+ Title: Export cost savings in Azure Advisor

+description: Export cost savings in Azure Advisor and calculate the aggregated potential yearly savings by using the cost savings amount for each recommendation.

+# Export cost savings

+To calculate aggregated potential yearly savings, follow these steps:

+1. Sign in to the [**Azure portal**](https://portal.azure.com).

+1. Search for and select [**Advisor**](https://aka.ms/azureadvisordashboard) from any page.\

+The Advisor **Overview** page opens.

+1. Export cost recommendations by navigating to the **Cost** tab on the left navigation menu and choosing **Download as CSV**.

+1. Use the cost savings amount for each recommendation to calculate aggregated potential yearly savings.

+ [](./media/advisor-how-to-calculate-total-cost-savings.png#lightbox)

+> [!NOTE]

+> Recommendations show savings individually, and may overlap with the savings shown in other recommendations, for example ΓÇô you can only benefit from savings plans for compute or reservations for virtual machines, but not from both.

+### Migrate Azure Front Door (classic) to Standard/Premium tier

+On 31 March 2027, Azure Front Door (classic) will be retired for the public cloud, and youΓÇÖll need to migrate to Front Door Standard or Premium by that date.

+Beginning 1 April 2025, youΓÇÖll no longer be able to create new Front Door (classic) resources via the Azure portal, Terraform, or any command line tools. However, you can continue to make modifications to existing resources until Front Door (classic) is fully retired.

+Azure Front Door Standard and Premium combine the capabilities of static and dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations

+Learn more about [Azure Front Door (classic) will be retired on 31 March 2027](https://azure.microsoft.com/updates/azure-front-door-classic-will-be-retired-on-31-march-2027/).

+> [!IMPORTANT]

+> After you deploy a customized model, if at any time the deployment remains inactive for greater than fifteen (15) days,

+> the deployment is deleted. The deployment of a customized model is _inactive_ if the model was deployed more than fifteen (15) days ago

+> and no completions or chat completions calls were made to it during a continuous 15-day period.

+>

+> The deletion of an inactive deployment doesn't delete or affect the underlying customized model,

+> and the customized model can be redeployed at any time.

+>

+> Each customized (fine-tuned) model that's deployed incurs an hourly hosting cost regardless of whether completions

+> or chat completions calls are being made to the model. .

+Azure AI Services and Azure OpenAI provide control plane endpoints for operations such as listing model deployments. These endpoints are secured using a separate Azure role-based access control (Azure RBAC) configuration than the one used for Azure AI hub.

+## Attribute-based access control

+Each AI hub you create has a default storage account. Each child AI project of the AI hub inherits the storage account of the AI hub. The storage account is used to store data and artifacts.

+To secure the shared storage account, Azure AI Studio uses both Azure RBAC and Azure attribute-based access control (Azure ABAC). Azure ABAC is a security model that defines access control based on attributes associated with the user, resource, and environment. Each AI project has:

+- A service principal that is assigned the Storage Blob Data Contributor role on the storage account.

+- A unique ID (workspace ID).

+- A set of containers in the storage account. Each container has a prefix that corresponds to the workspace ID value for the AI project.

+The role assignment for each AI project's service principal has a condition that only allows the service principal access to containers with the matching prefix value. This condition ensures that each AI project can only access its own containers.

+> [!NOTE]

+> For data encryption in the storage account, the scope is the entire storage and not per-container. So all containers are encrypted using the same key (provided either by Microsoft or by the customer).

+For more information on Azure access-based control, see [What is Azure attribute-based access control](/azure/role-based-access-control/conditions-overview).

+Azure AI Studio uses encryption to protect data at rest and in transit. By default, Microsoft-managed keys are used for encryption. However you can use your own encryption keys. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).

+Microsoft manages host OS virtual machine (VM) images for compute instances and serverless compute clusters. The update frequency is monthly and includes the following details:

+* In addition to patches that the original publisher applies, Microsoft updates system packages when updates are available.

+* Microsoft checks and validates any machine learning packages that might require an upgrade. In most circumstances, new VM images contain the latest package versions.

+* All VM images are built on secure subscriptions that run vulnerability scanning regularly. Microsoft flags any unaddressed vulnerabilities and fixes them within the next release.

+* The frequency is a monthly interval for most images. For compute instances, the image release is aligned with the release cadence of the Azure AI SDK that's preinstalled in the environment.

+In addition to the regular release cadence, Microsoft applies hotfixes if vulnerabilities surface. Microsoft rolls out hotfixes within 72 hours for serverless compute clusters and within a week for compute instances.

+[Base docker images](https://github.com/Azure/AzureML-Containers) that Microsoft maintains for Azure AI Studio get security patches frequently to address newly discovered vulnerabilities.

+Microsoft releases updates for supported images every two weeks to address vulnerabilities. As a commitment, we aim to have no vulnerabilities older than 30 days in the latest version of supported images.

+Although Microsoft patches base images with each release, whether you use the latest image might be tradeoff between reproducibility and vulnerability management. It's your responsibility to choose the environment version that you use for your jobs or model deployments.

+Associated with your AI hub resource is an Azure Container Registry instance that functions as a cache for container images. Any image that materializes is pushed to the container registry. The AI hub uses it when deployment is triggered for the corresponding environment.

+Although OS VM images are regularly patched, Microsoft doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation of your computes.

+We have two network isolation aspects. One is the network isolation to access an Azure AI. Another is the network isolation of computing resources in your Azure AI and Azure AI projects such as Compute Instance, Serverless and Managed Online Endpoint. This document explains the former highlighted in the diagram. You can use private link to establish the private connection to your Azure AI and its default resources. This article is for Azure AI. For information on Azure AI Services, see the [Azure AI Services documentation](/azure/ai-services/cognitive-services-virtual-networks).

+ Title: How to deploy Cohere Command models with Azure AI Studio

+description: Learn how to deploy Cohere Command models with Azure AI Studio.

+# How to deploy Cohere Command models with Azure AI Studio

+In this article, you learn how to use Azure AI Studio to deploy the Cohere Command models as a service with pay-as you go billing.

+Cohere offers two Command models in [Azure AI Studio](https://ai.azure.com). These models are available with pay-as-you-go token based billing with Models as a Service.

+* Cohere Command R

+* Cohere Command R+

+You can browse the Cohere family of models in the [Model Catalog](model-catalog.md) by filtering on the Cohere collection.

+## Models

+In this article, you learn how to use Azure AI Studio to deploy the Cohere models as a service with pay-as-you-go billing.

+### Cohere Command R

+Command R is a highly performant generative large language model, optimized for various use cases including reasoning, summarization, and question answering.

+*Model Architecture:* An auto-regressive language model that uses an optimized transformer architecture. After pretraining, this model uses supervised fine-tuning (SFT) and preference training to align model behavior to human preferences for helpfulness and safety.

+*Languages covered:* The model is optimized to perform well in the following languages: English, French, Spanish, Italian, German, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, and Arabic.

+Pre-training data additionally included the following 13 languages: Russian, Polish, Turkish, Vietnamese, Dutch, Czech, Indonesian, Ukrainian, Romanian, Greek, Hindi, Hebrew, Persian.

+*Context length:* Command R supports a context length of 128K.

+*Input:* Models input text only.

+*Output:* Models generate text only.

+

+### Cohere Command R+

+Command R+ is a highly performant generative large language model, optimized for various use cases including reasoning, summarization, and question answering.

+*Model Architecture:* An auto-regressive language model that uses an optimized transformer architecture. After pretraining, this model uses supervised fine-tuning (SFT) and preference training to align model behavior to human preferences for helpfulness and safety.

+*Languages covered:* The model is optimized to perform well in the following languages: English, French, Spanish, Italian, German, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, and Arabic.

+Pre-training data additionally included the following 13 languages: Russian, Polish, Turkish, Vietnamese, Dutch, Czech, Indonesian, Ukrainian, Romanian, Greek, Hindi, Hebrew, Persian.

+*Context length:* Command R+ supports a context length of 128K.

+*Input:* Models input text only.

+*Output:* Models generate text only.

+## Deploy with pay-as-you-go

+Certain models in the model catalog can be deployed as a service with pay-as-you-go, providing a way to consume them as an API without hosting them on your subscription, while keeping the enterprise security and compliance organizations need. This deployment option doesn't require quota from your subscription.

+The previously mentioned Cohere models can be deployed as a service with pay-as-you-go, and are offered by Cohere through the Microsoft Azure Marketplace. Cohere can change or update the terms of use and pricing of this model.

+### Prerequisites

+- An Azure subscription with a valid payment method. Free or trial Azure subscriptions won't work. If you don't have an Azure subscription, create a [paid Azure account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go) to begin.

+- An [Azure AI hub resource](../how-to/create-azure-ai-resource.md).

+ > [!IMPORTANT]

+ > For Cohere family models, the pay-as-you-go model deployment offering is only available with AI hubs created in EastUS, EastUS2 or Sweden Central regions.

+- An [Azure AI project](../how-to/create-projects.md) in Azure AI Studio.

+- Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure AI Studio. To perform the steps in this article, your user account must be assigned the __Azure AI Developer role__ on the resource group. For more information on permissions, see [Role-based access control in Azure AI Studio](../concepts/rbac-ai-studio.md).

+### Create a new deployment

+To create a deployment:

+1. Sign in to [Azure AI Studio](https://ai.azure.com).

+1. Select **Model catalog** from the **Explore** tab and search for *Cohere*.

+ Alternatively, you can initiate a deployment by starting from your project in AI Studio. From the **Build** tab of your project, select **Deployments** > **+ Create**.

+1. In the model catalog, on the model's **Details** page, select **Deploy** and then **Pay-as-you-go**.

+ :::image type="content" source="../media/deploy-monitor/cohere-command/command-r-deploy-pay-as-you-go.png" alt-text="A screenshot showing how to deploy a model with the pay-as-you-go option." lightbox="../media/deploy-monitor/cohere-command/command-r-deploy-pay-as-you-go.png":::

+1. Select the project in which you want to deploy your model. To deploy the model your project must be in the EastUS, EastUS2 or Sweden Central regions.

+1. In the deployment wizard, select the link to **Azure Marketplace Terms** to learn more about the terms of use.

+1. You can also select the **Marketplace offer details** tab to learn about pricing for the selected model.

+1. If this is your first time deploying the model in the project, you have to subscribe your project for the particular offering. This step requires that your account has the **Azure AI Developer role** permissions on the Resource Group, as listed in the prerequisites. Each project has its own subscription to the particular Azure Marketplace offering of the model, which allows you to control and monitor spending. Select **Subscribe and Deploy**. Currently you can have only one deployment for each model within a project.

+ :::image type="content" source="../media/deploy-monitor/cohere-command/command-r-marketplace-terms.png" alt-text="A screenshot showing the terms and conditions of a given model." lightbox="../media/deploy-monitor/cohere-command/command-r-marketplace-terms.png":::

+1. Once you subscribe the project for the particular Azure Marketplace offering, subsequent deployments of the _same_ offering in the _same_ project don't require subscribing again. If this scenario applies to you, there's a **Continue to deploy** option to select (Currently you can have only one deployment for each model within a project).

+ :::image type="content" source="../media/deploy-monitor/cohere-command/command-r-existing-subscription.png" alt-text="A screenshot showing a project that is already subscribed to the offering." lightbox="../media/deploy-monitor/cohere-command/command-r-existing-subscription.png":::

+1. Give the deployment a name. This name becomes part of the deployment API URL. This URL must be unique in each Azure region.

+ :::image type="content" source="../media/deploy-monitor/cohere-command/command-r-deployment-name.png" alt-text="A screenshot showing how to indicate the name of the deployment you want to create." lightbox="../media/deploy-monitor/cohere-command/command-r-deployment-name.png":::

+1. Select **Deploy**. Wait until the deployment is ready and you're redirected to the Deployments page.

+1. Select **Open in playground** to start interacting with the model.

+1. You can return to the Deployments page, select the deployment, and note the endpoint's **Target** URL and the Secret **Key**. For more information on using the APIs, see the [reference](#chat-api-reference-for-cohere-models-deployed-as-a-service) section.

