](api-management-sample-cache-by-key.md). ![cache policies](media/api-management-howto-cache/cache-policies.png) What you'll learn: > * Add response caching for your API > * Verify caching in action -## Availability > [!NOTE]-> Internal cache is not available in the **Consumption** tier of Azure API Management. You can [use an external Azure Cache for Redis](api-management-howto-cache-external.md) instead. +> Internal cache is not available in the **Consumption** tier of Azure API Management. You can [use an external Azure Cache for Redis](api-management-howto-cache-external.md) instead. You can also configure an external cache in other API Management service tiers. > -> For feature availability in the v2 tiers (preview), see the [v2 tiers overview](v2-service-tiers-overview.md). + ## Prerequisites With caching policies shown in this example, the first request to the **GetSpeak **Duration** specifies the expiration interval of the cached responses. In this example, the interval is **20** seconds. > [!TIP]-> If you are using an external cache, as described in [Use an external Azure Cache for Redis in Azure API Management](api-management-howto-cache-external.md), you may want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-caching-policies.md) for more details. 
+> If you are using an external cache, as described in [Use an external Azure Cache for Redis in Azure API Management](api-management-howto-cache-external.md), you may want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-policies.md#caching) for more details. ## <a name="test-operation"> </a>Call an operation and test the caching To see the caching in action, call the operation from the developer portal. To see the caching in action, call the operation from the developer portal. [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md-[Caching policies]: ./api-management-caching-policies.md +[Caching policies]: ./api-management-policies.md#caching [Create an API Management service instance]: get-started-create-service-instance.md |
api-management | Api Management Howto Configure Custom Domain Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-custom-domain-gateway.md | -When you provision a [self-hosted Azure API Management gateway](self-hosted-gateway-overview.md), it is not assigned a host name and has to be referenced by its IP address. This article shows how to map an existing custom DNS name (also referred to as hostname) to a self-hosted gateway. - [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)] +When you provision a [self-hosted Azure API Management gateway](self-hosted-gateway-overview.md), it is not assigned a host name and has to be referenced by its IP address. This article shows how to map an existing custom DNS name (also referred to as hostname) to a self-hosted gateway. + ## Prerequisites To perform the steps described in this article, you must have: |
api-management | Api Management Howto Configure Notifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-notifications.md | |
api-management | Api Management Howto Create Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-groups.md | This guide shows how administrators of an API Management instance can add new gr In addition to creating and managing groups in the Azure portal, you can create and manage your groups using the API Management REST API [Group](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-group-entity) entity. - ## Prerequisites Complete tasks in this article: [Create an Azure API Management instance](get-started-create-service-instance.md). |
api-management | Api Management Howto Create Or Invite Developers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-or-invite-developers.md | -In API Management, developers are the users of the APIs that you expose using API Management. This guide shows how to create and invite developers to use the APIs and products that you make available to them with your API Management instance. For information on managing user accounts programmatically, see the [User entity](/rest/api/apimanagement/current-ga/user) documentation in the [API Management REST](/rest/api/apimanagement/) reference. +In API Management, developers are the users of the APIs that you expose using API Management. This guide shows how to create and invite developers to use the APIs and products that you make available to them with your API Management instance. For information on managing user accounts programmatically, see the [User entity](/rest/api/apimanagement/current-ga/user) documentation in the [API Management REST](/rest/api/apimanagement/) reference. ## Prerequisites |
api-management | Api Management Howto Create Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-subscriptions.md | To take the steps in this article, the prerequisites are as follows: 1. Optionally, select **Allow tracing** to enable tracing for debugging and troubleshooting APIs. [Learn more](api-management-howto-api-inspector.md) [!INCLUDE [api-management-tracing-alert](../../includes/api-management-tracing-alert.md)]++ [!INCLUDE [api-management-availability-tracing-v2-tiers](../../includes/api-management-availability-tracing-v2-tiers.md)] + 1. Select a **Scope** of the subscription from the dropdown list. [Learn more](api-management-subscriptions.md#scope-of-subscriptions) 1. Optionally, choose if the subscription should be associated with a **User** and whether to send a notification for use with the developer portal. 1. Select **Create**. |
api-management | Api Management Howto Deploy Multi Region | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-deploy-multi-region.md | When adding a region, you configure: >[!IMPORTANT] > The feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo. For all other regions, customer data is stored in Geo. - ## About multi-region deployment [!INCLUDE [api-management-multi-region-concepts](../../includes/api-management-multi-region-concepts.md)] |
api-management | Api Management Howto Developer Portal Customize | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-developer-portal-customize.md | -In this tutorial, you'll get started with customizing the API Management *developer portal*. The developer portal is an automatically generated, fully customizable website with the documentation of your APIs. It's where API consumers can discover your APIs, learn how to use them, and request access. +The *developer portal* is an automatically generated, fully customizable website with the documentation of your APIs. It is where API consumers can discover your APIs, learn how to use them, and request access. In this tutorial, you learn how to: For more information about developer portal features and options, see [Azure API - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md). - [Import and publish](import-and-publish.md) an API. + ## Access the portal as an administrator |
api-management | Api Management Howto Disaster Recovery Backup Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md | This article shows how to automate backup and restore operations of your API Man [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - ## Prerequisites * An API Management service instance. If you don't have one, see [Create an API Management service instance](get-started-create-service-instance.md). |
api-management | Api Management Howto Integrate Internal Vnet Appgateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md | For architectural guidance, see: > [!NOTE] > This article has been updated to use the [Application Gateway WAF_v2 SKU](../application-gateway/application-gateway-autoscaling-zone-redundant.md). - ## Prerequisites [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] |
api-management | Api Management Howto Ip Addresses | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-ip-addresses.md | API Management uses a public IP address for a connection outside the VNet or a p * When API management is deployed in an external or internal virtual network and API management connects to private (intranet-facing) backends, internal IP addresses (dynamic IP, or DIP addresses) from the subnet are used for the runtime API traffic. When a request is sent from API Management to a private backend, a private IP address will be visible as the origin of the request. - Therefore, if IP restriction lists secure resources within the VNet or a peered VNet, it is recommended to use the whole API Management [subnet range](virtual-network-concepts.md#subnet-size) with an IP rule - and (in internal mode) not just the private IP address associated with the API Management resource. + Therefore, if IP restriction lists secure resources within the VNet or a peered VNet, it is recommended to use the whole API Management [subnet range](virtual-network-injection-resources.md#subnet-size) with an IP rule - and (in internal mode) not just the private IP address associated with the API Management resource. * When a request is sent from API Management to a public (internet-facing) backend, a public IP address will always be visible as the origin of the request. ## IP addresses of Consumption, Basic v2, and Standard v2 tier API Management service -If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2 (preview), Standard v2 (preview). +If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. 
Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2, Standard v2. If you need to add the outbound IP addresses used by your Consumption, Basic v2, or Standard v2 tier instance to an allowlist, you can add the instance's data center (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure data centers](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in. |
api-management | Api Management Howto Log Event Hubs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-log-event-hubs.md | |
api-management | Api Management Howto Manage Protocols Ciphers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-manage-protocols-ciphers.md | By default, API Management enables TLS 1.2 for client and backend connectivity a :::image type="content" source="media/api-management-howto-manage-protocols-ciphers/api-management-protocols-ciphers.png" alt-text="Screenshot of managing protocols and ciphers in the Azure portal."::: - > [!NOTE] > * If you're using the self-hosted gateway, see [self-hosted gateway security](self-hosted-gateway-overview.md#security) to manage TLS protocols and cipher suites.-> * Currently, API Management doesn't support TLS 1.3. -> * The Consumption tier doesn't support changes to the default cipher configuration. +> * The following tiers don't support changes to the default cipher configuration: **Consumption**, **Basic v2**, **Standard v2**. ## Prerequisites |
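Review bot: In the NOTE block, the bullet "Currently, API Management doesn't support TLS 1.3." is deleted with no replacement, so the visible text no longer says anything about TLS 1.3. If support has changed, state the current behaviour explicitly (client side, backend side, and which tiers) instead of removing the sentence silently, since readers setting a protocol baseline depend on it. The intro still says only that TLS 1.2 is enabled by default.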
api-management | Api Management Howto Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-migrate.md | To move API Management instances from one Azure region to another, use the servi > [!NOTE] > API Management also supports [multi-region deployment](api-management-howto-deploy-multi-region.md), which distributes a single Azure API management service across multiple Azure regions. Multi-region deployment helps reduce request latency perceived by geographically distributed API consumers and improves service availability if one region goes offline. - ## Considerations * Choose the same API Management pricing tier in the source and target regions. |
api-management | Api Management Howto Mutual Certificates For Clients | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-mutual-certificates-for-clients.md | Using key vault certificates is recommended because it helps improve API Managem ### Developer, Basic, Standard, or Premium tier -To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below. +To receive and verify client certificates over HTTP/2 in the Developer, Basic, Basic v2, Standard, Standard v2, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below. ![Negotiate client certificate](./media/api-management-howto-mutual-certificates-for-clients/negotiate-client-certificate.png) You can also create policy expressions with the [`context` variable](api-managem > [!IMPORTANT] > * Starting May 2021, the `context.Request.Certificate` property only requests the certificate when the API Management instance's [`hostnameConfiguration`](/rest/api/apimanagement/current-ga/api-management-service/create-or-update#hostnameconfiguration) sets the `negotiateClientCertificate` property to True. By default, `negotiateClientCertificate` is set to False. > * If TLS renegotiation is disabled in your client, you may see TLS errors when requesting the certificate using the `context.Request.Certificate` property. If this occurs, enable TLS renegotiation settings in the client. +> * Certification renegotiation is not supported in the API Management v2 tiers. ### Checking the issuer and subject |
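Review bot: The heading "### Developer, Basic, Standard, or Premium tier" is left unchanged while the sentence under it now also names Basic v2 and Standard v2, so heading and body disagree. Update the heading or give the v2 tiers their own subsection. In the added IMPORTANT bullet, "Certification renegotiation" looks like a typo for "Certificate renegotiation". Because the preceding bullet tells readers to enable TLS renegotiation in the client when `context.Request.Certificate` fails, the new bullet should also say what v2-tier users are expected to do instead.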
api-management | Api Management Howto Mutual Certificates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-mutual-certificates.md | To delete a certificate, select it and then select **Delete** from the context m [Publish a product]: api-management-howto-add-products.md#publish-product [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md-[Caching policies]: ./api-management-policies.md#caching-policies +[Caching policies]: ./api-management-policies.md#caching [Create an API Management service instance]: get-started-create-service-instance.md -[Azure API Management REST API Certificate entity]: ./api-management-caching-policies.md [WebApp-GraphAPI-DotNet]: https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet [to configure certificate authentication in Azure WebSites refer to this article]: ../app-service/app-service-web-configure-tls-mutual-auth.md |
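Review bot: Confirm that nothing in the article body still uses the label `[Azure API Management REST API Certificate entity]` before its definition is removed from the link list, otherwise the reference will render as literal bracketed text. The old target, `./api-management-caching-policies.md`, was wrong for a certificate entity anyway, so if the label is still used it should be repointed, not deleted.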
api-management | Api Management Howto Oauth2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-oauth2.md | This article shows you how to configure your API Management service instance to If you haven't yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance]. ## Scenario overview For more information about using OAuth 2.0 and API Management, see [Protect a we [Publish a product]: api-management-howto-add-products.md#publish-product [Get started with Azure API Management]: get-started-create-service-instance.md [API Management policy reference]: ./api-management-policies.md-[Caching policies]: ./api-management-policies.md#caching-policies +[Caching policies]: ./api-management-policies.md#caching [Create an API Management service instance]: get-started-create-service-instance.md [https://oauth.net/2/]: https://oauth.net/2/ |
api-management | Api Management Howto Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-policies.md | Unless the policy specifies otherwise, [policy expressions](api-management-polic Each expression has access to the implicitly provided `context` variable and an allowed subset of .NET Framework types. -Policy expressions provide a sophisticated means to control traffic and modify API behavior without requiring you to write specialized code or modify backend services. Some policies are based on policy expressions, such as [Control flow][Control flow] and [Set variable][Set variable]. For more information, see [Advanced policies][Advanced policies]. +Policy expressions provide a sophisticated means to control traffic and modify API behavior without requiring you to write specialized code or modify backend services. Some policies are based on policy expressions, such as [Control flow][Control flow] and [Set variable][Set variable]. ## Scopes The following example uses [policy expressions][Policy expressions] and the [`se [API]: api-management-howto-add-products.md [Operation]: ./mock-api-responses.md -[Advanced policies]: ./api-management-advanced-policies.md +[Policy control and flow policies]: ./api-management-policies.md#policy-control-and-flow [Control flow]: choose-policy.md [Set variable]: set-variable-policy.md [Policy expressions]: ./api-management-policy-expressions.md |
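Review bot: The new reference definition `[Policy control and flow policies]` in the link list has no matching use in the visible lines, because the only sentence that cited `[Advanced policies]` ("For more information, see [Advanced policies][Advanced policies].") is removed, not repointed. Either restore a pointer at the end of the policy expressions paragraph using the new label, or drop the unused definition.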
api-management | Api Management Howto Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-properties.md | |
api-management | Api Management Howto Protect Backend With Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-protect-backend-with-aad.md | |
api-management | Api Management Howto Provision Self Hosted Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-provision-self-hosted-gateway.md | -Provisioning a gateway resource in your Azure API Management instance is a prerequisite for deploying a self-hosted gateway. This article walks through the steps to provision a gateway resource in API Management. - [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)] +Provisioning a gateway resource in your Azure API Management instance is a prerequisite for deploying a self-hosted gateway. This article walks through the steps to provision a gateway resource in API Management. + ## Prerequisites Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md) |
api-management | Api Management Howto Setup Delegation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-setup-delegation.md | -Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up (and related account management operations) and product subscription using your existing website, instead of the developer portal's built-in functionality. - [!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)] +Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up (and related account management operations) and product subscription using your existing website, instead of the developer portal's built-in functionality. + ## Delegating developer sign-in and sign-up To delegate developer sign-in and sign-up and developer account management options to your existing website, create a special delegation endpoint on your site. This special delegation acts as the entry-point for any sign-in/sign-up and related requests initiated from the API Management developer portal. |
api-management | Api Management Howto Use Azure Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-azure-monitor.md | |
api-management | Api Management Howto Use Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-managed-service-identity.md | |
api-management | Api Management In Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-in-workspace.md | Last updated 03/10/2023 # Manage APIs and other resources in your API Management workspace -This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md) - [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)] +This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md) + > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations). > * Workspaces are supported in API Management REST API version 2022-09-01-preview or later. |
api-management | Api Management Key Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-key-concepts.md | Common scenarios include: ## API Management components -Azure API Management is made up of an API *gateway*, a *management plane*, and a *developer portal*. These components are Azure-hosted and fully managed by default. API Management is available in various [tiers](api-management-features.md) differing in capacity and features. +Azure API Management is made up of an API *gateway*, a *management plane*, and a *developer portal*. These components are Azure-hosted and fully managed by default. API Management is available in various [tiers](#api-management-tiers) differing in capacity and features. :::image type="content" source="media/api-management-key-concepts-experiment/api-management-components.png" alt-text="Diagram showing key components of Azure API Management."::: Using the developer portal, developers can: * Download API definitions * Manage API keys +## API Management tiers ++API Management is offered in a variety of pricing tiers to meet the needs of different customers. Each tier offers a distinct combination of features, performance, capacity limits, scalability, SLA, and pricing for different scenarios. The tiers are grouped as follows: ++* **Classic** - The original API Management offering, including the Developer, Basic, Standard, and Premium tiers. The Premium tier is designed for enterprises requiring access to private backends, enhanced security features, multi-region deployments, availability zones, and high scalability. The Developer tier is an economical option for non-production use, while the Basic, Standard, and Premium tiers are production-ready tiers. +* **V2** - A new set of tiers that offer fast provisioning and scaling, including Basic v2 for development and testing, and Standard v2 for production workloads. 
Standard v2 supports simplified connection to network-isolated backends. +* **Consumption** - The Consumption tier is a serverless gateway for managing APIs that scales based on demand and billed per execution. It is designed for applications with serverless compute, microservices-based architectures, and those with variable traffic patterns. ++**More information**: +* [Feature-based comparison of the Azure API Management tiers](api-management-features.md) +* [V2 service tiers](v2-service-tiers-overview.md) +* [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/) + ## Integration with Azure services API Management integrates with many complementary Azure services to create enterprise solutions, including: API Management integrates with many complementary Azure services to create enter * [Basic enterprise integration](/azure/architecture/reference-architectures/enterprise-integration/basic-enterprise-integration?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) * [Landing zone accelerator](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) - ## Key concepts ### APIs |
api-management | Api Management Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-kubernetes.md | |
api-management | Api Management Log To Eventhub Sample | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-log-to-eventhub-sample.md | Last updated 01/23/2018 # Monitor your APIs with Azure API Management, Event Hubs, and Moesif++ The [API Management service](api-management-key-concepts.md) provides many capabilities to enhance the processing of HTTP requests sent to your HTTP API. However, the existence of the requests and responses is transient. The request is made and it flows through the API Management service to your backend API. Your API processes the request and a response flows back through to the API consumer. The API Management service keeps some important statistics about the APIs for display in the Azure portal dashboard, but beyond that, the details are gone. By using the log-to-eventhub policy in the API Management service, you can send any details from the request and response to an [Azure Event Hub](../event-hubs/event-hubs-about.md). There are a variety of reasons why you may want to generate events from HTTP messages being sent to your APIs. Some examples include audit trail of updates, usage analytics, exception alerting, and third-party integrations. |
api-management | Api Management Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policies.md | -This section provides links to reference articles for all API Management policies. +++This section provides brief descriptions and links to reference articles for all API Management policies. The API Management [gateways](api-management-gateways-overview.md) that support each policy are indicated. For detailed policy settings and examples, see the linked reference articles. More information about policies: More information about policies: > [!IMPORTANT] > [Limit call rate by subscription](rate-limit-policy.md) and [Set usage quota by subscription](quota-policy.md) have a dependency on the subscription key. A subscription key isn't required when other policies are applied. -## Access restriction policies -- [Check HTTP header](check-header-policy.md) - Enforces existence and/or value of an HTTP Header.-- [Get authorization context](get-authorization-context-policy.md) - Gets the authorization context of a specified [connection](credentials-overview.md) to a credential provider configured in the API Management instance.-- [Limit call rate by subscription](rate-limit-policy.md) - Prevents API usage spikes by limiting call rate, on a per subscription basis.-- [Limit call rate by key](rate-limit-by-key-policy.md) - Prevents API usage spikes by limiting call rate, on a per key basis.-- [Restrict caller IPs](ip-filter-policy.md) - Filters (allows/denies) calls from specific IP addresses and/or address ranges.-- [Set usage quota by subscription](quota-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.-- [Set usage quota by key](quota-by-key-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.-- [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) - Enforces existence and 
validity of a Microsoft Entra JWT extracted from either a specified HTTP header, query parameter, or token value.-- [Validate JWT](validate-jwt-policy.md) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value.-- [Validate client certificate](validate-client-certificate-policy.md) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.--## Advanced policies -- [Control flow](choose-policy.md) - Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md).-- [Emit metrics](emit-metric-policy.md) - Sends custom metrics to Application Insights at execution.-- [Forward request](forward-request-policy.md) - Forwards the request to the backend service.-- [Include fragment](include-fragment-policy.md) - Inserts a policy fragment in the policy definition.-- [Limit concurrency](limit-concurrency-policy.md) - Prevents enclosed policies from executing by more than the specified number of requests at a time.-- [Log to event hub](log-to-eventhub-policy.md) - Sends messages in the specified format to an event hub defined by a Logger entity.-- [Mock response](mock-response-policy.md) - Aborts pipeline execution and returns a mocked response directly to the caller.-- [Retry](retry-policy.md) - Retries execution of the enclosed policy statements, if and until the condition is met. 
Execution will repeat at the specified time intervals and up to the specified retry count.-- [Return response](return-response-policy.md) - Aborts pipeline execution and returns the specified response directly to the caller.-- [Send one way request](send-one-way-request-policy.md) - Sends a request to the specified URL without waiting for a response.-- [Send request](send-request-policy.md) - Sends a request to the specified URL.-- [Set HTTP proxy](proxy-policy.md) - Allows you to route forwarded requests via an HTTP proxy.-- [Set request method](set-method-policy.md) - Allows you to change the HTTP method for a request.-- [Set status code](set-status-policy.md) - Changes the HTTP status code to the specified value.-- [Set variable](set-variable-policy.md) - Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access.-- [Trace](trace-policy.md) - Adds custom traces into the [request tracing](./api-management-howto-api-inspector.md) output in the test console, Application Insights telemetries, and resource logs.-- [Wait](wait-policy.md) - Waits for enclosed [Send request](send-request-policy.md), [Get value from cache](cache-lookup-value-policy.md), or [Control flow](choose-policy.md) policies to complete before proceeding.--## Authentication policies -- [Authenticate with Basic](authentication-basic-policy.md) - Authenticate with a backend service using Basic authentication.-- [Authenticate with client certificate](authentication-certificate-policy.md) - Authenticate with a backend service using client certificates.-- [Authenticate with managed identity](authentication-managed-identity-policy.md) - Authenticate with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md).--## Caching policies -- [Get from cache](cache-lookup-policy.md) - Perform cache lookup and return a valid cached response when available.-- [Store to cache](cache-store-policy.md) - 
Caches response according to the specified cache control configuration.-- [Get value from cache](cache-lookup-value-policy.md) - Retrieve a cached item by key.-- [Store value in cache](cache-store-value-policy.md) - Store an item in the cache by key.-- [Remove value from cache](cache-remove-value-policy.md) - Remove an item in the cache by key.--## Cross-domain policies -- [Allow cross-domain calls](cross-domain-policy.md) - Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients.-- [CORS](cors-policy.md) - Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients.-- [JSONP](jsonp-policy.md) - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.--## Dapr integration policies -- [Send request to a service](set-backend-service-dapr-policy.md): Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md#service-invocation) file.-- [Send message to Pub/Sub topic](publish-to-dapr-policy.md): Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.-- [Trigger output binding](invoke-dapr-binding-policy.md): Uses Dapr runtime to invoke an external system via output binding. 
To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.--## GraphQL resolver policies -- [Azure SQL data source for resolver](sql-data-source-policy.md) - Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema.-- [Cosmos DB data source for resolver](cosmosdb-data-source-policy.md) - Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema.-- [HTTP data source for resolver](http-data-source-policy.md) - Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema.-- [Publish event to GraphQL subscription](publish-event-policy.md) - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. --## Transformation policies -- [Convert JSON to XML](json-to-xml-policy.md) - Converts request or response body from JSON to XML.-- [Convert XML to JSON](xml-to-json-policy.md) - Converts request or response body from XML to JSON.-- [Find and replace string in body](find-and-replace-policy.md) - Finds a request or response substring and replaces it with a different substring.-- [Mask URLs in content](redirect-content-urls-policy.md) - Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway.-- [Set backend service](set-backend-service-policy.md) - Changes the backend service base URL of an incoming request to a URL or a [backend](backends.md). Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. 
Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool-preview) and [circuit breaker rules](backends.md#circuit-breaker-preview) to protect the backend from too many requests.-- [Set body](set-body-policy.md) - Sets the message body for a request or response.-- [Set HTTP header](set-header-policy.md) - Assigns a value to an existing response and/or request header or adds a new response and/or request header.-- [Set query string parameter](set-query-parameter-policy.md) - Adds, replaces value of, or deletes request query string parameter.-- [Rewrite URL](rewrite-uri-policy.md) - Converts a request URL from its public form to the form expected by the web service.-- [Transform XML using an XSLT](xsl-transform-policy.md) - Applies an XSL transformation to XML in the request or response body.--## Validation policies --- [Validate content](validate-content-policy.md) - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.-- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API. -- [Validate OData request](validate-odata-request-policy.md) - Validates a request to an OData API to ensure conformance with the OData specification.-- [Validate parameters](validate-parameters-policy.md) - Validates the request header, query, or path parameters against the API schema.-- [Validate headers](validate-headers-policy.md) - Validates the response headers against the API schema.-- [Validate status code](validate-status-code-policy.md) - Validates the HTTP status codes in responses against the API schema.+## Rate limiting and quotas ++|Policy |Description |Classic | V2 | Consumption | Self-hosted | +||||||--| +| [Limit call rate by subscription](rate-limit-policy.md) | Prevents API usage spikes by limiting call rate, on a per subscription basis. 
| Yes | Yes | Yes | Yes | +| [Limit call rate by key](rate-limit-by-key-policy.md) | Prevents API usage spikes by limiting call rate, on a per key basis. | Yes | Yes | No | Yes | +| [Set usage quota by subscription](quota-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. | Yes | Yes | Yes | Yes +| [Set usage quota by key](quota-by-key-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. | Yes | No | No | Yes | +| [Limit concurrency](limit-concurrency-policy.md) | Prevents enclosed policies from executing by more than the specified number of requests at a time. | Yes | Yes | Yes | Yes | ++## Authentication and authorization ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Check HTTP header](check-header-policy.md) | Enforces existence and/or value of an HTTP header. | Yes | Yes | Yes | Yes | +| [Get authorization context](get-authorization-context-policy.md) | Gets the authorization context of a specified [connection](credentials-overview.md) to a credential provider configured in the API Management instance. | Yes | Yes | Yes | No | +| [Restrict caller IPs](ip-filter-policy.md) | Filters (allows/denies) calls from specific IP addresses and/or address ranges. | Yes | Yes | Yes | Yes | +| [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) | Enforces existence and validity of a Microsoft Entra (formerly called Azure Active Directory) JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | +| [Validate JWT](validate-jwt-policy.md) | Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value. 
| Yes | Yes | Yes | Yes | +| [Validate client certificate](validate-client-certificate-policy.md) |Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. | Yes | Yes | Yes | Yes | +| [Authenticate with Basic](authentication-basic-policy.md) | Authenticates with a backend service using Basic authentication. | Yes | Yes | Yes | Yes | +| [Authenticate with client certificate](authentication-certificate-policy.md) | Authenticates with a backend service using client certificates. | Yes | Yes | Yes | Yes | +| [Authenticate with managed identity](authentication-managed-identity-policy.md) | Authenticates with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md). | Yes | Yes | Yes | Yes | ++## Content validation ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Validate content](validate-content-policy.md) | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes | +| [Validate GraphQL request](validate-graphql-request-policy.md) | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes | +| [Validate OData request](validate-odata-request-policy.md) | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes | +| [Validate parameters](validate-parameters-policy.md) | Validates the request header, query, or path parameters against the API schema. | Yes | Yes | Yes | Yes | +| [Validate headers](validate-headers-policy.md) | Validates the response headers against the API schema. | Yes | Yes | Yes | Yes | +| [Validate status code](validate-status-code-policy.md) | Validates the HTTP status codes in responses against the API schema. 
| Yes | Yes | Yes | Yes | ++## Routing ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Forward request](forward-request-policy.md) | Forwards the request to the backend service. | Yes | Yes | Yes | Yes | +| [Set backend service](set-backend-service-policy.md) | Changes the backend service base URL of an incoming request to a URL or a [backend](backends.md). Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool-preview) and [circuit breaker rules](backends.md#circuit-breaker-preview) to protect the backend from too many requests. | Yes | Yes | Yes | Yes | +| [Set HTTP proxy](proxy-policy.md) | Allows you to route forwarded requests via an HTTP proxy. | Yes | Yes | Yes | Yes | ++## Caching ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Get from cache](cache-lookup-policy.md) | Performs cache lookup and return a valid cached response when available. | Yes | Yes | Yes | Yes | +| [Store to cache](cache-store-policy.md) | Caches response according to the specified cache control configuration. | Yes | Yes | Yes | Yes | +| [Get value from cache](cache-lookup-value-policy.md) | Retrieves a cached item by key. | Yes | Yes | Yes | Yes | +| [Store value in cache](cache-store-value-policy.md) | Stores an item in the cache by key. | Yes | Yes | Yes | Yes | +| [Remove value from cache](cache-remove-value-policy.md) | Removes an item in the cache by key. | Yes | Yes | Yes | Yes | ++## Transformation ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Set request method](set-method-policy.md) | Allows you to change the HTTP method for a request. | Yes | Yes | Yes | Yes | +| [Set status code](set-status-policy.md) | Changes the HTTP status code to the specified value. 
| Yes | Yes | Yes | Yes | +| [Set variable](set-variable-policy.md) | Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access. | Yes | Yes | Yes | Yes | +| [Set body](set-body-policy.md) | Sets the message body for a request or response. | Yes | Yes | Yes | Yes | +| [Set HTTP header](set-header-policy.md) | Assigns a value to an existing response and/or request header or adds a new response and/or request header. | Yes | Yes | Yes | Yes | +| [Set query string parameter](set-query-parameter-policy.md) | Adds, replaces value of, or deletes request query string parameter. | Yes | Yes | Yes | Yes | +| [Rewrite URL](rewrite-uri-policy.md) | Converts a request URL from its public form to the form expected by the web service. | Yes | Yes | Yes | Yes | +| [Convert JSON to XML](json-to-xml-policy.md) | Converts request or response body from JSON to XML. | Yes | Yes | Yes | Yes | +| [Convert XML to JSON](xml-to-json-policy.md) | Converts request or response body from XML to JSON. | Yes | Yes | Yes | Yes | +| [Find and replace string in body](find-and-replace-policy.md) | Finds a request or response substring and replaces it with a different substring. | Yes | Yes | Yes | Yes | +| [Mask URLs in content](redirect-content-urls-policy.md) | Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. | Yes | Yes | Yes | Yes | +| [Transform XML using an XSLT](xsl-transform-policy.md) | Applies an XSL transformation to XML in the request or response body. | Yes | Yes | Yes | Yes | +| [Return response](return-response-policy.md) | Aborts pipeline execution and returns the specified response directly to the caller. | Yes | Yes | Yes | Yes | +| [Mock response](mock-response-policy.md) | Aborts pipeline execution and returns a mocked response directly to the caller. 
| Yes | Yes | Yes | Yes | ++## Cross-domain ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Allow cross-domain calls](cross-domain-policy.md) | Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. | Yes | Yes | Yes | Yes | +| [CORS](cors-policy.md) | Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. | Yes | Yes | Yes | Yes | +| [JSONP](jsonp-policy.md) | Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. | Yes | Yes | Yes | Yes | ++## Integration and external communication ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| + | [Send request](send-request-policy.md) | Sends a request to the specified URL. | Yes | Yes | Yes | Yes | + | [Send one way request](send-one-way-request-policy.md) | Sends a request to the specified URL without waiting for a response. | Yes | Yes | Yes | Yes | +| [Log to event hub](log-to-eventhub-policy.md) | Sends messages in the specified format to an event hub defined by a Logger entity.| Yes | Yes | Yes | Yes | +| [Send request to a service (Dapr)](set-backend-service-dapr-policy.md)| Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md#service-invocation) file. | No | No | No | Yes | +| [Send message to Pub/Sub topic (Dapr)](publish-to-dapr-policy.md) | Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. 
| No | No | No | Yes | +| [Trigger output binding (Dapr)](invoke-dapr-binding-policy.md) | Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes | ++## Logging ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Trace](trace-policy.md) | Adds custom traces into the [request tracing](./api-management-howto-api-inspector.md) output in the test console, Application Insights telemetries, and resource logs. | Yes | Yes<sup>1</sup> | Yes | Yes | +| [Emit metrics](emit-metric-policy.md) | Sends custom metrics to Application Insights at execution. | Yes | Yes | Yes | Yes | ++<sup>1</sup> In the V2 gateway, the `trace` policy currently does not add tracing output in the test console. ++## GraphQL resolvers ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Azure SQL data source for resolver](sql-data-source-policy.md) | Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | +| [Cosmos DB data source for resolver](cosmosdb-data-source-policy.md) | Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | +| [HTTP data source for resolver](http-data-source-policy.md) | Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | Yes | No | +| [Publish event to GraphQL subscription](publish-event-policy.md) | Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. 
| Yes | Yes | Yes | No | ++## Policy control and flow ++|Policy |Description | Classic | V2 | Consumption |Self-hosted | +||||||--| +| [Control flow](choose-policy.md) | Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md). | Yes | Yes | Yes | Yes | +| [Include fragment](include-fragment-policy.md) | Inserts a policy fragment in the policy definition. | Yes | Yes | Yes | Yes | +| [Retry](retry-policy.md) | Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count. | Yes | Yes | Yes | Yes | + | [Wait](wait-policy.md) | Waits for enclosed [Send request](send-request-policy.md), [Get value from cache](cache-lookup-value-policy.md), or [Control flow](choose-policy.md) policies to complete before proceeding. | Yes | Yes | Yes | Yes | [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
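Review bot: In the new "Caching" table, the "Get from cache" description reads "Performs cache lookup and return a valid cached response when available"; the first verb was moved to third person but "return" was not, so it should read "returns". In "Rate limiting and quotas", the "Set usage quota by subscription" row ends with `| Yes | Yes | Yes | Yes` and no closing `|`, unlike every other added row. The "Send request", "Send one way request" and "Wait" rows begin with a stray leading space before the first `|`. Normalizing these keeps the gateway-support columns rendering consistently. That matters here because the Classic / V2 / Consumption / Self-hosted cells are what readers will use to decide whether a control such as `rate-limit-by-key` or `quota-by-key` is available on their gateway.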
api-management | Api Management Policy Expressions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policy-expressions.md | Last updated 03/07/2023 # API Management policy expressions++ This article discusses policy expressions syntax in C# 7. Each expression has access to: * The implicitly provided [context](api-management-policy-expressions.md#ContextVariables) variable. * An allowed [subset](api-management-policy-expressions.md#CLRTypes) of .NET Framework types. |
api-management | Api Management Revisions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-revisions.md | |
api-management | Api Management Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-role-based-access-control.md | |
api-management | Api Management Sample Cache By Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-cache-by-key.md | |
api-management | Api Management Sample Flexible Throttling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-flexible-throttling.md | Rate throttling capabilities that are scoped to a particular subscription are us ## Custom key-based throttling > [!NOTE]-> The `rate-limit-by-key` and `quota-by-key` policies are not available when in the Consumption tier of Azure API Management. +> The `rate-limit-by-key` and `quota-by-key` policies are not available when in the Consumption tier of Azure API Management. The `quota-by-key` policy is also currently not available in the v2 tiers. The [rate-limit-by-key](rate-limit-by-key-policy.md) and [quota-by-key](quota-by-key-policy.md) policies provide a more flexible solution to traffic control. These policies allow you to define expressions to identify the keys that are used to track traffic usage. The way this works is easiest illustrated with an example. |
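Review bot: The added sentence in the NOTE says `quota-by-key` is "currently not available in the v2 tiers", but the unchanged paragraph directly after it still presents `rate-limit-by-key` and `quota-by-key` together as the flexible traffic-control solution with no tier qualification, so a reader who skips the NOTE can assume both work everywhere. Consider linking the NOTE to the gateway support table in api-management-policies.md so the two stay in sync. While touching the line, "are not available when in the Consumption tier" would read better as "are not available in the Consumption tier".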
api-management | Api Management Sample Send Request | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-send-request.md | There are certain tradeoffs when using a fire-and-forget style of request. If fo The `send-request` policy enables using an external service to perform complex processing functions and return data to the API management service that can be used for further policy processing. ### Authorizing reference tokens-A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server. +A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy or `validate-azure-ad-token` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server. ### Standardized introspection In the past, there has been no standardized way of verifying a reference token with an authorization server. 
However a recently proposed standard [RFC 7662](https://tools.ietf.org/html/rfc7662) was published by the IETF that defines how a resource server can verify the validity of a token. |
api-management | Api Management Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-subscriptions.md | |
api-management | Api Management Terminology | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-terminology.md | |
api-management | Api Management Troubleshoot Cannot Add Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-troubleshoot-cannot-add-custom-domain.md | |
api-management | Api Management Using With Internal Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-using-with-internal-vnet.md | -Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md). ++Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see: ++* [Using a virtual network with Azure API Management](virtual-network-concepts.md) +* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md) This article explains how to set up VNet connectivity for your API Management instance in the *internal* mode. In this mode, you can only access the following API Management endpoints within a VNet whose access you control. * The API gateway For configurations specific to the *external* mode, where the API Management end [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - [!INCLUDE [api-management-virtual-network-prerequisites](../../includes/api-management-virtual-network-prerequisites.md)] ## Enable VNet connection |
api-management | Api Management Using With Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-using-with-vnet.md | -Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md). ++Azure API Management can be deployed (injected) inside an Azure virtual network (VNet) to access backend services within the network. For VNet connectivity options, requirements, and considerations, see: ++* [Using a virtual network with Azure API Management](virtual-network-concepts.md) +* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md) This article explains how to set up VNet connectivity for your API Management instance in the *external* mode, where the developer portal, API gateway, and other API Management endpoints are accessible from the public internet, and backend services are located in the network. For configurations specific to the *internal* mode, where the endpoints are acce [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - [!INCLUDE [api-management-virtual-network-prerequisites](../../includes/api-management-virtual-network-prerequisites.md)] ## Enable VNet connection For configurations specific to the *internal* mode, where the endpoints are acce 7. In the top navigation bar, select **Save**, then select **Apply network configuration**. -It can take 15 to 45 minutes to update the API Management instance. The Developer tier has downtime during the process. The Basic and higher SKUs don't have downtime during the process. +It can take 15 to 45 minutes to update the API Management instance. Instances in the Developer tier have downtime during the process. 
Instances in the Premium tier don't have downtime during the process. ### Enable connectivity using a Resource Manager template (`stv2` compute platform) |
api-management | Api Management Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-versions.md | |
api-management | Authentication Authorization Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-authorization-overview.md | |
api-management | Authentication Basic Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-basic-policy.md | Use the `authentication-basic` policy to authenticate with a backend service usi - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes Use the `authentication-basic` policy to authenticate with a backend service usi ## Related policies -* [API Management authentication policies](api-management-authentication-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Authentication Certificate Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-certificate-policy.md | +- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Examples -* [API Management authentication policies](api-management-authentication-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Authentication Managed Identity Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-managed-identity-policy.md | Both system-assigned identity and any of the multiple user-assigned identities c - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Examples Both system-assigned identity and any of the multiple user-assigned identities c ## Related policies -* [API Management authentication policies](api-management-authentication-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Automate Portal Deployments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/automate-portal-deployments.md | |
api-management | Automation Manage Api Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/automation-manage-api-management.md | Last updated 02/13/2018 # Managing Azure API Management using Azure Automation++ This guide introduces you to the Azure Automation service, and how it can be used to simplify management of Azure API Management. ## What is Azure Automation? |
api-management | Azure Openai Api From Specification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/azure-openai-api-from-specification.md | |
api-management | Backends | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/backends.md | |
api-management | Api Version Retirement Sep 2023 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/api-version-retirement-sep-2023.md | |
api-management | Captcha Endpoint Change Sep 2025 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/captcha-endpoint-change-sep-2025.md | |
api-management | Identity Provider Adal Retirement Sep 2025 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/identity-provider-adal-retirement-sep-2025.md | |
api-management | Legacy Portal Retirement Oct 2023 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/legacy-portal-retirement-oct-2023.md | |
api-management | Metrics Retirement Aug 2023 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/metrics-retirement-aug-2023.md | |
api-management | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/overview.md | |
api-management | Rp Source Ip Address Change Mar 2023 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/rp-source-ip-address-change-mar-2023.md | |
api-management | Rp Source Ip Address Change Sep 2023 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/rp-source-ip-address-change-sep-2023.md | |
api-management | Self Hosted Gateway V0 V1 Retirement Oct 2023 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/self-hosted-gateway-v0-v1-retirement-oct-2023.md | |
api-management | Stv1 Platform Retirement August 2024 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/stv1-platform-retirement-august-2024.md | |
api-management | Workspaces Breaking Changes June 2024 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/workspaces-breaking-changes-june-2024.md | |
api-management | Cache Lookup Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-lookup-policy.md | Use the `cache-lookup` policy to perform cache lookup and return a valid cached - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes For more information, see [Policy expressions](api-management-policy-expressions ## Related policies -* [API Management caching policies](api-management-caching-policies.md) +* [Caching](api-management-policies.md#caching) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Cache Lookup Value Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-lookup-value-policy.md | Use the `cache-lookup-value` policy to perform cache lookup by key and return a - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example For more information and examples of this policy, see [Custom caching in Azure A ## Related policies -* [API Management caching policies](api-management-caching-policies.md) +* [Caching](api-management-policies.md#caching) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Cache Remove Value Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-remove-value-policy.md | The `cache-remove-value` deletes a cached item identified by its key. The key ca - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example For more information and examples of this policy, see [Custom caching in Azure A ## Related policies -* [API Management caching policies](api-management-caching-policies.md) +* [Caching](api-management-policies.md#caching) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Cache Store Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-store-policy.md | The `cache-store` policy caches responses according to the specified cache setti - [**Policy sections:**](./api-management-howto-policies.md#sections) outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes For more information, see [Policy expressions](api-management-policy-expressions ## Related policies -* [API Management caching policies](api-management-caching-policies.md) +* [Caching](api-management-policies.md#caching) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Cache Store Value Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cache-store-value-policy.md | The `cache-store-value` performs cache storage by key. The key can have an arbit - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example For more information and examples of this policy, see [Custom caching in Azure A ## Related policies -* [API Management caching policies](api-management-caching-policies.md) +* [Caching](api-management-policies.md#caching) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Check Header Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/check-header-policy.md | Use the `check-header` policy to enforce that a request has a specified HTTP he - **[Policy sections:](./api-management-howto-policies.md#sections)** inbound - **[Policy scopes:](./api-management-howto-policies.md#scopes)** global, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example Use the `check-header` policy to enforce that a request has a specified HTTP he ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Choose Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/choose-policy.md | The `choose` policy must contain at least one `<when/>` element. The `<otherwise - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Examples This example shows how to perform content filtering by removing data elements fr ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Policy control and flow](api-management-policies.md#policy-control-and-flow) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Compute Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/compute-infrastructure.md | Title: Azure API Management compute platform -description: Learn about the compute platform used to host your API Management service instance. Instances in the dedicated service tiers of API Management are hosted on the stv1 or stv2 compute platform. +description: Learn about the compute platform used to host your API Management service instance. Instances in the classic service tiers of API Management are hosted on the stv1 or stv2 compute platform. -# Compute platform for Azure API Management +# Compute platform for Azure API Management - Classic tiers + As a cloud platform-as-a-service (PaaS), Azure API Management abstracts many details of the infrastructure used to host and run your service. You can create, manage, and scale most aspects of your API Management instance without needing to know about its underlying resources. Most new instances created in service tiers other than the Consumption tier are ## What are the compute platforms for API Management? -The following table summarizes the compute platforms currently used in the **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management. This table doesn't apply to the [v2 pricing tiers (preview)](#what-about-the-v2-pricing-tiers). +The following table summarizes the compute platforms currently used in the **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management. This table doesn't apply to the [v2 pricing tiers](#what-about-the-v2-pricing-tiers). | Version | Description | Architecture | Tiers | | -| -| -- | - | Migration steps depend on features enabled in your API Management instance. If t ## What about the v2 pricing tiers? -The v2 pricing tiers are a new set of tiers for API Management currently in preview. 
Hosted on a new, highly scalable and available Azure infrastructure that's different from the `stv1` and `stv2` compute platforms, the v2 tiers aren't affected by the retirement of the `stv1` platform. +The v2 pricing tiers are a new set of tiers for API Management. Hosted on a new, highly scalable and available Azure infrastructure that's different from the `stv1` and `stv2` compute platforms, the v2 tiers aren't affected by the retirement of the `stv1` platform. The v2 tiers are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. For more information, see [v2 tiers overview](v2-service-tiers-overview.md). |
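Review bot: the new title "Compute platform for Azure API Management - Classic tiers" and the description's "classic service tiers" don't say whether Consumption counts as a classic tier, while the unchanged table intro still lists the Consumption tier alongside Developer, Basic, Standard, and Premium. Define "classic" once near the top of the article, or reword the table intro so the title and the table cover the same set of tiers.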
api-management | Configure Credential Connection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-credential-connection.md | |
api-management | Configure Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-custom-domain.md | API Management offers a free, managed TLS certificate for your domain, if you do * Not supported in the following Azure regions: France South and South Africa West * Currently available only in the Azure cloud * Does not support root domain names (for example, `contoso.com`). Requires a fully qualified name such as `api.contoso.com`.+* Supports only public domain names * Can only be configured when updating an existing API Management instance, not when creating an instance |
api-management | Configure Graphql Resolver | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-graphql-resolver.md | You can define the resolver as follows: For more resolver examples, see: -* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies) +* [GraphQL resolver policies](api-management-policies.md#graphql-resolvers) * [Sample APIs for Azure API Management](https://github.com/Azure-Samples/api-management-sample-apis) |
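Review bot: in the "For more resolver examples" list, the anchor changes to `#graphql-resolvers` but the link text still reads "GraphQL resolver policies". If the target heading is now "GraphQL resolvers", update the link text to match, for example `[GraphQL resolvers](api-management-policies.md#graphql-resolvers)`.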
api-management | Cors Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cors-policy.md | The `cors` policy adds cross-origin resource sharing (CORS) support to an operat - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes * You may configure the `cors` policy at more than one scope (for example, at the product scope and the global scope). Ensure that the `base` element is configured at the operation, API, and product scopes to inherit needed policies at the parent scopes. This example demonstrates how to support [preflight requests](https://developer. ## Related policies -* [API Management cross-domain policies](api-management-cross-domain-policies.md) +* [Cross-domain](api-management-policies.md#cross-domain) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Cosmosdb Data Source Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cosmosdb-data-source-policy.md | Use the policy to configure a single query request, read request, delete request ## Usage - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver-- [**Gateways:**](api-management-gateways-overview.md) dedicated+- [**Gateways:**](api-management-gateways-overview.md) classic, v2 ### Usage notes type Query { ## Related policies -* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies) +* [GraphQL resolvers](api-management-policies.md#graphql-resolvers) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Credentials Configure Common Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-configure-common-providers.md | |
api-management | Credentials How To Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-how-to-azure-ad.md | The preceding policy definition consists of two parts: ## Related content -* Learn more about [access restriction policies](api-management-access-restriction-policies.md) +* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) in Azure API Management. * Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Microsoft Entra ID. |
api-management | Credentials How To Github | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-how-to-github.md | The preceding policy definition consists of three parts: ## Related content -* Learn more about [access restriction policies](api-management-access-restriction-policies.md). +* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) * Learn more about GitHub's [REST API](https://docs.github.com/en/rest?apiVersion=2022-11-28) |
api-management | Credentials How To User Delegated | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-how-to-user-delegated.md | In the preceding policy definition, replace: ## Related content -* Learn more about [access restriction policies](api-management-access-restriction-policies.md) +* Learn more about [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) * Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Microsoft Entra ID. |
api-management | Credentials Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-overview.md | All underlying connections and access policies are also deleted. ### Are the access tokens cached by API Management? -In the dedicated service tiers, the access token is cached by the API Management instance until 3 minutes before the token expiration time. If the access token is less than 3 minutes away from expiration, the cached time will be until the access token expires. +In the classic and v2 service tiers, the access token is cached by the API Management instance until 3 minutes before the token expiration time. If the access token is less than 3 minutes away from expiration, the cached time will be until the access token expires. Access tokens aren't cached in the Consumption tier. |
api-management | Credentials Process Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/credentials-process-flow.md | |
api-management | Cross Domain Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/cross-domain-policy.md | Child elements must conform to the [Adobe cross-domain policy file specification - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example Child elements must conform to the [Adobe cross-domain policy file specification ## Related policies -* [API Management cross-domain policies](api-management-cross-domain-policies.md) +* [Cross-domain](api-management-policies.md#cross-domain) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Developer Portal Alternative Processes Self Host | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-alternative-processes-self-host.md | |
api-management | Developer Portal Basic Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-basic-authentication.md | For an overview of options to secure the developer portal, see [Secure access to - Complete the [Create an Azure API Management instance](get-started-create-service-instance.md) quickstart. - [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)] |
api-management | Developer Portal Extend Custom Functionality | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-extend-custom-functionality.md | -The following table summarizes three options, with links to more detail. +The following table summarizes two options, with links to more detail. |Method |Description | ||| |[Custom HTML code widget](#use-custom-html-code-widget) | - Lightweight solution for API publishers to add custom logic for basic use cases<br/><br/>- Copy and paste custom HTML code into a form, and developer portal renders it in an iframe | |[Create and upload custom widget](#create-and-upload-custom-widget) | - Developer solution for more advanced widget use cases<br/><br/>- Requires local implementation in React, Vue, or plain TypeScript<br/><br/>- Widget scaffold and tools provided to help developers create widget and upload to developer portal<br/><br/>- Widget creation, testing, and deployment can be scripted through open source [React Component Toolkit](#create-custom-widgets-using-open-source-react-component-toolkit)<br/><br/>- Supports workflows for source control, versioning, and code reuse |-|[Self-host developer portal](developer-portal-self-host.md) | - Legacy extensibility option for customers who need to customize source code of the entire portal core<br/><br/> - Gives complete flexibility for customizing portal experience<br/><br/>- Requires advanced configuration<br/><br/>- Customer responsible for managing complete code lifecycle: fork code base, develop, deploy, host, patch, and upgrade | ++> [!NOTE] +> [Self-hosting the developer portal](developer-portal-self-host.md) is an extensibility option for customers who need to customize the source code of the entire portal core. It gives complete flexibility for customizing portal experience, but requires advanced configuration. 
With self-hosting, you're responsible for managing complete code lifecycle: fork code base, develop, deploy, host, patch, and upgrade. +++ ## Use Custom HTML code widget The managed developer portal includes a **Custom HTML code** widget where you can insert HTML code for small portal customizations. For example, use custom HTML to embed a video or to add a form. The portal renders the custom widget in an inline frame (iframe). |
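Review bot: in the added NOTE, "managing complete code lifecycle" is missing an article; suggest "you're responsible for managing the complete code lifecycle". The hunk also adds a run of empty lines between the note and "## Use Custom HTML code widget", where a single blank line is enough.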
api-management | Developer Portal Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-faq.md | -This article provides answers to frequently asked questions about the [developer portal](developer-portal-overview.md) in Azure API Management. ## What if I need functionality that isn't supported in the portal? You have the following options: -* For small customizations, use a built-in widget to [add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget). +* For small customizations, use a built-in widget to [add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget). Currently, the custom HTML code widget isn't available in the v2 tiers of API Management. -* For larger customizations, [create and upload](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget) a custom widget to the managed developer portal. +* For larger customizations, [create and upload](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget) a custom widget to the managed developer portal. Currently, custom widgets aren't available in the v2 tiers of API Management. * [Self-host the developer portal](developer-portal-self-host.md), only if you need to make modifications to the core of the developer portal codebase. |
api-management | Developer Portal Integrate Application Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-integrate-application-insights.md | |
api-management | Developer Portal Integrate Google Tag Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-integrate-google-tag-manager.md | |
api-management | Developer Portal Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-overview.md | |
api-management | Developer Portal Self Host | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-self-host.md | This tutorial describes how to self-host the [API Management developer portal](a If you have already uploaded or modified media files in the managed portal, see [Move from managed to self-hosted](#move-from-managed-to-self-hosted-developer-portal), later in this article. - ## Prerequisites To set up a local development environment, you need to have: |
api-management | Developer Portal Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-testing.md | |
api-management | Devops Api Development Templates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/devops-api-development-templates.md | |
api-management | Diagnose Solve Problems | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/diagnose-solve-problems.md | Title: Azure API Management Diagnose and solve problems description: Learn how to troubleshoot issues with your API in Azure API Management with the Diagnose and Solve tool in the Azure portal. -+ Last updated 02/05/2021-+ # Azure API Management Diagnostics overview + When you build and manage an API in Azure API Management, you want to be prepared for any issues that may arise, from 404 not found errors to 502 bad gateway error. API Management Diagnostics is an intelligent and interactive experience to help you troubleshoot your API published in APIM with no configuration required. When you do run into issues with your published APIs, API Management Diagnostics points out whatΓÇÖs wrong, and guides you to the right information to quickly troubleshoot and resolve the issue. Although this experience is most helpful when you re having issues with your API within the last 24 hours, all the diagnostic graphs are always available for you to analyze. - ## Open API Management Diagnostics To access API Management Diagnostics, navigate to your API Management service instance in the [Azure portal](https://portal.azure.com). In the left navigation, select **Diagnose and solve problems**. |
api-management | Diagnostic Logs Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/diagnostic-logs-reference.md | |
api-management | Edit Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/edit-api.md | |
api-management | Emit Metric Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/emit-metric-policy.md | The `emit-metric` policy sends custom metrics in the specified format to Applica - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The following example sends a custom metric to count the number of API requests ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Logging](api-management-policies.md#logging) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Enable Cors Power Platform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/enable-cors-power-platform.md | |
api-management | Export Api Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/export-api-postman.md | |
api-management | Export Api Power Platform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/export-api-power-platform.md | |
api-management | Find And Replace Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/find-and-replace-policy.md | The `find-and-replace` policy finds a request or response substring and replaces - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example The `find-and-replace` policy finds a request or response substring and replaces ## Related policies -* [API Management transformation policies](api-management-transformation-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Forward Request Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/forward-request-policy.md | The `forward-request` policy forwards the incoming request to the backend servic - [**Policy sections:**](./api-management-howto-policies.md#sections) backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Examples This operation level policy doesn't forward requests to the backend service. ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Routing](api-management-policies.md#routing) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Front Door Api Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/front-door-api-management.md | |
api-management | Gateway Log Schema Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/gateway-log-schema-reference.md | |
api-management | Get Authorization Context Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-authorization-context-policy.md | class Authorization - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption ### Usage notes class Authorization ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Get Started Create Service Instance Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-started-create-service-instance-cli.md | ms.devlang: azurecli # Quickstart: Create a new Azure API Management instance by using the Azure CLI + This quickstart describes the steps for creating a new API Management instance by using Azure CLI commands. After creating an instance, you can use the Azure CLI for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)] |
api-management | Get Started Create Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-started-create-service-instance.md | |
api-management | Graphql Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-api.md | If your GraphQL API supports a subscription, you can test it in the test consol ## Secure your GraphQL API -Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks. +Secure your GraphQL API by applying both existing [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks. [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)] |
api-management | Graphql Apis Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-apis-overview.md | |
api-management | Graphql Schema Resolve Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/graphql-schema-resolve-api.md | Last updated 05/31/2023 # Add a synthetic GraphQL API and set up field resolvers [!INCLUDE [api-management-graphql-intro.md](../../includes/api-management-graphql-intro.md)] type User { ## Secure your GraphQL API -Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks. +Secure your GraphQL API by applying both existing [authentication and authorization policies](api-management-policies.md#authentication-and-authorization) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks. [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)] |
api-management | Grpc Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/grpc-api.md | API Management supports pass-through with the following types of gRPC service me > * Importing a gRPC API is in preview. Currently, gRPC APIs are only supported in the self-hosted gateway, not the managed gateway for your API Management instance. > * Currently, testing gRPC APIs isn't supported in the test console of the Azure portal or in the API Management developer portal. - ## Prerequisites * An API Management instance. If you don't already have one, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md). |
api-management | High Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/high-availability.md | |
api-management | How To Configure Cloud Metrics Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-cloud-metrics-logs.md | |
api-management | How To Configure Local Metrics Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-local-metrics-logs.md | -This article provides details for configuring local metrics and logs for the [self-hosted gateway](./self-hosted-gateway-overview.md) deployed on a Kubernetes cluster. For configuring cloud metrics and logs, see [this article](how-to-configure-cloud-metrics-logs.md). - [!INCLUDE [api-management-availability-premium-dev](../../includes/api-management-availability-premium-dev.md)] +This article provides details for configuring local metrics and logs for the [self-hosted gateway](./self-hosted-gateway-overview.md) deployed on a Kubernetes cluster. For configuring cloud metrics and logs, see [this article](how-to-configure-cloud-metrics-logs.md). + ## Metrics The self-hosted gateway supports [StatsD](https://github.com/statsd/statsd), which has become a unifying protocol for metrics collection and aggregation. This section walks through the steps for deploying StatsD to Kubernetes, configuring the gateway to emit metrics via StatsD, and using [Prometheus](https://prometheus.io/) to monitor the metrics. |
api-management | How To Configure Service Fabric Backend | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-service-fabric-backend.md | |
api-management | How To Create Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-create-workspace.md | -Set up a [workspace](workspaces-overview.md) (preview) to enable a decentralized API development team to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. After you create a workspace and assign permissions, workspace collaborators can create and manage their own APIs, products, subscriptions, and related resources. - [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)] +Set up a [workspace](workspaces-overview.md) (preview) to enable a decentralized API development team to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. After you create a workspace and assign permissions, workspace collaborators can create and manage their own APIs, products, subscriptions, and related resources. + > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations). > * Workspaces are supported in API Management REST API version 2022-09-01-preview or later. |
api-management | How To Deploy Self Hosted Gateway Azure Arc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-azure-arc.md | Last updated 06/12/2023 # Deploy an Azure API Management gateway on Azure Arc (preview) + With the integration between Azure API Management and [Azure Arc on Kubernetes](../azure-arc/kubernetes/overview.md), you can deploy the API Management gateway component as an [extension in an Azure Arc-enabled Kubernetes cluster](../azure-arc/kubernetes/extensions.md). Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster expands API Management support for hybrid and multicloud environments. Enable the deployment using a cluster extension to make managing and applying policies to your Azure Arc-enabled cluster a consistent experience. Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster > [!NOTE] > You can also deploy the self-hosted gateway [directly to Kubernetes](./how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md). - ## Prerequisites * [Connect your Kubernetes cluster](../azure-arc/kubernetes/quickstart-connect-cluster.md) within a supported Azure Arc region. |
api-management | How To Deploy Self Hosted Gateway Azure Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md | Last updated 06/11/2021 -# Deploy to Azure Kubernetes Service +# Deploy an Azure API Management self-hosted gateway to Azure Kubernetes Service + This article provides the steps for deploying self-hosted gateway component of Azure API Management to [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/). For deploying self-hosted gateway to a Kubernetes cluster, see the how-to article for deployment by using a [deployment YAML file](how-to-deploy-self-hosted-gateway-kubernetes.md) or [with Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md). This article provides the steps for deploying self-hosted gateway component of A > [!NOTE] > You can also deploy self-hosted gateway to an [Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md). - ## Prerequisites - [Create an Azure API Management instance](get-started-create-service-instance.md) |
api-management | How To Deploy Self Hosted Gateway Container Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-container-apps.md | |
api-management | How To Deploy Self Hosted Gateway Docker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-docker.md | This article provides the steps for deploying self-hosted gateway component of A > [!NOTE] > Hosting self-hosted gateway in Docker is best suited for evaluation and development use cases. Kubernetes is recommended for production use. Learn how to [deploy with Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md) or using [deployment YAML file](how-to-deploy-self-hosted-gateway-kubernetes.md) to learn how to deploy self-hosted gateway to Kubernetes. - ## Prerequisites - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md) |
api-management | How To Deploy Self Hosted Gateway Kubernetes Helm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes-helm.md | Last updated 12/21/2021 -# Deploy to Kubernetes with Helm +# Deploy self-hosted gateway to Kubernetes with Helm + [Helm][helm] is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications. It allows you to manage Kubernetes charts, which are packages of pre-configured Kubernetes resources. This article provides the steps for deploying self-hosted gateway component of A > [!NOTE] > You can also deploy self-hosted gateway to an [Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md). - ## Prerequisites - Create a Kubernetes cluster, or have access to an existing one. |
api-management | How To Deploy Self Hosted Gateway Kubernetes Opentelemetry | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md | Last updated 12/17/2021 # Deploy self-hosted gateway to Kubernetes with OpenTelemetry integration + This article describes the steps for deploying the self-hosted gateway component of Azure API Management to a Kubernetes cluster and automatically send all metrics to an [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/). [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-opentelemetry.md)] You learn how to: > * Generate metrics by consuming APIs on the self-hosted gateway. > * Use the metrics from the OpenTelemetry Collector. - ## Prerequisites - [Create an Azure API Management instance](get-started-create-service-instance.md) |
api-management | How To Deploy Self Hosted Gateway Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md | Last updated 05/22/2023 # Deploy a self-hosted gateway to Kubernetes with YAML + This article describes the steps for deploying the self-hosted gateway component of Azure API Management to a Kubernetes cluster. [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)] This article describes the steps for deploying the self-hosted gateway component > [!NOTE] > You can also deploy self-hosted gateway to an [Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md). - ## Prerequisites - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md). |
api-management | How To Event Grid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-event-grid.md | |
api-management | How To Self Hosted Gateway On Kubernetes In Production | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md | Last updated 01/17/2023 # Guidance for running self-hosted gateway on Kubernetes in production + In order to run the self-hosted gateway in production, there are various aspects to take in to mind. For example, it should be deployed in a highly available manner, use configuration backups to handle temporary disconnects and many more. This article provides guidance on how to run [self-hosted gateway](./self-hosted-gateway-overview.md) on Kubernetes for production workloads to ensure that it will run smoothly and reliably. [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)] - ## Access token Without a valid access token, a self-hosted gateway can't access and download configuration data from the endpoint of the associated API Management service. The access token can be valid for a maximum of 30 days. It must be regenerated, and the cluster configured with a fresh token, either manually or via automation before it expires. |
api-management | How To Server Sent Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-server-sent-events.md | Last updated 02/24/2022 # Configure API for server-sent events + This article provides guidelines for configuring an API in API Management that implements server-sent events (SSE). SSE is based on the HTML5 `EventSource` standard for streaming (pushing) data automatically to a client over HTTP after a client has established a connection. > [!TIP] This article provides guidelines for configuring an API in API Management that i - An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md). - An API that implements SSE. [Import and publish](import-and-publish.md) the API to your API Management instance using one of the supported import methods. - ## Guidelines for SSE Follow these guidelines when using API Management to reach a backend API that implements SSE. -* **Choose service tier for long-running HTTP connections** - SSE relies on a long-running HTTP connection. Long-running connections are supported in the dedicated API Management tiers, but not in the Consumption tier. +* **Choose service tier for long-running HTTP connections** - SSE relies on a long-running HTTP connection that is supported in certain API Management [pricing tiers](api-management-key-concepts.md#api-management-tiers). Long-running connections are supported in the classic and v2 API Management tiers, but not in the Consumption tier. * **Keep idle connections alive** - If a connection between client and backend could be idle for 4 minutes or longer, implement a mechanism to keep the connection alive. For example, enable a TCP keepalive signal at the backend of the connection, or send traffic from the client side at least once per 4 minutes. 
Follow these guidelines when using API Management to reach a backend API that im * **Avoid logging request/response body for Azure Monitor, Application Insights, and Event Hubs** - You can configure API request logging for Azure Monitor or Application Insights using diagnostic settings. The diagnostic settings allow you to log the request/response body at various stages of the request execution. For APIs that implement SSE, this can cause unexpected buffering which can lead to problems. Diagnostic settings for Azure Monitor and Application Insights configured at the global/All APIs scope apply to all APIs in the service. You can override the settings for individual APIs as needed. When logging to Event Hubs, you configure the scope and amount of context information for request/response logging by using the [log-to-eventhubs](api-management-howto-log-event-hubs.md#configure-log-to-eventhub-policy). For APIs that implement SSE, ensure you have disabled request/response body logging for Azure Monitor, Application Insights, and Event Hubs. -* **Disable response caching** - To ensure that notifications to the client are timely, verify that [response caching](api-management-howto-cache.md) isn't enabled. For more information, see [API Management caching policies](api-management-caching-policies.md). +* **Disable response caching** - To ensure that notifications to the client are timely, verify that [response caching](api-management-howto-cache.md) isn't enabled. For more information, see [API Management caching policies](api-management-policies.md#caching). * **Test API under load** - Follow general practices to test your API under load to detect performance or configuration issues before going into production. |
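Review bot: In the "Choose service tier for long-running HTTP connections" bullet, the added sentence says the same thing twice: "supported in certain API Management pricing tiers" is restated immediately by "Long-running connections are supported in the classic and v2 API Management tiers, but not in the Consumption tier." Suggest keeping the original first sentence ("SSE relies on a long-running HTTP connection.") and moving the pricing-tiers link onto "classic and v2 API Management tiers" in the second sentence. Separately, in the unchanged logging bullet the link text "[log-to-eventhubs]" is missing its noun ("policy").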
api-management | Howto Protect Backend Frontend Azure Ad B2c | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/howto-protect-backend-frontend-azure-ad-b2c.md | Open the Azure AD B2C blade in the portal and do the following steps. > > We still have no IP security applied, if you have a valid key and OAuth2 token, anyone can call this from anywhere - ideally we want to force all requests to come via API Management. >- > If you're using the API Management Consumption, Basic v2, and Standard v2 tiers then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-and-standard-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management dedicated tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply. + > If you're using the API Management Consumption, Basic v2, and Standard v2 tiers then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-and-standard-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management classic (dedicated) tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply. 1. Close the 'Authentication' blade from the App Service / Functions portal. 1. 
Open the *API Management blade of the portal*, then open *your instance*. |
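Review bot: The changed note still ends with "steps 12-17 below do not apply", a hard-coded range in a list whose items are all written as auto-numbered "1." entries, so the range goes stale as soon as a step is added or removed above it. Suggest naming the steps by what they configure or linking to an anchor instead of citing numbers. The wording "classic (dedicated) tiers" also differs from the plain "classic" used in the gateway lines of the other articles in this change set; pick one form, or explain the parenthetical once.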
api-management | Howto Use Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/howto-use-analytics.md | Title: Use API analytics in Azure API Management | Microsoft Docs -description: Use analytics in Azure API Management to help you understand and categorize the usage of your APIs and API performance. +description: Use analytics in Azure API Management to understand and categorize the usage of your APIs and API performance. Analytics is provided using an Azure workbook. Previously updated : 02/23/2022 Last updated : 03/26/2024 + # Get API analytics in Azure API Management -Azure API Management provides built-in analytics for your APIs. Analyze the usage and performance of the APIs in your API Management instance across several dimensions, including: ++Azure API Management provides analytics for your APIs so that you can analyze their usage and performance. Use analytics for high-level monitoring and troubleshooting of your APIs. For other monitoring features, including near real-time metrics and resource logs for diagnostics and auditing, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md). ++++## About API analytics ++* API Management provides analytics using an [Azure Monitor-based dashboard](../azure-monitor/visualize/workbooks-overview.md). The dashboard aggregates data in an Azure Log Analytics workspace. ++* In the classic API Management service tiers, your API Management instance also includes legacy *built-in analytics* in the Azure portal, and analytics data can be accessed using the API Management REST API. Equivalent data is shown in the Azure Monitor-based dashboard and built-in analytics. ++> [!IMPORTANT] +> * The Azure Monitor-based dashboard is the recommended way to access analytics data. +> * Legacy built-in analytics isn't available in the v2 tiers. 
++With API analytics, analyze the usage and performance of the APIs in your API Management instance across several dimensions, including: * Time * Geography Azure API Management provides built-in analytics for your APIs. Analyze the usag * Requests > [!NOTE]-> * API analytics provides data on requests (including failed and unauthorized requests) that are matched with an API and operation. Other calls aren't reported. +> * API analytics provides data on requests, including failed and unauthorized requests. > * Geography values are approximate based on IP address mapping.+> * There may be a delay of 15 minutes or more in the availability of analytics data. +## Azure Monitor-based dashboard -Use analytics for high-level monitoring and troubleshooting of your APIs. For additional monitoring features, including near real-time metrics and resource logs for diagnostics and auditing, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md). +To use the Azure Monitor-based dashboard, you need to configure a Log Analytics workspace as a data source for API Management gateway logs. +If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs). This is a one-time setup. -## Analytics - portal +1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance. +1. In the left-hand menu, under **Monitoring**, select **Diagnostic settings** > **+ Add diagnostic setting**. +1. Enter a descriptive name for the diagnostic setting. +1. In **Logs**, select **Logs related to ApiManagement Gateway**. +1. In **Destination details**, select **Send to Log Analytics** and select a Log Analytics workspace in the same or a different subscription. If you need to create a workspace, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md). +1. 
Accept defaults for other settings, or customize as needed. Select **Save**. -Use the Azure portal to review analytics data at a glance for your API Management instance. +### Access the dashboard -1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance. -1. In the left-hand menu, under **Monitoring**, select **Analytics**. +After a Log Analytics workspace is configured, access the Azure Monitor-based dashboard to analyze the usage and performance of your APIs. ++1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance. +1. In the left-hand menu, under **Monitoring**, select **Insights**. The analytics dashboard opens. +1. Select a time range for data. +1. Select a report category for analytics data, such as **Timeline**, **Geography**, and so on. ++## Legacy built-in analytics - :::image type="content" source="media/howto-use-analytics/monitoring-menu-analytics.png" alt-text="Select analytics for API Management instance in portal"::: +In certain API Management service tiers, built-in analytics is also available in the Azure portal, and analytics data can be accessed using the API Management REST API. ++### Built-in analytics - portal ++To access the built-in analytics in the Azure portal: ++1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance. +1. In the left-hand menu, under **Monitoring**, select **Analytics**. 1. Select a time range for data, or enter a custom time range. 1. Select a report category for analytics data, such as **Timeline**, **Geography**, and so on. 1. Optionally, filter the report by one or more additional categories. -## Analytics - REST API +### Analytics - REST API -Use [Reports](/rest/api/apimanagement/current-ga/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance. 
+Use [Reports](/rest/api/apimanagement/reports) operations in the API Management REST API to retrieve and filter analytics data for your API Management instance. Available operations return report records by API, geography, API operations, product, request, subscription, time, or user. -## Next steps +## Related content * For an introduction to Azure Monitor features in API Management, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md) * For detailed HTTP logging and monitoring, see [Monitor your APIs with Azure API Management, Event Hubs, and Moesif](api-management-log-to-eventhub-sample.md).-* Learn about integrating [Azure API Management with Azure Application Insights](api-management-howto-app-insights.md). +* Learn about integrating [Azure API Management with Azure Application Insights](api-management-howto-app-insights.md). |
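Review bot: The rewritten note bullet drops the scope statement "that are matched with an API and operation. Other calls aren't reported." and now says only "API analytics provides data on requests, including failed and unauthorized requests." If unmatched calls are still excluded, keep that sentence, because readers who rely on analytics to monitor failed and unauthorized requests need to know what isn't counted; if the Azure Monitor-based dashboard now includes them, say so explicitly. Under "Legacy built-in analytics", "In certain API Management service tiers" should name the classic tiers, as "About API analytics" already does. The heading "### Analytics - REST API" should also match its sibling "### Built-in analytics - portal" and state whether the Reports operations are available in the v2 tiers.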
api-management | Http Data Source Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/http-data-source-policy.md | The `http-data-source` resolver policy configures the HTTP request and optionall ## Usage - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption ### Usage notes For this example, we mock the customer results from an external source, and hard ## Related policies -* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies) +* [GraphQL resolvers](api-management-policies.md#graphql-resolvers) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Import And Publish | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-and-publish.md | |
api-management | Import Api From Oas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-api-from-oas.md | After importing the API, if needed, you can update the settings by using the [Se ## Validate against an OpenAPI specification -You can configure API Management [validation policies](api-management-policies.md#validation-policies) to validate requests and responses (or elements of them) against the schema in an OpenAPI specification. For example, use the [validate-content](validate-content-policy.md) policy to validate the size or content of a request or response body. +You can configure API Management [validation policies](api-management-policies.md#content-validation) to validate requests and responses (or elements of them) against the schema in an OpenAPI specification. For example, use the [validate-content](validate-content-policy.md) policy to validate the size or content of a request or response body. ## Next steps |
api-management | Import Api From Odata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-api-from-odata.md | |
api-management | Import App Service As Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-app-service-as-api.md | |
api-management | Import Container App With Oas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-container-app-with-oas.md | |
api-management | Import Function App As Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-function-app-as-api.md | |
api-management | Import Logic App As Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-logic-app-as-api.md | |
api-management | Import Soap Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-soap-api.md | |
api-management | Include Fragment Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/include-fragment-policy.md | The policy inserts the policy fragment as-is at the location you select in the p - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example In the following example, the policy fragment named *myFragment* is added in the ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Policy control and flow](api-management-policies.md#policy-control-and-flow) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Integrate Vnet Outbound | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/integrate-vnet-outbound.md | -# Integrate an Azure API Management instance with a private VNet for outbound connections (preview) +# Integrate an Azure API Management instance with a private VNet for outbound connections + This article guides you through the process of configuring *VNet integration* for your Azure API Management instance so that your API Management instance can make outbound requests to API backends that are isolated in the network. When an API Management instance is integrated with a virtual network for outboun :::image type="content" source="./media/integrate-vnet-outbound/vnet-integration.svg" alt-text="Diagram of integrating API Management instance with a delegated subnet." ::: - ## Prerequisites - An Azure API Management instance in the [Standard v2](v2-service-tiers-overview.md) pricing tier |
api-management | Invoke Dapr Binding Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/invoke-dapr-binding-policy.md | The "backend" section is empty and the request is not forwarded to the backend. ## Related policies -* [API Management Dapr integration policies](api-management-dapr-policies.md) +* [Integration and external communication](api-management-policies.md#integration-and-external-communication) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Ip Filter Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/ip-filter-policy.md | The `ip-filter` policy filters (allows/denies) calls from specific IP addresses - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes In the following example, the policy only allows requests coming either from the ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Json To Xml Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/json-to-xml-policy.md | The `json-to-xml` policy converts a request or response body from JSON to XML. - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example The XML response to the client will be: ## Related policies -* [API Management transformation policies](api-management-transformation-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Jsonp Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/jsonp-policy.md | The `jsonp` policy adds JSON with padding (JSONP) support to an operation or an - [**Policy sections:**](./api-management-howto-policies.md#sections) outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes If you add the callback parameter `?cb=XXX`, it will return a JSONP result, wrap ## Related policies -* [API Management cross-domain policies](api-management-cross-domain-policies.md) +* [Cross-domain](api-management-policies.md#cross-domain) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Limit Concurrency Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/limit-concurrency-policy.md | The `limit-concurrency` policy prevents enclosed policies from executing by more - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example The following example demonstrates how to limit number of requests forwarded to ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Log To Eventhub Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/log-to-eventhub-policy.md | The `log-to-eventhub` policy sends messages in the specified format to an event - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes Any string can be used as the value to be logged in Event Hubs. In this example ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Integration and external communication](api-management-policies.md#integration-and-external-communication) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Migrate Stv1 To Stv2 No Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/migrate-stv1-to-stv2-no-vnet.md | If you need to migrate a *VNnet-injected* API Management hosted on the `stv1` pl > * Depending on your migration process, you might have temporary downtime during migration, and you might need to update your network dependencies after migration to reach your API Management instance. Plan your migration accordingly. > * Migration to `stv2` is not reversible. - ## What happens during migration? API Management platform migration from `stv1` to `stv2` involves updating the underlying compute alone and has no impact on the service/API configuration persisted in the storage layer. For an instance that's not deployed in a VNet: |
api-management | Migrate Stv1 To Stv2 Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/migrate-stv1-to-stv2-vnet.md | If you need to migrate a *non-VNnet-injected* API Management hosted on the `stv1 > * The VIP address of your instance will change. After migration, you'll need to update any network dependencies including DNS, firewall rules, and VNets to use the new VIP address. Plan your migration accordingly. > * Migration to `stv2` is not reversible. - ## What happens during migration? API Management platform migration from `stv1` to `stv2` involves updating the underlying compute alone and has no impact on the service/API configuration persisted in the storage layer. |
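Review bot: the unchanged intro sentence of this article spells the term `*non-VNnet-injected*`, and the no-VNet migration article's intro has the matching `*VNnet-injected*`; since both files are being touched only to drop a blank line, correct the spelling to "VNet-injected" in the same change so the two cross-references read consistently.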
api-management | Migrate Stv1 To Stv2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/migrate-stv1-to-stv2.md | |
api-management | Mitigate Owasp Api Threats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mitigate-owasp-api-threats.md | More information about this threat: [API2:2019 Broken User Authentication](https Use API Management for user authentication and authorization: -* **Authentication** - API Management supports the following [authentication methods](api-management-authentication-policies.md): +* **Authentication** - API Management supports the following [authentication methods](api-management-policies.md#authentication-and-authorization): * [Basic authentication](authentication-basic-policy.md) policy - Username and password credentials. Use API Management for user authentication and authorization: More recommendations: -* Use [access restriction policies](api-management-access-restriction-policies.md) in API Management to increase security. For example, [call rate limiting](rate-limit-policy.md) slows down bad actors using brute force attacks to compromise credentials. +* Use policies in API Management to increase security. For example, [call rate limiting](rate-limit-policy.md) slows down bad actors using brute force attacks to compromise credentials. * APIs should use TLS/SSL (transport security) to protect the credentials or tokens. Credentials and tokens should be sent in request headers and not as query parameters. More information about this threat: [API3:2019 Excessive Data Exposure](https:// * [Versions](api-management-versions.md) for breaking changes, for example, the removal of a field from an interface. -* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](transform-api.md) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body. 
+* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](api-management-policies.md#transformation) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body. * [Response content validation](validate-content-policy.md) in API Management can be used with an XML or JSON schema to block responses with undocumented properties or improper values. The policy also supports blocking responses exceeding a specified size. More information about this threat: [API6:2019 Mass assignment](https://github.c * Precisely define XML and JSON contracts in the API schema and use [validate content](validate-content-policy.md) and [validate parameters](validate-parameters-policy.md) policies to block requests and responses with undocumented properties. Blocking requests with undocumented properties mitigates attacks, while blocking responses with undocumented properties makes it harder to reverse-engineer potential attack vectors. -* If the backend interface can't be changed, use [transformation policies](transform-api.md) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md). +* If the backend interface can't be changed, use [transformation policies](api-management-policies.md#transformation) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md). ## Security misconfiguration More information about this threat: [API7:2019 Security misconfiguration](https: * Configure the [CORS](cors-policy.md) policy and don't use wildcard `*` for any configuration option. Instead, explicitly list allowed values. 
- * Set [validation policies](validation-policies.md) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response. + * Set [validation policies](api-management-policies.md#content-validation) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response. * If API Management is outside a network boundary, client IP validation is still possible using the [restrict caller IPs](ip-filter-policy.md) policy. Ensure that it uses an allowlist, not a blocklist. More information about this threat: [API8:2019 Injection](https://github.com/OWA > [!IMPORTANT] > Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or backend API itself. Possible mitigations include: [network ACLs](../virtual-network/network-security-groups-overview.md), using API Management policy to [restrict inbound traffic by client IP](ip-filter-policy.md), removing public access where not required, and [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) (also known as mutual TLS or mTLS). -* Use schema and parameter [validation](validation-policies.md) policies, where applicable, to further constrain and validate the request before it reaches the backend API service. +* Use schema and parameter [validation](api-management-policies.md#content-validation) policies, where applicable, to further constrain and validate the request before it reaches the backend API service. The schema supplied with the API definition should have a regex pattern constraint applied to vulnerable fields. Each regex should be tested to ensure that it constrains the field sufficiently to mitigate common injection attempts. |
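Review bot: in the "More recommendations" bullet under Broken User Authentication, dropping the link and leaving "Use policies in API Management to increase security" makes the recommendation generic and gives the reader nowhere to go. Point it at the consolidated reference instead, for example `api-management-policies.md#rate-limiting-and-quotas` (the bullet's own example is call rate limiting) or `api-management-policies.md#authentication-and-authorization`, the anchor the Authentication bullet above now uses. The other link replacements in this file keep a target, so this one looks like an oversight rather than an intentional removal.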
api-management | Mock Api Responses | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mock-api-responses.md | |
api-management | Mock Response Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mock-response-policy.md | The `mock-response` policy, as the name implies, is used to mock APIs and operat - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The `mock-response` policy, as the name implies, is used to mock APIs and operat ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Monetization Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/monetization-overview.md | |
api-management | Monetization Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/monetization-support.md | |
api-management | Observability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/observability.md | Azure API Management allows you to choose to use the managed gateway or [self-ho The table below summarizes all the observability capabilities supported by API Management to operate APIs and what deployment models they support. These capabilities can be used by API publishers and others who have permissions to operate or manage the API Management instance. > [!NOTE]-> For API consumers who use the developer portal, a built-in API report is available. It only provides information about their individual API usage during the preceding 90 days. +> For API consumers who use the developer portal, a built-in API report is available. It only provides information about their individual API usage during the preceding 90 days. Currently, the built-in API report is not available in the developer portal for the v2 service tiers. > | Tool | Useful for | Data lag | Retention | Sampling | Data kind | Supported Deployment Model(s) | |:- |:-|:- |:-|:- |: |:- | |
api-management | Plan Manage Costs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/plan-manage-costs.md | Last updated 06/11/2021 # Plan and manage costs for API Management + This article describes how you plan for and manage costs for Azure API Management. First, you use the Azure pricing calculator to help plan for API Management costs before you add any resources for the service to estimate costs. After you've started using API Management resources, use Cost Management features to set budgets and monitor costs. You can also review forecasted costs and identify spending trends to identify areas where you might want to act. Costs for API Management are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan for and manage costs for API Management, you're billed for all Azure services and resources used in your Azure subscription, including the third-party services. When you create or use Azure resources with API Management, you'll get charged b | Tiers | Description | | -- | -- | | Consumption | Incurs no fixed costs. You are billed based on the number of API calls to the service above a certain threshold. |-| Developer, Basic, Standard, and Premium | Incur monthly costs, based on the number of [units](./api-management-capacity.md) and [self-hosted gateways](./self-hosted-gateway-overview.md). Self-hosted gateways are free for the Developer tier. [Upgrade](./upgrade-and-scale.md) to a different service tier at any time. | +| Developer, Basic, Basic v2, Standard, Standard v2, and Premium | Incur monthly costs, based on the number of [units](./api-management-capacity.md) and [self-hosted gateways](./self-hosted-gateway-overview.md). Self-hosted gateways are free for the Developer tier. Different [upgrade](./upgrade-and-scale.md) options are available, depending on your service tier. 
| You may also incur additional charges when you use other Azure resources with API Management, like virtual networks, availability zones, and multi-region writes. At the end of your billing cycle, the charges for each meter are summed. Your bill or invoice shows a section for all API Management costs. There's a separate line item for each meter. |
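Review bot: the tier table now groups Basic v2 and Standard v2 with the classic tiers and changes the upgrade wording to "Different upgrade options are available, depending on your service tier", yet the visible metadata still reads "Last updated 06/11/2021". Update the date with this change so readers can tell the pricing guidance covers the v2 tiers. It would also help to say in the row whether billing "based on the number of units and self-hosted gateways" applies identically to the v2 tiers or only to the classic ones, since the sentence now covers both without distinction.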
api-management | Policy Fragments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-fragments.md | |
api-management | Policy Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-reference.md | |
api-management | Powershell Create Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/powershell-create-service-instance.md | |
api-management | Private Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/private-endpoint.md | Last updated 03/20/2023 # Connect privately to API Management using an inbound private endpoint + You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). * The private endpoint uses an IP address from an Azure VNet in which it's hosted. You can configure an inbound [private endpoint](../private-link/private-endpoint [!INCLUDE [api-management-private-endpoint](../../includes/api-management-private-endpoint.md)] -- ## Limitations * Only the API Management instance's Gateway endpoint supports inbound Private Link connections. |
api-management | Protect With Ddos Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/protect-with-ddos-protection.md | |
api-management | Protect With Defender For Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/protect-with-defender-for-apis.md | Capabilities of Defender for APIs include: This article shows how to use the Azure portal to enable Defender for APIs from your API Management instance and view a summary of security recommendations and alerts for onboarded APIs. - ## Plan limitations * Currently, Defender for APIs discovers and analyzes REST APIs only. |
api-management | Proxy Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/proxy-policy.md | The `proxy` policy allows you to route requests forwarded to backends via an HTT - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example In this example, [named values](api-management-howto-properties.md) are used for ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Routing](api-management-policies.md#routing) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Publish Event Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/publish-event-policy.md | The `publish-event` policy publishes an event to one or more subscriptions speci - [**Policy sections:**](./api-management-howto-policies.md#sections) `http-response` element in `http-data-source` resolver - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver only-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption ### Usage notes type Subscription { ## Related policies -* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies) +* [GraphQL resolvers](api-management-policies.md#graphql-resolvers) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Publish To Dapr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/publish-to-dapr-policy.md | The "backend" section is empty and the request is not forwarded to the backend. ## Related policies -* [API Management Dapr integration policies](api-management-dapr-policies.md) +* [Integration and external communication](api-management-policies.md#integration-and-external-communication) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Quickstart Arm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-arm-template.md | More Azure API Management template samples can be found in [Azure Quickstart Tem - **Region**: select a location for the resource group. Example: **Central US**. - **Publisher Email**: enter an email address to receive notifications. - **Publisher Name**: enter a name you choose for the API publisher.- - **Sku**: accept the default value of **Developer**. + - **Sku**: accept the default value of **Developer**. Alternatively, choose another value. - **Sku Count**: accept the default value. - **Location**: accept the generated location for the API Management service. More Azure API Management template samples can be found in [Azure Quickstart Tem 1. Select **Review + Create**, then review the terms and conditions. If you agree, select **Create**. > [!TIP]- > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. + > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. Times vary by tier. 1. After the instance has been created successfully, you get a notification: |
api-management | Quickstart Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-bicep.md | tags: azure-resource-manager, bicep Previously updated : 12/12/2023 Last updated : 03/25/2024 # Quickstart: Create a new Azure API Management service instance using Bicep + This quickstart describes how to use a Bicep file to create an Azure API Management instance. You can also use Bicep for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)] The following resource is defined in the Bicep file: - **[Microsoft.ApiManagement/service](/azure/templates/microsoft.apimanagement/service)** -In this example, the Bicep file configures the API Management instance in the Developer tier, an economical option to evaluate Azure API Management. This tier isn't for production use. +In this example, the Bicep file by default configures the API Management instance in the Developer tier, an economical option to evaluate Azure API Management. This tier isn't for production use. More Azure API Management Bicep samples can be found in [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Apimanagement&pageNumber=1&sort=Popular). You can use Azure CLI or Azure PowerShell to deploy the Bicep file. For more in When the deployment finishes, you should see a message indicating the deployment succeeded. + > [!TIP] + > It can take between 30 and 40 minutes to create and activate an API Management service in the Developer tier. Times vary by tier. + ## Review deployed resources Use the Azure portal, Azure CLI or Azure PowerShell to list the deployed App Configuration resource in the resource group. |
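Review bot: the unchanged sentence under "Review deployed resources" tells the reader to "list the deployed App Configuration resource", which is the wrong service for an API Management quickstart; fix it to refer to the API Management resource while this section is being edited, since the new tip lands directly above it. Separately, "the Bicep file by default configures" reads more naturally as "by default, the Bicep file configures", and the added `> [!TIP]` block appears indented, so check that it renders as a tip and not as a quoted code block.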
api-management | Quickstart Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quickstart-terraform.md | ai-usage: ai-assisted # Quickstart: Create an Azure API Management instance using Terraform + This article shows how to use [Terraform](/azure/terraform) to create an API Management instance on Azure. You can also use Terraform for common management tasks such as importing APIs in your API Management instance. [!INCLUDE [api-management-quickstart-intro](../../includes/api-management-quickstart-intro.md)] |
api-management | Quota By Key Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quota-by-key-policy.md | To understand the difference between rate limits and quotas, [see Rate limits an - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, self-hosted ### Usage notes For more information and examples of this policy, see [Advanced request throttli ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
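Review bot: the Gateways line here becomes "classic, self-hosted" with no v2 entry, while the sibling `rate-limit-by-key` article in the same change set becomes "classic, v2, self-hosted". If `quota-by-key` really is unavailable on the v2 tiers, say so explicitly in the Usage notes so that readers moving quota enforcement to v2 do not assume the control carries over; if it is supported, add `v2` to the list.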
api-management | Quota Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/quota-policy.md | To understand the difference between rate limits and quotas, [see Rate limits an - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) product-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes To understand the difference between rate limits and quotas, [see Rate limits an ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Rate Limit By Key Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rate-limit-by-key-policy.md | To understand the difference between rate limits and quotas, [see Rate limits an - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, self-hosted ### Usage notes For more information and examples of this policy, see [Advanced request throttli ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Rate Limit Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rate-limit-policy.md | To understand the difference between rate limits and quotas, [see Rate limits an - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes In the following example, the per subscription rate limit is 20 calls per 90 sec ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Rate limiting and quotas](api-management-policies.md#rate-limiting-and-quotas) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Redirect Content Urls Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/redirect-content-urls-policy.md | The `redirect-content-urls` policy rewrites (masks) links in the response body s - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The `redirect-content-urls` policy rewrites (masks) links in the response body s ## Related policies -* [API Management transformation policies](api-management-transformation-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Restify Soap Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/restify-soap-api.md | |
api-management | Retry Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/retry-policy.md | The `retry` policy may contain any other policies as its child elements. - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Examples In the following example, sending a request to a URL other than the defined back ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Policy control and flow](api-management-policies.md#policy-control-and-flow) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Return Response Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/return-response-policy.md | The `return-response` policy cancels pipeline execution and returns either a def - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The `return-response` policy cancels pipeline execution and returns either a def ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Rewrite Uri Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/rewrite-uri-policy.md | This policy can be used when a human and/or browser-friendly URL should be trans - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes You can only add query string parameters using the policy. You can't add extra t ## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)+- [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Sap Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/sap-api.md | Last updated 07/21/2023 # Import SAP OData metadata as an API + This article shows how to import an OData service using its metadata description. In this article, [SAP Gateway Foundation](https://help.sap.com/viewer/product/SAP_GATEWAY) serves as an example. In this article, you'll: Choose one of the following methods to import your API to API Management: import :::image type="content" source="media/sap-api/get-root-operation.png" alt-text="Get operation for service root"::: -Also, configure authentication to your backend using an appropriate method for your environment. For examples, see [API Management authentication policies](api-management-authentication-policies.md). +Also, configure authentication to your backend using an appropriate method for your environment. For examples, see [API Management authentication and authorization policies](api-management-policies.md#authentication-and-authorization). ## Test your API |
api-management | Secure Developer Portal Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/secure-developer-portal-access.md | |
api-management | Security Controls Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/security-controls-policy.md | Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/06/2024 Last updated : 03/18/2024 |
api-management | Self Hosted Gateway Arc Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-arc-reference.md | |
api-management | Self Hosted Gateway Enable Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-azure-ad.md | |
api-management | Self Hosted Gateway Enable Dapr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-dapr.md | template: ## Dapr integration policies -API Management provides specific [policies](api-management-policies.md#dapr-integration-policies) to interact with Dapr APIs exposed through the self-hosted gateway. +API Management provides specific [policies](api-management-policies.md#integration-and-external-communication) to interact with Dapr APIs exposed through the self-hosted gateway. ## Next steps |
api-management | Self Hosted Gateway Migration Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-migration-guide.md | |
api-management | Self Hosted Gateway Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-overview.md | |
api-management | Self Hosted Gateway Settings Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-settings-reference.md | |
api-management | Self Hosted Gateway Support Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-support-policies.md | Last updated 05/12/2023 # Support policies for self-hosted gateway + The Azure API Management service, in the Developer and Premium tiers, allows the deployment of the API Management gateway as a container running in on-premises infrastructure, other clouds, and Azure infrastructure options that support containers. This article provides details about technical support policies and limitations for the API Management [self-hosted gateway](self-hosted-gateway-overview.md). [!INCLUDE [preview](./includes/preview/preview-callout-self-hosted-gateway-deprecation.md)] - ## Differences between managed gateway and self-hosted gateway When deploying an instance of the API Management service, you'll always get a managed API gateway as part of the service. This gateway runs in infrastructure managed by Azure, and the software is also managed, updated, and managed by Azure. |
api-management | Send One Way Request Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/send-one-way-request-policy.md | The `send-one-way-request` policy sends the provided request to the specified UR - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example This example uses the `send-one-way-request` policy to send a message to a Slack ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Intergration and external communication](api-management-policies.md#integration-and-external-communication) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
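Review bot: the added Related policies link in send-one-way-request-policy.md spells its text "Intergration and external communication"; it should read "Integration and external communication", which matches the `#integration-and-external-communication` anchor it points to and the same link as added in the send-request and set-backend-service Dapr policy articles.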
api-management | Send Request Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/send-request-policy.md | This example shows one way to verify a reference token with an authorization ser ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Integration and external communication](api-management-policies.md#integration-and-external-communication) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Backend Service Dapr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-backend-service-dapr-policy.md | The `forward-request` policy is shown here for clarity. The policy is typically ## Related policies -* [API Management Dapr integration policies](api-management-dapr-policies.md) +* [Integration and external communication](api-management-policies.md#integration-and-external-communication) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Backend Service Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-backend-service-policy.md | Referencing a backend entity allows you to manage the backend service base URL a - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes Initially the backend service base URL is derived from the API settings. So the When the [<choose\>](choose-policy.md) policy statement is applied the backend service base URL may change again either to `http://contoso.com/api/8.2` or `http://contoso.com/api/9.1`, depending on the value of the version request query parameter. For example, if the value is `"2013-15"` the final request URL becomes `http://contoso.com/api/8.2/partners/15?version=2013-15&subscription-key=abcdef`. -If further transformation of the request is desired, other [Transformation policies](api-management-transformation-policies.md) can be used. For example, to remove the version query parameter now that the request is being routed to a version specific backend, the [Set query string parameter](set-query-parameter-policy.md) policy can be used to remove the now redundant version attribute. +If further transformation of the request is desired, other [Transformation policies](api-management-policies.md#transformation) can be used. For example, to remove the version query parameter now that the request is being routed to a version specific backend, the [Set query string parameter](set-query-parameter-policy.md) policy can be used to remove the now redundant version attribute. 
### Route requests to a service fabric backend In this example the policy routes the request to a service fabric backend, using ## Related policies -* [API Management transformation policies](api-management-transformation-policies.md) +* [Routing](api-management-policies.md#routing) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Body Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-body-policy.md | OriginalUrl. - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The following example uses the `AsFormUrlEncodedContent()` expression to access ## Related policies -* [API Management transformation policies](api-management-transformation-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Edit Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-edit-policies.md | |
api-management | Set Header Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-header-policy.md | The `set-header` policy assigns a value to an existing HTTP response and/or requ - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes This example shows how to apply policy at the API level to supply context inform ## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)+- [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Method Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-method-policy.md | The value of the element specifies the HTTP method, such as `POST`, `GET`, and s - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example This example uses the `set-method` policy to send a message to a Slack chat room ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Query Parameter Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-query-parameter-policy.md | The `set-query-parameter` policy adds, replaces value of, or deletes request que - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Examples The `set-query-parameter` policy adds, replaces value of, or deletes request que ## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)+- [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Status Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-status-policy.md | The `set-status` policy sets the HTTP status code to the specified value. - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example This example shows how to return a 401 response if the authorization token is in ``` - ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Set Variable Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/set-variable-policy.md | -The `set-variable` policy declares a [context](api-management-policy-expressions.md#ContextVariables) variable and assigns it a value specified via an [expression](api-management-policy-expressions.md) or a string literal. if the expression contains a literal it will be converted to a string and the type of the value will be `System.String`. ++The `set-variable` policy declares a [context](api-management-policy-expressions.md#ContextVariables) variable and assigns it a value specified via an [expression](api-management-policy-expressions.md) or a string literal. If the expression contains a literal it will be converted to a string and the type of the value will be `System.String`. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)] The `set-variable` policy declares a [context](api-management-policy-expressions - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Allowed types The following example demonstrates a `set-variable` policy in the inbound sectio ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Soft Delete | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/soft-delete.md | Last updated 02/07/2022 # API Management soft-delete (preview) + With API Management soft-delete, you can recover and restore a recently deleted API Management instance. This feature protects against accidental deletion of your API Management instance. Currently, depending on how you delete an API Management instance, the instance is either soft-deleted and recoverable during a retention period, or it's permanently deleted: |
api-management | Sql Data Source Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/sql-data-source-policy.md | The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request ## Usage - [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver-- [**Gateways:**](api-management-gateways-overview.md) dedicated+- [**Gateways:**](api-management-gateways-overview.md) classic, v2 ### Usage notes The following example resolves a GraphQL mutation using a T-SQL INSERT statement ## Related policies -* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies) +* [GraphQL resolvers](api-management-policies.md#graphql-resolvers) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Trace Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/trace-policy.md | The `trace` policy adds a custom trace into the request tracing output in the te [!INCLUDE [api-management-tracing-alert](../../includes/api-management-tracing-alert.md)] + [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)] ## Policy statement The `trace` policy adds a custom trace into the request tracing output in the te - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example The `trace` policy adds a custom trace into the request tracing output in the te ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Logging](api-management-policies.md#logging) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Transform Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/transform-api.md | |
api-management | Troubleshoot Response Timeout And Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/troubleshoot-response-timeout-and-errors.md | For more, see [Add caching to improve performance in Azure API Management](api-m If it makes sense for your business scenario, you can implement access restriction policies for your API Management product. For example, the `rate-limit-by-key` policy can be used to prevent API usage spikes on a per key basis by limiting the call rate per a specified time period. -See [API Management access restriction policies](api-management-access-restriction-policies.md) for more info. +See [Rate limiting and quota policies](api-management-policies.md#rate-limiting-and-quotas) for more info. ## See also |
api-management | Upgrade And Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/upgrade-and-scale.md | -Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency. +Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency. > [!NOTE]-> * In the **Standard** and **Premium** tiers of the API Management service, you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules. +> * In the **Basic**, **Standard**, and **Premium** tiers of the API Management service, you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules. > * API Management instances in the **Consumption** tier scale automatically based on the traffic. Currently, you cannot upgrade from or downgrade to the Consumption tier. 
The throughput and price of each unit depend on the [service tier](api-management-features.md) in which the unit exists. If you need to increase capacity for a service within a tier, you should add a unit. If the tier that is currently selected in your API Management instance doesn't allow adding more units, you need to upgrade to a higher-level tier. ->[!NOTE] ->See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) for features, scale limits, and estimated throughput in each tier. To get more accurate throughput numbers, you need to look at a realistic scenario for your APIs. See [Capacity of an Azure API Management instance](api-management-capacity.md). +> [!NOTE] +> See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) for features, scale limits, and estimated throughput in each tier. To get more accurate throughput numbers, you need to look at a realistic scenario for your APIs. See [Capacity of an Azure API Management instance](api-management-capacity.md). ## Prerequisites To follow the steps from this article, you must: ## Upgrade and scale -You can choose between four dedicated tiers: **Developer**, **Basic**, **Standard**, and **Premium**. +You can choose between the following dedicated tiers: **Developer**, **Basic**, **Basic v2**, **Standard**, **Standard v2**, and **Premium**. * The **Developer** tier should be used to evaluate the service; it shouldn't be used for production. The **Developer** tier doesn't have SLA and you can't scale this tier (add/remove units). -* **Basic**, **Standard**, and **Premium** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing). 
+* **Basic**, **Basic v2**, **Standard**, **Standard v2**, and **Premium** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing). * The **Premium** tier enables you to distribute a single Azure API Management instance across any number of desired Azure regions. When you initially create an Azure API Management service, the instance contains only one unit and resides in a single Azure region (the **primary** region). Additional regions can be easily added. When adding a region, you specify the number of units you want to allocate. For example, you can have one unit in the primary region and five units in some other region. You can tailor the number of units to the traffic you have in each region. For more information, see [How to deploy an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md). -* You can upgrade and downgrade to and from any dedicated service tier. Downgrading can remove some features. For example, downgrading to Standard or Basic from the Premium tier can remove virtual networks or multi-region deployment. +* You can upgrade and downgrade to and from certain dedicated services tiers: + * You can upgrade and downgrade to and from classic tiers (**Developer**, **Basic**, **Standard**, and **Premium**). + + * You can upgrade and downgrade to and from v2 tiers (**Basic v2** and **Standard v2**). ++ Downgrading can remove some features. For example, downgrading to **Standard** or **Basic** from the **Premium** tier can remove virtual networks or multi-region deployment. > [!NOTE]-> The upgrade or scale process can take from 15 to 45 minutes to apply. You get notified when it is done. +> The upgrade or scale process can take up to 15 to 45 minutes to apply. You get notified when it is done. 
## Scale your API Management instance +You can use the portal to scale your API Management instance. How you scale depends on the service tier you are using. + ![Scale API Management service in Azure portal](./media/upgrade-and-scale/portal-scale.png) +### Add or remove units - classic service tiers + 1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).-1. Select **Locations** from the menu. +1. Select **Locations** from the left-hand menu. 1. Select the row with the location you want to scale. 1. Specify the new number of **Units** - use the slider if available, or select or type the number. 1. Select **Apply**. > [!NOTE]-> In the Premium service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md). +> In the **Premium** service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md). ++### Add or remove units - v2 service tiers ++1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/). +1. Select **Scale** from the left-hand menu. +1. Specify the new number of **Units** - use the slider, or select or type the number. +1. Select **Save**. ## Change your API Management service tier You can choose between four dedicated tiers: **Developer**, **Basic**, **Standa 1. Select **Save**. ## Downtime during scaling up and down-If you're scaling from or to the Developer tier, there will be downtime. Otherwise, there is no downtime. +If you're scaling from or to the **Developer** tier, there will be downtime. Otherwise, there is no downtime. 
## Compute isolation If your security requirements include [compute isolation](../azure-government/azure-secure-isolation-guidance.md#compute-isolation), you can use the **Isolated** pricing tier. This tier ensures the compute resources of an API Management service instance consume the entire physical host and provide the necessary level of isolation required to support, for example, US Department of Defense Impact Level 5 (IL5) workloads. To get access to the Isolated tier, [create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md). -## Next steps +## Related content - [How to deploy an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md) - [How to automatically scale an Azure API Management service instance](api-management-howto-autoscale.md) |
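Review bot: in the note under "Upgrade and scale", the new wording "can take up to 15 to 45 minutes to apply" mixes an upper bound with a range, so the reader cannot tell which figure is the limit; keep the previous "from 15 to 45 minutes" or state a single bound. In the same section, the added bullet "to and from certain dedicated services tiers" should read "service tiers", consistent with "dedicated service tier" in the article's opening paragraph.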
api-management | V2 Service Tiers Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/v2-service-tiers-overview.md | Title: Azure API Management - v2 tiers (preview) -description: Introduction to key scenarios, capabilities, and concepts of the v2 tiers (SKUs) of the Azure API Management service. The v2 tiers are in preview. + Title: Azure API Management - v2 tiers +description: Introduction to key scenarios, capabilities, and concepts of the v2 tiers (SKUs) of the Azure API Management service. Previously updated : 01/31/2024 Last updated : 03/21/2024 -# New Azure API Management tiers (preview) +# Azure API Management v2 tiers -We're introducing a new set of pricing tiers (SKUs) for Azure API Management: the *v2 tiers*. The new tiers are built on a new, more reliable and scalable platform and are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. -Currently in preview, the following v2 tiers are available: +We're introducing a new set of pricing tiers (SKUs) for Azure API Management: the *v2 tiers*. The new tiers are built on a new, more reliable and scalable platform and are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. The v2 tiers are in addition to the existing classic tiers (Developer, Basic, Standard, and Premium) and the Consumption tier. [Learn more](api-management-key-concepts.md#api-management-tiers). -* **Basic v2** - The Basic v2 tier is designed for development and testing scenarios, and is supported with an SLA. In the Basic v2 tier, the developer portal is an optional add-on. 
+The following v2 tiers are generally available: -* **Standard v2** - Standard v2 is a production-ready tier with support planned for advanced API Management features previously available only in a Premium tier of API Management, including high availability and networking options. +* **Basic v2** - The Basic v2 tier is designed for development and testing scenarios, and is supported with an SLA. ++* **Standard v2** - Standard v2 is a production-ready tier with support for network-isolated backends. ## Key capabilities Currently in preview, the following v2 tiers are available: * **More options for production workloads** - The v2 tiers are all supported with an SLA. Upgrade from Basic v2 to Standard v2 to add more production options. -* **Developer portal options** - Enable the [developer portal](api-management-howto-developer-portal.md) when you're ready to let API consumers discover your APIs. The developer portal is included in the Standard v2 tier, and is an add-on in the Basic v2 tier. +* **Developer portal options** - Enable the [developer portal](api-management-howto-developer-portal.md) when you're ready to let API consumers discover your APIs. ## Networking options -In preview, the v2 tiers currently support the following options to limit network traffic from your API Management instance to protected API backends: ---* **Standard v2** -- **Outbound** - VNet integration to allow your API Management instance to reach API backends that are isolated in a VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. The VNet must be in the same region as the API Management instance. [Learn more](integrate-vnet-outbound.md). +The Standard v2 tier supports VNet integration to allow your API Management instance to reach API backends that are isolated in a single connected VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. 
The VNet must be in the same region as the API Management instance. [Learn more](integrate-vnet-outbound.md). - -## Features and limitations +## Features ### API version -The v2 tiers are supported in API Management API version **2023-03-01-preview** or later. +The v2 tiers are supported in API Management API version **2023-05-01-preview** or later. ### Supported regions--In preview, the v2 tiers are available in the following regions: --* East US +The v2 tiers are available in the following regions: * South Central US * West US * France Central+* Germany West Central * North Europe * West Europe * UK South+* UK West * Brazil South+* Australia Central * Australia East * Australia Southeast * East Asia+* Southeast Asia +* Korea Central ### Feature availability -Most capabilities of the existing (v1) tiers are planned for the v2 tiers. However, the following capabilities aren't supported in the v2 tiers: +Most capabilities of the classic API Management tiers are supported in the v2 tiers. However, the following capabilities aren't supported in the v2 tiers: * API Management service configuration using Git * Back up and restore of API Management instance * Enabling Azure DDoS Protection+* Built-in analytics (replaced with Azure Monitor-based dashboard) -### Preview limitations --Currently, the following API Management capabilities are unavailable in the v2 tiers preview and are planned for later release. Where indicated, certain features are planned only for the Standard v2 tier. Features may be enabled during the preview period. +### Limitations +The following API Management capabilities are currently unavailable in the v2 tiers. 
**Infrastructure and networking**-* Zone redundancy (*Standard v2*) -* Multi-region deployment (*Standard v2*) -* Multiple custom domain names (*Standard v2*) +* Zone redundancy +* Multi-region deployment +* Multiple custom domain names * Capacity metric * Autoscaling-* Built-in analytics * Inbound connection using a private endpoint+* Injection in a VNet in external mode or internal mode * Upgrade to v2 tiers from v1 tiers -* Workspaces (*Standard v2*) +* Workspaces **Developer portal** * Delegation of user registration and product subscription * Reports+* Custom HTML code widget and custom widget +* Self-hosted developer portal **Gateway**-* Self-hosted gateway (*Standard v2*) -* Management of Websocket APIs -* Rate limit by key and quota by key policies +* Self-hosted gateway +* Quota by key policy * Cipher configuration * Client certificate renegotiation+* Request tracing in the test console * Requests to the gateway over localhost - > [!NOTE] - > Currently the policy document size limit in the v2 tiers is 16 KiB. +## Resource limits ++The following resource limits apply to the v2 tiers. +++## Developer portal limits ++The following limits apply to the developer portal in the v2 tiers. + ## Deployment Deploy an instance of the Basic v2 or Standard v2 tier using the Azure portal, A ### Q: Can I migrate from my existing API Management instance to a new v2 tier instance? -A: No. Currently you can't migrate an existing API Management instance (in the Consumption, Developer, Basic, Standard, or Premium tier) to a new v2 tier instance. Currently the new tiers are available for newly created service instances only. +A: No. Currently you can't migrate an existing API Management instance (in the Consumption, Developer, Basic, Standard, or Premium tier) to a new v2 tier instance. Currently the v2 tiers are available for newly created service instances only. ### Q: What's the relationship between the stv2 compute platform and the v2 tiers? 
A: Yes, there are no changes to the Basic or Standard tiers. ### Q: What is the difference between VNet integration in Standard v2 tier and VNet support in the Premium tier? -A: A Standard v2 service instance can be integrated with a VNet to provide secure access to the backends residing there. A Standard v2 service instance integrated with a VNet will have a public IP address that can be secured separately, via Private Link, if necessary. The Premium tier supports a [fully private integration](api-management-using-with-internal-vnet.md) with a VNet (often referred to as injection into VNet) without exposing a public IP address. +A: A Standard v2 service instance can be integrated with a VNet to provide secure access to the backends residing there. A Standard v2 service instance integrated with a VNet will have a public IP address. The Premium tier supports a [fully private integration](api-management-using-with-internal-vnet.md) with a VNet (often referred to as injection into VNet) without exposing a public IP address. ### Q: Can I deploy an instance of the Basic v2 or Standard v2 tier entirely in my VNet? A: Yes, a Premium v2 preview is planned and will be announced separately. ## Related content -* Learn more about the API Management [tiers](api-management-features.md). --+* Compare the API Management [tiers](api-management-features.md). +* Learn more about the [API Management gateways](api-management-gateways-overview.md) +* Learn about [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/). |
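Review bot: In the supported-regions list, East US is removed in the same change that moves the v2 tiers from preview to generally available, and the visible lines do not say what this means for instances created there during the preview; state that the removal is intentional or restore the entry. The FAQ answer on VNet integration now stops at "will have a public IP address" while the Limitations list names "Inbound connection using a private endpoint" as unavailable, so the reader learns that the gateway is public but not how inbound access can be restricted; a cross-reference from that answer to the Limitations section would close the gap. The unchanged limitation "Upgrade to v2 tiers from v1 tiers" also still says "v1" where the rest of the article now says "classic".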
api-management | Validate Azure Ad Token Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-azure-ad-token-policy.md | -The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable. ++The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra (formerly called Azure Active Directory) service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable. > [!NOTE] > To validate a JWT that was provided by another identity provider, API Management also provides the generic [`validate-jwt`](validate-jwt-policy.md) policy. The `validate-azure-ad-token` policy enforces the existence and validity of a JS - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes For more details on optional claims, read [Provide optional claims to your app]( ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Client Certificate Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-client-certificate-policy.md | For more information about custom CA certificates and certificate authorities, s - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example The following example validates a client certificate to match the policy's defau ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Content Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-content-policy.md | The policy validates the following content in the request or response against th - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted [!INCLUDE [api-management-validation-policy-common](../../includes/api-management-validation-policy-common.md)] In the following example, API Management interprets any request as a request wit ## Related policies -* [API Management validation policies](validation-policies.md) +* [Content validation](api-management-policies.md#content-validation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Graphql Request Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-graphql-request-policy.md | Available actions are described in the following table. - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes This example applies the following validation and authorization rules to a Graph ## Related policies -* [Validation policies](api-management-policies.md#validation-policies) +* [Content validation](api-management-policies.md#content-validation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Headers Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-headers-policy.md | The `validate-headers` policy validates the response headers against the API sch - [**Policy sections:**](./api-management-howto-policies.md#sections) outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The `validate-headers` policy validates the response headers against the API sch ## Related policies -* [API Management validation policies](validation-policies.md) +* [Content validation](api-management-policies.md#content-validation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Jwt Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-jwt-policy.md | The `validate-jwt` policy enforces existence and validity of a supported JSON we - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes This example shows how to use the `validate-jwt` policy to authorize access to o ``` ## Related policies -* [API Management access restriction policies](api-management-access-restriction-policies.md) +* [Authentication and authorization](api-management-policies.md#authentication-and-authorization) |
api-management | Validate Odata Request Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-odata-request-policy.md | The `validate-odata-request` policy validates the request URL, headers, and para - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The following example validates a request to an OData API and assumes a default ## Related policies -* [Validation policies](api-management-policies.md#validation-policies) +* [Content validation](api-management-policies.md#content-validation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Parameters Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-parameters-policy.md | The `validate-parameters` policy validates the header, query, or path parameters - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes In this example, all query and path parameters are validated in the prevention m ## Related policies -* [API Management validation policies](validation-policies.md) +* [Content validation](api-management-policies.md#content-validation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Validate Service Updates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-service-updates.md | -*"One of the value propositions of the cloud is that itΓÇÖs continually improving, delivering new capabilities and features, as well as security and reliability enhancements. But since the platform is continuously evolving, change is inevitable." - Mark Russinovich, CTO, Azure* ++*"One of the value propositions of the cloud is that itΓÇÖs continually improving, delivering new capabilities and features, as well as security and reliability enhancements. But since the platform is continuously evolving, change is inevitable."* - Mark Russinovich, CTO, Azure Microsoft uses a safe deployment practices framework to thoroughly test, monitor, and validate service updates, and then deploy them to Azure regions using a phased approach. Even so, service updates that reach your API Management instances could introduce unanticipated risks to your production workloads and disrupt your API consumers. Learn how you can apply our safe deployment approach to reduce risks by validating the updates before they reach your production API Management environments. Here are example strategies to use an API Management instance as a canary deploy * **Deploy duplicate instances in a region** - If your production workload is a Premium tier instance in a specific region, consider deploying a similarly configured instance in a lower tier that receives updates earlier. For example, configure a pre-production instance in the Developer tier to validate updates. -## Next steps +## Related content * Learn [how to monitor](api-management-howto-use-azure-monitor.md) your API Management instance. * Learn about other options to [observe](observability.md) your API Management instance. |
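Review bot: The quotation at the top carries a mis-encoded apostrophe ("itΓÇÖs") on both the removed and the added line, so moving the closing asterisk leaves the encoding defect in place; replace it with a plain apostrophe while this line is being touched.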
api-management | Validate Status Code Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-status-code-policy.md | The `validate-status-code` policy validates the HTTP status codes in responses a - [**Policy sections:**](./api-management-howto-policies.md#sections) outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The `validate-status-code` policy validates the HTTP status codes in responses a ## Related policies -* [API Management validation policies](validation-policies.md) +* [Content validation](api-management-policies.md#content-validation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Virtual Network Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-concepts.md | Title: Azure API Management with an Azure virtual network -description: Learn about scenarios and requirements to secure inbound and outbound traffic for your API Management instance using an Azure virtual network. +description: Learn about scenarios and requirements to secure inbound or outbound traffic for your API Management instance using an Azure virtual network. Previously updated : 09/14/2023 Last updated : 03/26/2024 -# Use a virtual network to secure inbound and outbound traffic for Azure API Management +# Use a virtual network to secure inbound or outbound traffic for Azure API Management -API Management provides several options to secure access to your API Management instance and APIs using an Azure virtual network. API Management supports the following options. Available options depend on the [service tier](api-management-features.md) of your API Management instance. +By default your API Management is accessed from the internet at a public endpoint, and acts as a gateway to public backends. API Management provides several options to secure access to your API Management instance and to backend APIs using an Azure virtual network. Available options depend on the [service tier](api-management-features.md) of your API Management instance. * **Injection** of the API Management instance into a subnet in the virtual network, enabling the gateway to access resources in the network. You can choose one of two injection modes: *external* or *internal*. They differ in whether inbound connectivity to the gateway and other API Management endpoints is allowed from the internet or only from within the virtual network. +* **Integration** of your API Management instance with a subnet in a virtual network so that your API Management gateway can make outbound requests to API backends that are isolated in the network. 
+ * **Enabling secure and private inbound connectivity** to the API Management gateway using a *private endpoint*. The following table compares virtual networking options. For more information, see later sections of this article and links to detailed guidance. |Networking model |Supported tiers |Supported components |Supported traffic |Usage scenario | |||||-|-|**[Virtual network injection - external](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends -|**[Virtual network injection - internal](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository. | Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and S2S VPN connections. | Internal access to private and on-premises backends -|**[Inbound private endpoint](#inbound-private-endpoint)** | Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported). | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway | -+|**[Virtual network injection - external](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends | +|**[Virtual network injection - internal](#virtual-network-injection)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to peered virtual networks, Express Route, and S2S VPN connections. 
| Internal access to private and on-premises backends | +|**[Outbound integration](#outbound-integration)** | Standard v2 | Gateway only | Outbound request traffic can reach APIs hosted in a delegated subnet of a virtual network. | External access to private and on-premises backends | +|**[Inbound private endpoint](#inbound-private-endpoint)** | Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported) | Only inbound traffic can be allowed from internet, peered virtual networks, Express Route, and S2S VPN connections. | Secure client connection to API Management gateway | ## Virtual network injection+ With VNet injection, deploy ("inject") your API Management instance in a subnet in a non-internet-routable network to which you control access. In the virtual network, your API Management instance can securely access other networked Azure resources and also connect to on-premises networks using various VPN technologies. To learn more about Azure VNets, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md). You can use the Azure portal, Azure CLI, Azure Resource Manager templates, or other tools for the configuration. You control inbound and outbound traffic into the subnet in which API Management is deployed by using [network security groups](../virtual-network/network-security-groups-overview.md). For detailed deployment steps and network configuration, see: * [Deploy your API Management instance to a virtual network - external mode](./api-management-using-with-vnet.md). * [Deploy your API Management instance to a virtual network - internal mode](./api-management-using-with-internal-vnet.md).+* [Network resource requirements for API Management injection into a virtual network](virtual-network-injection-resources.md). 
### Access options Using a virtual network, you can configure the developer portal, API gateway, and other API Management endpoints to be accessible either from the internet (external mode) or only within the VNet (internal mode). Using a virtual network, you can configure the developer portal, API gateway, an * Enable hybrid cloud scenarios by exposing your cloud-based APIs and on-premises APIs through a common gateway. * Manage your APIs hosted in multiple geographic locations, using a single gateway endpoint. +## Outbound integration -### Network resource requirements for injection --The following are virtual network resource requirements for API Management injection into a VNet. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance. --#### [stv2](#tab/stv2) --* An Azure Resource Manager virtual network is required. -* You must provide a Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) in addition to specifying a virtual network and subnet. -* The subnet used to connect to the API Management instance may contain other Azure resource types. -* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None". -* A [network security group](../virtual-network/network-security-groups-overview.md) attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic. -* The API Management service, virtual network and subnet, and public IP address resource must be in the same region and subscription. -* For multi-region API Management deployments, configure virtual network resources separately for each location. 
--#### [stv1](#tab/stv1) --* An Azure Resource Manager virtual network is required. -* The subnet used to connect to the API Management instance must be dedicated to API Management. It can't contain other Azure resource types. -* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None". -* The API Management service, virtual network, and subnet resources must be in the same region and subscription. -* For multi-region API Management deployments, configure virtual network resources separately for each location. --+The Standard v2 tier supports VNet integration to allow your API Management instance to reach API backends that are isolated in a single connected VNet. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. -### Subnet size +Outbound integration enables the API Management instance to reach both public and network-isolated backend services. -The minimum size of the subnet in which API Management can be deployed is /29, which provides three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations: -* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets). --* In addition to the IP addresses used by the Azure VNet infrastructure, each API Management instance in the subnet uses: - * Two IP addresses per unit of Basic, Standard, or Premium SKU, or - * One IP address for the Developer SKU. 
--* When deploying into an [internal VNet](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer. --#### Examples --* For Basic, Standard, or Premium SKUs: -- * **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scale-out units. - - * **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units. **This subnet efficiently maximizes Basic and Standard SKU scale-out limits.** - - * **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 24 remaining IP addresses left for twelve scale-out units (2 IP addresses/scale-out unit) for a total of thirteen units. **This subnet efficiently maximizes the soft-limit Premium SKU scale-out limit.** - - * **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 56 remaining IP addresses left for twenty-eight scale-out units (2 IP addresses/scale-out unit) for a total of twenty-nine units. It is possible, with an Azure Support ticket, to scale the Premium SKU past twelve units. If you foresee such high demand, consider the /26 subnet. 
- - * **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 120 remaining IP addresses left for sixty scale-out units (2 IP addresses/scale-out unit) for a total of sixty-one units. This is an extremely large, theoretical number of scale-out units. --> [!IMPORTANT] -> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning may cause a change in the private IP address. --### Routing --See the Routing guidance when deploying your API Management instance into an [external VNet](./api-management-using-with-vnet.md#routing) or [internal VNet](./api-management-using-with-internal-vnet.md#routing). --Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md). --### DNS --* In external mode, the VNet enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) by default for your API Management endpoints and other Azure resources. It doesn't provide name resolution for on-premises resources. Optionally, configure your own DNS solution. --* In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md). --For more information, see the DNS guidance when deploying your API Management instance into an [external VNet](./api-management-using-with-vnet.md#routing) or [internal VNet](./api-management-using-with-internal-vnet.md#routing). 
--Related information: -* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server). -* [Create an Azure private DNS zone](../dns/private-dns-getstarted-portal.md) --> [!IMPORTANT] -> If you plan to use a custom DNS solution for the VNet, set it up **before** deploying an API Management service into it. Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates), or by selecting **Apply network configuration** in the service instance's network configuration window in the Azure portal. --### Limitations --Some virtual network limitations differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance. --#### [stv2](#tab/stv2) --* A subnet containing API Management instances can't be moved across subscriptions. -* For multi-region API Management deployments configured in internal VNet mode, users own the routing and are responsible for managing the load balancing across multiple regions. -* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address. --#### [stv1](#tab/stv1) --* A subnet containing API Management instances can't be moved across subscriptions. -* For multi-region API Management deployments configured in internal VNet mode, users own the routing and are responsible for managing the load balancing across multiple regions. -* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address. 
-* Due to platform limitations, connectivity between a resource in a globally peered VNet in another region and an API Management service in internal mode doesn't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints). --+For more information, see [Integrate an Azure API Management instance with a private VNet for outbound connections](integrate-vnet-outbound.md). ## Inbound private endpoint Virtual network configuration with API Management: * [Deploy your Azure API Management instance to a virtual network - external mode](./api-management-using-with-vnet.md). * [Deploy your Azure API Management instance to a virtual network - internal mode](./api-management-using-with-internal-vnet.md). * [Connect privately to API Management using a private endpoint](private-endpoint.md)+* [Integrate an Azure API Management instance with a private VNet for outbound connections](integrate-vnet-outbound.md) * [Defend your Azure API Management instance against DDoS attacks](protect-with-ddos-protection.md) Related articles: |
api-management | Virtual Network Injection Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-injection-resources.md | + + Title: Azure API Management virtual network integration - network resources +description: Learn about requirements for network resources when you deploy (inject) your API Management instance in an Azure virtual network. ++++ Last updated : 03/26/2024++++# Network resource requirements for API Management injection into a virtual network +++The following are virtual network resource requirements for API Management injection into a virtual network. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance. ++#### [stv2](#tab/stv2) ++* An Azure Resource Manager virtual network is required. +* You must provide a Standard SKU [public IPv4 address](../virtual-network/ip-services/public-ip-addresses.md#sku) in addition to specifying a virtual network and subnet. +* The subnet used to connect to the API Management instance may contain other Azure resource types. +* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None". +* A [network security group](../virtual-network/network-security-groups-overview.md) attached to the subnet above. A network security group (NSG) is required to explicitly allow inbound connectivity, because the load balancer used internally by API Management is secure by default and rejects all inbound traffic. +* The API Management service, virtual network and subnet, and public IP address resource must be in the same region and subscription. +* For multi-region API Management deployments, configure virtual network resources separately for each location. ++#### [stv1](#tab/stv1) ++* An Azure Resource Manager virtual network is required. 
+* The subnet used to connect to the API Management instance must be dedicated to API Management. It can't contain other Azure resource types. +* The subnet used to connect to the API Management instance should not have any delegations enabled. The "Delegate subnet to a service" setting for the subnet should be set to "None". +* The API Management service, virtual network, and subnet resources must be in the same region and subscription. +* For multi-region API Management deployments, configure virtual network resources separately for each location. +++## Subnet size ++The minimum size of the subnet in which API Management can be deployed is /29, which provides three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations: ++* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets). ++* In addition to the IP addresses used by the Azure virtual network infrastructure, each API Management instance in the subnet uses: + * Two IP addresses per unit of Basic, Standard, or Premium SKU, or + * One IP address for the Developer SKU. ++* When deploying into an [internal virtual network](./api-management-using-with-internal-vnet.md), the instance requires an extra IP address for the internal load balancer. ++### Examples ++* **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scale-out units. 
+ +* **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units. + +* **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 24 remaining IP addresses left for 12 scale-out units (2 IP addresses/scale-out unit) for a total of 13 units. + +* **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 56 remaining IP addresses left for 28 scale-out units (2 IP addresses/scale-out unit) for a total of 29 units. + +* **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 120 remaining IP addresses left for 60 scale-out units (2 IP addresses/scale-out unit) for a total of 61 units. This is a large, theoretical number of scale-out units. ++> [!NOTE] +> It is currently possible to scale the Premium SKU to 31 units. If you foresee demand approaching this limit, consider the /26 subnet or /25 submit. ++> [!IMPORTANT] +> The private IP addresses of internal load balancer and API Management units are assigned dynamically. Therefore, it is impossible to anticipate the private IP of the API Management instance prior to its deployment. Additionally, changing to a different subnet and then returning may cause a change in the private IP address. 
++## Routing ++See the Routing guidance when deploying your API Management instance into an [external virtual network](./api-management-using-with-vnet.md#routing) or [internal virtual network](./api-management-using-with-internal-vnet.md#routing). ++Learn more about the [IP addresses of API Management](api-management-howto-ip-addresses.md). ++## DNS ++* In external mode, the virtual network enables [Azure-provided name resolution](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#azure-provided-name-resolution) by default for your API Management endpoints and other Azure resources. It doesn't provide name resolution for on-premises resources. Optionally, configure your own DNS solution. ++* In internal mode, you must provide your own DNS solution to ensure name resolution for API Management endpoints and other required Azure resources. We recommend configuring an Azure [private DNS zone](../dns/private-dns-overview.md). ++For more information, see the DNS guidance when deploying your API Management instance into an [external virtual network](./api-management-using-with-vnet.md#routing) or [internal virtual network](./api-management-using-with-internal-vnet.md#routing). ++Related information: +* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server). +* [Create an Azure private DNS zone](../dns/private-dns-getstarted-portal.md) ++> [!IMPORTANT] +> If you plan to use a custom DNS solution for the VNet, set it up **before** deploying an API Management service into it. 
Otherwise, you'll need to update the API Management service each time you change the DNS server(s) by running the [Apply Network Configuration Operation](/rest/api/apimanagement/current-ga/api-management-service/apply-network-configuration-updates), or by selecting **Apply network configuration** in the service instance's network configuration window in the Azure portal. ++## Limitations ++Some virtual network limitations differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance. ++#### [stv2](#tab/stv2) ++* A subnet containing API Management instances can't be moved across subscriptions. +* For multi-region API Management deployments configured in internal virtual network mode, users own the routing and are responsible for managing the load balancing across multiple regions. +* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address. ++#### [stv1](#tab/stv1) ++* A subnet containing API Management instances can't be moved across subscriptions. +* For multi-region API Management deployments configured in internal virtual network mode, users own the routing and are responsible for managing the load balancing across multiple regions. +* To import an API to API Management from an [OpenAPI specification](import-and-publish.md), the specification URL must be hosted at a publicly accessible internet address. +* Due to platform limitations, connectivity between a resource in a globally peered virtual network in another region and an API Management service in internal mode doesn't work. For more information, see the [virtual network documentation](../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints). 
+++++## Related content ++* [Site-to-site VPN](../vpn-gateway/design.md#s2smulti) +* [Connect virtual networks from different deployment models using PowerShell](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md) +* [Azure Virtual Network frequently asked questions](../virtual-network/virtual-networks-faq.md) ++++ |
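Review bot: In the NOTE under the subnet examples, "consider the /26 subnet or /25 submit" has a typo and should read "/25 subnet". In the DNS section, the sentence "see the DNS guidance when deploying your API Management instance" links both articles at their `#routing` anchors, the same targets the Routing section uses, so confirm whether a DNS-specific anchor was intended.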
api-management | Virtual Network Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-reference.md | -This reference provides detailed network configuration settings for an API Management instance deployed in an Azure virtual network in the [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) mode. ++This reference provides detailed network configuration settings for an API Management instance deployed (injected) in an Azure virtual network in the [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) mode. For VNet connectivity options, requirements, and considerations, see [Using a virtual network with Azure API Management](virtual-network-concepts.md). |
api-management | Visual Studio Code Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/visual-studio-code-tutorial.md | |
api-management | Visualize Using Managed Grafana Dashboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/visualize-using-managed-grafana-dashboard.md | |
api-management | Vscode Create Service Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/vscode-create-service-instance.md | |
api-management | Wait Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/wait-policy.md | May contain as child elements only `send-request`, `cache-lookup-value`, and `ch - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, backend - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example In the following example, there are two `choose` policies as immediate child pol ## Related policies -* [API Management advanced policies](api-management-advanced-policies.md) +* [Policy control and flow](api-management-policies.md#policy-control-and-flow) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Websocket Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/websocket-api.md | |
api-management | Workspaces Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/workspaces-overview.md | -In API Management, *workspaces* allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC). - [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)] +In API Management, *workspaces* allow decentralized API development teams to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. Each workspace contains APIs, products, subscriptions, and related entities that are accessible only to the workspace collaborators. Access is controlled through Azure role-based access control (RBAC). > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](#preview-limitations). |
api-management | Xml To Json Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/xml-to-json-policy.md | The `xml-to-json` policy converts a request or response body from XML to JSON. T - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound, on-error - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ## Example The `xml-to-json` policy converts a request or response body from XML to JSON. T ## Related policies -* [API Management transformation policies](api-management-transformation-policies.md) +* [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
api-management | Xsl Transform Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/xsl-transform-policy.md | The `xsl-transform` policy applies an XSL transformation to XML in the request o - [**Policy sections:**](./api-management-howto-policies.md#sections) inbound, outbound - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation-- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption, self-hosted+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted ### Usage notes The `xsl-transform` policy applies an XSL transformation to XML in the request o ## Related policies -- [API Management transformation policies](api-management-transformation-policies.md)+- [Transformation](api-management-policies.md#transformation) [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)] |
app-service | Configure Language Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-java.md | This example transform adds a new connector node to `server.xml`. Note the *Iden <!-- This is the new connector --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - keystroreFile="${{user.home}}/.keystore" keystorePass="changeit" + keystoreFile="${{user.home}}/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" /> </xsl:template> An example xsl file is provided below. The example xsl file adds a new connector <!-- This is the new connector --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" - keystroreFile="${{user.home}}/.keystore" keystorePass="changeit" + keystoreFile="${{user.home}}/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" /> </xsl:template> |
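Review bot: Both copies of the sample `<Connector>` still carry `keystorePass="changeit"`, the well-known default keystore password, and readers tend to copy sample values as they are. While fixing `keystroreFile` to `keystoreFile`, consider replacing the password with a placeholder such as `<your-keystore-password>` and adding a sentence that tells readers to supply their own keystore and password.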
app-service | Quickstart Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-python.md | To run the application locally: pip install -r requirements.txt ``` -1. Integrate a database: -- ```Python - - from azure.cosmos.aio import CosmosClient - from azure.cosmos import exceptions - from azure.cosmos.partition_key import PartitionKey -- from configs.credential import HOST, MASTER_KEY, DATABASE_ID --- def get_database_client(): - # Initialize the Cosmos client - client = CosmosClient(HOST, MASTER_KEY) -- # Create or get a reference to a database - try: - database = client.create_database_if_not_exists(id=DATABASE_ID) - print(f'Database "{DATABASE_ID}" created or retrieved successfully.') -- except exceptions.CosmosResourceExistsError: - database = client.get_database_client(DATABASE_ID) - print('Database with id \'{0}\' was found'.format(DATABASE_ID)) -- return database --- def get_container_client(container_id): - database = get_database_client() - # Create or get a reference to a container - try: - container = database.create_container(id=container_id, partition_key=PartitionKey(path='/partitionKey')) - print('Container with id \'{0}\' created'.format(container_id)) -- except exceptions.CosmosResourceExistsError: - container = database.get_container_client(container_id) - print('Container with id \'{0}\' was found'.format(container_id)) -- return container -- async def create_item(container_id, item): - async with CosmosClient(HOST, credential=MASTER_KEY) as client: - database = client.get_database_client(DATABASE_ID) - container = database.get_container_client(container_id) - await container.upsert_item(body=item) -- async def get_items(container_id): - items = [] - try: - async with CosmosClient(HOST, credential=MASTER_KEY) as client: - database = client.get_database_client(DATABASE_ID) - container = database.get_container_client(container_id) - async for item in container.read_all_items(): - items.append(item) - 
except Exception as e: - print(f"An error occurred: {e}") -- return items - ``` - 1. Run the app: ```Console |
app-service | Quickstart Wordpress | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-wordpress.md | description: Create your first WordPress site on Azure App Service in minutes. keywords: app service, azure app service, wordpress, preview, app service on linux, plugins, mysql flexible server, wordpress on linux, php Previously updated : 05/15/2023 Last updated : 03/28/2024 # ms.devlang: wordpress In this quickstart, you'll learn how to create and deploy your first [WordPress] To complete this quickstart, you need an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs). -> [!IMPORTANT] -> After November 28, 2022, [PHP will only be supported on App Service on Linux.](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#end-of-life-for-php-74). -> -> For migrating WordPress to App Service, visit [Migrating to App Service](migrate-wordpress.md). Additional documentation can be found at [WordPress - App Service on Linux](https://github.com/Azure/wordpress-linux-appservice). -> -> To submit feedback on improving the WordPress experience on App Service, visit [Web Apps Community](https://feedback.azure.com/d365community/forum/b09330d1-c625-ec11-b6e6-000d3a4f0f1c). -> - ## Create WordPress site using Azure portal 1. To start creating the WordPress site, browse to [https://portal.azure.com/#create/WordPress.WordPress](https://portal.azure.com/#create/WordPress.WordPress). |
azure-app-configuration | Quickstart Feature Flag Azure Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-feature-flag-azure-kubernetes-service.md | + + Title: Quickstart for using Azure App Configuration Feature Management in Azure Kubernetes Service +description: In this quickstart, create an ASP.NET core web app and use feature flag in it running in AKS and use the Azure App Configuration Kubernetes Provider to load key-values and feature flags from App Configuration store. ++++ms.devlang: csharp ++ Last updated : 02/23/2024++#Customer intent: As an Azure Kubernetes Service user, I want to manage all my app settings in one place using Azure App Configuration. +++# Quickstart: Add feature flags to workloads in Azure Kubernetes Service ++In this quickstart, you'll create a feature flag in Azure App Configuration and use it to dynamically control the visibility of a new web page in an ASP.NET Core app running in AKS without restarting or redeploying it. ++## Prerequisites ++Follow the documents to use dynamic configuration in Azure Kubernetes Service. ++* [Quickstart: Use Azure App Configuration in Azure Kubernetes Service](./quickstart-azure-kubernetes-service.md) +* [Tutorial: Use dynamic configuration in Azure Kubernetes Service](./enable-dynamic-configuration-azure-kubernetes-service.md) ++## Create a feature flag ++Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./quickstart-azure-app-configuration-create.md#create-a-feature-flag). 
++> [!div class="mx-imgBorder"] +> ![Screenshot showing creating feature flag named Beta.](./media/add-beta-feature-flag.png) ++## Use a feature flag ++In this section, you will use feature flags in a simple ASP.NET web application and run it in Azure Kubernetes Service (AKS). ++1. Navigate into the project's directory you created in the [Quickstart](./quickstart-azure-kubernetes-service.md), and run the following command to add a reference to the [Microsoft.FeatureManagement.AspNetCore](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore) NuGet package version 3.2.0 or later. ++ ```dotnetcli + dotnet add package Microsoft.FeatureManagement.AspNetCore + ``` ++1. Open *program.cs*, and add feature management to the service collection of your app by calling `AddFeatureManagement`. ++ ```csharp + // Existing code in Program.cs + // ... ... ++ // Add a JSON configuration source + builder.Configuration.AddJsonFile("config/mysettings.json", reloadOnChange: true, optional: false); ++ // Add feature management to the container of services. + builder.Services.AddFeatureManagement(); ++ var app = builder.Build(); ++ // The rest of existing code in program.cs + // ... ... + ``` + + Add `using Microsoft.FeatureManagement;` at the top of the file if it's not present. ++1. Add a new empty Razor page named **Beta** under the *Pages* directory. It includes two files *Beta.cshtml* and *Beta.cshtml.cs*. ++ Open *Beta.cshtml*, and update it with the following markup: ++ ```cshtml + @page + @model MyWebApp.Pages.BetaModel + @{ + ViewData["Title"] = "Beta Page"; + } ++ <h1>This is the beta website.</h1> + ``` ++ Open *Beta.cshtml.cs*, and add `FeatureGate` attribute to the `BetaModel` class. The `FeatureGate` attribute ensures the *Beta* page is accessible only when the *Beta* feature flag is enabled. If the *Beta* feature flag isn't enabled, the page will return 404 Not Found. 
++ ```csharp + using Microsoft.AspNetCore.Mvc.RazorPages; + using Microsoft.FeatureManagement.Mvc; ++ namespace MyWebApp.Pages + { + [FeatureGate("Beta")] + public class BetaModel : PageModel + { + public void OnGet() + { + } + } + } + ``` ++1. Open *Pages/_ViewImports.cshtml*, and register the feature manager Tag Helper using an `@addTagHelper` directive: ++ ```cshtml + @addTagHelper *, Microsoft.FeatureManagement.AspNetCore + ``` ++ The preceding code allows the `<feature>` Tag Helper to be used in the project's *.cshtml* files. ++1. Open *_Layout.cshtml* in the *Pages*\\*Shared* directory. Insert a new `<feature>` tag in between the *Home* and *Privacy* navbar items, as shown in the highlighted lines below. ++ :::code language="html" source="../../includes/azure-app-configuration-navbar.md" range="22-36" highlight="6-10"::: ++ The `<feature>` tag ensures the *Beta* menu item is shown only when the *Beta* feature flag is enabled. ++1. [Containerize the application](./quickstart-azure-kubernetes-service.md#containerize-the-application) and [Push the image to Azure Container Registry](./quickstart-azure-kubernetes-service.md#push-the-image-to-azure-container-registry). ++1. [Deploy the application](./quickstart-azure-kubernetes-service.md#deploy-the-application). Refresh the browser and the web page will look like this: ++ ![Screenshot showing Kubernetes Provider after using configMap without feature flag.](./media/quickstarts/kubernetes-provider-feature-flag-no-beta-home.png) ++## Use Kubernetes Provider to load feature flags ++1. Update the *appConfigurationProvider.yaml* file located in the *Deployment* directory with the following content. 
+ + ```yaml + apiVersion: azconfig.io/v1 + kind: AzureAppConfigurationProvider + metadata: + name: appconfigurationprovider-sample + spec: + endpoint: <your-app-configuration-store-endpoint> + target: + configMapName: configmap-created-by-appconfig-provider + configMapData: + type: json + key: mysettings.json + auth: + workloadIdentity: + managedIdentityClientId: <your-managed-identity-client-id> + featureFlag: + selectors: + - keyFilter: 'Beta' + refresh: + enabled: true + ``` ++ > [!TIP] + > When no `selectors` are specified in `featureFlag` section, the Kubernetes Provider will not load feature flags from your App Configuration store. The default refresh interval of feature flags is 30 seconds when `featureFlag.refresh` enabled. You can customize this behavior via the `featureFlag.refresh.interval` parameter. ++1. Run the following command to apply the changes. ++ ```console + kubectl apply -f ./Deployment -n appconfig-demo + ``` ++1. Update the **Beta** feature flag in your App Configuration store. Enable the flag by selecting the checkbox under **Enabled**. ++1. After refreshing the browser multiple times, the updated content will become visible once the ConfigMap has been updated within 30 seconds. ++ ![Screenshot showing Kubernetes Provider after using configMap with feature flag enabled.](./media/quickstarts/kubernetes-provider-feature-flag-home.png) ++1. Select the **Beta** menu. It will bring you to the beta website that you enabled dynamically. ++ ![Screenshot showing beta page Kubernetes Provider after using configMap.](./media/quickstarts/kubernetes-provider-feature-flag-beta-page.png) ++## Clean up resources ++Uninstall the App Configuration Kubernetes Provider from your AKS cluster if you want to keep the AKS cluster. 
++```console +helm uninstall azureappconfiguration.kubernetesprovider --namespace azappconfig-system +``` +++## Next steps ++In this quickstart, you: ++* Added feature management capability to an ASP.NET Core app running in Azure Kubernetes Service (AKS). +* Connected your AKS cluster to your App Configuration store using the App Configuration Kubernetes Provider. +* Created a ConfigMap with key-values and feature flags from your App Configuration store. +* Ran the application with dynamic configuration from your App Configuration store without changing your application code. ++To learn more about the Azure App Configuration Kubernetes Provider, see [Azure App Configuration Kubernetes Provider reference](./reference-kubernetes-provider.md). ++To learn more about feature management capability, continue to the following tutorial. ++> [!div class="nextstepaction"] +> [Enable features for targeted audiences](./howto-targetingfilter-aspnet-core.md) ++> [!div class="nextstepaction"] +> [Use feature filters for conditional feature flags](./howto-feature-filters-aspnet-core.md) |
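Review bot: In the TIP after the `appConfigurationProvider.yaml` sample, "when `featureFlag.refresh` enabled" is missing "is", and the later step "After refreshing the browser multiple times, the updated content will become visible once the ConfigMap has been updated within 30 seconds" is hard to follow; state the wait first and the refresh second. The first step also names package version 3.2.0 or later while the `dotnet add package` command specifies no version, and the file name casing alternates between *program.cs* and `Program.cs`.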
azure-functions | Functions Bindings Signalr Service Trigger | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-signalr-service-trigger.md | See [Class based model](../azure-signalr/signalr-concept-serverless-development- public class HubName1 : ServerlessHub { [FunctionName("SignalRTest")]- public async Task SendMessage([SignalRTrigger]InvocationContext invocationContext, string message, ILogger logger) + public Task SendMessage([SignalRTrigger]InvocationContext invocationContext, string message, ILogger logger) { logger.LogInformation($"Receive {message} from {invocationContext.ConnectionId}."); } Traditional model obeys the convention of Azure Function developed by C#. If you ```cs [FunctionName("SignalRTest")]-public static async Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage", parameterNames: new string[] {"message"})]InvocationContext invocationContext, string message, ILogger logger) +public static Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage", parameterNames: new string[] {"message"})]InvocationContext invocationContext, string message, ILogger logger) { logger.LogInformation($"Receive {message} from {invocationContext.ConnectionId}."); } Because it can be hard to use `ParameterNames` in the trigger, the following exa ```cs [FunctionName("SignalRTest")]-public static async Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage")]InvocationContext invocationContext, [SignalRParameter]string message, ILogger logger) +public static Task Run([SignalRTrigger("SignalRTest", "messages", "SendMessage")]InvocationContext invocationContext, [SignalRParameter]string message, ILogger logger) { logger.LogInformation($"Receive {message} from {invocationContext.ConnectionId}."); } app.generic("function1", Here's the JavaScript code: ```javascript-module.exports = async function (context, invocation) { +module.exports = function (context, invocation) { context.log(`Receive 
${context.bindingData.message} from ${invocation.ConnectionId}.`) }; ``` |
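Review bot: In the three C# samples, dropping `async` while keeping the `Task` return type leaves method bodies that only call `logger.LogInformation(...)` and never return a value, which does not compile for a non-async `Task` method. Add `return Task.CompletedTask;` at the end of each body, or keep `async`. The JavaScript sample is unaffected, since a plain function needs no return value.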
azure-functions | Functions Reference Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference-python.md | When you deploy your project to a function app in Azure, the entire contents of ## Connect to a database -[Azure Cosmos DB](../cosmos-db/introduction.md) is a fully managed NoSQL and relational database for modern app development including AI, digital commerce, Internet of Things, booking management, and other types of solutions. It offers single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Its various APIs can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table. +[Azure Cosmos DB](../cosmos-db/introduction.md) is a fully managed NoSQL, relational, and vector database for modern app development including AI, digital commerce, Internet of Things, booking management, and other types of solutions. It offers single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Its various APIs can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table. To connect to Cosmos DB, first [create an account, database, and container](../cosmos-db/nosql/quickstart-portal.md). Then you may connect Functions to Cosmos DB using [trigger and bindings](functions-bindings-cosmosdb-v2.md), like this [example](functions-add-output-binding-cosmos-db-vs-code.md). You may also use the Python library for Cosmos DB, like so: |
azure-monitor | Alerts Processing Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-processing-rules.md | Severity | The rule applies only to alerts with the selected severities. | * If you define multiple filters in a rule, all the rules apply. There's a logical AND between all filters. For example, if you set both `resource type = "Virtual Machines"` and `severity = "Sev0"`, then the rule applies only for `Sev0` alerts on virtual machines in the scope. * Each filter can include up to five values. There's a logical OR between the values. - For example, if you set `description contains "this, that" (in the field there is no need to write the apostrophes), then the rule applies only to alerts whose description contains either `this` or `that`. + For example, if you set description contains "this, that" (in the field there is no need to write the apostrophes), then the rule applies only to alerts whose description contains either "this" or "that". * Notice that you dont have any spaces (before, after or between) the string that is matched it will effect the matching of the filter. ### What should this rule do? |
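Review bot: the reworded example still uses the value "this, that", with a space after the comma, while the very next bullet warns that spaces before, after or between the matched strings affect matching. Change the example to "this,that" or state how that space is treated. The parenthetical also calls the marks apostrophes although the example shows double quotation marks.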
azure-monitor | Proactive Failure Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/proactive-failure-diagnostics.md | Notice that if you delete an Application Insights resource, the associated Failu ## Triage and diagnose an alert -An alert indicates that an abnormal rise in the failed request rate was detected. It's likely that there's some problem with your app or its environment. An alert indicates that an abnormal rise in the failed request rate was detected. It's likely that there's some problem with your app or its environment. To investigate further, click on 'View full details in Application Insights.' The links in this page take you straight to a [search page](../app/diagnostic-search.md) filtered to the relevant requests, exception, dependency, or traces. |
azure-monitor | Sampling Classic Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling-classic-api.md | Use the [examples in the earlier section of this page](#configuring-adaptive-sam * Configuring too high a sampling percentage (not aggressive enough) results in an insufficient reduction in the volume of the collected telemetry. You can still experience telemetry data loss related to throttling, and the cost of using Application Insights might be higher than you planned due to overage charges. +*What happens if I configure both IncludedTypes and ExcludedTypes settings?* ++* It's best not to set both `ExcludedTypes` and `IncludedTypes` in your configuration to prevent any conflicts and ensure clear telemetry collection settings. +* Telemetry types that are listed in `ExcludedTypes` are excluded even if they are also set in `IncludedTypes` settings. ExcludedTypes will take precedence over IncludedTypes. + *On what platforms can I use sampling?* * Ingestion sampling can occur automatically for any telemetry above a certain volume, if the SDK isn't performing sampling. This configuration would work, for example, if you're using an older version of the ASP.NET SDK or Java SDK. |
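Review bot: the second added bullet states the precedence rule twice, and its closing sentence "ExcludedTypes will take precedence over IncludedTypes." drops the code formatting used for the same setting names earlier in the bullet. Keep one statement of the rule, with both names in backticks.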
azure-monitor | Basic Logs Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/basic-logs-configure.md | All custom tables created with or migrated to the [data collection rule (DCR)-ba | Media Services | [AMSLiveEventOperations](/azure/azure-monitor/reference/tables/AMSLiveEventOperations)<br>[AMSKeyDeliveryRequests](/azure/azure-monitor/reference/tables/AMSKeyDeliveryRequests)<br>[AMSMediaAccountHealth](/azure/azure-monitor/reference/tables/AMSMediaAccountHealth)<br>[AMSStreamingEndpointRequests](/azure/azure-monitor/reference/tables/AMSStreamingEndpointRequests) | | Microsoft Graph | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) | | Monitor | [AzureMetricsV2](/azure/azure-monitor/reference/tables/AzureMetricsV2) |-| Network Devices (Operator Nexus) | [MNFDeviceUpdates](/azure/azure-monitor/reference/tables/MNFDeviceUpdates)<br>[MNFSystemStateMessageUpdates](/azure/azure-monitor/reference/tables/MNFSystemStateMessageUpdates) | +| Network Devices (Operator Nexus) | [MNFDeviceUpdates](/azure/azure-monitor/reference/tables/MNFDeviceUpdates)<br>[MNFSystemStateMessageUpdates](/azure/azure-monitor/reference/tables/MNFSystemStateMessageUpdates) <br>[MNFSystemSessionHistoryUpdates](/azure/azure-monitor/reference/tables/mnfsystemsessionhistoryupdates) | | Network Managers | [AVNMConnectivityConfigurationChange](/azure/azure-monitor/reference/tables/AVNMConnectivityConfigurationChange)<br>[AVNMIPAMPoolAllocationChange](/azure/azure-monitor/reference/tables/AVNMIPAMPoolAllocationChange) | | Nexus Clusters | [NCCKubernetesLogs](/azure/azure-monitor/reference/tables/NCCKubernetesLogs)<br>[NCCVMOrchestrationLogs](/azure/azure-monitor/reference/tables/NCCVMOrchestrationLogs) | | Nexus Storage Appliances | [NCSStorageLogs](/azure/azure-monitor/reference/tables/NCSStorageLogs)<br>[NCSStorageAlerts](/azure/azure-monitor/reference/tables/NCSStorageAlerts) | |
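Review bot: the added MNFSystemSessionHistoryUpdates link uses an all-lowercase path (`.../tables/mnfsystemsessionhistoryupdates`) while the two existing links in the same cell use the PascalCase table name, and the line gains a stray space before `<br>`. Match the casing and spacing of the sibling entries so the cell stays consistent.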
azure-netapp-files | Faq Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-integration.md | Using Azure NetApp Files NFS or SMB volumes with AVS for *Guest OS mounts* is su ## Which Unicode Character Encoding does Azure NetApp Files support for the creation and display of file and directory names? -Azure NetApp Files only supports file and directory names that are encoded with the [UTF-8 Unicode Character Encoding](https://en.wikipedia.org/wiki/UTF-8), *C locale* (or _C.UTF-8_) format for both NFS and SMB volumes. Only strict ASCII characters are valid. --If you try to create files or directories using supplementary characters or surrogate pairs such as nonregular characters or emoji unsupported by C.UTF-8, the operation fails. A Windows client produces an error message similar to ΓÇ£The file name you specified is not valid or too long. Specify a different file name.ΓÇ¥ --For more information, see [Understand volume languages](understand-volume-languages.md). +For information on Unicode character support, see [Understand volume languages](understand-volume-languages.md) and [Understand path lengths](understand-path-lengths.md). ## Does Azure Databricks support mounting Azure NetApp Files NFS volumes? |
azure-netapp-files | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md | +## March 2024 + * [Large volumes (Preview) improvement:](large-volumes-requirements-considerations.md) new minimum size of 50 TiB Large volumes support a minimum size of 50 TiB. Large volumes still support a maximum quota of 500 TiB. -## March 2024 - * [Availability zone volume placement](manage-availability-zone-volume-placement.md) is now generally available (GA). You can deploy new volumes in the logical availability zone of your choice to create cross-zone volumes to improve resiliency in case of zonal failures. This feature is available in all availability zone-enabled regions with Azure NetApp Files presence. |
azure-resource-manager | Azure Subscription Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-subscription-service-limits.md | The following limits apply when you use Azure Resource Manager and Azure resourc ## API Management limits +This section provides information about limits that apply to Azure API Management instances in different [service tiers](../../api-management/api-management-features.md), including the following: ++* [API Management classic tiers](#limitsapi-management-classic-tiers) +* [API Management v2 tiers](#limitsapi-management-v2-tiers) +* [Developer portal in API Management v2 tiers](#limitsdeveloper-portal-in-api-management-v2-tiers) ++### Limits - API Management classic tiers + [!INCLUDE [api-management-service-limits](../../../includes/api-management-service-limits.md)] +### Limits - API Management v2 tiers +++### Limits - Developer portal in API Management v2 tiers +++ ## App Service limits [!INCLUDE [azure-websites-limits](../../../includes/azure-websites-limits.md)] |
azure-signalr | Signalr Concept Serverless Development Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/signalr-concept-serverless-development-config.md | The class-based model is dedicated for C#. The class-based model provides better programming experience, which can replace SignalR input and output bindings, with the following features: - More flexible negotiation, sending messages and managing groups experience. - More managing functionalities are supported, including closing connections, checking whether a connection, user, or group exists.-- Strongly Typed hub-- Unified connection string setting in one place.+- Strongly typed hub +- Unified hub name and connection string setting in one place. The following code demonstrates how to write SignalR bindings in class-based model: -In the *Functions.cs* file, define your hub, which extends a base class `ServerlessHub`: +Firstly, define your hub derived from a class `ServerlessHub`: ```cs [SignalRConnection("AzureSignalRConnectionString")] public class Functions : ServerlessHub {- private const string HubName = nameof(Functions); + private const string HubName = nameof(Functions); // Used by SignalR trigger only public Functions(IServiceProvider serviceProvider) : base(serviceProvider) { var host = new HostBuilder() ### Negotiation experience in class-based model -Instead of using SignalR input binding `[SignalRConnectionInfoInput]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method `NegotiateAsync`, which allows user to customize negotiation options such as `userId`, `claims`, etc. +Instead of using SignalR input binding `[SignalRConnectionInfoInput]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method `NegotiateAsync`, which allows users to customize negotiation options such as `userId`, `claims`, etc. ```cs Task<BinaryData> NegotiateAsync(NegotiationOptions? 
options = null) You could send messages, manage groups, or manage clients by accessing the membe - `ServerlessHub.UserGroups` for managing users with groups, such as adding users to groups, removing users from groups. - `ServerlessHub.ClientManager` for checking connections existence, closing connections, etc. -### Strongly Typed Hub +### Strongly typed Hub [Strongly typed hub](/aspnet/core/signalr/hubs?#strongly-typed-hubs) allows you to use strongly typed methods when you send messages to clients. To use strongly typed hub in class based model, extract client methods into an interface `T`, and make your hub class derived from `ServerlessHub<T>`. Then you can use the strongly typed methods as follows: [SignalRConnection("AzureSignalRConnectionString")] public class Functions : ServerlessHub<IChatClient> {- private const string HubName = nameof(Functions); + private const string HubName = nameof(Functions); // Used by SignalR trigger only public Functions(IServiceProvider serviceProvider) : base(serviceProvider) { public class Functions : ServerlessHub<IChatClient> > [!NOTE] > You can get a complete project sample from [GitHub](https://github.com/aspnet/AzureSignalR-samples/tree/main/samples/DotnetIsolated-ClassBased/). -### Unified connection string setting in one place +### Unified hub name and connection string setting in one place -You might have noticed the `SignalRConnection` attribute used on serverless hub classes. It looks like this: -```cs -[SignalRConnection("AzureSignalRConnectionString")] -public class Functions : ServerlessHub<IChatClient> -``` --It allows you to customize where the SignalR Service bindings look for connection string. If it's absent, the default value `AzureSignalRConnectionString` is used. +* The class name of the serverless hub is automatically used as `HubName`. 
+* You might have noticed the `SignalRConnection` attribute used on serverless hub classes as follows: + ```cs + [SignalRConnection("AzureSignalRConnectionString")] + public class Functions : ServerlessHub<IChatClient> + ``` + It allows you to customize where the connection string for serverless hub is. If it's absent, the default value `AzureSignalRConnectionString` is used. > [!IMPORTANT]-> `SignalRConnection` attribute doesn't change the connection string setting of SignalR triggers, even though you use SignalR triggers inside the serverless hub. You should specify the connection string setting for each SignalR trigger if you want to customize it. +> SignalR triggers and serverless hubs are independent. Therefore, the class name of serverless hub and `SignalRConnection` attribute doesn't change the settings of SignalR triggers, even though you use SignalR triggers inside the serverless hub. # [In-process model](#tab/in-process) public class HubName1 : ServerlessHub } ``` -All functions that want to use the class-based model need to be a method of the class that inherits from **ServerlessHub**. The class name `SignalRTestHub` in the sample is the hub name. +All functions that want to use the class-based model need to be a method of the class that inherits from **ServerlessHub**. The class name `HubName1` in the sample is the hub name. ### Define hub method In class based model, `[SignalRParameter]` is unnecessary because all the argume ### Negotiation experience in class-based model -Instead of using SignalR input binding `[SignalR]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method. +Instead of using SignalR input binding `[SignalR]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method: ```cs SignalRConnectionInfo Negotiate(string userId = null, IList<Claim> claims = null, TimeSpan? 
lifeTime = null) ``` -This features user customizes `userId` or `claims` during the function execution. +This feature allows user to customize `userId` or `claims` during the function execution. ## Use `SignalRFilterAttribute` |
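Review bot: the new bullet "The class name of the serverless hub is automatically used as `HubName`" sits next to samples that still declare `private const string HubName = nameof(Functions); // Used by SignalR trigger only`, so a reader can take the bullet to mean that constant. Say "hub name" in the bullet and state that the constant exists only to feed the trigger attribute. In the rewritten IMPORTANT note the compound subject needs "don't change", and "This feature allows user to customize" should read "allows the user to customize".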
azure-vmware | Azure Security Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-security-integration.md | After connecting data sources to Microsoft Sentinel, you can create rules to gen 6. On the **Incident settings** tab, enable **Create incidents from alerts triggered by this analytics rule** and select **Next: Automated response**. - :::image type="content" source="../sentinel/media/tutorial-detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel."::: + :::image type="content" source="../sentinel/media/detect-threats-custom/general-tab.png" alt-text="Screenshot showing the Analytic rule wizard for creating a new rule in Microsoft Sentinel."::: 7. Select **Next: Review**. |
azure-web-pubsub | Concept Azure Ad Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-azure-ad-authorization.md | Microsoft Entra authorizes access rights to secured resources through [Azure rol Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have. It's recommended to grant the role with the narrowest possible scope. Resources located underneath inherit Azure RBAC roles with broader scopes. -You can scope access to Azure SignalR resources at the following levels, beginning with the narrowest scope: +You can scope access to Azure Web PubSub resources at the following levels, beginning with the narrowest scope: - **An individual resource.** |
backup | Backup Instant Restore Capability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-instant-restore-capability.md | Title: Azure Instant Restore Capability description: Azure Instant Restore Capability and FAQs for VM backup stack, Resource Manager deployment model- Previously updated : 07/20/2023 Last updated : 04/03/2024 # Get improved backup and restore performance with Azure Backup Instant Restore capability -> [!NOTE] -> Based on feedback from users, we've renamed **VM backup stack V2** to **Instant Restore** to reduce confusion with Azure Stack functionality. -> All Azure Backup users have now been upgraded to **Instant Restore**. +This article describes the improved backup and restore performance of Instant Restore capability in Azure Backup. ++## Key capabilities -The new model for Instant Restore provides the following feature enhancements: +The Instant Restore feature provides the following capabilities: * Ability to use snapshots taken as part of a backup job that's available for recovery without waiting for data transfer to the vault to finish. It reduces the wait time for snapshots to copy to the vault before triggering restore.-* Reduces backup and restore times by retaining snapshots locally, for two days by default. This default snapshot retention value is configurable to any value between 1 to 5 days. +* Reduces backup and restore times by retaining snapshots locally, for *two days* using Standard policy and for *seven days* using Enhanced policy by default. This default snapshot retention value is configurable to any value between 1 to 5 days for Standard policy and 1 to 30 days for Enhanced policy. * Supports disk sizes up to 32 TB. Resizing of disks isn't recommended by Azure Backup.-* Supports Standard SSD disks along with Standard HDD disks and Premium SSD disks. +* Standard policy supports Standard SSD disks along with Standard HDD disks and Premium SSD disks. 
Enhanced policy supports backup and instant restore of Premium SSD v2 and Ultra Disks, in addition to standard HDD, standard SSD, and Premium SSD v1 disks. * Ability to use an unmanaged VMs original storage accounts (per disk), when restoring. This ability exists even when the VM has disks that are distributed across storage accounts. It speeds up restore operations for a wide variety of VM configurations. * For backup of VMs that are using unmanaged premium disks in storage accounts, with Instant Restore, we recommend allocating *50%* free space of the total allocated storage space, which is required **only** for the first backup. The 50% free space isn't a requirement for backups after the first backup is complete. -## What's new in this feature +## How Instant Restore works? -Currently, the backup job consists of two phases: +A backup job consists of two phases: 1. Taking a VM snapshot. 2. Transferring a VM snapshot to the Azure Recovery Services vault. -A recovery point is considered created only after phases 1 and 2 are completed. As a part of this upgrade, a recovery point is created as soon as the snapshot is finished and this recovery point of snapshot type can be used to perform a restore using the same restore flow. You can identify this recovery point in the Azure portal by using ΓÇ£snapshotΓÇ¥ as the recovery point type, and after the snapshot is transferred to the vault, the recovery point type changes to ΓÇ£snapshot and vaultΓÇ¥. --![Backup job in VM backup stack Resource Manager deployment model--storage and vault](./media/backup-azure-vms/instant-rp-flow.png) +A recovery point is created as soon as the snapshot is finished and this recovery point of snapshot type can be used to perform a restore using the same restore flow. You can identify this recovery point in the Azure portal by using *snapshot* as the recovery point type, and after the snapshot is transferred to the vault, the recovery point type changes to *snapshot and vault*. 
-By default, snapshots are retained for two days. This feature allows restore operation from these snapshots there by cutting down the restore times. It reduces the time required to transform and copy data back from the vault. ## Feature considerations -* Snapshots are stored along with the disks to boost recovery point creation and to speed up restore operations. As a result, you'll see storage costs that correspond to snapshots taken during this period. -* Incremental snapshots are stored as page blobs. All the users using unmanaged disks are charged for the snapshots stored in their local storage account. Since the restore point collections used by Managed VM backups use blob snapshots at the underlying storage level, for managed disks you'll see costs corresponding to blob snapshot pricing and they're incremental. -* For premium storage accounts, the snapshots taken for instant recovery points count towards the 10-TB limit of allocated space. -* You get an ability to configure the snapshot retention based on the restore needs. Depending on the requirement, you can set the snapshot retention to a minimum of one day in the backup policy pane as explained below. This will help you save cost for snapshot retention if you donΓÇÖt perform restores frequently. -* It's a one directional upgrade. Once upgraded to Instant restore, you can't go back. -* When you use an Instant Restore recovery point, you must restore the VM or disks to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy. -->[!NOTE] ->With this instant restore upgrade, the snapshot retention duration of all the customers (**new and existing both included**) will be set to a default value of two days. However, you can set the duration according to your requirement to any value between 1 to 5 days. +* The snapshots are stored along with the disks to boost recovery point creation and to speed up restore operations. 
As a result, you'll see storage costs that correspond to snapshots taken during this period. +* For standard policy, all snapshots are incremental in nature and are stored as page blobs. All the users using unmanaged disks are charged for the snapshots stored in their local storage account. Since the restore point collections used by Managed VM backups use blob snapshots at the underlying storage level, for managed disks you'll see costs corresponding to blob snapshot pricing and they're incremental. +* For premium storage accounts, the snapshots taken for instant recovery points count towards the 10-TB limit of allocated space. For Enhanced policy, only Managed VM backups are supported. The initial snapshot is a full copy of the disk(s). The subsequent snapshots are incremental in nature and occupy only delta changes to disks since the last snapshot. + When you use an Instant Restore recovery point, you must restore the VM or disks to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy. ## Cost impact -The incremental snapshots are stored in the VM's storage account, which is used for instant recovery. Incremental snapshot means the space occupied by a snapshot is equal to the space occupied by pages that are written after the snapshot was created. Billing is still for the per GB used space occupied by the snapshot, and the price per GB is same as mentioned on the [pricing page](https://azure.microsoft.com/pricing/details/managed-disks/). For VMs that use unmanaged disks, the snapshots can be seen in the menu for the VHD file of each disk. For managed disks, snapshots are stored in a restore point collection resource in a designated resource group, and the snapshots themselves aren't directly visible. +Instant Restore feature for snapshots (stored along with the disks) boosts recovery point creation and speed up restore operations. This incurs additional storage costs for the corresponding snapshots taken during this period. 
The snapshot storage cost varies depending on the type of backup policy. ++### Cost impact of standard policy ++Standard policy uses blob snapshots for Instant Restore functionality. All snapshots are incremental in nature and stored in the VM's storage account, which is used for instant recovery. Incremental snapshot means the space occupied by a snapshot is equal to the space occupied by pages that are written after the snapshot was created. Billing is still for the per GB used space occupied by the snapshot as explained in [this section](../storage/blobs/snapshots-overview.md#pricing-and-billing). As an illustration, consider a VM with 100GB in size, change rate of 2% and retention of 5 days for Instant Restore. In this case, the snapshot storage billed will be 10GB (100* 0.02* 5). ++For VMs that use unmanaged disks, the snapshots can be seen in the menu for the VHD file of each disk. For managed disks, snapshots are stored in a restore point collection resource in a designated resource group, and the snapshots themselves aren't directly visible. ++### Cost impact of enhanced policy ++Enhanced policy uses Managed disk snapshots for Instant Restore functionality. The initial snapshot is a full copy of the disk(s). The subsequent snapshots are incremental in nature and occupy only delta changes to disks since the last snapshot. Pricing for managed disk snapshots is explained in [this pricing page](https://azure.microsoft.com/pricing/details/managed-disks/). ++For example, a VM with 100GB in size has a change rate of 2% and retention of 5 days for Instant Restore. In this case, the snapshot storage billed will be 108GB (100 + 100 X 0.02 X 4). >[!NOTE]-> Snapshot retention is fixed to 5 days for weekly policies. +> Snapshot retention is fixed to 5 days for weekly policies for Standard policy and can vary between 5 to 20 days for enhanced policy. 
## Configure snapshot retention Yes, for premium storage accounts the snapshots taken for instant recovery point ### How does the snapshot retention work during the five-day period? -Each day a new snapshot is taken, then there are five individual incremental snapshots. The size of the snapshot depends on the data churn, which are in most cases around 2%-7%. +For Standard policy, each day a new snapshot is taken, then there are five individual incremental snapshots. The size of the snapshot depends on the data churn, which are in most cases around 2%-7%. For Enhanced policy, the initial snapshot is a full snapshot and subsequent snapshots are incremental in nature. ### Is an instant restore snapshot an incremental snapshot or full snapshot? -Snapshots taken as a part of instant restore capability are incremental snapshots. +For Standard policy, snapshots taken as a part of instant restore capability are incremental snapshots. For Enhanced policy, the initial snapshot is a full snapshot and subsequent snapshots are incremental in nature. ### How can I calculate the approximate cost increase due to instant restore feature? -It depends on the churn of the VM. In a steady state, you can assume the increase in cost is = Snapshot retention period daily churn per VM storage cost per GB. +It depends on the churn of the VM. ++- **Standard policy**: In a steady state, you can assume the increase in cost is = Snapshot retention period daily churn per VM snapshot storage cost per GB. +- **Enhanced policy**: In a steady state, you can assume the increase in cost is = ((Size of VM) + (Snapshot retention period-1)*daily churn per VM) * snapshot storage cost per GB. ### If the recovery type for a restore point is ΓÇ£Snapshot and vaultΓÇ¥ and I perform a restore operation, which recovery type will be used? 
If the recovery type is ΓÇ£snapshot and vaultΓÇ¥, restore will be automatically done from the local snapshot, which will be much faster compared to the restore done from the vault. -### What happens if I select retention period of restore point (Tier 2) less than the snapshot (Tier1) retention period? +### What happens if I select retention period of restore point (Tier 2) less than the snapshot (Tier 1) retention period? -The new model doesn't allow deleting the restore point (Tier2) unless the snapshot (Tier1) is deleted. We recommend scheduling restore point (Tier2) retention period greater than the snapshot retention period. +The new model doesn't allow deleting the restore point (Tier 2) unless the snapshot (Tier 1) is deleted. We recommend scheduling restore point (Tier 2) retention period greater than the snapshot retention period. ### Why does my snapshot still exist, even after the set retention period in backup policy? If the recovery point has a snapshot and it's the latest recovery point availabl ### Why do I see more snapshots than my retention policy? -In a scenario where a retention policy is set as ΓÇ£1ΓÇ¥, you can find two snapshots. This mandates that at least one latest recovery point always be present, in case all subsequent backups fail due to an issue in the VM. This can cause the presence of two snapshots.<br></br>So, if the policy is for "n" snapshots, you can find ΓÇ£n+1ΓÇ¥ snapshots at times. Further, you can even find ΓÇ£n+1+2ΓÇ¥ snapshots if there is a delay in garbage collection. This can happen at rare times when: +In a scenario where a retention policy is set as ΓÇ£1ΓÇ¥, you can find two snapshots. This mandates that at least one latest recovery point always be present, in case all subsequent backups fail due to an issue in the VM. This can cause the presence of two snapshots.<br></br>So, if the policy is for "n" snapshots, you can find ΓÇ£n+1ΓÇ¥ snapshots at times. 
Further, you can even find ΓÇ£n+1+2ΓÇ¥ snapshots if there's a delay in garbage collection. This can happen at rare times when: - You clean up snapshots, which are past retention. - The garbage collector (GC) in the backend is under heavy load. Instant restore feature is enabled for everyone and can't be disabled. You can r ### Is it safe to restart the VM during the transfer process (which can take many hours)? Will restarting the VM interrupt or slow down the transfer? -Yes it's safe, and there is absolutely no impact in data transfer speed. +Yes it's safe, and there's absolutely no impact in data transfer speed. |
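Review bot: in the FAQ answer on cost, the Standard policy formula reads "Snapshot retention period daily churn per VM snapshot storage cost per GB" with no operators between its factors, while the Enhanced policy line beside it uses `*`; write the multiplications out so the two can be compared. In "Feature considerations", the last added line ("When you use an Instant Restore recovery point...") has lost its `*` list marker, and the bullet before it runs the 10-TB premium storage limit together with the Enhanced policy snapshot behaviour; split them into separate bullets. The new heading "How Instant Restore works?" should be either "How Instant Restore works" or "How does Instant Restore work?".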
batch | Batch Automatic Scaling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-automatic-scaling.md | Title: Autoscale compute nodes in an Azure Batch pool description: Enable automatic scaling on an Azure Batch cloud pool to dynamically adjust the number of compute nodes in the pool. Previously updated : 02/29/2024 Last updated : 04/02/2024 You can use both resource and task metrics when you define a formula. You adjust | Metric | Description | |-|--|-| Resource | Resource metrics are based on the CPU, the bandwidth, the memory usage of compute nodes, and the number of nodes.<br><br>These service-defined variables are useful for making adjustments based on node count:<br>- $TargetDedicatedNodes <br>- $TargetLowPriorityNodes <br>- $CurrentDedicatedNodes <br>- $CurrentLowPriorityNodes <br>- $PreemptedNodeCount <br>- $SampleNodeCount <br><br>These service-defined variables are useful for making adjustments based on node resource usage: <br>- $CPUPercent <br>- $WallClockSeconds <br>- $MemoryBytes <br>- $DiskBytes <br>- $DiskReadBytes <br>- $DiskWriteBytes <br>- $DiskReadOps <br>- $DiskWriteOps <br>- $NetworkInBytes <br>- $NetworkOutBytes | +| Resource | Resource metrics are based on the CPU, the bandwidth, the memory usage of compute nodes, and the number of nodes.<br><br>These service-defined variables are useful for making adjustments based on node count:<br>- $TargetDedicatedNodes <br>- $TargetLowPriorityNodes <br>- $CurrentDedicatedNodes <br>- $CurrentLowPriorityNodes <br>- $PreemptedNodeCount <br>- $UsableNodeCount <br><br>These service-defined variables are useful for making adjustments based on node resource usage: <br>- $CPUPercent <br>- $WallClockSeconds <br>- $MemoryBytes <br>- $DiskBytes <br>- $DiskReadBytes <br>- $DiskWriteBytes <br>- $DiskReadOps <br>- $DiskWriteOps <br>- $NetworkInBytes <br>- $NetworkOutBytes | | Task | Task metrics are based on the status of tasks, such as Active, Pending, and Completed. 
The following service-defined variables are useful for making pool-size adjustments based on task metrics: <br>- $ActiveTasks <br>- $RunningTasks <br>- $PendingTasks <br>- $SucceededTasks <br>- $FailedTasks | ## Obtain sample data |
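Review bot: In the Resource row, the node-count list drops `$SampleNodeCount` and adds `$UsableNodeCount` without saying what happened to the old name. Readers with existing autoscale formulas that reference `$SampleNodeCount` need to know whether it was renamed, deprecated, or simply removed from this list; add one sentence that says which.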
batch | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/best-practices.md | Title: Best practices description: Learn best practices and useful tips for developing your Azure Batch solutions. Previously updated : 02/29/2024 Last updated : 04/02/2024 A job doesn't automatically move to completed state unless explicitly terminated There's a default [active job and job schedule quota](batch-quota-limit.md#resource-quotas). Jobs and job schedules in completed state don't count towards this quota. +Delete jobs when they're no longer needed, even if in completed state. Although completed jobs don't count towards +active job quota, it's beneficial to periodically clean up completed jobs. For example, +[listing jobs](/rest/api/batchservice/job/list) will be more efficient when the total number of jobs is a smaller +set (even if proper filters are applied to the request). + ## Tasks [Tasks](jobs-and-tasks.md#tasks) are individual units of work that comprise a job. Tasks are submitted by the user and scheduled by Batch on to compute nodes. The following sections provide suggestions for designing your tasks to handle issues and perform efficiently. Deleting tasks accomplishes two things: > For tasks just submitted to Batch, the DeleteTask API call takes up to 10 minutes to take effect. Before it takes effect, > other tasks might be prevented from being scheduled. It's because Batch Scheduler still tries to schedule the tasks just > deleted. If you wanted to delete one task shortly after it's submitted, please terminate the task instead (since the-> terminate task will take effect immediately). And then delete the task 10 minutes later. +> terminate task request will take effect immediately). And then delete the task 10 minutes later. ### Submit large numbers of tasks in collection |
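Review bot: The added "Delete jobs when they're no longer needed" paragraph recommends periodic cleanup of completed jobs but does not say what happens to a job's tasks and their data when the job is deleted. Add a sentence telling readers to persist any task output or job history they need for troubleshooting or audit before they delete. In the changed note line, "And then delete the task 10 minutes later." is still a sentence fragment and could be joined to the sentence before it.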
cloud-services-extended-support | In Place Migration Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services-extended-support/in-place-migration-overview.md | The below table highlights comparison between these two options. | Redeploy | In-place migration | |||-| Customers can deploy a new cloud service directly in Azure Resource Manager and then delete the old cloud service in Azure Service Manager thorough validation. | The in-place migration tool enables a seamless, platform orchestrated migration of existing Cloud Services (classic) deployments to Cloud Services (extended support). | +| Customers can deploy a new cloud service directly in Azure Resource Manager and then delete the old cloud service in Azure Service Manager after thorough validation. | The in-place migration tool enables a seamless, platform orchestrated migration of existing Cloud Services (classic) deployments to Cloud Services (extended support). | | Redeploy allows customers to: <br><br> - Define resource names. <br><br> - Organize or reuse resources as preferred. <br><br> - Reuse service configuration and definition files with minimal changes. | For in-place migration, the platform: <br><br> - Defines resource names. <br><br> - Organizes each deployment and related resources in individual Resource Groups. <br><br> - Modifies existing configuration and definition file for Azure Resource Manager. | | Customers need to orchestrate traffic to the new deployment. | Migration retains IP address and data path remains the same. | | Customers need to delete the old cloud services in Azure Resource Manager. | Platform deletes the Cloud Services (classic) resources after migration. | |
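Review bot: The corrected first row says the customer deletes the old cloud service "in Azure Service Manager after thorough validation", but the unchanged last row of the Redeploy column still says "Customers need to delete the old cloud services in Azure Resource Manager." The two rows name different control planes for the same deletion step; make the last row consistent with the first while this table is being touched.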
communication-services | Call Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/call-automation.md | The Call Automation events are sent to the web hook callback URI specified when To understand which events are published for different actions, refer to [this guide](../../how-tos/call-automation/actions-for-call-control.md) that provides code samples and sequence diagrams for various call control flows. +When acknowledging callback events, it's best practice to respond with standard HTTP status codes like 200 OK. Detailed information is unnecessary and is more suitable for your debugging processes. + To learn how to secure the callback event delivery, refer to [this guide](../../how-tos/call-automation/secure-webhook-endpoint.md). ### Operation Callback Uri |
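Review bot: The second added sentence, "Detailed information is unnecessary and is more suitable for your debugging processes.", does not say where the detail should not go. State plainly that the HTTP response to the callback should carry only the status code and that error detail belongs in the application's own logs, so readers do not return internal diagnostics in the response body. It would also help to say which status codes other than 200 OK are acceptable, since "like 200 OK" leaves that open.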
communication-services | Email Optout Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/email/email-optout-management.md | + + Title: Emails opt out management using suppression list within Azure Communication Service Email ++description: Learn about Managing Opt-outs to enhance Email Delivery in your B2C Communications. ++++ Last updated : 04/01/2024+++++# Overview +++This article provides the Email delivery best practices and how to use the Azure Communication Services Email suppression list feature that allows customers to manage opt-out capabilities for email communications. It also provides information on the features that are important for emails opt out management that helps you improve email complaint management, promote better email practices, and increase your email delivery success, boosting the likelihood of getting to recipients' inboxes efficiently. ++## Opt out or unsubscribe management: Ensuring transparent sender reputation +It's important to know how interested your customers are in your email communication and to respect their opt-out or unsubscribe requests when they decide not to get emails from you. This helps you keep a good sender reputation. Whether you have a manual or automated process in place for handling unsubscribes, it's important to provide an "unsubscribe" link in the email payload you send. When recipients decide not to receive further emails, they can click on the 'unsubscribe' link and remove their email address from your mailing list. ++The functionality of the links and instructions in the email is vital; they must be working correctly and promptly notify the application mailing list to remove the contact from the appropriate list or lists. A proper unsubscribe mechanism should be explicit and transparent from the subscriber's perspective, ensuring they know precisely which messages they're unsubscribing from. 
Ideally, they should be offered a preferences center that gives them the option to unsubscribe in cases where they're subscribed to multiple lists within your organization. This process prevents accidental unsubscribes and allows users to manage their opt-in and opt-out preferences effectively through the unsubscribe management process. ++## Managing emails opt out preferences with suppression list in Azure Communication Service Email +Azure Communication Service Email offers a powerful platform with a centralized managed unsubscribe list with opt out preferences saved to our data store. This feature helps the developers to meet guidelines of email providers, requiring one-click list-unsubscribe implementation in the emails sent from our platform. To proactively identify and avoid significant delivery problems, suppression list features, including but not limited to: ++* Offers domain-level, customer managed lists that provide opt-out capabilities. +* Provides Azure resources that allow for Create, Read, Update, and Delete (CRUD) operations via Azure portal, Management SDKs, or REST APIs. +* Apply filters in the sending pipeline, all recipients are filtered against the addresses in the domain suppression lists and email delivery isn't attempted for the recipient addresses. +* Gives the ability to manage a suppression list for each sender email address, which is used to filter/suppress email recipient addresses when sending emails. +* Caches suppression list data to reduce expensive database lookups, and this caching is domain-specific based on the frequency of use. +* Adds Email addresses programmatically for an easy opt-out process for unsubscribing. 
++### Benefits of opt out or unsubscribe management +Using a suppression list in Azure Communication Services offers several benefits: +* Compliance and Legal Considerations: This feature is crucial for adhering to legal responsibilities defined in local government legislation like the CAN-SPAM Act in the United States. It ensures that customers can easily manage opt-outs and maintain compliance with these regulations. +* Better Sender Reputation: When emails aren't sent to users who have chosen to opt out, it helps protect the senderΓÇÖs reputation and lowers the chance of being blocked by email providers. +* Improved User Experience: It respects the preferences of users who don't wish to receive communications, leading to a better user experience and potentially higher engagement rates with recipients who choose to receive emails. +* Operational Efficiency: Suppression lists can be managed programmatically, allowing for efficient handling of large numbers of opt-out requests without manual intervention. +* Cost-Effectiveness: By not sending emails to recipients who opted out, it reduces the volume of sent emails, which can lower operational costs associated with email delivery. +* Data-Driven Decisions: The suppression list feature provides insights into the number of opt-outs, which can be valuable data for making informed decisions about email campaign strategies. ++These benefits contribute to a more efficient, compliant, and user-friendly email communication system when using Azure Communication Services. To enable email logs and monitor your email delivery, follow the steps outlined in [Azure Communication Services email logs Communication Service in Azure Communication Service](../../concepts/analytics/logs/email-logs.md). ++## Next steps ++The following documents may be interesting to you: ++- Familiarize yourself with the [Email client library](../email/sdk-features.md) +- How to send emails with custom verified domains? 
[Add custom domains](../../quickstarts/email/add-custom-verified-domains.md) +- How to send emails with Azure Managed Domains? [Add Azure Managed domains](../../quickstarts/email/add-azure-managed-domains.md) |
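Review bot: In the suppression list section, "To proactively identify and avoid significant delivery problems, suppression list features, including but not limited to:" has no main verb, and the bullets under it switch between "Offers", "Provides", "Apply filters" and "Adds". Rewrite the lead-in as a full sentence and put the bullets in one grammatical form. The closing link text "Azure Communication Services email logs Communication Service in Azure Communication Service" is garbled, and the product name alternates between "Azure Communication Service Email" and "Azure Communication Services"; pick one. The page also says the feature meets one-click list-unsubscribe requirements without pointing to where that is configured.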
communication-services | Email Smtp Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/email/email-smtp-overview.md | |
communication-services | Privacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/privacy.md | The list of geographies you can choose from includes: - United Kingdom - United States +> [!Note] +> Advanced Messaging for WhatsApp is only available in the following Regions. ++- Asia Pacific +- Australia +- Europe +- United Kingdom +- United States + ## Data collection Azure Communication Services only collects diagnostic data required to deliver the service. |
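Review bot: The added region bullets ("- Asia Pacific" through "- United States") are not prefixed with `>`, so they sit outside the `[!Note]` block that introduces them. They follow directly after the existing geography list, which ends with the same two entries, so they will read as a stray duplicate list rather than as the WhatsApp regions. Prefix each bullet with `>` so the list renders inside the note.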
communication-services | Known Limitations Acs Telephony | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/telephony/known-limitations-acs-telephony.md | This article provides information about limitations and known issues related to - Location-based routing isn't supported. - No quality dashboard is available for customers. - Enhanced 911 isn't supported.-- In-band DTMF is not supported, use RFC 2833 DTMF instead.-- Multiple IP addresses mapped with the same FQDN on the SBC side are not supported.+- In-band Dual-tone multi-frequency (DTMF) isn't supported. Use RFC 2833 DTMF instead. +- Multiple IP addresses mapped with the same FQDN on the SBC side aren't supported. +- Maximum call duration is 30 hours. ## Next steps |
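Review bot: The added bullet "Maximum call duration is 30 hours." does not say what happens when the limit is reached. Say whether the call is ended by the service and whether the application receives an event or error for it, so operators can plan for long-running calls.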
communication-services | Send Email Smtp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/email/send-email-smtp/send-email-smtp.md | |
communication-services | Smtp Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/email/send-email-smtp/smtp-authentication.md | |
communication-services | Ask Device Permission Api Takes Too Long | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/ask-device-permission-api-takes-too-long.md | + + Title: Device and permission issues - askDevicePermission API takes too long ++description: Learn how to troubleshoot when askDevicePermission API takes too long. ++++ Last updated : 03/29/2024++++++# The askDevicePermission API takes too long +The [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API prompts the end user via the browser asking if they allow permission to use camera or microphone. +If the end user approves camera or microphone usage, then those devices are available to be used in a call. The devices availability is reflected in available device list. ++User taking a long time to approve the permission can cause delay in the API response. ++Occasionally, the device list update step can take a long time. +A delay in the driver layer is usually the cause of the issue. The issue can happen with some virtual audio devices in particular. [Chromium Issue 1402866](https://bugs.chromium.org/p/chromium/issues/detail?id=1402866&no_tracker_redirect=1) ++## How to detect using the SDK +To detect this issue, you can measure the time difference between when you call the [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API and when the promise resolves or rejects. 
++## How to mitigate or resolve +If the [`askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API fails due to the user not responding to the UI permission prompt, +the application can retry the API again and the user should see the UI permission prompt. ++As for other reasons, such as the device list updating taking too long to complete, the user should check their devices and see if there's any device that could potentially be causing this issue. +They may need to update or remove the problematic device to resolve the issue. |
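Review bot: The "How to detect using the SDK" section tells readers to measure the time until the promise resolves or rejects but gives no indication of what duration counts as too long. The mitigation section then covers the case where the API "fails due to the user not responding", while the rest of the article describes a pending call rather than a failure. Say whether the promise rejects on its own or whether the application is expected to apply its own timeout. The "Chromium Issue 1402866" link is also left dangling after the sentence about virtual audio devices; work it into that sentence.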
communication-services | No Enumerated Microphone List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/no-enumerated-microphone-list.md | + + Title: Device and permission issues - getMicrophones API doesn't return detailed microphone list ++description: Learn how to troubleshoot when getMicrophones API doesn't return detailed microphone list. ++++ Last updated : 03/29/2024++++++# The getMicrophones API doesn't return detailed microphone list +If a user reports they can't see the detailed microphone list, +it's likely because the user didn't grant permission to access the microphone. +When the permission state is `prompt` or `denied`, the browser doesn't provide detailed information about the microphone devices. +In this scenario, the [`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an array with one object, where the `id` is set to `microphone:` and the name is set to an empty string. ++It's important to note that this scenario differs from the scenario where a user doesn't have any microphone on their device. If a device doesn't have any microphones the [`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an empty array, indicating that there's no available microphone devices on the user's system. 
++## How to detect using the SDK +[`DeviceManager.getMicrophones`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getmicrophones) API returns an empty array or an array with an object, where the `id` is set to `microphone:` and the name is set to an empty string. ++Additionally, to detect the scenario where the user removes the microphone during the call and there are no available microphones in the system, +the application can listen to the [`noMicrophoneDevicesEnumerated`](/javascript/api/azure-communication-services/@azure/communication-calling/latestmediadiagnostics?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-latestmediadiagnostics-nomicrophonedevicesenumerated) event being raised to true in the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md). +This event can help the application understand the current situation, so it can show a warning message on its UI accordingly. ++## How to mitigate or resolve +Your application should always call the [`DeviceManager.askDevicePermission`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-askdevicepermission) API to ensure that the required permissions are granted. +If the user doesn't grant the microphone permission, your application should display a warning message on its user interface. 
++Additionally, your application should listen to the [`noMicrophoneDevicesEnumerated`](/javascript/api/azure-communication-services/@azure/communication-calling/latestmediadiagnostics?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-latestmediadiagnostics-nomicrophonedevicesenumerated) event and show a message when there are no available microphone devices. +If the application provides a device selection page before the call, +it can also check whether the microphone list is empty and shows a warning accordingly indicating no mic devices available. |
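Review bot: The "How to detect using the SDK" section lists the empty array and the single `microphone:` placeholder entry together, although the introduction assigns them different causes (no device versus permission not granted). Repeat that mapping in the detection section so readers can branch on the result. Two wording fixes in the same file: "there's no available microphone devices" should be "there are no available microphone devices", and "shows a warning accordingly" should be "show a warning accordingly".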
communication-services | No Enumerated Speaker List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/no-enumerated-speaker-list.md | + + Title: Device and permission issues - getSpeakers API doesn't return detailed speaker list ++description: Learn how to troubleshoot when getSpeakers API doesn't return detailed speaker list. ++++ Last updated : 03/28/2024++++++# The getSpeakers API doesn't return detailed speaker list +If a user reports that they can't see the detailed speaker list, it could be because the application doesn't have permission to access the microphone. +Alternatively, the platform may not support speaker enumeration. ++The way browsers currently work may seem counterintuitive, as the permission to access the microphone can interfere with the enumeration of speakers. +The speaker and microphone enumeration shares the same permission information. ++When the microphone permission state is `prompt` or `denied`, the browser doesn't provide detailed information about the microphone devices and speaker devices. +In this scenario, [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API returns an array with one object, where the `id` is set to `speaker:` and the name is set to an empty string. ++Some platforms, such as iOS Safari, macOS Safari, or earlier versions of Firefox don't support speaker enumeration. ++It's important to note that this scenario is different from the scenario where a user doesn't have any audio output device. 
+In the latter case, the [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API only returns an empty array, indicating that there's no available audio output device in the user's system. ++## How to detect using the SDK +[`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API returns an empty array or an array with an object, where the `id` is set to `speaker:` and the name is set to an empty string. ++Additionally, to detect the scenario where the user removes the speaker during the call and there are no available audio output devices in the system, the application can listen to the `noSpeakerDevicesEnumerated` event being raised to true in the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md). This event can help the application understand the current situation, and show the warning message on its UI accordingly. ++For the platform that doesn't support speaker enumeration, you get an error when calling [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API. ++The error code/subcode is ++| error | Details | +||-| +| code | 405 (Method Not Allowed) | +| subcode | 40606 | +| message | This device doesn't support speaker enumeration. | +| resultCategories | Expected | ++## How to mitigate or resolve +The application should always call the `DeviceManager.askDevicePermission` API to ensure that the required permissions are granted. 
+If the user doesn't grant the microphone permission, the application should show a warning on its user interface, so the user knows that they aren't able to see the speaker device list. ++The application should also check whether the speaker list is empty or handle the error when calling [`DeviceManager.getSpeakers`](/javascript/api/azure-communication-services/@azure/communication-calling/devicemanager?view=azure-communication-services-js&preserve-view=true#@azure-communication-calling-devicemanager-getspeakers) API, and show a warning accordingly. +Additionally, the application should listen to the `noSpeakerDevicesEnumerated` event and show a message when there are no available speaker devices. |
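Review bot: The platform sentence "iOS Safari, macOS Safari, or earlier versions of Firefox don't support speaker enumeration" does not say which Firefox versions are affected. Name the version from which enumeration is supported, or link to the source for it, so readers can tell whether error 405 with subcode 40606 is expected on their target browsers. In the mitigation section, `DeviceManager.askDevicePermission` and `noSpeakerDevicesEnumerated` are unlinked while the other API mentions in this file are linked.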
communication-services | No Permission Prompt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/no-permission-prompt.md | + + Title: Device and permission issues - no permission prompt after calling askDevicePermission ++description: Learn why there's no permission prompt after calling askDevicePermission. ++++ Last updated : 03/29/2024++++++# No permission prompt shows when calling askDevicePermission +If a user reports that they don't see any permission prompts, it may be because they previously granted or denied permission and the browser caches the result. ++Not showing the permission prompt isn't a problem if the browser has the required permission. +However, if the user can't see the device list, it could be because they denied permission before. ++Another possible reason for the lack of a permission prompt is that the user's system doesn't have any microphone or camera devices available, +causing the browser to skip the prompt even if the permission state is set to `prompt`. ++## How to detect using the SDK +We can't detect whether the permission prompt actually shows or not, as this browser behavior can't be detected at JavaScript layer. ++## How to mitigate or resolve +The application should check the result of [`DeviceManager.askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) API. +If the result is false, it may indicate that user denied the permission now or previously. ++The application should show a warning message and ask the user to check their browser settings to ensure that correct permissions were granted. +They also need to verify that their system has the necessary devices installed and configured properly. |
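Review bot: In the mitigation section the link text is `DeviceManager.askDevicePermission`, but the URL targets `calladapterdevicemanagement` under `@azure/communication-react`. The sibling microphone article on this page links the same API name to `devicemanager` under `@azure/communication-calling`. Point the link at the class named in the link text, or change the text to match the target. "If the result is false" also needs a word on what shape the result has, since the sentence does not say which value is being tested.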
communication-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/resources/troubleshooting/voice-video-calling/device-issues/overview.md | + + Title: Device and permission issues - Overview ++description: Overview of device and permission issues ++++ Last updated : 03/29/2024++++++# Overview of device and permission issues +In the WebJS calling SDK, there are two types of permissions: browser permissions and system permissions. +When an application needs to access a user's audio or video input device, it requires permissions granted at both the browser and system level. ++If an application doesn't have the required permission, it can't access the device, +which means that other participants in the call are unable to see or hear the user. ++To avoid these issues, it's important for users to grant the necessary permissions when prompted by the browser. +If a user accidentally denies permission or needs to change their permissions later, they can usually do so through the browser settings. ++The permission is also necessary for the application to retrieve detailed device list information. +The application can call [`DeviceManager.askDevicePermission`](/javascript/api/%40azure/communication-react/calladapterdevicemanagement?view=azure-node-latest&preserve-view=true#@azure-communication-react-calladapterdevicemanagement-askdevicepermission) to trigger the permission prompt UI. +However, the browser may cache the permission result and return it without showing the permission prompt UI. +If the permission result is `denied`, the user needs to update the permission through the browser settings. ++## Common issues related to the device and permission +Here are some common issues related to devices and permissions, along with their potential causes: ++### The getMicrophones API returns an empty array or doesn't return detailed microphone list +* The microphone device isn't available in the system. 
+* The microphone permission isn't granted. ++### The getSpeakers API returns an empty array or doesn't return detailed speaker list +* The speaker device isn't available in the system. +* The browser doesn't support speaker enumeration. +* The microphone permission isn't granted. ++### No permission prompt shows when calling askDevicePermission +* The browser caches the permission result granted or denied previously and returns it without prompting the user. +* The microphone device isn't available when requesting microphone permission. +* The camera device isn't available when requesting camera permission. ++### The askDevicePermission API takes too long +* The user doesn't grant or deny the permission prompt. +* The device driver layer responds slowly. ++## Next steps ++This overview article provides basic information on device and permission issues you may encounter when using the WebJS calling SDK. +For more detailed guidance, follow the links to the pages listed within the `Device and permission issues` section of this troubleshooting guide. |
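Review bot: The "Next steps" paragraph tells readers to "follow the links to the pages listed within the `Device and permission issues` section", but the file contains no links to those pages. The four headings under "Common issues related to the device and permission" match the sibling article titles, so link each heading or add a link list under "Next steps". The `DeviceManager.askDevicePermission` link in the overview also targets the `@azure/communication-react` `calladapterdevicemanagement` page rather than the `DeviceManager` class named in the link text.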
container-apps | Workload Profiles Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/workload-profiles-overview.md | There are different types and sizes of workload profiles available by region. By | Display name | Name | vCPU | Memory (GiB) | GPU | Category | Allocation | |||||||-| Consumption | consumption |4 | 8 | - | Consumption | per replica | +| Consumption | Consumption |4 | 8 | - | Consumption | per replica | | Dedicated-D4 | D4 | 4 | 16 | - | General purpose | per node | | Dedicated-D8 | D8 | 8 | 32 | - | General purpose | per node | | Dedicated-D16 | D16 | 16 | 64 | - | General purpose | per node | |
cosmos-db | Ai Advantage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/ai-advantage.md | There are many benefits when using Azure Cosmos DB and Azure AI together: The Azure AI Advantage offer is for existing Azure AI and GitHub Copilot customers who want to use Azure Cosmos DB as part of their solution stack. With this offer, you get: -- Free 40,000 RU/s of Azure Cosmos DB throughput for 90 days.+- Free 40,000 [RU/s](request-units.md) of Azure Cosmos DB throughput (equivalent of up to $6,000) for 90 days. - Funding to implement a new AI application using Azure Cosmos DB and/or Azure Kubernetes Service. For more information, speak to your Microsoft representative. |
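Review bot: The added "(equivalent of up to $6,000)" states a dollar value with no currency qualifier and no indication of the pricing it was derived from. Either link the figure to the pricing page it is based on or drop it; the introduction.md change on this page describes the same 40,000 RU/s offer without a figure, so the two articles will drift if pricing changes.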
cosmos-db | Free Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/free-tier.md | Last updated 07/08/2022 Azure Cosmos DB free tier makes it easy to get started, develop, test your applications, or even run small production workloads for free. When free tier is enabled on an account, you'll get the first 1000 RU/s and 25 GB of storage in the account for free. The throughput and storage consumed beyond these limits are billed at regular price. Free tier is available for all API accounts with provisioned throughput, autoscale throughput, single, or multiple write regions. -Free tier lasts indefinitely for the lifetime of the account and it comes with all the [benefits and features](introduction.md#key-benefits) of a regular Azure Cosmos DB account. These benefits include unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. +Free tier lasts indefinitely for the lifetime of the account and it comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account. These benefits include unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can have up to one free tier Azure Cosmos DB account per an Azure subscription and you must opt in when creating the account. If you don't see the option to apply the free tier discount, another account in the subscription has already been enabled with free tier. If you create an account with free tier and then delete it, you can apply free tier for a new account. When creating a new account, itΓÇÖs recommended to enable the free tier discount if itΓÇÖs available. |
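Review bot: The new link target `introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility` depends on heading text in introduction.md, which is being reworded in the same batch. The part of the introduction.md change visible on this page adds a heading, "An AI database providing industry-leading capabilities... for free", that produces a different slug. Verify that a heading matching the new anchor exists in the final introduction.md before merging, otherwise this link resolves to the top of the page.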
cosmos-db | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/introduction.md | Title: Azure Cosmos DB – Unified AI Database -description: Azure Cosmos DB is a global multi-model database and ideal database for AI applications requiring speed, elasticity and availability with native support for NoSQL, relational, and vector data. + Title: Unified AI Database ++description: Database for AI Era - Azure Cosmos DB is a NoSQL, relational, and vector database that provides unmatched reliability and flexibility for your operational data needs. Previously updated : 11/02/2023 Last updated : 04/03/2024 adobe-target: true -# Azure Cosmos DB – Unified AI Database +# Database for AI Era [!INCLUDE[NoSQL, MongoDB, Cassandra, Gremlin, Table, PostgreSQL](includes/appliesto-nosql-mongodb-cassandra-gremlin-table-postgresql.md)] -> OpenAI relies on Cosmos DB to dynamically scale their ChatGPT service – one of the fastest-growing consumer apps ever – enabling high reliability and low maintenance.” – Satya Nadella, Microsoft chairman and chief executive officer +> "OpenAI relies on Cosmos DB to dynamically scale their ChatGPT service – one of the fastest-growing consumer apps ever – enabling high reliability and low maintenance." – Satya Nadella, Microsoft chairman and chief executive officer Today's applications are required to be highly responsive and always online. They must respond in real time to large changes in usage at peak hours, store ever increasing volumes of data, and make this data available to users in milliseconds. To achieve low latency and high availability, instances of these applications need to be deployed in datacenters that are close to their users. -Recently, the surge of AI-powered applications created another layer of complexity, because many of these applications currently integrate a multitude of data stores. 
For example, some teams built applications that simultaneously connect to MongoDB, Postgres, Redis, and Gremlin. These databases differ in implementation workflow and operational performances, posing extra complexity for scaling applications. +The surge of AI-powered applications created another layer of complexity, because many of these applications integrate a multitude of data stores. For example, some organizations built applications that simultaneously connect to MongoDB, Postgres, Redis, and Gremlin. These databases differ in implementation workflow and operational performances, posing extra complexity for scaling applications. -Azure Cosmos DB simplifies and expedites your application development by being the single AI database for your operational data needs, from caching to vector search. It accommodates all your operational data models, including relational, document, vector, key-value, graph, and table. +Azure Cosmos DB simplifies and expedites your application development by being the single database for your operational data needs, from caching to backup to vector search. It provides the data infrastructure for modern applications like AI, digital commerce, Internet of Things, and booking management. It can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table. -Azure Cosmos DB is a fully managed NoSQL, relational, and vector database for AI, digital commerce, Internet of Things, booking management, and other types of modern applications. It offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security. +## An AI database providing industry-leading capabilities... for free ++Azure Cosmos DB is a fully managed NoSQL, relational, and vector database. 
It offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security. App development is faster and more productive thanks to: - Turnkey multi-region data distribution anywhere in the world - Open source APIs-- SDKs for popular languages.-- AI database functionalities like native vector search or seamless integration with Azure AI Services to support Retrieval Augmented Generation+- SDKs for popular languages +- AI database functionalities like integrated vector database or seamless integration with Azure AI Services to support Retrieval Augmented Generation +- Query Copilot for generating NoSQL queries based on your natural language prompts [(preview)](nosql/query/how-to-enable-use-copilot.md) -As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand. +As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates, and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand. -If you are an existing Azure AI or GitHub Copilot customer, you may try Azure Cosmos DB for free with 40,000 [RU/s](request-units.md) of throughput for 90 days under the Azure AI Advantage offer. +If you're an existing Azure AI or GitHub Copilot customer, you may try Azure Cosmos DB for free with 40,000 [RU/s](request-units.md) of throughput for 90 days under the Azure AI Advantage offer. 
> [!div class="nextstepaction"] > [90-day Free Trial with Azure AI Advantage](ai-advantage.md) -If you are not an Azure customer, you may use the 30-day Free Trial without an Azure subscription. No commitment follows the end of your trial period. --> [!div class="nextstepaction"] -> [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/) --Alternatively, you may use the Azure Cosmos DB lifetime free tier with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free. +If you aren't an Azure customer, you may use the [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/). No commitment follows the end of your trial period. -> [!div class="nextstepaction"] -> [Azure Cosmos DB lifetime free tier](free-tier.md) +Alternatively, you may use the [Azure Cosmos DB lifetime free tier](free-tier.md) with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free. > [!TIP] > To learn more about Azure Cosmos DB, join us every Thursday at 1PM Pacific on Azure Cosmos DB Live TV. See the [Upcoming session schedule and past episodes](https://gotcosmos.com/tv). -## Azure Cosmos DB is more than an AI database --Besides AI database, Azure Cosmos DB should also be your goto database for web, mobile, gaming, and IoT applications. Azure Cosmos DB is well positioned for solutions that handle massive amounts of data, reads, and writes at a global scale with near-real response times. Azure Cosmos DB's guaranteed high availability, high throughput, low latency, and tunable consistency are huge advantages when building these types of applications. Learn about how Azure Cosmos DB can be used to build IoT and telematics, retail and marketing, gaming and web and mobile applications. +## An AI database for more than just AI apps -## Key Benefits +Besides AI, Azure Cosmos DB should also be your goto database for web, mobile, gaming, and IoT applications. 
Azure Cosmos DB is well positioned for solutions that handle massive amounts of data, reads, and writes at a global scale with near-real response times. Azure Cosmos DB's guaranteed high availability, high throughput, low latency, and tunable consistency are huge advantages when building these types of applications. Learn about how Azure Cosmos DB can be used to build IoT and telematics, retail and marketing, gaming and web and mobile applications. -Here's some key benefits of using Azure Cosmos DB. +## An AI database with unmatched reliability and flexibility ### Guaranteed speed at any scale Gain unparalleled [SLA-backed](https://azure.microsoft.com/support/legal/sla/cos ### Simplified application development -Build fast with open-source APIs, multiple SDKs, schemaless data and no-ETL analytics over operational data. +Build fast with open-source APIs, multiple SDKs, schemaless data, and no-ETL analytics over operational data. - Deeply integrated with key Azure services used in modern (cloud-native) app development including Azure Functions, IoT Hub, AKS (Azure Kubernetes Service), App Service, and more. - Choose from multiple database APIs including the native API for NoSQL, MongoDB, PostgreSQL, Apache Cassandra, Apache Gremlin, and Table. - Use Azure Cosmos DB as your unified AI database for data models like relational, document, vector, key-value, graph, and table.-- Build apps on API for NoSQL using the languages of your choice with SDKs for .NET, Java, Node.js and Python. Or your choice of drivers for any of the other database APIs.+- Build apps on API for NoSQL using the languages of your choice with SDKs for .NET, Java, Node.js, and Python. Or your choice of drivers for any of the other database APIs. - Change feed makes it easy to track and manage changes to database containers and create triggered events with Azure Functions. 
- Azure Cosmos DB's schema-less service automatically indexes all your data, regardless of the data model, to deliver blazing fast queries. Guarantee business continuity, 99.999% availability, and enterprise-level securi ### Fully managed and cost-effective -End-to-end database management, with serverless and automatic scaling matching your application and TCO needs +End-to-end database management, with serverless and automatic scaling matching your application and total cost of ownership (TCO) needs. - Fully managed database service. Automatic, no touch, maintenance, patching, and updates, saving developers time and money. - Cost-effective options for unpredictable or sporadic workloads of any size or scale, enabling developers to get started easily without having to plan or manage capacity. |
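Review bot: The new title ("Unified AI Database") and H1 ("Database for AI Era") in introduction.md no longer name Azure Cosmos DB, so the heading alone doesn't say which product the page documents; keep the product name in at least one of them. Renaming "## Key Benefits" also retires the `#key-benefits` anchor, so every inbound link has to move to `#an-ai-database-with-unmatched-reliability-and-flexibility` in the same change. In the "more than just AI apps" paragraph, "goto database" should be "go-to database".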
cosmos-db | Vector Search Ai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/vector-search-ai.md | Title: Build AI apps with vector search- -description: Enhance AI-powered applications with Retrieval Augmented Generation (RAG) by using Azure Cosmos DB for MongoDB vCore vector search. + Title: Open-source vector databases ++description: Open-source vector databases Previously updated : 08/28/2023 Last updated : 04/02/2024 -# Build AI apps with Azure Cosmos DB for MongoDB vCore vector search +# Open-source vector databases [!INCLUDE[MongoDB vCore](../../includes/appliesto-mongodb-vcore.md)] -Language models available in Azure OpenAI Service can elevate the capabilities of your AI-driven applications. To fully unleash the potential of language models, you must give them access to timely and relevant data from your application's data store. You can accomplish this process, known as Retrieval Augmented Generation (RAG), by using Azure Cosmos DB. +When developers select vector databases, the open-source options provide numerous benefits. "Open source" means that the software's source code is available freely, enabling users to customize the database according to their specific needs. This flexibility is beneficial for organizations that are subject to unique regulatory requirements on data, such as companies in the financial services industry. -This article delves into the core concepts of RAG. It provides links to tutorials and sample code that exemplify RAG strategies by using vector search in Azure Cosmos DB for MongoDB vCore. +Another advantage of open-source vector databases is the strong community support they enjoy. Active user communities often contribute to the development of these databases, provide support, and share best practices, promoting innovation. -RAG elevates AI-powered applications by incorporating external knowledge and data into model inputs. 
With vector search in Azure Cosmos DB for MongoDB vCore, this process becomes seamless. You can use it to integrate the most pertinent information into your AI models with minimal effort. +Some individuals opt for open-source vector databases because they are "free," meaning there's no cost to acquire or use the software. An alternative is using the free tiers offered by managed vector database services. These managed services provide not only cost-free access up to a certain usage limit but also simplify the operational burden by handling maintenance, updates, and scalability. Therefore, by using the free tier of managed vector database services, users can achieve cost savings while reducing management overhead. This approach allows users to focus more on their core activities rather than on database administration. -By using [embeddings](../../../ai-services/openai/tutorials/embeddings.md) and vector search, you can provide your AI applications with the context that they need to excel. Through the provided tutorials and code samples, you can become proficient in using RAG to create smarter and more context-aware AI solutions. +## Working mechanism of open-source vector databases -## What is Retrieval Augmented Generation? +Open-source vector databases are designed to store and manage vector embeddings, which are mathematical representations of data in a high-dimensional space. In this space, each dimension corresponds to a feature of the data, and tens of thousands of dimensions might be used to represent sophisticated data. A vector's position in this space represents its characteristics. Words, phrases, or entire documents, and images, audio, and other types of data can all be vectorized. These vector embeddings are used in similarity search, multi-modal search, recommendations engines, large languages models (LLMs), etc. -RAG uses external knowledge and models to efficiently manage custom data or domain-specific expertise. 
This process involves extracting information from an external data source and integrating it into the model's input through prompt engineering. A robust approach is essential to identify the most pertinent data from the external source within the [token limitations of a request](../../../ai-services/openai/quotas-limits.md). +These databases' architecture typically includes a storage engine and an indexing mechanism. The storage engine optimizes the storage of vector data for efficient retrieval and manipulation, while the indexing mechanism organizes the data for fast searching and retrieval operations. -RAG addresses these limitations by using embeddings, which convert data into vectors. Embeddings capture the semantic essence of the text and enable context comprehension beyond simple keywords. +In a vector database, embeddings are indexed and queried through vector search algorithms based on their vector distance or similarity. A robust mechanism is necessary to identify the most relevant data. Some well-known vector search algorithms include Hierarchical Navigable Small World (HNSW), Inverted File (IVF), etc. -## What is vector search? +Vector databases are used in numerous domains and situations across analytical and generative AI, including natural language processing, video and image recognition, recommendation system, search, etc. For example, you can use a vector database to: -[Vector search](./vector-search.md) is an approach that enables the discovery of analogous items based on shared data characteristics. It deviates from the necessity for precise matches within a property field. 
+- Identify similar images, documents, and songs based on their contents, themes, sentiments, and styles +- Identify similar products based on their characteristics, features, and user groups +- Recommend contents, products, or services based on individuals' preferences +- Recommend contents, products, or services based on user groups' similarities +- Identify the best-fit potential options from a large pool of choices to meet complex requirements +- Identify data anomalies or fraudulent activities that are dissimilar from predominant or normal patterns +- Implement persistent memory for AI agents +- Enable retrieval-augmented generation (RAG) -This method is invaluable in applications like text similarity searches, image association, recommendation systems, and anomaly detection. Its functionality revolves around the use of vector representations (sequences of numerical values) that are generated from your data via machine learning models or embeddings APIs. Examples of such APIs encompass [Azure OpenAI embeddings](/azure/ai-services/openai/how-to/embeddings) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/). +## Selecting the best open-source vector database -The technique gauges the disparity between your query vector and the data vectors. The data vectors that show the closest proximity to your query vector are identified as semantically akin. +Choosing the best open-source vector database requires considering several factors. Performance and scalability of the database are crucial, as they impact whether the database can handle your specific workload requirements. Databases with efficient indexing and querying capabilities usually offer optimal performance. Another factor is the community support and documentation available for the database. A robust community and ample documentation can provide valuable assistance. 
Here are some popular open-source vector databases: -## How does vector search work in Azure Cosmos DB for MongoDB vCore? +- Chroma +- Milvus +- Qdrant +- Weaviate -You can truly harness the power of RAG through the native vector search capability in Azure Cosmos DB for MongoDB vCore. This feature combines AI-focused applications with stored data in Azure Cosmos DB. +>[!NOTE] +>The most popular option may not be the best option for you. To find the best fit for your needs, you should compare different options based on features, supported data types, compatibility with existing tools and frameworks you use. Ease of installation, configuration, and maintenance should also be considered to ensure smooth integration into your workflow. -Vector search optimally stores, indexes, and searches high-dimensional vector data directly within Azure Cosmos DB for MongoDB vCore, alongside other application data. This capability eliminates the need to migrate data to costlier alternatives for vector search functionality. +## Challenges with open-source vector databases -## Code samples and tutorials +Open-source vector databases pose challenges that are typical of open-source software: -- [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore): Walk through creating a recipe chatbot by using .NET, to showcase the application of RAG in a culinary scenario.-- [Python notebook tutorial - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore): Learn how to construct an Azure product chatbot that highlights the benefits of RAG.+- Setup: Users need in-depth knowledge to install, configure, and operate, especially for complex deployments. Optimizing resources and configuration while scaling up operation requires close monitoring and adjustments. 
+- Maintenance: Users must manage their own updates, patches, and maintenance. Thus, ML expertise wouldn't suffice; users must also have extensive experience in database administration. +- Support: Official support can be limited compared to managed services, relying more on community assistance. -## Next steps +Therefore, while free initially, open-source vector databases incur significant costs when scaling up. Expanding operations necessitates more hardware, skilled IT staff, and advanced infrastructure management, leading to higher expenses in hardware, personnel, and operational costs. Scaling open-source vector databases can be financially demanding despite the lack of licensing fees. ++## Addressing the challenges -- Learn more about [Azure OpenAI embeddings](../../../ai-services/openai/concepts/understand-embeddings.md)-- Learn how to [generate embeddings using Azure OpenAI](../../../ai-services/openai/tutorials/embeddings.md)+A fully managed database service helps developers avoid the hassles from setting up, maintaining, and relying on community assistance for an open-source vector database. The Integrated Vector Database in Azure Cosmos DB for MongoDB vCore offers a life-time free tier. It allows developers to enjoy the same financial benefit associated with open-source vector databases, while the service provider handles maintenance, updates, and scalability. When itΓÇÖs time to scale up operations, upgrading is quick and easy while keeping a low [total cost of ownership (TCO)](introduction.md#low-total-cost-of-ownership-tco). ++## Next steps +> [!div class="nextstepaction"] +> [Create a lifetime free-tier vCore cluster for Azure Cosmos DB for MongoDB](free-tier.md) |
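Review bot: The front-matter `description` in vector-search-ai.md is now identical to the title ("Open-source vector databases"), which drops the summary the old description carried; write a one-sentence description of what the article covers. In the added text, "large languages models (LLMs)" should be "large language models", and "life-time free tier" is spelled "lifetime" in the next-step link of the same article, so pick one spelling.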
cosmos-db | Vector Search | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/vcore/vector-search.md | This guide demonstrates how to create a vector index, add documents that have ve ## Related content -- [With Semantic Kernel, orchestrate your data retrieval with Azure Cosmos DB for MongoDB vCore](/semantic-kernel/memories/vector-db#available-connectors-to-vector-databases)+- [.NET RAG Pattern retail reference solution](https://github.com/Azure/Vector-Search-AI-Assistant-MongoDBvCore) +- [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore) +- [C# RAG pattern - Integrate Open AI Services with Cosmos](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore) +- [Python RAG pattern - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore) +- [Python notebook tutorial - Vector database integration through LangChain](https://python.langchain.com/docs/integrations/vectorstores/azure_cosmos_db) +- [Python notebook tutorial - LLM Caching integration through LangChain](https://python.langchain.com/docs/integrations/llms/llm_caching#azure-cosmos-db-semantic-cache) +- [Python - LlamaIndex integration](https://docs.llamaindex.ai/en/stable/examples/vector_stores/AzureCosmosDBMongoDBvCoreDemo.html) +- [Python - Semantic Kernel memory integration](https://github.com/microsoft/semantic-kernel/tree/main/python/semantic_kernel/connectors/memory/azure_cosmosdb) ## Next step > [!div class="nextstepaction"]-> [Build AI apps with Integrated Vector Database in Azure Cosmos DB for MongoDB vCore](vector-search-ai.md) +> [Create a lifetime free-tier vCore cluster for Azure Cosmos DB for MongoDB](free-tier.md) |
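Review bot: In the added Related content list of vector-search.md, ".NET tutorial - recipe chatbot" and "C# RAG pattern - Integrate Open AI Services with Cosmos" link to the same URL (.../tree/main/C%23/CosmosDB-MongoDBvCore). Point the second entry at its own sample or drop one of the two, and write "OpenAI" as one word to match the service name used elsewhere.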
cosmos-db | Computed Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/computed-properties.md | During the preview, computed properties must be created using the .NET v3 or Jav | | | | | **.NET SDK v3** | >= [3.34.0-preview](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.34.0-preview) | Computed properties are currently available only in preview package versions. | | **Java SDK v4** | >= [4.46.0](https://mvnrepository.com/artifact/com.azure/azure-cosmos/4.46.0) | Computed properties are currently under preview version. |+| **Python SDK** | >= [v4.5.2b5](https://pypi.org/project/azure-cosmos/4.5.2b5/) | Computed properties are currently under preview version. | ### Create computed properties by using the SDK containerProperties.setComputedProperties(computedProperties); client.getDatabase("myDatabase").createContainer(containerProperties); ``` +### [Python](#tab/python) ++You can define multiple computed properties in a list and then add them to the container properties. Python SDK currently doesn't support computed properties on existing containers. ++```python +computed_properties = [{'name': "cp_lower", 'query': "SELECT VALUE LOWER(c.db_group) FROM c"}, + {'name': "cp_power", 'query': "SELECT VALUE POWER(c.val, 2) FROM c"}, + {'name': "cp_str_len", 'query': "SELECT VALUE LENGTH(c.stringProperty) FROM c"}] ++container_with_computed_props = db.create_container_if_not_exists( + "myContainer", PartitionKey(path="/pk"), computed_properties=computed_properties) +``` +Computed properties can be used like any other property in queries. 
For example, you can use the computed property `cp_lower` in a query like this: ++```python +queried_items = list( + container_with_computed_props.query_items(query='Select * from c Where c.cp_power = 25', partition_key="test")) +``` ++ Here's an example of how to update computed properties on an existing container: containerProperties.setComputedProperties(modifiedComputedProperites); container.replace(containerProperties); ``` +### [Python](#tab/python) +Updating computed properties on an existing container is not supported in Python SDK. You can only define computed properties when creating a new container. This is a work in progress currently. + > [!TIP] |
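Review bot: In the new Python tab of computed-properties.md, the sentence introducing the query names the computed property `cp_lower`, but the query that follows filters on `c.cp_power = 25`; make the prose and the query refer to the same property. The snippet as shown uses `db` and `PartitionKey` without an import or client setup, so add them or state that they are assumed. The second Python tab ends with "This is a work in progress currently", which reads as a status note rather than documentation; state the limitation only.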
cosmos-db | Optimize Dev Test | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/optimize-dev-test.md | This article describes the different options to use Azure Cosmos DB for developm Azure Cosmos DB free tier makes it easy to get started, develop and test your applications, or even run small production workloads for free. When free tier is enabled on an account, you'll get the first 1000 RU/s and 25 GB of storage in the account free. -Free tier lasts indefinitely for the lifetime of the account and comes with all the [benefits and features](introduction.md#key-benefits) of a regular Azure Cosmos DB account, including unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can create a free tier account using Azure portal, CLI, PowerShell, and a Resource Manager template. To learn more, see how to [create a free tier account](free-tier.md) article and the [pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/). +Free tier lasts indefinitely for the lifetime of the account and comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account, including unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can create a free tier account using Azure portal, CLI, PowerShell, and a Resource Manager template. To learn more, see how to [create a free tier account](free-tier.md) article and the [pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/). ## Azure free account |
cosmos-db | Priority Based Execution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/priority-based-execution.md | To get started using priority-based execution, navigate to the **Features** page - Java v4: [v4.45.0](https://mvnrepository.com/artifact/com.azure/azure-cosmos/4.45.0) or later - Spark 3.2: [v4.19.0](https://central.sonatype.com/artifact/com.azure.cosmos.spark/azure-cosmos-spark_3-2_2-12/4.19.0) or later - JavaScript v4: [v4.0.0](https://www.npmjs.com/package/@azure/cosmos) or later-- Python 4.6.0: [v4.6.0](https://pypi.org/project/azure-cosmos/4.6.0/) or later+- Python: [v4.5.2b2](https://pypi.org/project/azure-cosmos/4.5.2b2/) or later. Available only in preview version. ## Code samples |
cosmos-db | Vector Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/vector-database.md | Use the natively [integrated vector database in Azure Cosmos DB for MongoDB vCor - [.NET RAG Pattern retail reference solution](https://github.com/Azure/Vector-Search-AI-Assistant-MongoDBvCore) - [.NET tutorial - recipe chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore)-- [Python notebook tutorial - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore)+- [C# RAG pattern - Integrate Open AI Services with Cosmos](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/C%23/CosmosDB-MongoDBvCore) +- [Python RAG pattern - Azure product chatbot](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples/tree/main/Python/CosmosDB-MongoDB-vCore) - [Python notebook tutorial - Vector database integration through LangChain](https://python.langchain.com/docs/integrations/vectorstores/azure_cosmos_db) - [Python notebook tutorial - LLM Caching integration through LangChain](https://python.langchain.com/docs/integrations/llms/llm_caching#azure-cosmos-db-semantic-cache) - [Python - LlamaIndex integration](https://docs.llamaindex.ai/en/stable/examples/vector_stores/AzureCosmosDBMongoDBvCoreDemo.html) |
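Review bot: The added "C# RAG pattern - Integrate Open AI Services with Cosmos" entry in vector-database.md uses the same target as the ".NET tutorial - recipe chatbot" line directly above it, so the list shows two labels for one sample; give the new entry a distinct link or merge the two.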
cost-management-billing | Understand Ea Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/understand-ea-roles.md | Users with this role have the highest level of access to the Enrollment. They ca - Manage other enterprise administrators. - Manage department administrators. - Manage notification contacts.-- Purchase Azure services, including reservations.+- Purchase Azure services, including reservations/savings plans. - View usage across all accounts. - View unbilled charges across all accounts. - Create new subscriptions under active enrollment accounts.-- View and manage all reservation orders and reservations that apply to the Enterprise Agreement.- - Enterprise administrator (read-only) can view reservation orders and reservations. They can't manage them. +- View and manage all reservation/savings plan orders and reservations/savings plans that apply to the Enterprise Agreement. + - Enterprise administrator (read-only) can view reservation/savings plan orders and reservations/savings plans. They can't manage them. You can have multiple enterprise administrators in an enterprise enrollment. You can grant read-only access to enterprise administrators. The enterprise administrator role can be assigned to multiple accounts. Users with this role have permissions to purchase Azure services, but aren't allowed to manage accounts. They can: -- Purchase Azure services, including reservations.+- Purchase Azure services, including reservations/savings plans. - View usage across all accounts. - View unbilled charges across all accounts.-- View and manage all reservation orders and reservations that apply to the Enterprise Agreement.+- View and manage all reservation/savings plan orders and reservations/savings plans that apply to the Enterprise Agreement. The EA purchaser role is currently enabled only for SPN-based access. 
To learn how to assign the role to a service principal name, see [Assign roles to Azure Enterprise Agreement service principal names](assign-roles-azure-service-principals.md). The following sections describe the limitations and capabilities of each role. |Add or remove Department Administrators|✔|✘|✘|✔|✘|✘|✘| |View Accounts in the enrollment |✔|✔|✔|✔⁵|✔⁵|✘|✔| |Add Accounts to the enrollment and change Account Owner|✔|✘|✘|✔⁵|✘|✘|✘|-|Purchase reservations|✔|✘⁶|✔|✘|✘|✘|✘| +|Purchase reservations/savings plans|✔|✘⁶|✔|✘|✘|✘|✘| |Create and manage subscriptions and subscription permissions|✔|✘|✘|✘|✘|✔|✘| - ⁴ Notification contacts are sent email communications about the Azure Enterprise Agreement. - ⁵ Task is limited to accounts in your department.-- ⁶ A subscription owner or reservation purchaser can purchase and manage reservations and savings plans within the subscription, and only if permitted by the reservation purchase enabled flag. Enterprise administrators can purchase and manage reservations and savings plans across the billing account. Enterprise administrators (read-only) can view all purchased reservations and savings plans. The reservation purchase enabled flag doesn't affect the EA administrator roles. The Enterprise Admin (read-only) role holder isn't permitted to make purchases. However, if a user with that role also holds either a subscription owner or reservation purchaser permission, the user can purchase reservations and savings plans, regardless of the flag.+- ⁶ A subscription owner, reservation purchaser or savings plan purchaser can purchase and manage reservations and savings plans within the subscription, and only if permitted by the reservation/savings plan purchase-enabled flags. Enterprise administrators can purchase and manage reservations and savings plans across the billing account. Enterprise administrators (read-only) can view all purchased reservations and savings plans. 
The reservation/savings plan purchase-enabled flags don't affect the EA administrator roles. The Enterprise Admin (read-only) role holder isn't permitted to make purchases. However, if a user with that role also holds either a subscription owner, reservation purchaser or savings plan purchaser permission, the user can purchase reservations and/or savings plans, regardless of the flags. ## Add a new enterprise administrator |
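Review bot: In the rewritten footnote ⁶ of understand-ea-roles.md, "A subscription owner, reservation purchaser or savings plan purchaser can purchase and manage reservations and savings plans" reads as if either purchaser role covers both product types. If the reservation purchaser role only covers reservations and the savings plan purchaser role only covers savings plans, say so per role, and name the two purchase-enabled flags separately instead of "the flags", so readers granting these roles know exactly what each one permits.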
cost-management-billing | Buy Savings Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/savings-plan/buy-savings-plan.md | Savings plan discounts only apply to resources associated with subscriptions pur > Azure savings plan isn't supported for the China legacy Online Service Premium Agreement (OSPA) platform. ### Enterprise Agreement customers+Saving plan purchasing for Enterprice Agreement (EA) customers is limited to the following: +- EA admins with write permissions can purchase savings plans from **Cost Management + Billing** > **Savings plan**. No subscription-specific permissions are needed. +- Users with Subscription owner or Savings plan purchaser roles in at least one subscription in the enrollment account can purchase savings plans from **Home** > **Savings plan**. -- EA admins with write permissions can directly purchase savings plans from **Cost Management + Billing** > **Savings plan**. No subscription-specific permissions are needed.-- Subscription owners for one of the subscriptions in the enrollment account can purchase savings plans from **Home** > **Savings plan**.--Enterprise Agreement (EA) customers can limit purchases to only EA admins by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings. +EA customers can limit savings plan purchases to only EA admins by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings. 
### Microsoft Customer Agreement (MCA) customers+Saving plan purchasing for Microsoft Customer Agreement (MCA) customers is limited to the following: +- Users with billing profile contributor permissions or higher can purchase savings plans from **Cost Management + Billing** > **Savings plan** experience. No subscription-specific permissions are needed. +- Users with Subscription owner or Savings plan purchaser roles in at least one subscription in the billing profile can purchase savings plans from **Home** > **Savings plan**. -- Customers with billing profile contributor permissions or higher can purchase savings plans from **Cost Management + Billing** > **Savings plan** experience. No subscription-specific permissions are needed.-- Subscription owners for one of the subscriptions in the billing profile can purchase savings plans from **Home** > **Savings plan**.--To disallow savings plan purchases on a billing profile, billing profile contributors can navigate to the **Policies** menu under the billing profile and adjust the Azure Savings Plan option. +MCA customers can limit savings plan purchases to users with billing profile contributor permissions or higher by disabling the Add Savings Plan option in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to the **Policies** menu to change settings. ### Microsoft Partner Agreement partners Buy savings plans by using Azure RBAC permissions or with permissions on your bi #### To purchase using Azure RBAC permissions -- You must be an Owner of the subscription that you plan to use, specified as `billingScopeId`.+- You must have the Savings plan purchaser role within, or be an Owner of, the subscription that you plan to use, specified as `billingScopeId`. - The `billingScopeId` property in the request body must use the `/subscriptions/10000000-0000-0000-0000-000000000000` format. #### To purchase using billing permissions |
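Review bot: The added lead-in under "### Enterprise Agreement customers" misspells "Enterprise" as "Enterprice", and both new lead-ins (EA and MCA) say "Saving plan purchasing" where the rest of the article says "savings plan". The new bullets also widen the set of purchasers to anyone with the Subscription owner or Savings plan purchaser role in at least one subscription. The "Add Savings Plan" policy paragraphs should therefore state explicitly that disabling the option blocks both of those roles, since that policy is the control an administrator relies on to restrict purchasing.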
cost-management-billing | Download Savings Plan Price Sheet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/savings-plan/download-savings-plan-price-sheet.md | This article explains how you can download the price sheet for an Enterprise Agr ## Download EA price sheet -To download your EA price sheet, do the following tasks. +To download your EA price sheet via Azure portal, do the following tasks. 1. Sign in to the [Azure portal](https://portal.azure.com/). 2. Search for **Cost Management + Billing**. To download your EA price sheet, do the following tasks. ## Download MCA price sheet -To download your MCA price sheet, do the following tasks. +To download your MCA price sheet via Azure portal, do the following tasks. 1. Sign in to the [Azure portal](https://portal.azure.com/). 2. Search for **Cost Management + Billing**. To download your MCA price sheet, do the following tasks. 5. Select **Download Azure price sheet for** _current month and year_. File generation may take a few moments. 6. Open the file and filter on `priceType` to see `SavingsPlan` plan price records. +## Download price sheet using APIs +To learn more about downloading your price sheet using price sheet APIs, see the following articles: + - [Learn more about EA price sheet](/rest/api/cost-management/price-sheet). + - [Learn more about MCA price sheet](/rest/api/consumption/price-sheet). + - [Learn more about retail price sheet](/rest/api/cost-management/retail-prices/azure-retail-prices). ++ ## Need help? Contact us. If you have questions about Azure savings plan for compute, contact your account team or [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). Temporarily, Microsoft only provides expert support for Azure savings plan for compute in English. |
data-factory | Self Hosted Integration Runtime Troubleshoot Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-troubleshoot-guide.md | To generate the error report ID for Microsoft Support, follow these instructions > [!NOTE] > The folder is not `C:\Program Files (x86)\Java\` - - JRE 7 and JRE 8 are both compatible for this copy activity. JRE 6 and versions that are earlier than JRE 6 have not been validated for this use. + - Java Runtime (JRE) is version 11 or greater, from a JRE provider such as [Microsoft OpenJDK 11](https://aka.ms/download-jdk/microsoft-jdk-11.0.19-windows-x64.msi) or [Eclipse Temurin 11](https://adoptium.net/temurin/releases/?version=11). Ensure that the JAVA_HOME system environment variable is set to the JDK folder (not just the JRE folder) you may also need to add the bin folder to your system's PATH environment variable. 2. Check the registry for the appropriate settings. To do this, follow these steps: |
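Review bot: The added JRE bullet runs two sentences together at "(not just the JRE folder) you may also need to add the bin folder"; end the sentence after the parenthesis. The bullet asks for a "Java Runtime (JRE)" but then tells the reader to point JAVA_HOME at "the JDK folder" and links JDK installers, so say plainly whether a JRE alone is enough or a JDK is required. The Microsoft OpenJDK link is pinned to the 11.0.19 MSI while the text says "version 11 or greater"; linking a download page instead of a fixed installer would avoid steering readers to an old patch level.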
defender-for-cloud | Agentless Vulnerability Assessment Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-aws.md | Container vulnerability assessment powered by Microsoft Defender Vulnerability M - **Reporting** - Container Vulnerability Assessment for AWS powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations: - | Recommendation | Description | Assessment Key| - |--|--|--| - | [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce | - | [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 
| 682b2595-d045-4cff-b5aa-46624eb2dd8f | +These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same. ++| Recommendation | Description | Assessment Key| +|--|--|--| +| [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 2a139383-ec7e-462a-90ac-b1b60e87d576 | +| [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)ΓÇ»| Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. 
| d5d1e526-363a-4223-b860-f4b6e710859f | ++These are the older recommendations that are currently on a retirement path: ++| Recommendation | Description | Assessment Key| +|--|--|--| +| [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce) | Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce | +| [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainersRuntimeRecommendationDetailsBlade/assessmentKey/682b2595-d045-4cff-b5aa-46624eb2dd8f)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f | - **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md). 
A detailed description of the scan process is described as follows: - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.ΓÇï - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability)- - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AwsContainerRegistryRecommendationDetailsBlade/assessmentKey/c27441ae-775c-45be-8ffa-655de37362ce). -- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. 
Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.+ - Vulnerability reports for registry container images are provided as a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576). +- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on EKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f) for remediating vulnerabilities for vulnerable images running on an EKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. > [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week. |
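Review bot: In the added "[Preview] Containers running in AWS should have vulnerability findings resolved" row, the description breaks parallel structure: "is critical to ensure ..., reduce the risk of security incidents, and ensures compliance" should end "and ensure compliance". The new intro says the preview recommendations "do not count toward secure score while in preview" and that the older set is "on a retirement path", but it does not say which set a reader should track for remediation in the meantime; one sentence on that would close the gap.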
defender-for-cloud | Agentless Vulnerability Assessment Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-azure.md | Container vulnerability assessment powered by Microsoft Defender Vulnerability M - **Exploitability information** - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability. - **Reporting** - Container Vulnerability Assessment for Azure powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations: - | Recommendation | Description | Assessment Key | - |--|--|--| - | [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 | - | [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)  | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. 
Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 | +These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same. ++| Recommendation | Description | Assessment Key | +|--|--|--| +| [[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 33422d8f-ab1e-42be-bc9a-38685bb567b9 | +| [[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)  | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. 
| e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0 | ++These are the older recommendations that are currently on a retirement path: ++| Recommendation | Description | Assessment Key| +|--|--|--| +| [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 | +| [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)  | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 | - **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md). 
- **Query scan results via REST API** - Learn how to query scan results via [REST API](subassessment-rest-api.md). A detailed description of the scan process is described as follows: - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​ - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability)- - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5). -- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. 
Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/AzureContainerRegistryRecommendationDetailsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9). +- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on AKS nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0) for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. > [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week. |
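Review bot: The two added scan-process bullets attach the new assessment keys (33422d8f-ab1e-42be-bc9a-38685bb567b9 and e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0) to the old blade paths `AzureContainerRegistryRecommendationDetailsBlade` and `ContainersRuntimeRecommendationDetailsBlade` on ms.portal.azure.com, while the new table links the same keys through `portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade`. Use one URL form for each key in both places and confirm that the bullet links open the preview recommendations.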
defender-for-cloud | Agentless Vulnerability Assessment Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-vulnerability-assessment-gcp.md | Container vulnerability assessment powered by Microsoft Defender Vulnerability M - **Reporting** - Container Vulnerability Assessment for GCP powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations: - | Recommendation | Description | Assessment Key| - |--|--|--| - | [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce | - | [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 
| 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 | +These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same. ++| Recommendation | Description | Assessment Key| +|--|--|--| +| [[Preview] Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04) | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04 | +| [[Preview] Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)ΓÇ»| Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. 
| c7c1d31d-a604-4b86-96df-63448618e165 | ++These are the older recommendations that are currently on a retirement path: ++| Recommendation | Description | Assessment Key| +|--|--|--| +| [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce | +| [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 | - **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](../governance/resource-graph/overview.md#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md). 
A detailed description of the scan process is described as follows: - All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.ΓÇï - Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) and [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability)- - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145). -- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/e538731a-80c8-4317-a119-13075e002516) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. 
Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.+ - Vulnerability reports for registry container images are provided as a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainerRegistryRecommendationDetailsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04). +- For customers using either [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability) or [inventory collected via the Defender sensor running on GKE nodes](defender-for-containers-enable.md#enablement-method-per-capability), Defender for Cloud also creates a [recommendation](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/GcpContainersRuntimeRecommendationDetailsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165) for remediating vulnerabilities for vulnerable images running on a GKE cluster. For customers using only [Agentless discovery for Kubernetes](defender-for-containers-enable.md#enablement-method-per-capability), the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the [Defender sensor](defender-for-containers-enable.md#enablement-method-per-capability) benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours. > [!NOTE] > For [Defender for Container Registries (deprecated)](defender-for-container-registries-introduction.md), images are scanned once on push, on pull, and rescanned only once a week. |
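Review bot: The "older recommendations" table re-added here keeps mismatched assessment keys. The registry row links to assessmentKey/5cc3a2c1-8397-456f-8792-fe9d0d4c9145 but lists c27441ae-775c-45be-8ffa-655de37362ce in the Assessment Key column, and the running-images row links to e538731a-80c8-4317-a119-13075e002516 but lists 5cc3a2c1-8397-456f-8792-fe9d0d4c9145. Since the table is being rewritten anyway, make each key column match the key in its own link. The added scan-process bullets also pair the new keys with the old `GcpContainerRegistryRecommendationDetailsBlade` and `GcpContainersRuntimeRecommendationDetailsBlade` paths instead of the `RecommendationsBlade` form used in the new table.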
defender-for-cloud | Attack Path Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/attack-path-api.md | + + Title: Retrieve attack path data with API +description: Learn how to Retrieve attack path data with APIs in Microsoft Defender for Cloud and enhance the security of your environment. +++ Last updated : 03/03/2024+#customer intent: As a developer, I want to learn how to retrieve attack path data with APIs in Microsoft Defender for Cloud so that I can enhance the security of my environment. +++# Retrieve attack path data with API ++You can consume attack path data programmatically by querying Azure Resource Graph (ARG) API. +Learn [how to query ARG API](/rest/api/azureresourcegraph/resourcegraph(2020-04-01-preview)/resources/resources?source=recommendations&tabs=HTTP). ++## Consume attack path data programmatically using API ++The following examples show sample ARG queries that you can run: ++**Get all attack paths in subscription ΓÇÿXΓÇÖ**: ++```kusto +securityresources +| where type == "microsoft.security/attackpaths" +| where subscriptionId == <SUBSCRIPTION_ID> +``` ++**Get all instances for a specific attack path**: +For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`. 
++```kusto +securityresources +| where type == "microsoft.security/attackpaths" +| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26" +| extend AttackPathDisplayName = tostring(properties["displayName"]) +| where AttackPathDisplayName == "<DISPLAY_NAME>" +``` ++### API response schema ++The following table lists the data fields returned from the API response: ++| Field | Description | +|--|--| +| ID | The Azure resource ID of the attack path instance| +| Name | The Unique identifier of the attack path instance| +| Type | The Azure resource type, always equals `microsoft.security/attackpaths`| +| Tenant ID | The tenant ID of the attack path instance | +| Location | The location of the attack path | +| Subscription ID | The subscription of the attack path | +| Properties.description | The description of the attack path | +| Properties.displayName | The display name of the attack path | +| Properties.attackPathType | The type of the attack path| +| Properties.manualRemediationSteps | Manual remediation steps of the attack path | +| Properties.refreshInterval | The refresh interval of the attack path | +| Properties.potentialImpact | The potential impact of the attack path being breached | +| Properties.riskCategories | The categories of risk of the attack path | +| Properties.entryPointEntityInternalID | The internal ID of the entry point entity of the attack path | +| Properties.targetEntityInternalID | The internal ID of the target entity of the attack path | +| Properties.assessments | Mapping of entity internal ID to the security assessments on that entity | +| Properties.graphComponent | List of graph components representing the attack path | +| Properties.graphComponent.insights | List of insights graph components related to the attack path | +| Properties.graphComponent.entities | List of entities graph components related to the attack path | +| Properties.graphComponent.connections | List of connections graph components related to the attack path | 
+| Properties.AttackPathID | The unique identifier of the attack path instance | ++## Next step ++> [!div class="nextstepaction"] +> [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md). |
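Review bot: The second sample query hard-codes a subscription GUID (`where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26"`), while the first uses the placeholder `<SUBSCRIPTION_ID>` without quotes. Use the quoted placeholder `"<SUBSCRIPTION_ID>"` in both: it keeps an identifier that looks like a real subscription out of published docs, and the first query does not parse once a GUID is pasted in unquoted. In the schema table, `Name` and `Properties.AttackPathID` carry the same description, so say how they differ or drop one. The `description` metadata also capitalizes "Retrieve" mid-sentence.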
defender-for-cloud | Concept Regulatory Compliance Standards | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-regulatory-compliance-standards.md | Title: Regulatory compliance standards in Microsoft Defender for Cloud -description: Learn about regulatory compliance standards in Microsoft Defender for Cloud - Previously updated : 11/27/2023+ Title: Regulatory compliance in Defender for Cloud +description: Learn about regulatory compliance standards and certification in Microsoft Defender for Cloud, and how it helps ensure compliance with industry regulations. +++ Last updated : 03/31/2024+#customer intent: As a cloud security professional, I want to understand how Defender for Cloud helps me meet regulatory compliance standards, so that I can ensure my organization is compliant with industry standards and regulations. -# Regulatory compliance standards +# Regulatory compliance standards in Microsoft Defender for Cloud Microsoft Defender for Cloud streamlines the regulatory compliance process by helping you to identify issues that are preventing you from meeting a particular compliance standard, or achieving compliance certification. By default, when you enable Defender for Cloud, the following standards are enab - For **AWS**: [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) and [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html). - For **GCP**: [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) and **GCP Default**. 
-## Next steps +## Available regulatory standards ++The following regulatory standards are available in Defender for Cloud: ++| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects | +|--|--|--| +| Australian Government ISM Protected | AWS Foundational Security Best Practices | Brazilian General Personal Data Protection Law (LGPD)| +| Canada Federal PBMM | AWS Well-Architected Framework | California Consumer Privacy Act (CCPA)| +| CIS Azure Foundations | Brazilian General Personal Data Protection Law (LGPD) | CIS Controls| +| CMMC | California Consumer Privacy Act (CCPA) | CIS GCP Foundations| +| FedRAMP ΓÇÿHΓÇÖ & ΓÇÿMΓÇÖ | CIS AWS Foundations | CIS Google Cloud Platform Foundation Benchmark| +| HIPAA/HITRUST | CRI Profile | CIS Google Kubernetes Engine (GKE) Benchmark| +| ISO/IEC 27001 | CSA Cloud Controls Matrix (CCM) | CRI Profile| +| New Zealand ISM Restricted | GDPR | CSA Cloud Controls Matrix (CCM)| +| NIST SP 800-171 | ISO/IEC 27001 | Cybersecurity Maturity Model Certification (CMMC)| +| NIST SP 800-53 | ISO/IEC 27002 | FFIEC Cybersecurity Assessment Tool (CAT)| +| PCI DSS | NIST Cybersecurity Framework (CSF) | GDPR| +| RMIT Malaysia | NIST SP 800-172 | ISO/IEC 27001| +| SOC 2 | PCI DSS | ISO/IEC 27002| +| SWIFT CSP CSCF | | ISO/IEC 27017| +| UK OFFICIAL and UK NHS | | NIST Cybersecurity Framework (CSF)| +| | | NIST SP 800-53 | +| | | NIST SP 800-171| +| | | NIST SP 800-172| +| | | PCI DSS| +| | | Sarbanes Oxley Act (SOX)| +| | | SOC 2| ++## Related content - [Assign regulatory compliance standards](update-regulatory-compliance-packages.md)-- [Improve regulatory compliance](regulatory-compliance-dashboard.md) |
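Review bot: In the added standards table the GCP column lists both `CIS GCP Foundations` and `CIS Google Cloud Platform Foundation Benchmark`, which read as two names for one benchmark, and CMMC is abbreviated in the Azure column but spelled out in the GCP column. Pick one name per standard so readers can match rows to the compliance dashboard. The change also drops the `Improve regulatory compliance` link from the closing section; if that is not intentional, keep it under Related content.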
defender-for-cloud | Defender For Databases Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-introduction.md | Title: Microsoft Defender for open-source relational databases + Title: What is Defender for open-source databases description: Learn about the benefits and features of Microsoft Defender for open-source relational databases such as PostgreSQL, MySQL, and MariaDB Previously updated : 06/19/2022 Last updated : 04/02/2024 +#customer intent: As a reader, I want to understand the purpose and features of Microsoft Defender for open-source relational databases so that I can make informed decisions about its usage. -# Overview of Microsoft Defender for open-source relational databases +# What is Microsoft Defender for open-source relational databases This plan brings threat protections for the following open-source relational databases: Defender for Cloud detects anomalous activities indicating unusual and potential ## Availability -| Aspect | Details | -|--|:-| -| Release state: | General availability (GA) | -| Pricing: | **Microsoft Defender for open-source relational databases** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) | -| Supported environments:|:::image type="icon" source="./media/icons/yes-icon.png"::: PaaS<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Arc-enabled machines | -| Protected versions of PostgreSQL: | Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md). Flexible Server - all pricing tiers (enablement is currently only supported at resource level).| -| Protected versions of MySQL: | Single Server - General Purpose and Memory Optimized. Learn more in [MySQL pricing tiers](../mysql/concepts-pricing-tiers.md). | -| Protected versions of MariaDB: | General Purpose and Memory Optimized. 
Learn more in [MariaDB pricing tiers](../mariadb/concepts-pricing-tiers.md). | -| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br> :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Microsoft Azure operated by 21Vianet | +Check out the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) for pricing information for Microsoft Defender for open-source relational databases. ++Defender for open-source relational database is supported on PaaS environments and not on Azure Arc-enabled machines. ++**Protected versions of PostgreSQL include**: +- Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md). +- Flexible Server - all pricing tiers. ++**Protected versions of MySQL include**: +- Single Server - General Purpose and Memory Optimized. Learn more in [MySQL pricing tiers](../mysql/concepts-pricing-tiers.md). +- Flexible Server - all pricing tiers. ++**Protected versions of MariaDB include**: +- General Purpose and Memory Optimized. Learn more in [MariaDB pricing tiers](../mariadb/concepts-pricing-tiers.md). ++View [cloud availability](support-matrix-cloud-environment.md#cloud-support) for Defender for open-source relational databases ## What are the benefits of Microsoft Defender for open-source relational databases? 
These alerts appear in Defender for Cloud's security alerts page and include: Threat intelligence enriched security alerts are triggered when there are: -- **Anomalous database access and query patterns** - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)-- **Suspicious database activities** - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server-- **Brute-force attacks** ΓÇô With the ability to separate simple brute force from brute force on a valid user or a successful brute force+- **Anomalous database access and query patterns** - For example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt). +- **Suspicious database activities** - For example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server. +- **Brute-force attacks** ΓÇô With the ability to separate simple brute force or a successful brute force. > [!TIP] > View the full list of security alerts for database servers [in the alerts reference page](alerts-reference.md#alerts-for-open-source-relational-databases). -## Next steps --In this article, you learned about Microsoft Defender for open-source relational databases. +## Related articles -> [!div class="nextstepaction"] -> [Enable enhanced protections](enable-enhanced-security.md) +- [Enable Microsoft Defender for open-source relational databases and respond to alerts](defender-for-databases-usage.md) +- [Common questions about Defender for Databases](faq-defender-for-databases.yml) |
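Review bot: The rewritten brute-force bullet no longer parses: `separate simple brute force or a successful brute force` lost the `from brute force on a valid user` part, so it is unclear what is separated from what, and one of the three alert categories disappears from the description. Restore the original wording and only add the trailing period. Separately, the Availability rewrite removes the note that Flexible Server enablement is only supported at resource level; confirm the restriction is really gone rather than just unlisted. The new H1 is phrased as a question but has no question mark.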
defender-for-cloud | Defender For Databases Usage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-usage.md | Title: Setting up and responding to alerts from Microsoft Defender for open-source relational databases -description: Learn how to configure Microsoft Defender for open-source relational databases to detect anomalous database activities indicating potential security threats to the database. Previously updated : 11/09/2021+ Title: Microsoft Defender for open-source relational databases +description: Configure Microsoft Defender for open-source relational databases to detect potential security threats. Last updated : 04/02/2024 +#customer intent: As a reader, I want to learn how to configure Microsoft Defender for open-source relational databases to enhance the security of my databases. + # Enable Microsoft Defender for open-source relational databases and respond to alerts Microsoft Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases for the following Defender for Cloud sends email notifications when it detects anomalous database 1. For additional details and recommended actions for investigating the current threat and remediating future threats, select a specific alert. - :::image type="content" source="media/defender-for-databases-usage/specific-alert-details.png" alt-text="Details of a specific alert." lightbox="media/defender-for-databases-usage/specific-alert-details.png"::: + :::image type="content" source="media/defender-for-databases-usage/specific-alert-details.png" alt-text="Screenshot that shows the details of a specific alert." lightbox="media/defender-for-databases-usage/specific-alert-details.png"::: > [!TIP] > For a detailed tutorial on how to handle your alerts, see [Manage and respond to alerts](tutorial-security-incident.md). 
-## Next steps +## Next step -- [Automate responses to Defender for Cloud triggers](workflow-automation.md)-- [Stream alerts to a SIEM, SOAR, or ITSM solution](export-to-siem.md)-- [Suppress alerts from Defender for Cloud](alerts-suppression-rules.md)+> [!div class="nextstepaction"] +> [Automate responses to Defender for Cloud triggers](workflow-automation.md) |
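Review bot: The Next step block now keeps only the workflow automation link and drops `Stream alerts to a SIEM, SOAR, or ITSM solution` and `Suppress alerts from Defender for Cloud`. Both belong to responding to alerts, which is what this article covers, so move them to a Related content list instead of deleting them. The new title `Microsoft Defender for open-source relational databases` also no longer says that this is the enable-and-respond article, and it matches the title that was just removed from the introduction article.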
defender-for-cloud | Disable Vulnerability Findings Containers Secure Score | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/disable-vulnerability-findings-containers-secure-score.md | + + Title: Creating exemptions and disabling vulnerabilities (Secure score) +description: Learn how to create exemptions and disable vulnerabilities (Secure score) + Last updated : 07/09/2023+++# Create exemptions and disable vulnerability assessment findings on Container registry images and running images (Secure score) ++>[!NOTE] +>You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to [create an exemption](exempt-resource.md) for a resource or subscription. ++If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise. ++When a finding matches the criteria you defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples include: ++- Disable findings with severity below medium +- Disable findings for images that the vendor won't fix ++> [!IMPORTANT] +> To create a rule, you need permissions to edit a policy in Azure Policy. +> Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy). ++You can use a combination of any of the following criteria: ++- **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346. +- **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. 
Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c` +- **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17 +- **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than the specified severity level. +- **Fix status** - Select the option to exclude vulnerabilities based on their fix status. ++Disable rules apply per recommendation, for example, to disable [CVE-2017-17512](https://github.com/advisories/GHSA-fc69-2v7r-7r95) both on the registry images and runtime images, the disable rule has to be configured in both places. ++> [!NOTE] +> The [Azure Preview Supplemental Terms](//azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. ++ To create a rule: ++1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management +](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**. ++1. Select the relevant scope. ++1. Define your criteria. You can use any of the following criteria: ++ - **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. 
For example, CVE-2020-1347; CVE-2020-1346. + - **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c` + - **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17 + - **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level. + - **Fix status** - Select the option to exclude vulnerabilities based on their fix status. ++1. In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule. ++1. Select **Apply rule**. ++ :::image type="content" source="./media/disable-vulnerability-findings-containers/disable-rules-secure-score.png" alt-text="Screenshot showing where to create a disable rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/disable-rules.png"::: ++ > [!IMPORTANT] + > Changes might take up to 24 hours to take effect. ++**To view, override, or delete a rule:** ++1. From the recommendations detail page, select **Disable rule**. +1. From the scope list, subscriptions with active rules show as **Rule applied**. +1. To view or delete the rule, select the ellipsis menu ("..."). +1. Do one of the following: + - To view or override a disable rule - select **View rule**, make any changes you want, and select **Override rule**. + - To delete a disable rule - select **Delete rule**. 
++ :::image type="content" source="./media/disable-vulnerability-findings-containers/override-rules.png" alt-text="Screenshot showing where to view, delete or override a rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/override-rules.png"::: ++## Next steps ++- Learn how to [view and remediate vulnerability assessment findings for registry images](view-and-remediate-vulnerability-assessment-findings.md). +- Learn about [agentless container posture](concept-agentless-containers.md). |
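Review bot: Minimum Severity is described two ways in this new article: the first criteria list says it excludes vulnerabilities `less than the specified severity level`, the list under step 3 says `less than and equal to`. The difference decides whether findings at the selected level are suppressed, so state the actual behaviour once; the criteria list is otherwise duplicated verbatim and one copy can go. Also check the first screenshot, whose `source` is `disable-rules-secure-score.png` but whose `lightbox` is `disable-rules.png`, and the line break inside the second recommendation link text in step 1.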
defender-for-cloud | Disable Vulnerability Findings Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/disable-vulnerability-findings-containers.md | Disable rules apply per recommendation, for example, to disable [CVE-2017-17512] > [!NOTE] > The [Azure Preview Supplemental Terms](//azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - To create a rule: +## To create a rule -1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management -](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**. +1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) or [Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0), select **Disable rule**. 1. Select the relevant scope. Disable rules apply per recommendation, for example, to disable [CVE-2017-17512] > [!IMPORTANT] > Changes might take up to 24 hours to take effect. -**To view, override, or delete a rule:** +## To view, override, or delete a rule 1. 
From the recommendations detail page, select **Disable rule**. 1. From the scope list, subscriptions with active rules show as **Rule applied**. |
defender-for-cloud | How To Manage Attack Path | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-attack-path.md | Title: Identify and remediate attack paths in Microsoft Defender for Cloud -description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud + Title: Identify and remediate attack paths +++description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud and enhance the security of your environment. - Previously updated : 12/06/2023 Last updated : 03/05/2024+#customer intent: As a security analyst, I want to learn how to identify and remediate attack paths in Microsoft Defender for Cloud so that I can enhance the security of my environment. # Identify and remediate attack paths Defender for Cloud's contextual security capabilities assists security teams in Attack path analysis helps you to address the security issues that pose immediate threats with the greatest potential of being exploited in your environment. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. It also highlights the security recommendations that need to be resolved in order to mitigate it. -## Availability +By default attack paths are organized by their risk level. The risk level is determined by a context-aware risk-prioritization engine that considers the risk factors of each resource. Learn more about how Defender for Cloud [prioritizes security recommendations](risk-prioritization.md). -| Aspect | Details | -|--|--| -| Release state | GA (General Availability) | -| Prerequisites | - [Enable agentless scanning](enable-vulnerability-assessment-agentless.md), or [Enable Defender for Server P1 (which includes MDVM)](defender-for-servers-introduction.md) or [Defender for Server P2 (which includes MDVM and Qualys)](defender-for-servers-introduction.md). 
<br> - [Enable Defender CSPM](enable-enhanced-security.md) <br> - Enable agentless container posture extension in Defender CSPM, or [Enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer. | -| Required plans | - Defender Cloud Security Posture Management (CSPM) enabled | -| Required roles and permissions: | - **Security Reader** <br> - **Security Admin** <br> - **Reader** <br> - **Contributor** <br> - **Owner** | -| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds (Azure, AWS, GCP) <br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet) | +## Prerequisites -## Features of the attack path overview page +You must [enable Defender Cloud Security Posture Management (CSPM)](enable-enhanced-security.md) and have [agentless scanning](enable-vulnerability-assessment-agentless.md) enabled. -The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths. +- You must enable [Defender for Server P1 (which includes MDVM)](defender-for-servers-introduction.md) or [Defender for Server P2 (which includes MDVM and Qualys)](defender-for-servers-introduction.md). +**To view attack paths that are related to containers**: -On this page you can organize your attack paths based on risk level, name, environment, paths count, risk factors, entry point, target, the number of affected resources, or the number of active recommendations. 
+- You must [enable agentless container posture extension](tutorial-enable-cspm-plan.md) in Defender CSPM + or +- You can [enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This also gives you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer. -For each attack path, you can see all of risk factors and any affected resources. +- **Required roles and permissions**: Security Reader, Security Admin, Reader, Contributor or Owner. -The potential risk factors include credentials exposure, compute abuse, data exposure, subscription and account takeover. +## Identify attack paths -Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md). +The attack path page shows you an overview of all of your attack paths. You can also see your affected resources and a list of active attack paths. -## Investigate and remediate attack paths You can use Attack path analysis to locate the biggest risks to your environment and to remediate them. -**To investigate and remediate an attack path**: +**To identify attack paths**: 1. Sign in to the [Azure portal](https://portal.azure.com). You can use Attack path analysis to locate the biggest risks to your environmen 1. Select a node. - :::image type="content" source="media/how-to-manage-cloud-map/node-select.png" alt-text="Screenshot of the attack path screen that shows you where the nodes are located for selection." lightbox="media/how-to-manage-cloud-map/node-select.png"::: + :::image type="content" source="media/how-to-manage-attack-path/node-select.png" alt-text="Screenshot of the attack path screen that shows you where the nodes are located for selection." lightbox="media/how-to-manage-attack-path/node-select.png"::: 1. 
Select **Insight** to view the associated insights for that node. - :::image type="content" source="media/how-to-manage-cloud-map/insights.png" alt-text="Screenshot of the insights tab for a specific node." lightbox="media/how-to-manage-cloud-map/insights.png"::: + :::image type="content" source="media/how-to-manage-attack-path/insights.png" alt-text="Screenshot of the insights tab for a specific node." lightbox="media/how-to-manage-attack-path/insights.png"::: 1. Select **Recommendations**. - :::image type="content" source="media/how-to-manage-cloud-map/attack-path-recommendations.png" alt-text="Screenshot that shows you where to select recommendations on the screen." lightbox="media/how-to-manage-cloud-map/attack-path-recommendations.png"::: + :::image type="content" source="media/how-to-manage-attack-path/attack-path-recommendations.png" alt-text="Screenshot that shows you where to select recommendations on the screen." lightbox="media/how-to-manage-attack-path/attack-path-recommendations.png"::: 1. Select a recommendation. -1. Follow the remediation steps to remediate the recommendation. +1. [Remediate the recommendation](implement-security-recommendations.md). ++## Remediate attack paths ++Once you have investigated an attack path and reviewed all of the associated findings and recommendations, you can start to remediate the attack path. ++**To remediate an attack path**: ++1. Navigate to **Microsoft Defender for Cloud** > **Attack path analysis**. ++1. Select an attack path. -1. Select other nodes as necessary and view their insights and recommendations as necessary. +1. Select **Remediation**. ++ :::image type="content" source="media/how-to-manage-attack-path/recommendations-tab.png" alt-text="Screenshot of the attack path that shows you where to select remediation." lightbox="media/how-to-manage-attack-path/recommendations-tab.png"::: ++1. Select a recommendation. ++1. [Remediate the recommendation](implement-security-recommendations.md). 
Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list. -## View all recommendations with attack path +## Remediate all recommendations within an attack path -Attack path analysis also gives you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually. +Attack path analysis grants you the ability to see all recommendations by attack path without having to check each node individually. You can resolve all recommendations without having to view each node individually. The remediation path contains two types of recommendation: The remediation path contains two types of recommendation: 1. Select **Remediation**. - :::image type="content" source="media/how-to-manage-cloud-map/bulk-recommendations.png" alt-text="Screenshot that shows where to select on the screen to see the attack paths full list of recommendations." lightbox="media/how-to-manage-cloud-map/bulk-recommendations.png"::: + :::image type="content" source="media/how-to-manage-attack-path/bulk-recommendations.png" alt-text="Screenshot that shows where to select on the screen to see the attack paths full list of recommendations." lightbox="media/how-to-manage-attack-path/bulk-recommendations.png"::: ++1. Expand **Additional recommendations**. 1. Select a recommendation. -1. Follow the remediation steps to remediate the recommendation. +1. [Remediate the recommendation](implement-security-recommendations.md). Once an attack path is resolved, it can take up to 24 hours for an attack path to be removed from the list. -## Consume attack path data programmatically using API --You can consume attack path data programmatically by querying Azure Resource Graph (ARG) API. -Learn [how to query ARG API](/rest/api/azureresourcegraph/resourcegraph(2020-04-01-preview)/resources/resources?source=recommendations&tabs=HTTP). 
--The following examples show sample ARG queries that you can run: --**Get all attack paths in subscription ΓÇÿXΓÇÖ**: --```kusto -securityresources -| where type == "microsoft.security/attackpaths" -| where subscriptionId == <SUBSCRIPTION_ID> -``` --**Get all instances for a specific attack path**: -For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`. --```kusto -securityresources -| where type == "microsoft.security/attackpaths" -| where subscriptionId == "212f9889-769e-45ae-ab43-6da33674bd26" -| extend AttackPathDisplayName = tostring(properties["displayName"]) -| where AttackPathDisplayName == "<DISPLAY_NAME>" -``` --### API response schema --The following table lists the data fields returned from the API response: --| Field | Description | -|--|--| -| ID | The Azure resource ID of the attack path instance| -| Name | The Unique identifier of the attack path instance| -| Type | The Azure resource type, always equals `microsoft.security/attackpaths`| -| Tenant ID | The tenant ID of the attack path instance | -| Location | The location of the attack path | -| Subscription ID | The subscription of the attack path | -| Properties.description | The description of the attack path | -| Properties.displayName | The display name of the attack path | -| Properties.attackPathType | The type of the attack path| -| Properties.manualRemediationSteps | Manual remediation steps of the attack path | -| Properties.refreshInterval | The refresh interval of the attack path | -| Properties.potentialImpact | The potential impact of the attack path being breached | -| Properties.riskCategories | The categories of risk of the attack path | -| Properties.entryPointEntityInternalID | The internal ID of the entry point entity of the attack path | -| Properties.targetEntityInternalID | The internal ID of the target entity of the attack path | -| Properties.assessments | Mapping of entity internal ID to the security assessments on that 
entity | -| Properties.graphComponent | List of graph components representing the attack path | -| Properties.graphComponent.insights | List of insights graph components related to the attack path | -| Properties.graphComponent.entities | List of entities graph components related to the attack path | -| Properties.graphComponent.connections | List of connections graph components related to the attack path | -| Properties.AttackPathID | The unique identifier of the attack path instance | --## Next Steps --Learn how to [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md). +## Next Step ++> [!div class="nextstepaction"] +> [build queries with cloud security explorer](how-to-manage-cloud-security-explorer.md). |
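Review bot: The removed section "## Consume attack path data programmatically using API" takes both Azure Resource Graph sample queries and the API response schema table out of this article, and nothing visible in this change links to a new home for them. If the content moved, add a pointer from this page; if it is being retired, say so in the commit message. Smaller points in the added text: the new heading is "## Next Step" while the sibling articles in this batch use "## Next step", the link text "build queries with cloud security explorer" should start with a capital, and the rewritten opening of "Remediate all recommendations within an attack path" still has two consecutive sentences ending in "each node individually", so one of them can go.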
defender-for-cloud | How To Manage Cloud Security Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/how-to-manage-cloud-security-explorer.md | Title: Build queries with cloud security explorer in Microsoft Defender for Cloud -description: Learn how to build queries with cloud security explorer in Microsoft Defender for Cloud + Title: Build queries with cloud security explorer +description: Learn how to build queries with cloud security explorer in Microsoft Defender for Cloud to proactively identify security risks in your cloud environment. Previously updated : 11/01/2023 Last updated : 02/29/2024+++ai-usage: ai-assisted +# Customer Intent: As a security professional, I want to learn how to build queries with cloud security explorer in Microsoft Defender for Cloud so that I can proactively identify security risks in my cloud environment and improve my security posture. # Build queries with cloud security explorer Defender for Cloud's contextual security capabilities assists security teams in reducing the risk of impactful breaches. Defender for Cloud uses environmental context to perform a risk assessment of your security issues, identifies the biggest security risks, and distinguishes them from less risky issues. -Use the cloud security explorer, to proactively identify security risks in your cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine. You can prioritize your security team's concerns, while taking your organization's specific context and conventions into account. +Use the cloud security explorer, to proactively identify security risks in your cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine. You can prioritize your security team's concerns, while taking your organization's specific context and conventions into account. 
With the cloud security explorer, you can query all of your security issues and environment context such as assets inventory, exposure to internet, permissions, and lateral movement between resources and across multiple clouds (Azure AWS, and GCP). -Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md). --## Availability --| Aspect | Details | -|--|--| -| Release state | GA (General Availability) | -| Required plans | - Defender Cloud Security Posture Management (CSPM) enabled<br>- Defender for Servers P2 customers can use the explorer UI to query for keys and secrets, but must have Defender CSPM enabled to get the full value of the Explorer. | -| Required roles and permissions: | - **Security Reader** <br> - **Security Admin** <br> - **Reader** <br> - **Contributor** <br> - **Owner** | -| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds (Azure, AWS, GCP) <br>:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds <br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet) | - ## Prerequisites -- You must [enable Defender CSPM](enable-enhanced-security.md).- - For agentless container posture, you must enable the following extensions: - - Agentless discovery for Kubernetes (preview) - - Container registries vulnerability assessments (preview) +- You must [enable Defender CSPM](enable-enhanced-security.md) + - You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md). 
+ + For agentless container posture, you must enable the following extensions: + - [Agentless discovery for Kubernetes](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan) + - [Agentless container vulnerability assessment](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan) -- You must [enable agentless scanning](enable-vulnerability-assessment-agentless.md).+ > [!NOTE] + > If you only have [Defender for Servers P2](tutorial-enable-servers-plan.md) plan 2 enabled, you can use the cloud security explorer to query for keys and secrets, but you must have Defender CSPM enabled to get the full value of the explorer. - Required roles and permissions: - Security Reader Use the query link to share a query with other people. After creating a query, s :::image type="content" source="media/how-to-manage-cloud-security/cloud-security-explorer-share-query.png" alt-text="Screenshot showing the Share Query Link icon." lightbox="media/how-to-manage-cloud-security/cloud-security-explorer-share-query.png"::: -## Next steps --View the [reference list of attack paths and cloud security graph components](attack-path-reference.md). +## Next step -Learn about the [Defender CSPM plan options](concept-cloud-security-posture-management.md). +> [!div class="nextstepaction"] +> [Learn about the cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md) |
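Review bot: Deleting the "## Availability" table drops the release state and the cloud support row (commercial clouds supported, national clouds not), and the new Prerequisites list does not carry that information over; keep at least the cloud support statement somewhere on the page. In the added note, "If you only have [Defender for Servers P2](tutorial-enable-servers-plan.md) plan 2 enabled" names the plan twice, so use one form. The first prerequisite, "You must [enable Defender CSPM](enable-enhanced-security.md)", also lost the closing period it had before the change.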
defender-for-cloud | Implement Security Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/implement-security-recommendations.md | Title: Remediate security recommendations in Microsoft Defender for Cloud -description: Learn how to remediate security recommendations in Microsoft Defender for Cloud. + Title: Remediate recommendations +description: Remediate security recommendations in Microsoft Defender for Cloud to improve the security posture of your environments. -- Previously updated : 03/05/2024++ Last updated : 03/07/2024+ai-usage: ai-assisted +#customer intent: As a security professional, I want to understand how to remediate security recommendations in Microsoft Defender for Cloud so that I can improve my security posture. -# Remediate security recommendations +# Remediate recommendations Resources and workloads protected by Microsoft Defender for Cloud are assessed against built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations provide practical steps to remediate security issues, and improve security posture. -This article describes how to remediate security recommendations in your Defender for Cloud deployment using the latest version of the portal experience. --## Before you start +This article describes how to remediate security recommendations in your Defender for Cloud deployment. Before you attempt to remediate a recommendation you should review it in detail. Learn how to [review security recommendations](review-security-recommendations.md). -> [!IMPORTANT] -> This page discusses how to use the new recommendations experience where you have the ability to prioritize your recommendations by their effective risk level. To view this experience, you must select **Try it now**. 
-> -> :::image type="content" source="media/review-security-recommendations/try-it-now.png" alt-text="Screenshot that shows where the try it now button is located on the recommendations page." lightbox="media/review-security-recommendations/try-it-now.png"::: --## Group recommendations by risk level --Before you start remediating, we recommend grouping your recommendations by risk level in order to remediate the most critical recommendations first. --1. Sign in to the [Azure portal](https://portal.azure.com). --1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**. --1. Select **Group by** > **Primary grouping** > **Risk level** > **Apply**. -- :::image type="content" source="media/implement-security-recommendations/group-by-risk-level.png" alt-text="Screenshot of the recommendations page that shows how to group your recommendations." lightbox="media/implement-security-recommendations/group-by-risk-level.png"::: -- Recommendations are displayed in groups of risk levels. --You can now review critical and other recommendations to understand the recommendation and remediation steps. Use the graph to understand the risk to your business, including which resources are exploitable, and the effect that the recommendation has on your business. +## Remediate a recommendation -## Remediate recommendations --After reviewing recommendations by risk, decide which one to remediate first. +Recommendations are prioritized based on the risk level of the security issue by default. In addition to risk level, we recommend that you prioritize the security controls in the default [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) standard in Defender for Cloud, since these controls affect your [secure score](secure-score-security-controls.md). In addition to risk level, we recommend that you prioritize the security control 1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**. -1. Select a recommendation to remediate. 
+ :::image type="content" source="media/implement-security-recommendations/recommendations-page.png" alt-text="Screenshot of the recommendations page that shows all of the affected resources by their risk level." lightbox="media/implement-security-recommendations/recommendations-page.png"::: ++1. Select a recommendation. 1. Select **Take action**. 1. Locate the Remediate section and follow the remediation instructions. - :::image type="content" source="./media/implement-security-recommendations/security-center-remediate-recommendation.png" alt-text="This screenshot shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/security-center-remediate-recommendation.png"::: + :::image type="content" source="./media/implement-security-recommendations/remediate-recommendation.png" alt-text="This screenshot shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/remediate-recommendation.png"::: ## Use the Fix option -To simplify remediation and improve your environment's security (and increase your secure score), many recommendations include a **Fix** option to help you quickly remediate a recommendation on multiple resources. If the Fix button isn't present in the recommendation, then there's no option to apply a quick fix. +To simplify the remediation process, a Fix button may appear in a recommendation. The Fix button helps you quickly remediate a recommendation on multiple resources. If the Fix button is not present in the recommendation, then there is no option to apply a quick fix, and you must follow the presented remediation steps to address the recommendation. **To remediate a recommendation with the Fix button**: Security admins can fix issues at scale with automatic script generation in AWS Copy and run the script to remediate the recommendation. -## Next steps +## Next step -Learn about [using governance rules in your remediation processes](governance-rules.md). 
+> [!div class="nextstepaction"] +> [Governance rules in your remediation processes](governance-rules.md) |
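Review bot: In the rewritten "Use the Fix option" paragraph, "is not present" and "there is no option" drop the contractions the replaced sentence used ("isn't present", "there's no option"), and the UI label that was bold (**Fix**) is now plain text; restore both so the paragraph matches the rest of the article. The front matter adds "#customer intent:" here, while the cloud security explorer article in the same batch adds "# Customer Intent:"; pick one form. The removed "Group recommendations by risk level" procedure is replaced only by the sentence that recommendations are prioritized by risk level by default, so it is worth stating in that sentence where the reader sees the risk level on the Recommendations page.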
defender-for-cloud | Recommendations Reference Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-aws.md | To learn more about the supported runtimes that this control checks for the supp ## AWS Container recommendations +### [[Preview] Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576) ++**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. ++**Severity**: High ++**Type**: Vulnerability Assessment ++### [[Preview] Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f) ++**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. 
++**Severity**: High ++**Type**: Vulnerability Assessment + ### [EKS clusters should grant the required AWS permissions to Microsoft Defender for Cloud](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7d3a977e-46f1-419a-9046-4bd44db80aac) **Description**: Microsoft Defender for Containers provides protections for your EKS clusters. Enabling managed platform updates ensures that the latest available platform fix ### [Elastic Load Balancer shouldn't have ACM certificate expired or expiring in 90 days.](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/a5e0d700-3de1-469a-96d2-6536d9a92604) -**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM. you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate. +**Description**: This check identifies Elastic Load Balancers (ELB) which are using ACM certificates expired or expiring in 90 days. AWS Certificate Manager (ACM) is the preferred tool to provision, manage, and deploy your server certificates. With ACM, you can request a certificate or deploy an existing ACM or external certificate to AWS resources. As a best practice, it's recommended to reimport expiring/expired certificates while preserving the ELB associations of the original certificate. 
**Severity**: High IAM database authentication allows authentication to database instances with an ### [IAM customer managed policies should not allow decryption actions on all KMS keys](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d088fb9f-11dc-451e-8f79-393916e42bb2) -**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts.This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies. +**Description**: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova), an automated reasoning engine, to validate and warn you about policies that might grant broad access to your secrets across AWS accounts. This control fails if the "kms:Decrypt" or "kms:ReEncryptFrom" actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or AWS managed policies. With AWS KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, AWS recommends that you allow least privilege. 
In other words, you should grant to identities only the "kms:Decrypt" or "kms:ReEncryptFrom" permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that aren't appropriate for your data. Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, don't allow "kms:Decrypt" permission on all KMS keys. Instead, allow "kms:Decrypt" only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data. |
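Review bot: In the second added description ("Containers running in AWS should have vulnerability findings resolved"), the series "is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards" is not parallel: the last verb should be "ensure", or the sentence should be recast like the first description ("helps maintain ..., reduces ..., and ensures ..."). The punctuation fixes in the ACM and KMS descriptions ("With ACM, you" and "accounts. This control") look correct.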
defender-for-cloud | Recommendations Reference Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-gcp.md | At least business critical VMs should have VM disks encrypted with CSEK. ## GCP Container recommendations +### [[Preview] Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04) ++**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. ++**Severity**: High ++**Type**: Vulnerability Assessment ++### [[Preview] Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165) ++**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. 
++**Severity**: High ++**Type**: Vulnerability Assessment + ### [Advanced configuration of Defender for Containers should be enabled on GCP connectors](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/b7683ca3-3a11-49b6-b9d4-a112713edfa3) **Description**: Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. To ensure you the solution is provisioned properly, and the full set of capabilities are available, enable all advanced configuration settings. |
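Review bot: The "Containers running in GCP should have vulnerability findings resolved" description carries the same "ensure ..., reduce ..., and ensures compliance" series as the AWS text; change "ensures" to "ensure" here too so the corrected wording stays identical across the cloud-specific reference pages.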
defender-for-cloud | Recommendations Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference.md | When you restore from a recovery point, you can restore the whole VM or specific **Severity**: Low -### [EDR solution should be installed on Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c) +### [EDR solution should be installed on Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c) **Description**: Installing an Endpoint Detection and Response (EDR) solution on virtual machines is important for protection against advanced threats. EDRs aid in preventing, detecting, investigating, and responding to these threats. Microsoft Defender for Servers can be used to deploy Microsoft Defender for Endpoint. If a resource is classified as "Unhealthy", it indicates the absence of a supported EDR solution. If an EDR solution is installed but not discoverable by this recommendation, it can be exempted. Without an EDR solution, the virtual machines are at risk of advanced threats. Learn more about [Trusted launch for Azure virtual machines](../virtual-machines ## Container recommendations +### [[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9) ++**Description**: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. 
++**Severity**: High ++**Type**: Vulnerability Assessment ++### [[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0) ++**Description**: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. ++**Severity**: High ++**Type**: Vulnerability Assessment + ### [(Enable if required) Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/af560c4d-9c05-e073-b9f1-f7a94958ff25) **Description**: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements. Privileged containers have all of the root capabilities of a host machine. They ### [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) +> [!IMPORTANT] +> This recommendation is on a retirement path. 
It is being replaced by the recommendation [[[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)](#preview-container-images-in-azure-registry-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey33422d8f-ab1e-42be-bc9a-38685bb567b9). + **Description**: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. (Related policy: [Vulnerabilities in Azure Container Registry images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f5f0f936f-2f01-4bf5-b6be-d423792fa562)). Privileged containers have all of the root capabilities of a host machine. They **Type**: Vulnerability Assessment -### [Azure running container images should have vulnerabilities resolved - (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c) --**Description**: Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
-(No related policy) --**Severity**: High --**Type**: Vulnerability Assessment - ### [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5) +> [!IMPORTANT] +> This recommendation is on a retirement path. It is being replaced by the recommendation [[[Preview] Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)](#preview-containers-running-in-azure-should-have-vulnerability-findings-resolvedhttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeye9acaf48-d2cf-45a3-a6e7-3caa2ef769e0). + **Description**: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. **Severity**: High |
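Review bot: Both added retirement notices nest one link inside another, "[[[Preview] Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/...)](#preview-container-images-in-azure-registry-...)", and the in-page anchor has the portal URL folded into its slug. Markdown does not support nested links, so use plain link text pointing at the in-page anchor only, and check that the anchor resolves. Also, the Qualys-powered "Azure running container images should have vulnerabilities resolved" entry is deleted outright while the two Microsoft Defender Vulnerability Management entries get a retirement notice; if it is retired as well, a short notice naming its replacement would be consistent.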
defender-for-cloud | Release Notes |