+1. You can always find the endpoint's details, URL, and access keys by navigating to the **Build** tab and selecting **Deployments** from the Components section.

+To learn about billing for the Cohere models deployed with pay-as-you-go, see [Cost and quota considerations for Cohere models deployed as a service](#cost-and-quota-considerations-for-models-deployed-as-a-service).

+### Consume the Cohere models as a service

+These models can be consumed using the chat API.

+1. On the **Build** page, select **Deployments**.

+1. Find and select the deployment you created.

+1. Copy the **Target** URL and the **Key** value.

+1. Cohere exposes two routes for inference with the Command R and Command R+ models. `v1/chat/completions` adheres to the Azure AI Generative Messages API schema, and `v1/chat` supports Cohere's native API schema.

+For more information on using the APIs, see the [reference](#chat-api-reference-for-cohere-models-deployed-as-a-service) section.

+## Chat API reference for Cohere models deployed as a service

+### v1/chat/completions

+#### Request

+```

+ POST /v1/chat/completions HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/chat/completions request schema

+Cohere Command R and Command R+ accept the following parameters for a `v1/chat/completions` response inference call:

+| Property | Type | Default | Description |

+| | | | |

+| `messages` | `array` | `None` | Text input for the model to respond to. |

+| `max_tokens` | `integer` | `None` | The maximum number of tokens the model generates as part of the response. Note: Setting a low value might result in incomplete generations. If not specified, generates tokens until end of sequence. |

+| `stop` | `array of strings` | `None` | The generated text is cut at the end of the earliest occurrence of a stop sequence. The sequence is included in the text.|

+| `stream` | `boolean` | `False` | When `true`, the response is a JSON stream of events. The final event contains the complete response, and has an `event_type` of `"stream-end"`. Streaming is beneficial for user interfaces that render the contents of the response piece by piece, as it gets generated. |

+| `temperature` | `float` | `0.3` |Use a lower value to decrease randomness in the response. Randomness can be further maximized by increasing the value of the `p` parameter. Min value is 0, and max is 2. |

+| `top_p` | `float` |`0.75` |Use a lower value to ignore less probable options. Set to 0 or 1.0 to disable. If both p and k are enabled, p acts after k. min value of 0.01, max value of 0.99.|

+| `frequency_penalty` | `float` | `0` |Used to reduce repetitiveness of generated tokens. The higher the value, the stronger a penalty is applied to previously present tokens, proportional to how many times they have already appeared in the prompt or prior generation. Min value of 0.0, max value of 1.0.|

+| `presence_penalty` | `float` |`0` |Used to reduce repetitiveness of generated tokens. Similar to `frequency_penalty`, except that this penalty is applied equally to all tokens that have already appeared, regardless of their exact frequencies. Min value of 0.0, max value of 1.0.|

+| `seed` | `integer` |`None` |If specified, the backend makes a best effort to sample tokens deterministically, such that repeated requests with the same seed and parameters should return the same result. However, determinism can't be guaranteed.|

+| `tools` | `list[Tool]` | `None` | A list of available tools (functions) that the model might suggest invoking before producing a text response. |

+`response_format` and `tool_choice` aren't yet supported parameters for the Command R and Command R+ models.

+A System or User Message supports the following properties:

+| Property | Type | Default | Description |

+| | | | |

+| `role` | `enum` | Required | `role=system` or `role=user`. |

+|`content` |`string` |Required |Text input for the model to respond to. |

+An Assistant Message supports the following properties:

+| Property | Type | Default | Description |

+| | | | |

+| `role` | `enum` | Required | `role=assistant`|

+|`content` |`string` |Required |The contents of the assistant message. |

+|`tool_calls` |`array` |None |The tool calls generated by the model, such as function calls. |

+A Tool Message supports the following properties:

+| Property | Type | Default | Description |

+| | | | |

+| `role` | `enum` | Required | `role=tool`|

+|`content` |`string` |Required |The contents of the tool message. |

+|`tool_call_id` |`string` |None |Tool call that this message is responding to. |

+#### v1/chat/completions response schema

+The response payload is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `id` | `string` | A unique identifier for the completion. |

+| `choices` | `array` | The list of completion choices the model generated for the input messages. |

+| `created` | `integer` | The Unix timestamp (in seconds) of when the completion was created. |

+| `model` | `string` | The model_id used for completion. |

+| `object` | `string` | chat.completion. |

+| `usage` | `object` | Usage statistics for the completion request. |

+The `choices` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `index` | `integer` | Choice index. |

+| `messages` or `delta` | `string` | Chat completion result in messages object. When streaming mode is used, delta key is used. |

+| `finish_reason` | `string` | The reason the model stopped generating tokens. |

+The `usage` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `prompt_tokens` | `integer` | Number of tokens in the prompt. |

+| `completion_tokens` | `integer` | Number of tokens generated in the completion. |

+| `total_tokens` | `integer` | Total tokens. |

+#### Examples

+Request:

+```json

+ "messages": [

+ {

+ "role": "user",

+ "content": "What is the weather like in Boston?"

+ },

+ {

+ "role": "assistant",

+ "tool_calls": [

+ {

+ "id": "call_ceRrx0tP7bYPTClugKrOgvh4",

+ "type": "function",

+ "function": {

+ "name": "get_current_weather",

+ "arguments": "{\"location\":\"Boston\"}"

+ }

+ }

+ ]

+ },

+ {

+ "role": "tool",

+ "content": "{\"temperature\":30}",

+ "tool_call_id": "call_ceRrx0tP7bYPTClugKrOgvh4"

+ }

+ ]

+```

+Response:

+```json

+ {

+ "id": "df23b9f7-e6bd-493f-9437-443c65d428a1",

+ "choices": [

+ {

+ "index": 0,

+ "finish_reason": "stop",

+ "message": {

+ "role": "assistant",

+ "content": "Right now, the weather in Boston is cool, with temperatures of around 30┬░F. Stay warm!"

+ }

+ }

+ ],

+ "created": 1711734274,

+ "model": "command-r",

+ "object": "chat.completion",

+ "usage": {

+ "prompt_tokens": 744,

+ "completion_tokens": 23,

+ "total_tokens": 767

+ }

+ }

+```

+### v1/chat

+#### Request

+```

+ POST /v1/chat HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/chat request schema

+Cohere Command R and Command R+ accept the following parameters for a `v1/chat` response inference call:

+|Key |Type |Default |Description |

+|||||

+|`message` |`string` |Required |Text input for the model to respond to. |

+|`chat_history` |`array of messages` |`None` |A list of previous messages between the user and the model, meant to give the model conversational context for responding to the user's message. |

+|`documents` |`array` |`None ` |A list of relevant documents that the model can cite to generate a more accurate reply. Each document is a string-string dictionary. Keys and values from each document are serialized to a string and passed to the model. The resulting generation includes citations that reference some of these documents. Some suggested keys are "text", "author", and "date". For better generation quality, it's recommended to keep the total word count of the strings in the dictionary to under 300 words. An `_excludes` field (array of strings) can be optionally supplied to omit some key-value pairs from being shown to the model. The omitted fields still show up in the citation object. The "_excludes" field aren't passed to the model. See [Document Mode](https://docs.cohere.com/docs/retrieval-augmented-generation-rag#document-mode) guide from Cohere docs. |

+|`search_queries_only` |`boolean` |`false` |When `true`, the response only contains a list of generated search queries, but no search takes place, and no reply from the model to the user's `message` is generated.|

+|`stream` |`boolean` |`false` |When `true`, the response is a JSON stream of events. The final event contains the complete response, and has an `event_type` of `"stream-end"`. Streaming is beneficial for user interfaces that render the contents of the response piece by piece, as it gets generated.|

+|`max_tokens` |`integer` |None |The maximum number of tokens the model generates as part of the response. Note: Setting a low value might result in incomplete generations. If not specified, generates tokens until end of sequence.|

+|`temperature` |`float` |`0.3` |Use a lower value to decrease randomness in the response. Randomness can be further maximized by increasing the value of the `p` parameter. Min value is 0, and max is 2. |

+|`p` |`float` |`0.75` |Use a lower value to ignore less probable options. Set to 0 or 1.0 to disable. If both p and k are enabled, p acts after k. min value of 0.01, max value of 0.99.|

+|`k` |`float` |`0` |Specify the number of token choices the model uses to generate the next token. If both p and k are enabled, p acts after k. Min value is 0, max value is 500.|

+|`prompt_truncation` |`enum string` |`OFF` |Accepts `AUTO_PRESERVE_ORDER`, `AUTO`, `OFF`. Dictates how the prompt is constructed. With `prompt_truncation` set to `AUTO_PRESERVE_ORDER`, some elements from `chat_history` and `documents` are dropped to construct a prompt that fits within the model's context length limit. During this process the order of the documents and chat history are preserved. With `prompt_truncation` set to "OFF", no elements are dropped.|

+|`stop_sequences` |`array of strings` |`None` |The generated text is cut at the end of the earliest occurrence of a stop sequence. The sequence is included the text. |

+|`frequency_penalty` |`float` |`0` |Used to reduce repetitiveness of generated tokens. The higher the value, the stronger a penalty is applied to previously present tokens, proportional to how many times they have already appeared in the prompt or prior generation. Min value of 0.0, max value of 1.0.|

+|`presence_penalty` |`float` |`0` |Used to reduce repetitiveness of generated tokens. Similar to `frequency_penalty`, except that this penalty is applied equally to all tokens that have already appeared, regardless of their exact frequencies. Min value of 0.0, max value of 1.0.|

+|`seed` |`integer` |`None` |If specified, the backend makes a best effort to sample tokens deterministically, such that repeated requests with the same seed and parameters should return the same result. However, determinism can't be guaranteed.|

+|`return_prompt` |`boolean ` |`false ` |Returns the full prompt that was sent to the model when `true`. |

+|`tools` |`array of objects` |`None` |_Field is subject to changes._ A list of available tools (functions) that the model might suggest invoking before producing a text response. When `tools` is passed (without `tool_results`), the `text` field in the response is `""` and the `tool_calls` field in the response is populated with a list of tool calls that need to be made. If no calls need to be made, the `tool_calls` array is empty.|

+|`tool_results` |`array of objects` |`None` |_Field is subject to changes._ A list of results from invoking tools recommended by the model in the previous chat turn. Results are used to produce a text response and is referenced in citations. When using `tool_results`, `tools` must be passed as well. Each tool_result contains information about how it was invoked, and a list of outputs in the form of dictionaries. Cohere's unique fine-grained citation logic requires the output to be a list. In case the output is just one item, for example, `{"status": 200}`, still wrap it inside a list. |

+The `chat_history` object requires the following fields:

+|Key |Type |Description |

+||||

+|`role` |`enum string` |Takes `USER`, `SYSTEM`, or `CHATBOT`. |

+|`message` |`string` |Text contents of the message. |

+The `documents` object has the following optional fields:

+|Key |Type |Default| Description |

+|||||

+|`id` |`string` |`None` |Can be supplied to identify the document in the citations. This field isn't passed to the model. |

+|`_excludes` |`array of strings` |`None`| Can be optionally supplied to omit some key-value pairs from being shown to the model. The omitted fields still show up in the citation object. The `_excludes` field isn't passed to the model. |

+#### v1/chat response schema

+Response fields are fully documented on [Cohere's Chat API reference](https://docs.cohere.com/reference/chat). The response object always contains:

+|Key |Type |Description |

+||||

+|`response_id` |`string` |Unique identifier for chat completion. |

+|`generation_id` |`string` |Unique identifier for chat completion, used with Feedback endpoint on Cohere's platform. |

+|`text` |`string` |Model's response to chat message input. |

+|`finish_reason` |`enum string` |Why the generation was completed. Can be any of the following values: `COMPLETE`, `ERROR`, `ERROR_TOXIC`, `ERROR_LIMIT`, `USER_CANCEL` or `MAX_TOKENS` |

+|`token_count` |`integer` |Count of tokens used. |

+|`meta` |`string` |API usage data, including current version and billable tokens. |

+<br/>

+#### Documents

+If `documents` are specified in the request, there are two other fields in the response:

+|Key |Type |Description |

+||||

+|`documents ` |`array of objects` |Lists the documents that were cited in the response. |

+|`citations` |`array of objects` |Specifies which part of the answer was found in a given document. |

+`citations` is an array of objects with the following required fields:

+|Key |Type |Description |

+||||

+|`start` |`integer` |The index of text that the citation starts at, counting from zero. For example, a generation of `Hello, world!` with a citation on `world` would have a start value of `7`. This is because the citation starts at `w`, which is the seventh character. |

+|`end` |`integer` |The index of text that the citation ends after, counting from zero. For example, a generation of `Hello, world!` with a citation on `world` would have an end value of `11`. This is because the citation ends after `d`, which is the eleventh character. |

+|`text` |`string` |The text of the citation. For example, a generation of `Hello, world!` with a citation of `world` would have a text value of `world`. |

+|`document_ids` |`array of strings` |Identifiers of documents cited by this section of the generated reply. |

+#### Tools

+If `tools` are specified and invoked by the model, there's another field in the response:

+|Key |Type |Description |

+||||

+|`tool_calls ` |`array of objects` |Contains the tool calls generated by the model. Use it to invoke your tools. |

+`tool_calls` is an array of objects with the following fields:

+|Key |Type |Description |

+||||

+|`name` |`string` |Name of the tool to call. |

+|`parameters` |`object` |The name and value of the parameters to use when invoking a tool. |

+#### Search_queries_only

+If `search_queries_only=TRUE` is specified in the request, there are two other fields in the response:

+|Key |Type |Description |

+||||

+|`is_search_required` |`boolean` |Instructs the model to generate a search query. |

+|`search_queries` |`array of objects` |Object that contains a list of search queries. |

+`search_queries` is an array of objects with the following fields:

+|Key |Type |Description |

+||||

+|`text` |`string` |The text of the search query. |

+|`generation_id` |`string` |Unique identifier for the generated search query. Useful for submitting feedback. |

+#### Examples

+##### Chat - Completions

+The following example is a sample request call to get chat completions from the Cohere Command model. Use when generating a chat completion.

+Request:

+```json

+ {

+ "chat_history": [

+ {"role":"USER", "message": "What is an interesting new role in AI if I don't have an ML background"},

+ {"role":"CHATBOT", "message": "You could explore being a prompt engineer!"}

+ ],

+ "message": "What are some skills I should have"

+ }

+```

+Response:

+```json

+ {

+ "response_id": "09613f65-c603-41e6-94b3-a7484571ac30",

+ "text": "Writing skills are very important for prompt engineering. Some other key skills are:\n- Creativity\n- Awareness of biases\n- Knowledge of how NLP models work\n- Debugging skills\n\nYou can also have some fun with it and try to create some interesting, innovative prompts to train an AI model that can then be used to create various applications.",

+ "generation_id": "6d31a57f-4d94-4b05-874d-36d0d78c9549",

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 99,

+ "response_tokens": 70,

+ "total_tokens": 169,

+ "billed_tokens": 151

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 81,

+ "output_tokens": 70

+ }

+ }

+ }

+```

+##### Chat - Grounded generation and RAG capabilities

+Command R and Command R+ are trained for RAG via a mixture of supervised fine-tuning and preference fine-tuning, using a specific prompt template. We introduce that prompt template via the `documents` parameter. The document snippets should be chunks, rather than long documents, typically around 100-400 words per chunk. Document snippets consist of key-value pairs. The keys should be short descriptive strings. The values can be text or semi-structured.

+Request:

+```json

+ {

+ "message": "Where do the tallest penguins live?",

+ "documents": [

+ {

+ "title": "Tall penguins",

+ "snippet": "Emperor penguins are the tallest."

+ },

+ {

+ "title": "Penguin habitats",

+ "snippet": "Emperor penguins only live in Antarctica."

+ }

+ ]

+ }

+```

+Response:

+```json

+ {

+ "response_id": "d7e72d2e-06c0-469f-8072-a3aa6bd2e3b2",

+ "text": "Emperor penguins are the tallest species of penguin and they live in Antarctica.",

+ "generation_id": "b5685d8d-00b4-48f1-b32f-baebabb563d8",

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 615,

+ "response_tokens": 15,

+ "total_tokens": 630,

+ "billed_tokens": 22

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 7,

+ "output_tokens": 15

+ }

+ },

+ "citations": [

+ {

+ "start": 0,

+ "end": 16,

+ "text": "Emperor penguins",

+ "document_ids": [

+ "doc_0"

+ ]

+ },

+ {

+ "start": 69,

+ "end": 80,

+ "text": "Antarctica.",

+ "document_ids": [

+ "doc_1"

+ ]

+ }

+ ],

+ "documents": [

+ {

+ "id": "doc_0",

+ "snippet": "Emperor penguins are the tallest.",

+ "title": "Tall penguins"

+ },

+ {

+ "id": "doc_1",

+ "snippet": "Emperor penguins only live in Antarctica.",

+ "title": "Penguin habitats"

+ }

+ ]

+ }

+```

+##### Chat - Tool Use

+If invoking tools or generating a response based on tool results, use the following parameters.

+Request:

+```json

+ {

+ "message":"I'd like 4 apples and a fish please",

+ "tools":[

+ {

+ "name":"personal_shopper",

+ "description":"Returns items and requested volumes to purchase",

+ "parameter_definitions":{

+ "item":{

+ "description":"the item requested to be purchased, in all caps eg. Bananas should be BANANAS",

+ "type": "str",

+ "required": true

+ },

+ "quantity":{

+ "description": "how many of the items should be purchased",

+ "type": "int",

+ "required": true

+ }

+ }

+ }

+ ],

+

+ "tool_results": [

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Apples",

+ "quantity": 4

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ },

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Fish",

+ "quantity": 1

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale not completed"

+ }

+ ]

+ }

+ ]

+ }

+```

+Response:

+```json

+ {

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "text": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "chat_history": [

+ {

+ "message": "I'd like 4 apples and a fish please",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "a4c5da95-b370-47a4-9ad3-cbf304749c04",

+ "role": "User"

+ },

+ {

+ "message": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "role": "Chatbot"

+ }

+ ],

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 644,

+ "response_tokens": 31,

+ "total_tokens": 675,

+ "billed_tokens": 41

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 10,

+ "output_tokens": 31

+ }

+ },

+ "citations": [

+ {

+ "start": 5,

+ "end": 23,

+ "text": "completed the sale",

+ "document_ids": [

+ ""

+ ]

+ },

+ {

+ "start": 113,

+ "end": 132,

+ "text": "currently no stock.",

+ "document_ids": [

+ ""

+ ]

+ }

+ ],

+ "documents": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ }

+```

+Once you run your function and received tool outputs, you can pass them back to the model to generate a response for the user.

+Request:

+```json

+ {

+ "message":"I'd like 4 apples and a fish please",

+ "tools":[

+ {

+ "name":"personal_shopper",

+ "description":"Returns items and requested volumes to purchase",

+ "parameter_definitions":{

+ "item":{

+ "description":"the item requested to be purchased, in all caps eg. Bananas should be BANANAS",

+ "type": "str",

+ "required": true

+ },

+ "quantity":{

+ "description": "how many of the items should be purchased",

+ "type": "int",

+ "required": true

+ }

+ }

+ }

+ ],

+

+ "tool_results": [

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Apples",

+ "quantity": 4

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ },

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Fish",

+ "quantity": 1

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale not completed"

+ }

+ ]

+ }

+ ]

+ }

+```

+Response:

+```json

+ {

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "text": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "chat_history": [

+ {

+ "message": "I'd like 4 apples and a fish please",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "a4c5da95-b370-47a4-9ad3-cbf304749c04",

+ "role": "User"

+ },

+ {

+ "message": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "role": "Chatbot"

+ }

+ ],

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 644,

+ "response_tokens": 31,

+ "total_tokens": 675,

+ "billed_tokens": 41

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 10,

+ "output_tokens": 31

+ }

+ },

+ "citations": [

+ {

+ "start": 5,

+ "end": 23,

+ "text": "completed the sale",

+ "document_ids": [

+ ""

+ ]

+ },

+ {

+ "start": 113,

+ "end": 132,

+ "text": "currently no stock.",

+ "document_ids": [

+ ""

+ ]

+ }

+ ],

+ "documents": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ }

+```

+##### Chat - Search queries

+If you're building a RAG agent, you can also use Cohere's Chat API to get search queries from Command. Specify `search_queries_only=TRUE` in your request.

+Request:

+```json

+ {

+ "message": "Which lego set has the greatest number of pieces?",

+ "search_queries_only": true

+ }

+```

+Response:

+```json

+ {

+ "response_id": "5e795fe5-24b7-47b4-a8bc-b58a68c7c676",

+ "text": "",

+ "finish_reason": "COMPLETE",

+ "meta": {

+ "api_version": {

+ "version": "1"

+ }

+ },

+ "is_search_required": true,

+ "search_queries": [

+ {

+ "text": "lego set with most pieces",

+ "generation_id": "a086696b-ad8e-4d15-92e2-1c57a3526e1c"

+ }

+ ]

+ }

+```

+##### More inference examples

+| **Sample Type** | **Sample Notebook** |

+|-|-|

+| CLI using CURL and Python web requests - Command R | [command-r.ipynb](https://aka.ms/samples/cohere-command-r/webrequests)|

+| CLI using CURL and Python web requests - Command R+ | [command-r-plus.ipynb](https://aka.ms/samples/cohere-command-r-plus/webrequests)|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://aka.ms/samples/cohere-command/openaisdk) |

+| LangChain | [langchain.ipynb](https://aka.ms/samples/cohere/langchain) |

+| Cohere SDK | [cohere-sdk.ipynb](https://aka.ms/samples/cohere-python-sdk) |

+## Cost and quotas

+### Cost and quota considerations for models deployed as a service

+Cohere models deployed as a service are offered by Cohere through the Azure Marketplace and integrated with Azure AI Studio for use. You can find the Azure Marketplace pricing when deploying the model.

+Each time a project subscribes to a given offer from the Azure Marketplace, a new resource is created to track the costs associated with its consumption. The same resource is used to track costs associated with inference; however, multiple meters are available to track each scenario independently.

+For more information on how to track costs, see [monitor costs for models offered throughout the Azure Marketplace](./costs-plan-manage.md#monitor-costs-for-models-offered-through-the-azure-marketplace).

+Quota is managed per deployment. Each deployment has a rate limit of 200,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits aren't sufficient for your scenarios.

+## Content filtering

+Models deployed as a service with pay-as-you-go are protected by [Azure AI Content Safety](../../ai-services/content-safety/overview.md). With Azure AI content safety, both the prompt and completion pass through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Learn more about [content filtering here](../concepts/content-filtering.md).

+## Next steps

+- [What is Azure AI Studio?](../what-is-ai-studio.md)

+- [Azure AI FAQ article](../faq.yml)

+ Title: How to deploy Cohere Embed models with Azure AI Studio

+description: Learn how to deploy Cohere Embed models with Azure AI Studio.

+# How to deploy Cohere Embed models with Azure AI Studio

+In this article, you learn how to use Azure AI Studio to deploy the Cohere Embed models as a service with pay-as you go billing.

+Cohere offers two Embed models in [Azure AI Studio](https://ai.azure.com). These models are available with pay-as-you-go token based billing with Models as a Service.

+* Cohere Embed v3 - English

+* Cohere Embed v3 - Multilingual

+You can browse the Cohere family of models in the [Model Catalog](model-catalog.md) by filtering on the Cohere collection.

+## Models

+In this article, you learn how to use Azure AI Studio to deploy the Cohere Embed models as a service with pay-as-you-go billing.

+### Cohere Embed v3 - English

+Cohere Embed English is the market's leading text representation model used for semantic search, retrieval-augmented generation (RAG), classification, and clustering. Embed English has top performance on the HuggingFace MTEB benchmark and performs well on various industries such as Finance, Legal, and General-Purpose Corpora.

+* Embed English has 1,024 dimensions.

+* Context window of the model is 512 tokens

+### Cohere Embed v3 - Multilingual

+Cohere Embed Multilingual is the market's leading text representation model used for semantic search, retrieval-augmented generation (RAG), classification, and clustering. Embed Multilingual supports 100+ languages and can be used to search within a language (for example, search with a French query on French documents) and across languages (for example, search with an English query on Chinese documents). Embed multilingual has SOTA performance on multilingual benchmarks such as Miracl.

+* Embed Multilingual has 1,024 dimensions.

+* Context window of the model is 512 tokens

+## Deploy with pay-as-you-go

+Certain models in the model catalog can be deployed as a service with pay-as-you-go, providing a way to consume them as an API without hosting them on your subscription, while keeping the enterprise security and compliance organizations need. This deployment option doesn't require quota from your subscription.

+The previously mentioned Cohere models can be deployed as a service with pay-as-you-go, and are offered by Cohere through the Microsoft Azure Marketplace. Cohere can change or update the terms of use and pricing of this model.

+### Prerequisites

+- An Azure subscription with a valid payment method. Free or trial Azure subscriptions won't work. If you don't have an Azure subscription, create a [paid Azure account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go) to begin.

+- An [Azure AI hub resource](../how-to/create-azure-ai-resource.md).

+ > [!IMPORTANT]

+ > For Cohere family models, the pay-as-you-go model deployment offering is only available with AI hubs created in EastUS, EastUS2 or Sweden Central regions.

+- An [Azure AI project](../how-to/create-projects.md) in Azure AI Studio.

+- Azure role-based access controls are used to grant access to operations in Azure AI Studio. To perform the steps in this article, your user account must be assigned the __Azure AI Developer role__ on the resource group. For more information on permissions, see [Role-based access control in Azure AI Studio](../concepts/rbac-ai-studio.md).

+### Create a new deployment

+To create a deployment:

+1. Sign in to [Azure AI Studio](https://ai.azure.com).

+1. Select **Model catalog** from the **Explore** tab and search for *Cohere*.

+ Alternatively, you can initiate a deployment by starting from your project in AI Studio. From the **Build** tab of your project, select **Deployments** > **+ Create**.

+1. In the model catalog, on the model's **Details** page, select **Deploy** and then **Pay-as-you-go**.

+ :::image type="content" source="../media/deploy-monitor/cohere-embed/embed-english-deploy-pay-as-you-go.png" alt-text="A screenshot showing how to deploy a model with the pay-as-you-go option." lightbox="../media/deploy-monitor/cohere-embed/embed-english-deploy-pay-as-you-go.png":::

+1. Select the project in which you want to deploy your model. To deploy the model, your project must be in the EastUS, EastUS2 or Sweden Central regions.

+1. In the deployment wizard, select the link to **Azure Marketplace Terms** to learn more about the terms of use.

+1. You can also select the **Marketplace offer details** tab to learn about pricing for the selected model.

+1. If it is your first time deploying the model in the project, you have to subscribe your project for the particular offering. This step requires that your account has the **Azure AI Developer role** permissions on the Resource Group, as listed in the prerequisites. Each project has its own subscription to the particular Azure Marketplace offering of the model, which allows you to control and monitor spending. Select **Subscribe and Deploy**. Currently you can have only one deployment for each model within a project.

+ :::image type="content" source="../media/deploy-monitor/cohere-embed/embed-english-marketplace-terms.png" alt-text="A screenshot showing the terms and conditions of a given model." lightbox="../media/deploy-monitor/cohere-embed/embed-english-marketplace-terms.png":::

+1. Once you subscribe the project for the particular Azure Marketplace offering, subsequent deployments of the _same_ offering in the _same_ project don't require subscribing again. If this scenario applies to you, there's a **Continue to deploy** option to select (Currently you can have only one deployment for each model within a project).

+ :::image type="content" source="../media/deploy-monitor/cohere-embed/embed-english-existing-subscription.png" alt-text="A screenshot showing a project that is already subscribed to the offering." lightbox="../media/deploy-monitor/cohere-embed/embed-english-existing-subscription.png":::

+1. Give the deployment a name. This name becomes part of the deployment API URL. This URL must be unique in each Azure region.

+ :::image type="content" source="../media/deploy-monitor/cohere-embed/embed-english-deployment-name.png" alt-text="A screenshot showing how to indicate the name of the deployment you want to create." lightbox="../media/deploy-monitor/cohere-embed/embed-english-deployment-name.png":::

+1. Select **Deploy**. Wait until the deployment is ready and you're redirected to the Deployments page.

+1. Select **Open in playground** to start interacting with the model.

+1. You can return to the Deployments page, select the deployment, and note the endpoint's **Target** URL and the Secret **Key**. For more information on using the APIs, see the [reference](#embed-api-reference-for-cohere-embed-models-deployed-as-a-service) section.

+1. You can always find the endpoint's details, URL, and access keys by navigating to the **Build** tab and selecting **Deployments** from the Components section.

+To learn about billing for the Cohere models deployed with pay-as-you-go, see [Cost and quota considerations for Cohere models deployed as a service](#cost-and-quota-considerations-for-models-deployed-as-a-service).

+### Consume the Cohere Embed models as a service

+These models can be consumed using the embed API.

+1. On the **Build** page, select **Deployments**.

+1. Find and select the deployment you created.

+1. Copy the **Target** URL and the **Key** value.

+1. Cohere exposes two routes for inference with the Embed v3 - English and Embed v3 - Multilingual models. `v1/embeddings` adheres to the Azure AI Generative Messages API schema, and `v1/embed` supports Cohere's native API schema.

+ For more information on using the APIs, see the [reference](#embed-api-reference-for-cohere-embed-models-deployed-as-a-service) section.

+## Embed API reference for Cohere Embed models deployed as a service

+### v1/embeddings

+#### Request

+```

+ POST /v1/embeddings HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/emebeddings request schema

+Cohere Embed v3 - English and Embed v3 - Multilingual accept the following parameters for a `v1/embeddings` API call:

+| Property | Type | Default | Description |

+| | | | |

+|`input` |`array of strings` |Required |An array of strings for the model to embed. Maximum number of texts per call is 96. We recommend reducing the length of each text to be under 512 tokens for optimal quality. |

+#### v1/emebeddings response schema

+The response payload is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `id` | `string` | A unique identifier for the completion. |

+| `object` | `enum`|The object type, which is always `list` |

+| `data` | `array` | The Unix timestamp (in seconds) of when the completion was created. |

+| `model` | `string` | The model_id used for creating the embeddings. |

+| `usage` | `object` | Usage statistics for the completion request. |

+The `data` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `index` | `integer` |The index of the embedding in the list of embeddings. |

+| `object` | `enum` | The object type, which is always "embedding". |

+| `embedding` | `array` | The embedding vector, which is a list of floats. |

+The `usage` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `prompt_tokens` | `integer` | Number of tokens in the prompt. |

+| `completion_tokens` | `integer` | Number of tokens generated in the completion. |

+| `total_tokens` | `integer` | Total tokens. |

+### v1/embeddings examples

+Request:

+```json

+ {

+ "input": ["hi"]

+ }

+```

+Response:

+```json

+ {

+ "id": "87cb11c5-2316-4c88-af3c-4b2b77ed58f3",

+ "object": "list",

+ "data": [

+ {

+ "index": 0,

+ "object": "embedding",

+ "embedding": [

+ 1.1513672,

+ 1.7060547,

+ ...

+ ]

+ }

+ ],

+ "model": "tmp",

+ "usage": {

+ "prompt_tokens": 1,

+ "completion_tokens": 0,

+ "total_tokens": 1

+ }

+ }

+```

+### v1/embed

+#### Request

+```

+ POST /v1/embed HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/embed request schema

+Cohere Embed v3 - English and Embed v3 - Multilingual accept the following parameters for a `v1/embed` API call:

+|Key |Type |Default |Description |

+|||||

+|`texts` |`array of strings` |Required |An array of strings for the model to embed. Maximum number of texts per call is 96. We recommend reducing the length of each text to be under 512 tokens for optimal quality. |

+|`input_type` |`enum string` |Required |Prepends special tokens to differentiate each type from one another. You shouldn't mix different types together, except when mixing types for for search and retrieval. In this case, embed your corpus with the `search_document` type and embedded queries with type `search_query` type. <br/> `search_document` ΓÇô In search use-cases, use search_document when you encode documents for embeddings that you store in a vector database. <br/> `search_query` ΓÇô Use search_query when querying your vector database to find relevant documents. <br/> `classification` ΓÇô Use classification when using embeddings as an input to a text classifier. <br/> `clustering` ΓÇô Use clustering to cluster the embeddings.|

+|`truncate` |`enum string` |`NONE` |`NONE` ΓÇô Returns an error when the input exceeds the maximum input token length. <br/> `START` ΓÇô Discards the start of the input. <br/> `END` ΓÇô Discards the end of the input. |

+|`embedding_types` |`array of strings` |`float` |Specifies the types of embeddings you want to get back. Can be one or more of the following types. `float`, `int8`, `uint8`, `binary`, `ubinary` |

+#### v1/embed response schema

+Cohere Embed v3 - English and Embed v3 - Multilingual include the following fields in the response:

+|Key |Type |Description |

+||||

+|`response_type` |`enum` |The response type. Returns `embeddings_floats` when `embedding_types` isn't specified, or returns `embeddings_by_type` when `embeddings_types` is specified. |

+|`id` |`integer` |An identifier for the response. |

+|`embeddings` |`array` or `array of objects` |An array of embeddings, where each embedding is an array of floats with 1,024 elements. The length of the embeddings array is the same as the length of the original texts array.|

+|`texts` |`array of strings` |The text entries for which embeddings were returned. |

+|`meta` |`string` |API usage data, including current version and billable tokens. |

+For more information, see [https://docs.cohere.com/reference/embed](https://docs.cohere.com/reference/embed).

+### v1/embed examples

+#### embeddings_floats Response

+Request:

+```json

+ {

+ "input_type": "clustering",

+ "truncate": "START",

+ "texts":["hi", "hello"]

+ }

+```

+Response:

+```json

+ {

+ "id": "da7a104c-e504-4349-bcd4-4d69dfa02077",

+ "texts": [

+ "hi",

+ "hello"

+ ],

+ "embeddings": [

+ [

+ ...

+ ],

+ [

+ ...

+ ]

+ ],

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 2

+ }

+ },

+ "response_type": "embeddings_floats"

+ }

+```

+#### Embeddings_by_types response

+Request:

+```json

+ {

+ "input_type": "clustering",

+ "embedding_types": ["int8", "binary"],

+ "truncate": "START",

+ "texts":["hi", "hello"]

+ }

+```

+Response:

+```json

+ {

+ "id": "b604881a-a5e1-4283-8c0d-acbd715bf144",

+ "texts": [

+ "hi",

+ "hello"

+ ],

+ "embeddings": {

+ "binary": [

+ [

+ ...

+ ],

+ [

+ ...

+ ]

+ ],

+ "int8": [

+ [

+ ...

+ ],

+ [

+ ...

+ ]

+ ]

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 2

+ }

+ },

+ "response_type": "embeddings_by_type"

+ }

+```

+#### More inference examples

+| **Sample Type** | **Sample Notebook** |

+|-|-|

+| CLI using CURL and Python web requests | [cohere-embed.ipynb](https://aka.ms/samples/embed-v3/webrequests)|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://aka.ms/samples/cohere-embed/openaisdk) |

+| LangChain | [langchain.ipynb](https://aka.ms/samples/cohere-embed/langchain) |

+| Cohere SDK | [cohere-sdk.ipynb](https://aka.ms/samples/cohere-embed/cohere-python-sdk) |

+## Cost and quotas

+### Cost and quota considerations for models deployed as a service

+Cohere models deployed as a service are offered by Cohere through the Azure Marketplace and integrated with Azure AI Studio for use. You can find the Azure Marketplace pricing when deploying the model.

+Each time a project subscribes to a given offer from the Azure Marketplace, a new resource is created to track the costs associated with its consumption. The same resource is used to track costs associated with inference; however, multiple meters are available to track each scenario independently.

+For more information on how to track costs, see [monitor costs for models offered throughout the Azure Marketplace](./costs-plan-manage.md#monitor-costs-for-models-offered-through-the-azure-marketplace).

+Quota is managed per deployment. Each deployment has a rate limit of 200,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits aren't sufficient for your scenarios.

+## Content filtering

+Models deployed as a service with pay-as-you-go are protected by [Azure AI Content Safety](../../ai-services/content-safety/overview.md). With Azure AI content safety, both the prompt and completion pass through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Learn more about [content filtering here](../concepts/content-filtering.md).

+## Next steps

+- [What is Azure AI Studio?](../what-is-ai-studio.md)

+- [Azure AI FAQ article](../faq.yml)

+$ kubectl apply -f pod.yml

+$ kubectl apply -f pod.yml

+[add-ons]: integrations.md#add-ons

+| 1.25 | Aug 2022 | Oct 2022 | Dec 2022 | Jan 14, 2024 | Until 1.29 GA |

+| 1.25 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.5.3<br>Image Cleaner v1.1.1<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>| Ubuntu 22.04 by default with cgroupv2 and Overlay VPA 0.13.0 |CgroupsV2 - If you deploy Java applications with the JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which fully support cgroup v2

+Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.25 is considered platform support when v1.28 is the latest GA version. However, during the v1.29 GA release, v1.25 will then auto-upgrade to v1.26. If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy.

+[az-acr-build]: /cli/azure/acr#az_acr_build

+[azd]: /azure/developer/azure-developer-cli/install-azd

+[aks-two-resource-groups]: faq.md#why-are-two-resource-groups-created-with-aks

+For more information visit [MicrosoftΓÇÖs E+D Windows AKS customer story](https://customers.microsoft.com/story/1536483517282553662-modernizing-microsoft-365-windows-containers-azure-kubernetes-service).

+To explore more about their guidance on Windows container migration, along with valuable migration learnings and insights for modernization plans, you can [explore their article](https://techcommunity.microsoft.com/t5/containers/unifycloud-modernizing-your-net-apps-to-windows-containers-on/ba-p/4037872).

+This guide provides key concepts and instructions for containerization of Linux apps in App Service. If you've never used Azure App Service, follow the [custom container quickstart](quickstart-custom-container.md) and [tutorial](tutorial-custom-container.md) first. There's also a [multi-container app quickstart](quickstart-multi-container.md) and [tutorial](tutorial-multi-container-app.md). For sidecar containers (preview), see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

+For *\<username>* and *\<password>*, supply the sign-in credentials for your private registry account.

+Use the following steps to configure your web app to pull from ACR using managed identity. The steps use system-assigned managed identity, but you can use user-assigned managed identity as well.

+ Replace `<app-name>` with the name you used in the previous step. The output of the command (filtered by the `--query` and `--output` arguments) is the service principal ID of the assigned identity, which you use shortly.

+ Replace `<registry-name>` with the name of your registry. The output of the command (filtered by the `--query` and `--output` arguments) is the resource ID of the Azure Container Registry.

+ > If you are using PowerShell console to run the commands, you need to escape the strings in the `--generic-configurations` argument in this and the next step. For example: `--generic-configurations '{\"acrUseManagedIdentityCreds\": true'`

+1. (Optional) If your app uses a [user-assigned managed identity](overview-managed-identity.md#add-a-user-assigned-identity), make sure this is configured on the web app and then set the `acrUserManagedIdentityID` property to specify its client ID:

+You're all set, and the web app now uses managed identity to pull from Azure Container Registry.

+To connect and pull from a registry inside a virtual network or on-premises, your app must integrate with a virtual network. This is also needed for Azure Container Registry with private endpoint. When your network and DNS resolution is configured, you enable the routing of the image pull through the virtual network by configuring the `vnetImagePullEnabled` site setting:

+The first time you run a custom Docker image in App Service, App Service does a `docker pull` and pulls all image layers. These layers are stored on disk, like if you were using Docker on-premises. Each time the app restarts, App Service does a `docker pull`, but only pulls layers that have changed. If there are no changes, App Service uses existing layers on the local disk.

+If the app changes compute instances for any reason, such as scaling up and down the pricing tiers, App Service must pull down all layers again. The same is true if you scale out to add more instances. There are also rare cases where the app instances might change without a scale operation.

+When persistent storage is disabled, then writes to the `C:\home` directory aren't persisted across app restarts or across multiple instances. When persistent storage is enabled, all writes to the `C:\home` directory are persisted and can be accessed by all instances of a scaled-out app. Additionally, any contents inside the `C:\home` directory of the container are overwritten by any existing files already present on the persistent storage when the container starts.

+The only exception is the `C:\home\LogFiles` directory, which is used to store the container and application logs. This folder always persists upon app restarts if [application logging is enabled](troubleshoot-diagnostic-logs.md?#enable-application-logging-windows) with the **File System** option, independently of the persistent storage being enabled or disabled. In other words, enabling or disabling the persistent storage doesn't affect the application logging behavior.

+You can use the */home* directory in your custom container file system to persist files across restarts and share them across instances. The `/home` directory is provided to enable your custom container to access persistent storage. Saving data within `/home` contributes to the [storage space quota](../azure-resource-manager/management/azure-subscription-service-limits.md#app-service-limits) included with your App Service Plan.

+When persistent storage is disabled, then writes to the `/home` directory aren't persisted across app restarts or across multiple instances. When persistent storage is enabled, all writes to the `/home` directory are persisted and can be accessed by all instances of a scaled-out app. Additionally, any contents inside the `/home` directory of the container are overwritten by any existing files already present on the persistent storage when the container starts.

+The only exception is the `/home/LogFiles` directory, which is used to store the container and application logs. This folder always persists upon app restarts if [application logging is enabled](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) with the **File System** option, independently of the persistent storage being enabled or disabled. In other words, enabling or disabling the persistent storage doesn't affect the application logging behavior.

+It's recommended to write data to `/home` or a [mounted Azure storage path](configure-connect-to-azure-storage.md?tabs=portal&pivots=container-linux). Data written outside these paths isn't persistent during restarts and is saved to platform-managed host disk space separate from the App Service Plans file storage quota.

+The front ends are located inside Azure data centers. If you use TLS/SSL with your app, your traffic across the Internet is always safely encrypted.

+You can connect to your Windows container directly for diagnostic tasks by navigating to `https://<app-name>.scm.azurewebsites.net/` and choosing the SSH option. A direct SSH session with your container is established in which you can run commands inside your container.

+App Service logs actions by the Docker host and activities from within the container. Logs from the Docker host (platform logs) are shipped by default, but application logs or web server logs from within the container need to be enabled manually. For more information, see [Enable application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) and [Enable web server logging](troubleshoot-diagnostic-logs.md#enable-web-server-logging).

+Docker logs are displayed in the portal, in the **Container Settings** page of your app. The logs are truncated, but you can download all the logs selecting **Download**.

+Navigate to `https://<app-name>.scm.azurewebsites.net/DebugConsole` and select the **LogFiles** folder to see the individual log files. To download the entire **LogFiles** directory, select the **Download** icon to the left of the directory name. You can also access this folder using an FTP client.

+In the SSH terminal, you can't access the `C:\home\LogFiles` folder by default because persistent shared storage isn't enabled. To enable this behavior in the console terminal, [enable persistent shared storage](#use-persistent-shared-storage).

+The value is defined in MB and must be less and equal to the total physical memory of the host. For example, in an App Service plan with 8GB RAM, the cumulative total of `WEBSITE_MEMORY_LIMIT_MB` for all the apps must not exceed 8 GB. Information on how much memory is available for each pricing tier can be found in [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/), in the **Premium v3 service plan** section.

+App Service considers a container to be successfully started when the container starts and responds to an HTTP ping. The health ping request contains the header `User-Agent= "App Service Hyper-V Container Availability Check"`. If the container starts but doesn't respond to a ping after a certain amount of time, App Service logs an event in the Docker log, saying that the container didn't start.

+2. Create an entrypoint script with the name `entrypoint.sh` (or change any existing entrypoint file) and add the command to start the SSH service, along with the application startup command. The following example demonstrates starting a Python application. Replace the last command according to the project language/stack:

+3. Add to the Dockerfile the following instructions according to the base image distribution. These instructions copy the new files, install OpenSSH server, set proper permissions and configure the custom entrypoint, and expose the ports required by the application and SSH server, respectively:

+ > The root password must be exactly `Docker!` as it's used by App Service to let you access the SSH session with the container. This configuration doesn't allow external connections to the container. Port 2222 of the container is accessible only within the bridge network of a private virtual network and isn't accessible to an attacker on the internet.

+Further troubleshooting information is available at the Azure App Service OSS blog: [Enabling SSH on Linux Web App for Containers](https://azureossd.github.io/2022/04/27/2022-Enabling-SSH-on-Linux-Web-App-for-Containers/https://docsupdatetracker.net/index.html#troubleshooting)

+Multi-container is currently in preview. The following App Service platform features aren't supported:

+- Virtual network integration isn't supported for Docker Compose scenarios

+Or, see more resources:

+> [!NOTE]

+> Sidecar containers (preview) will succeed multi-container (Docker Compose) apps in App Service. To get started, see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

+az rest --method get --uri "${ASE_ID}/configurations/networking?api-version=2022-03-01" --query properties.windowsOutboundIpAddresses

+| **Custom containers** |- [Multi-container](./quickstart-multi-container.md)<br>- [Sidecar containers](tutorial-custom-container-sidecar.md)|

+The virtual network integration feature supports two virtual interfaces per worker. Two virtual interfaces per worker mean two virtual network integrations per App Service plan. In other words, an App Service plan can have virtual network integrations with up to two subnets/virtual networks. The apps in the same App Service plan can only use one of the virtual network integrations to a specific subnet, meaning an app can only have a single virtual network integration at a given time.

+Because subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. You should also reserve IP addresses for platform upgrades. To avoid any issues with subnet capacity, use a `/26` with 64 addresses. When you're creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of `/27` is required. If the subnet already exists before integrating through the portal, you can use a `/28` subnet.

+With multi plan subnet join (MPSJ) you can join multiple App Service plans in to the same subnet. All App Service plans must be in the same subscription but the virtual network/subnet can be in a different subscription. Each instance from each App Service plan requires an IP address from the subnet and to use MPSJ a minimum size of `/26` subnet is required. If you plan to join many and/or large scale plans, you should plan for larger subnet ranges.

+>[!NOTE]

+> Multi plan subnet join is currently in public preview. During preview the following known limitations should be observed:

+>

+> * The minimum requirement for subnet size of `/26` is currently not enforced, but will be enforced at GA.

+> * There is currently no validation if the subnet has available IPs, so you might be able to join N+1 plan, but the instances will not get an IP. You can view available IPs in the Virtual network integration page in Azure portal in apps that are already connected to the subnet.

+* The feature requires an unused subnet that's an IPv4 `/28` block or larger in an Azure Resource Manager virtual network. MPSJ requires a `/26` block or larger.

+* **Containerization and Docker** - Dockerize your app and host a custom Windows or Linux container in App Service. Run sidecar containers of your choice. Migrate your Docker skills directly to App Service.

+> Sidecar containers (preview) will succeed multi-container apps in App Service. To get started, see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

+ Title: 'Tutorial: Configure a sidecar container'

+description: Add sidecar containers to your custom container in Azure App Service. Add or update services to your application without changing your application container.

+keywords: azure app service, web app, linux, windows, docker, container, sidecar

+# Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)

+In this tutorial, you add OpenTelemetry collector as a sidecar container to a Linux custom container app in Azure App Service.

+In Azure App Service, you can add up to 4 sidecar containers for each sidecar-enabled custom container app. Sidecar containers let you deploy extra services and features to your container application without making them tightly coupled to your main application container. For example, you can add monitoring, logging, configuration, and networking services as sidecar containers. An OpenTelemetry collector sidecar is one such monitoring example.

+For more information about sidecars, see [Sidecar pattern](/azure/architecture/patterns/sidecar).

+> [!NOTE]

+> For the preview period, sidecar support must be enabled at app creation. There's currently no way to enable sidecar support for an existing app.

+## 1. Set up the needed resources

+First you create the resources that the tutorial uses (for more information, see [Cloud Shell Overview](../cloud-shell/overview.md)). They're used for this particular scenario and aren't required for sidecar containers in general.

+1. In the [Azure Cloud Shell](https://shell.azure.com), run the following commands:

+ ```azurecli-interactive

+ git clone https://github.com/Azure-Samples/app-service-sidecar-tutorial-prereqs

+ cd app-service-sidecar-tutorial-prereqs

+ azd provision

+ ```

+1. When prompted, supply the environment name, subscription, and region you want. For example:

+ - Environment name: *my-sidecar-env*

+ - Subscription: your subscription

+ - Region: *(Europe) West Europe*

+ When deployment completes, you should see the following output:

+ <pre>

+ APPLICATIONINSIGHTS_CONNECTION_STRING = <b>InstrumentationKey=...;IngestionEndpoint=...;LiveEndpoint=...</b>

+ Open resource group in the portal: <b>https://portal.azure.com/#@/resource/subscriptions/.../resourceGroups/...</b>

+ </pre>

+1. Open the resource group link in a browser tab. You'll need to use the connection string later.

+ > [!NOTE]

+ > `azd provision` uses the included templates to create the following Azure resources:

+ >

+ > - A resource group

+ > - A [container registry](../container-registry/container-registry-intro.md) with two images deployed:

+ > - An Nginx image with the OpenTelemetry module.

+ > - An OpenTelemetry collector image, configured to export to [Azure Monitor](../azure-monitor/overview.md).

+ > - A [log analytics workspace](../azure-monitor/logs/log-analytics-overview.md)

+ > - An [Application Insights](../azure-monitor/app/app-insights-overview.md) component

+

+## 2. Create a sidecar-enabled app

+1. In the resource group's management page, select **Create**.

+1. Search for *web app*, then select the down arrow on **Create** and select **Web App**.

+ :::image type="content" source="media/tutorial-custom-container-sidecar/create-web-app.png" alt-text="Screenshot showing the Azure Marketplace page with the web app being searched and create web app buttons being clicked.":::

+1. Configure the **Basics** panel as follows:

+ - **Name**: A unique name

+ - **Publish**: **Container**

+ - **Operating System**: **Linux**

+ - **Region**: Same region as the one you chose with `azd provision`

+ - **Linux Plan**: A new App Service plan

+ :::image type="content" source="media/tutorial-custom-container-sidecar/create-wizard-basics-panel.png" alt-text="Screenshot showing the web app create wizard and settings for a Linux custom container app highlighted.":::

+1. Select **Container**. Configure the **Container** panel as follows:

+ - **Sidecar support**: **Enabled**

+ - **Image Source**: **Azure Container Registry**

+ - **Registry**: The registry created by `azd provision`

+ - **Image**: **nginx**

+ - **Tag**: **latest**

+ - **Port**: **80**

+ :::image type="content" source="media/tutorial-custom-container-sidecar/create-wizard-container-panel.png" alt-text="Screenshot showing the web app create wizard and settings for the container image and the sidecar support highlighted.":::

+ > [!NOTE]

+ > These settings are configured differently in sidecar-enabled apps. For more information, see [Differences for sidecar-enabled apps](#differences-for-sidecar-enabled-apps).

+1. Select **Review + create**, then select **Create**.

+1. Once the deployment completes, select **Go to resource**.

+1. In a new browser tab, navigate to `https://<app-name>.azurewebsites.net` and see the default Nginx page.

+## 3. Add a sidecar container

+In this section, you add a sidecar container to your custom container app.

+1. In the app's management page, from the left menu, select **Deployment Center**.

+ The deployment center shows you all the containers in the app. Right now, it only has the main container.

+1. Select **Add** and configure the new container as follows:

+ - **Name**: *otel-collector*

+ - **Image source**: **Azure Container Registry**

+ - **Registry**: The registry created by `azd provision`

+ - **Image**: **otel-collector**

+ - **Tag**: **latest**

+ - **Port**: **4317**

+ Port 4317 is the default port used by the sample container to receive OpenTelemetry data. It's accessible from any other container in the app at `localhost:4317`. This is exactly how the Nginx container sends data to the sidecar (see the [OpenTelemetry module configuration for the sample Nginx image](https://github.com/Azure-Samples/app-service-sidecar-tutorial-prereqs/blob/main/images/nginx/opentelemetry_module.conf)).

+1. Select **Apply**.

+ :::image type="content" source="media/tutorial-custom-container-sidecar/add-sidecar-container.png" alt-text="Screenshot showing how to configure a sidecar container in a web app's deployment center.":::

+ You should now see two containers in the deployment center. The main container is marked **Main**, and the sidecar container is marked **Sidecar**. Each app must have one main container but can have multiple sidecar containers.

+## 4. Configure environment variables

+For the sample scenario, the otel-collector sidecar is configured to export the OpenTelemetry data to Azure Monitor, but it needs the connection string as an environment variable (see the [OpenTelemetry configuration file for the otel-collector image](https://github.com/Azure-Samples/app-service-sidecar-tutorial-prereqs/blob/main/images/otel-collector/otel-collector-config.yaml)).

+You configure environment variables for the containers like any App Service app, by configuring [app settings](configure-common.md#configure-app-settings). The app settings are accessible to all the containers in the app.

+1. In the app's management page, from the left menu, select **Configuration**.

+1. Add an app setting by selecting **New application setting** and configure it as follows:

+ - **Name**: *APPLICATIONINSIGHTS_CONNECTION_STRING*

+ - **Value**: The connection string in the output of `azd provision`

+1. Select **Save**, then select **Continue**.

+ :::image type="content" source="media/tutorial-custom-container-sidecar/configure-app-settings.png" alt-text="Screenshot showing a web app's Configuration page with two app settings added.":::

+> [!NOTE]

+> Certain app settings don't apply to sidecar-enabled apps. For more information, see [Differences for sidecar-enabled apps](#differences-for-sidecar-enabled-apps)

+## 5. Verify in Application Insights

+The otel-collector sidecar should export data to Application Insights now.

+1. Back in the browser tab for `https://<app-name>.azurewebsites.net`, refresh the page a few times to generate some web requests.

+1. Go back to the resource group overview page, select the Application Insights resource. You should now see some data in the default charts.

+ :::image type="content" source="media/tutorial-custom-container-sidecar/app-insights-view.png" alt-text="Screenshot of the Application Insights page showing data in the default charts.":::

+> [!NOTE]

+> In this very common monitoring scenario, Application Insights is just one of the OpenTelemetry targets you can use, such as Jaeger, Prometheus, and Zipkin.

+## Clean up resources

+When you no longer need the environment, you can delete the resource group, App service, and all related resources. Just run this command in the Cloud Shell, in the cloned repository:

+```azurecli-interactive

+azd down

+```

+## Differences for sidecar-enabled apps

+You configure sidecar-enabled apps differently than apps that aren't sidecar-enabled. Specifically, you don't configure the main container and sidecars with app settings, but directly in the resource properties. These app settings don't apply for sidecar-enabled apps:

+- Registry authentication settings: `DOCKER_REGISTRY_SERVER_URL`, `DOCKER_REGISTRY_SERVER_USERNAME` and `DOCKER_REGISTRY_SERVER_PASSWORD`.

+- Container port: `WEBSITES_PORT`

+## More resources

+- [Configure custom container](configure-custom-container.md)

+- [Deploy custom containers with GitHub Actions](deploy-container-github-action.md)

+- [OpenTelemetry](https://opentelemetry.io/)

+> [!div class="nextstepaction"]

+> [Configure sidecar](configure-custom-container.md)

+> [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md)

+> Sidecar containers (preview) will succeed multi-container apps in App Service. To get started, see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

+> [!NOTE]

+> WebJobs for **Windows container**, **Linux code**, and **Linux container** is in preview. WebJobs for Windows code is generally available and not in preview.

+WebJobs is a feature of [Azure App Service](index.yml) that enables you to run a program or script in the same instance as a web app. There's no extra cost to use WebJobs.

+You can use the Azure WebJobs SDK with WebJobs to simplify many programming tasks. For more information, see [What is the WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki).

+### <a name="acceptablefiles"></a>Supported file types for scripts or programs

+### [Windows code](#tab/windowscode)

+The following file types are supported:<br>

+**.cmd**, **.bat**, **.exe** (using Windows cmd)<br>**.ps1** (using PowerShell)<br>**.sh** (using Bash)<br>**.php** (using PHP)<br>**.py** (using Python)<br>**.js** (using Node.js)<br>**.jar** (using Java)<br><br>The necessary runtimes to run these file types are already installed on the web app instance.

+### [Windows container](#tab/windowscontainer)

+> [!NOTE]

+> WebJobs for Windows container is in preview.

+>

+The following file types are supported:<br>

+**.cmd**, **.bat**, **.exe** (using Windows cmd)<br><br>In addition to these file types, WebJobs written in the language runtime of the Windows container app.<br>Example: .jar and .war scripts if the container is a Java app.

+### [Linux code](#tab/linuxcode)

+> [!NOTE]

+> WebJobs for Linux code is in preview.

+>

+**.sh** scripts are supported.<br><br>In addition to shell scripts, WebJobs written in the language of the selected runtime are also supported.<br>Example: Python (.py) scripts if the main site is a Python code app.

+### [Linux container](#tab/linuxcontainer)

+> [!NOTE]

+> WebJobs for Linux container is in preview.

+>

+**.sh** scripts are supported. <br><br>In addition to shell scripts, WebJobs written in the language runtime of the Linux container app are also supported. <br>Example: Node (.js) scripts if the site is a Node.js app.

+### Continuous vs. triggered WebJobs

+The following table describes the differences between *continuous* and *triggered* WebJobs:

+ | **Scale** | Multi Instance | Available only for Continuous WebJobs. Determines whether the program or script runs on all instances or one instance. The option to run on multiple instances doesn't apply to the Free or Shared [pricing tiers](https://azure.microsoft.com/pricing/details/app-service/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). |

+You can manage the running state individual WebJobs running in your site in the [Azure portal](https://portal.azure.com). Go to **Settings** > **WebJobs**, choose the WebJob, and you can start and stop the WebJob. You can also view and modify the password of the webhook that runs the WebJob.

+The following is a list of common WebJob statuses:

+- **Initializing** The app has started and the WebJob is going through its initialization process.

+- **Aborted** This can occur for many of reasons, such as when a long-running WebJob reaches the timeout marker.

+- For Python 2.7, Windows Hybrid Runbook Workers are supported with [python 2.7](https://www.python.org/downloads/release/python-270/) installed.

+On a Windows 64-bit machine with [Python2.7](https://www.python.org/downloads/release/python-270/) and [pip](https://pip.pypa.io/en/stable/) installed, run the following command to download a package and all its dependencies:

+For examples of using other Node.js clients, see the individual documentation for the Node.js clients listed at [Node.js Redis clients](https://redis.io/docs/connect/clients/nodejs/).

+In addition to Azure Stack Hub, which is intended for on-premises deployment (for example, in a data center), a ruggedized and field-deployable version called [Tactical Azure Stack Hub](https://www.dell.com/support/manuals/en-us/cloud-for-microsoft-azure-stack14g/cas_pub_tech_book/dell-integrated-system-for-microsoft-azure-stack-hub-tactical?guid=guid-3b3ec158-8940-45e4-b637-3d761cfe4a14&lang=en-us) is also available to address tactical edge deployments for limited or no connectivity, fully mobile requirements, and harsh conditions requiring military specification solutions.

+[Tactical Azure Stack Hub](https://www.dell.com/support/manuals/en-us/cloud-for-microsoft-azure-stack14g/cas_pub_tech_book/dell-integrated-system-for-microsoft-azure-stack-hub-tactical?guid=guid-3b3ec158-8940-45e4-b637-3d761cfe4a14&lang=en-us) is also available to address tactical edge deployments for limited or no connectivity, fully mobile requirements, and harsh conditions requiring military specification solutions. Figure 8 depicts key enabling services that you can provision to accommodate various workloads on Azure.

+- In addition to Azure Stack Hub, which is intended for on-premises deployment (for example, in a data center), a ruggedized and field-deployable version called [Tactical Azure Stack Hub](https://www.dell.com/support/manuals/en-us/cloud-for-microsoft-azure-stack14g/cas_pub_tech_book/dell-integrated-system-for-microsoft-azure-stack-hub-tactical?guid=guid-3b3ec158-8940-45e4-b637-3d761cfe4a14&lang=en-us) is also available to address tactical edge deployments for limited or no connectivity, fully mobile requirements, and harsh conditions requiring military specification solutions.

+- **Non-traditional cloud service needs:** What options does Microsoft provide for periodically internet free/disconnected environments? **Answer:** In addition to [Azure Stack Hub](https://azure.microsoft.com/products/azure-stack/hub/), which is intended for on-premises deployment and disconnected scenarios, a ruggedized and field-deployable version called [Tactical Azure Stack Hub](https://www.dell.com/support/manuals/en-us/cloud-for-microsoft-azure-stack14g/cas_pub_tech_book/dell-integrated-system-for-microsoft-azure-stack-hub-tactical?guid=guid-3b3ec158-8940-45e4-b637-3d761cfe4a14&lang=en-us) is also available to address tactical edge deployments for limited or no connectivity, fully mobile requirements, and harsh conditions requiring military specification solutions.

+The following table provides the full list of values for zoom levels where the tile size is **256** pixels square:

+ Title: Configure Argo CD integration for Prometheus metrics in Azure Monitor

+description: Describes how to configure Argo CD monitoring using Prometheus metrics in Azure Monitor to Kubernetes cluster.

+# Argo CD

+Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD follows the GitOps pattern of using Git repositories as the source of truth for defining the desired application state. It automates the deployment of the desired application states in the specified target environments. Application deployments can track updates to branches, tags, or pinned to a specific version of manifests at a Git commit.

+This article describes how to configure Azure Managed Prometheus with Azure Kubernetes Service(AKS) to monitor Argo CD by scraping prometheus metrics.

+## Prerequisites

+### Deploy Service Monitors

+Deploy the following service monitors to configure Azure managed prometheus addon to scrape prometheus metrics from the argocd workload.

+> [!NOTE]

+> Please specify the right labels in the matchLabels for the service monitors if they do not match the configured ones in the sample.

+```yaml

+apiVersion: azmonitoring.coreos.com/v1

+kind: ServiceMonitor

+metadata:

+ name: azmon-argocd-metrics

+spec:

+ labelLimit: 63

+ labelNameLengthLimit: 511

+ labelValueLengthLimit: 1023

+ selector:

+ matchLabels:

+ app.kubernetes.io/name: argocd-metrics

+ namespaceSelector:

+ any: true

+ endpoints:

+ - port: metrics

+apiVersion: azmonitoring.coreos.com/v1

+kind: ServiceMonitor

+metadata:

+ name: azmon-argocd-repo-server-metrics

+spec:

+ labelLimit: 63

+ labelNameLengthLimit: 511

+ labelValueLengthLimit: 1023

+ selector:

+ matchLabels:

+ app.kubernetes.io/name: argocd-repo-server

+ namespaceSelector:

+ any: true

+ endpoints:

+ - port: metrics

+apiVersion: azmonitoring.coreos.com/v1

+kind: ServiceMonitor

+metadata:

+ name: azmon-argocd-server-metrics

+spec:

+ labelLimit: 63

+ labelNameLengthLimit: 511

+ labelValueLengthLimit: 1023

+ selector:

+ matchLabels:

+ app.kubernetes.io/name: argocd-server-metrics

+ namespaceSelector:

+ any: true

+ endpoints:

+ - port: metrics

+ ```

+> [!NOTE]

+> If you want to configure any other service or pod monitors, please follow the instructions [here](prometheus-metrics-scrape-crd.md#create-a-pod-or-service-monitor).

+### Deploy Rules

+1. Download the template and parameter files

+ **Alerting Rules**

+ - [Template file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/Argo/argocd-alerting-rules.json)

+ - [Parameter file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/Alert-Rules-Parameters.json)

+2. Edit the following values in the parameter files. Retrieve the resource ID of the resources from the **JSON View** of their **Overview** page.

+ | Parameter | Value |

+ |:|:|

+ | `azureMonitorWorkspace` | Resource ID for the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `location` | Location of the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `clusterName` | Name of the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `actionGroupId` | Resource ID for the alert action group. Retrieve from the **JSON view** on the **Overview** page for the action group. Learn more about [action groups](../alerts/action-groups.md) |

+3. Deploy the template by using any standard methods for installing ARM templates. For guidance, see [ARM template samples for Azure Monitor](../resource-manager-samples.md).

+4. Once deployed, you can view the rules in the Azure portal as described in - [Prometheus Alerts](../essentials/prometheus-rule-groups.md#view-prometheus-rule-groups)

+> [!Note]

+> Review the alert thresholds to make sure it suits your cluster/workloads and update it accordingly.

+>

+> Please note that the above rules are not scoped to a cluster. If you would like to scope the rules to a specific cluster, see [Limiting rules to a specific cluster](../essentials/prometheus-rule-groups.md#limiting-rules-to-a-specific-cluster) for more details.

+>

+> Learn more about [Prometheus Alerts](../essentials/prometheus-rule-groups.md).

+>

+> If you want to use any other OSS prometheus alerting/recording rules please use the converter here to create the azure equivalent prometheus rules [az-prom-rules-converter](https://aka.ms/az-prom-rules-converter)

+### Import the Grafana Dashboard

+To import the grafana dashboards using the ID or JSON, follow the instructions to [Import a dashboard from Grafana Labs](../../managed-grafan#import-a-grafana-dashboard). </br>

+[ArgoCD](https://grafana.com/grafana/dashboards/14584-argocd/)(ID-14191)

+### Troubleshooting

+When the service monitors is successfully applied, if you want to make sure that the service monitor targets get picked up by the addon, follow the instructions [here](prometheus-metrics-troubleshoot.md#prometheus-interface).

+ Title: Configure Elasticsearch integration for Prometheus metrics in Azure Monitor

+description: Describes how to configure Elasticsearch monitoring using Prometheus metrics in Azure Monitor to Kubernetes cluster.

+# Elasticsearch

+Elasticsearch is the distributed search and analytics engine at the heart of the Elastic Stack. It is where the indexing, search, and analysis magic happen.

+This article describes how to configure Azure Managed Prometheus with Azure Kubernetes Service(AKS) to monitor elastic search clusters by scraping prometheus metrics.

+## Prerequisites

+### Install Elasticsearch Exporter

+Install the [Elasticsearch exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-elasticsearch-exporter) using the helm chart.

+```bash

+helm install azmon-elasticsearch-exporter --version 5.7.0 prometheus-community/prometheus-elasticsearch-exporter --set es.uri="https://username:password@elasticsearch-service.namespace:9200" --set podMonitor.enabled=true --set podMonitor.apiVersion=azmonitoring.coreos.com/v1

+```

+> [!NOTE]

+> Managed prometheus pod/service monitor configuration with helm chart installation is only supported with the helm chart version >=5.7.0.

+>

+> The [prometheus-elasticsearch-exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-elasticsearch-exporter) helm chart can be configured with [values](https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-elasticsearch-exporter/values.yaml) yaml.

+Please specify the right server address where the Elasticsearch server can be reached. Based on your configuration set the username,password or certs used to authenticate with the Elasticsearch server. Set the address where Elasticsearch is reachable using the argument "es.uri" ex - .

+>

+> You could also use service monitor, instead of pod monitor by using the **--set serviceMonitor.enabled=true** helm chart paramaters. Make sure to use the api version supported by Azure Managed Prometheus using the parameter **serviceMonitor.apiVersion=azmonitoring.coreos.com/v1**.

+>

+> If you want to configure any other service or pod monitors, please follow the instructions [here](prometheus-metrics-scrape-crd.md#create-a-pod-or-service-monitor).

+### Deploy Rules

+1. Download the template and parameter files

+ **Recording Rules**

+ - [Template file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/ElasticSearch/elasticsearch-recording-rules.json)

+ - [Parameter file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/Recording-Rules-Parameters.json)

+ **Alerting Rules**

+ - [Template file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/ElasticSearch/elasticsearch-alerting-rules.json)

+ - [Parameter file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/Alert-Rules-Parameters.json)

+2. Edit the following values in the parameter files. Retrieve the resource ID of the resources from the **JSON View** of their **Overview** page.

+ | Parameter | Value |

+ |:|:|

+ | `azureMonitorWorkspace` | Resource ID for the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `location` | Location of the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `clusterName` | Name of the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `actionGroupId` | Resource ID for the alert action group. Retrieve from the **JSON view** on the **Overview** page for the action group. Learn more about [action groups](../alerts/action-groups.md) |

+3. Deploy the template by using any standard methods for installing ARM templates. For guidance, see [ARM template samples for Azure Monitor](../resource-manager-samples.md).

+4. Once deployed, you can view the rules in the Azure portal as described in - [Prometheus Alerts](../essentials/prometheus-rule-groups.md#view-prometheus-rule-groups)

+> [!Note]

+> Review the alert thresholds to make sure it suits your cluster/worklaods and update it accordingly.

+>

+> Please note that the above rules are not scoped to a cluster. If you would like to scope the rules to a specific cluster, see [Limiting rules to a specific cluster](../essentials/prometheus-rule-groups.md#limiting-rules-to-a-specific-cluster) for more details.

+>

+> Learn more about [Prometheus Alerts](../essentials/prometheus-rule-groups.md).

+>

+> If you want to use any other OSS prometheus alerting/recording rules please use the converter here to create the azure equivalent prometheus rules [az-prom-rules-converter](https://aka.ms/az-prom-rules-converter)

+### Import the Grafana Dashboard

+Follow the instructions on [Import a dashboard from Grafana Labs](../../managed-grafan#import-a-grafana-dashboard) to import the grafana dashboards using the ID or JSON.</br>

+[Elastic Search Overview](https://github.com/grafana/jsonnet-libs/blob/master/elasticsearch-mixin/dashboards/elasticsearch-overview.json)(ID-2322)</br>

+[Elasticsearch Exporter Quickstart and Dashboard](https://grafana.com/grafana/dashboards/14191-elasticsearch-overview/)(ID-14191)

+### Troubleshooting

+When the service monitors is successfully applied, if you want to make sure that the service monitor targets get picked up by the addon, follow the instructions [here](prometheus-metrics-troubleshoot.md#prometheus-interface).

+ Title: Configure Kafka integration for Prometheus metrics in Azure Monitor

+description: Describes how to configure Kafka monitoring using Prometheus metrics in Azure Monitor to Kubernetes cluster.

+# Apache Kafka

+Apache Kafka is an open-source distributed event streaming platform used by high-performance data pipelines, streaming analytics, data integration, and mission-critical applications.

+This article describes how to configure Azure Managed Prometheus with Azure Kubernetes Service(AKS) to monitor kafka clusters by scraping prometheus metrics.

+## Prerequisites

+### Install Kafka Exporter

+Install the [Kafka Exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-kafka-exporter) using the helm chart.

+```bash

+helm install azmon-kafka-exporter --namespace=azmon-kafka-exporter --create-namespace --version 2.10.0 prometheus-community/prometheus-kafka-exporter --set kafkaServer="{kafka-server.namespace.svc:9092,.....}" --set prometheus.serviceMonitor.enabled=true --set prometheus.serviceMonitor.apiVersion=azmonitoring.coreos.com/v1

+```

+> [!NOTE]

+> Managed prometheus pod/service monitor configuration with helm chart installation is only supported with the helm chart version >=2.10.0.

+>

+> The [prometheus kafka exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-kafka-exporter) helm chart can be configured with [values](https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-kafka-exporter/values.yaml) yaml.

+Please specify the right server addresses where the kafka servers can be reached. Set the server address(es) using the argument "kafkaServer".

+>

+> If you want to configure any other service or pod monitors, please follow the instructions [here](prometheus-metrics-scrape-crd.md#create-a-pod-or-service-monitor).

+### Import the Grafana Dashboard

+To import the Grafana Dashboards using the ID or JSON, follow the instructions to [Import a dashboard from Grafana Labs](../../managed-grafan#import-a-grafana-dashboard). </br>

+[Kafka Exporter Grafana Dashboard](https://grafana.com/grafana/dashboards/7589-kafka-exporter-overview/)(ID-7589)

+### Deploy Rules

+1. Download the template and parameter files

+ **Alerting Rules**

+ - [Template file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/Kafka/kafka-alerting-rules.json)

+ - [Parameter file](https://github.com/Azure/prometheus-collector/blob/main/Azure-ARM-templates/Workload-Rules/Alert-Rules-Parameters.json)

+2. Edit the following values in the parameter files. Retrieve the resource ID of the resources from the **JSON View** of their **Overview** page.

+ | Parameter | Value |

+ |:|:|

+ | `azureMonitorWorkspace` | Resource ID for the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `location` | Location of the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `clusterName` | Name of the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `actionGroupId` | Resource ID for the alert action group. Retrieve from the **JSON view** on the **Overview** page for the action group. Learn more about [action groups](../alerts/action-groups.md) |

+3. Deploy the template by using any standard methods for installing ARM templates. For guidance, see [ARM template samples for Azure Monitor](../resource-manager-samples.md).

+4. Once deployed, you can view the rules in the Azure portal as described in - [Prometheus Alerts](../essentials/prometheus-rule-groups.md#view-prometheus-rule-groups)

+> [!Note]

+> Review the alert thresholds to make sure it suits your cluster/workloads and update it accordingly.

+>

+> Please note that the above rules are not scoped to a cluster. If you would like to scope the rules to a specific cluster, see [Limiting rules to a specific cluster](../essentials/prometheus-rule-groups.md#limiting-rules-to-a-specific-cluster) for more details.

+>

+> Learn more about [Prometheus Alerts](../essentials/prometheus-rule-groups.md).

+>

+> If you want to use any other OSS prometheus alerting/recording rules please use the converter here to create the azure equivalent prometheus rules [az-prom-rules-converter](https://aka.ms/az-prom-rules-converter)

+### More jmx_exporter metrics using strimzi

+If you are using the [strimzi operator](https://github.com/strimzi/strimzi-kafka-operator.git) for deploying the kafka clusters, deploy the pod monitors to get more jmx_exporter metrics.

+> [!Note]

+> Metrics need to be exposed by the kafka cluster deployments like the examples [here](https://github.com/strimzi/strimzi-kafka-operator/tree/main/examples/metrics). Refer to the kafka-.*-metrics.yaml files to configure metrics to be exposed.

+>

+>The pod monitors here also assume that the namespace where the kafka workload is deployed in 'kafka'. Update it accordingly if the workloads are deployed in another namespace.

+```yaml

+apiVersion: azmonitoring.coreos.com/v1

+kind: PodMonitor

+metadata:

+ name: azmon-cluster-operator-metrics

+ labels:

+ app: strimzi

+spec:

+ selector:

+ matchLabels:

+ strimzi.io/kind: cluster-operator

+ namespaceSelector:

+ matchNames:

+ - kafka

+ podMetricsEndpoints:

+ - path: /metrics

+ port: http

+apiVersion: azmonitoring.coreos.com/v1

+kind: PodMonitor

+metadata:

+ name: azmon-entity-operator-metrics

+ labels:

+ app: strimzi

+spec:

+ selector:

+ matchLabels:

+ app.kubernetes.io/name: entity-operator

+ namespaceSelector:

+ matchNames:

+ - kafka

+ podMetricsEndpoints:

+ - path: /metrics

+ port: healthcheck

+apiVersion: azmonitoring.coreos.com/v1

+kind: PodMonitor

+metadata:

+ name: azmon-bridge-metrics

+ labels:

+ app: strimzi

+spec:

+ selector:

+ matchLabels:

+ strimzi.io/kind: KafkaBridge

+ namespaceSelector:

+ matchNames:

+ - kafka

+ podMetricsEndpoints:

+ - path: /metrics

+ port: rest-api

+apiVersion: azmonitoring.coreos.com/v1

+kind: PodMonitor

+metadata:

+ name: azmon-kafka-resources-metrics

+ labels:

+ app: strimzi

+spec:

+ selector:

+ matchExpressions:

+ - key: "strimzi.io/kind"

+ operator: In

+ values: ["Kafka", "KafkaConnect", "KafkaMirrorMaker", "KafkaMirrorMaker2"]

+ namespaceSelector:

+ matchNames:

+ - kafka

+ podMetricsEndpoints:

+ - path: /metrics

+ port: tcp-prometheus

+ relabelings:

+ - separator: ;

+ regex: __meta_kubernetes_pod_label_(strimzi_io_.+)

+ replacement: $1

+ action: labelmap

+ - sourceLabels: [__meta_kubernetes_namespace]

+ separator: ;

+ regex: (.*)

+ targetLabel: namespace

+ replacement: $1

+ action: replace

+ - sourceLabels: [__meta_kubernetes_pod_name]

+ separator: ;

+ regex: (.*)

+ targetLabel: kubernetes_pod_name

+ replacement: $1

+ action: replace

+ - sourceLabels: [__meta_kubernetes_pod_node_name]

+ separator: ;

+ regex: (.*)

+ targetLabel: node_name

+ replacement: $1

+ action: replace

+ - sourceLabels: [__meta_kubernetes_pod_host_ip]

+ separator: ;

+ regex: (.*)

+ targetLabel: node_ip

+ replacement: $1

+ action: replace

+```

+#### Alerts with strimzi

+Rich set of alerts based off of strimzi metrics can also be configured by refering to the [examples](https://github.com/strimzi/strimzi-kafka-operator/blob/main/examples/metrics/prometheus-install/prometheus-rules.yaml).

+> [!NOTE]

+> If using any other way of exposing the jmx_exporter on your kafka cluster, please follow the instructions [here](prometheus-metrics-scrape-crd.md) on how to configure the pod or service monitors accordingly.

+### Grafana Dashboards for more jmx metrics with strimzi

+Please also see the [grafana-dashboards-for-strimzi](https://github.com/strimzi/strimzi-kafka-operator/tree/main/examples/metrics/grafana-dashboards) to view dashboards for metrics exposed by strimzi operator.

+### Troubleshooting

+When the service monitors or pod monitors are successfully applied, if you want to make sure that the service monitor targets get picked up by the addon, follow the instructions [here](prometheus-metrics-troubleshoot.md#prometheus-interface).

+The **Appearance + startup views** pane has two sections. The **Appearance** section lets you choose menu behavior, your color theme, and whether to use a high-contrast theme.

+After making the desired changes to your language and regional format settings, select **Apply**.

+The email address you provide here is used when we need to contact you for updates on Azure services, billing, support, or security issues. You can change this address at any time.

+You can also indicate whether you'd like to receive additional emails about Microsoft Azure and other Microsoft products and services. If you select the checkbox to receive these emails, you'll be prompted to select the country/region in which you'll receive these emails. Note that certain countries/regions may not be available. You only need to specify a country/region if you want to receive these additional emails; selecting a country/region isn't required in order to receive emails about your Azure account at the address you provide in this section.

+If you've made changes to the Azure portal settings and want to discard them, select **Restore default settings** from the top of the **My information** pane. You'll be prompted to confirm this action. If you do so, any changes you've made to your Azure portal settings are lost. This option doesn't affect dashboard customizations.

+| Microsoft.ContainerRegistry/registries | listBuildSourceUploadUrl |

+| Microsoft.ContainerRegistry/registries | listBuildSourceUploadUrl |

+- Germany West Central (on AV36, and AV36P)

+ Title: Configure CMK encryption at rest in Azure VMware Solution

+description: Learn how to encrypt data in Azure VMware Solution with customer-managed keys by using Azure Key Vault.

+This article illustrates how to encrypt VMware vSAN key encryption keys (KEKs) with customer-managed keys (CMKs) managed by a customer-owned Azure Key Vault instance.

+When CMK encryptions are enabled on your Azure VMware Solution private cloud, Azure VMware Solution uses the CMK from your key vault to encrypt the vSAN KEKs. Each ESXi host that participates in the vSAN cluster uses randomly generated disk encryption keys (DEKs) that ESXi uses to encrypt disk data at rest. vSAN encrypts all DEKs with a KEK provided by the Azure VMware Solution key management system. The Azure VMware Solution private cloud and the key vault don't need to be in the same subscription.

+When you manage your own encryption keys, you can:

+- Revoke Azure access to the KEK.

+The CMKs feature supports the following key types and their key sizes:

+- **RSA**: 2048, 3072, 4096

+- **RSA-HSM**: 2048, 3072, 4096

+The following diagram shows how Azure VMware Solution uses Microsoft Entra ID and a key vault to deliver the CMK.

+Before you begin to enable CMK functionality, ensure that the following requirements are met:

+- You need a key vault to use CMK functionality. If you don't have a key vault, you can create one by using [Quickstart: Create a key vault using the Azure portal](../key-vault/general/quick-create-portal.md).

+- If you enabled restricted access to Key Vault, you need to allow Microsoft Trusted Services to bypass the Key Vault firewall. Go to [Configure Azure Key Vault networking settings](../key-vault/general/how-to-azure-key-vault-network-security.md?tabs=azure-portal) to learn more.

+ >After firewall rules are in effect, users can only perform Key Vault [data plane](../key-vault/general/security-features.md#privileged-access) operations when their requests originate from allowed VMs or IPv4 address ranges. This restriction also applies to accessing Key Vault from the Azure portal. It also affects the Key Vault Picker by Azure VMware Solution. Users might be able to see a list of key vaults, but not list keys, if firewall rules prevent their client machine or the user doesn't have list permission in Key Vault.

+- Enable System Assigned identity on your Azure VMware Solution private cloud if you didn't enable it during software-defined datacenter (SDDC) provisioning.

+ To enable System Assigned identity:

+ 1. Sign in to the Azure portal.

+ 1. Go to **Azure VMware Solution** and locate your SDDC.

+ 1. On the leftmost pane, open **Manage** and select **Identity**.

+ 1. In **System Assigned**, select **Enable** > **Save**.

+ **System Assigned identity** should now be enabled.

+ After System Assigned identity is enabled, you see the tab for **Object ID**. Make a note of the Object ID for use later.

+ Get the private cloud resource ID and save it to a variable. You need this value in the next step to update the resource with System Assigned identity.

+ To configure the system-assigned identity on Azure VMware Solution private cloud with the Azure CLI, call [az-resource-update](/cli/azure/resource?view=azure-cli-latest#az-resource-update&preserve-view=true) and provide the variable for the private cloud resource ID that you previously retrieved.

+- Configure the key vault access policy to grant permissions to the managed identity. You use it to authorize access to the key vault.

+ 1. Sign in to the Azure portal.

+ 1. Go to **Key vaults** and locate the key vault you want to use.

+ 1. On the leftmost pane, underΓÇ»**Settings**, selectΓÇ»**Access policies**.

+ 1. InΓÇ»**Access policies**, selectΓÇ»**Add Access Policy** and then:

+ 1. In the **Key Permissions** dropdown, choose **Select**, **Get**, **Wrap Key**, and **Unwrap Key**.

+ 1. Under **Select principal**, select **None selected**. A new **Principal** window with a search box opens.

+ 1. In the search box, paste the **Object ID** from the previous step. Or search for the private cloud name you want to use. Choose **Select** when you're finished.

+ 1. Verify that the new policy appears under the current policy's Application section.

+ Get the principal ID for the system-assigned managed identity and save it to a variable. You need this value in the next step to create the key vault access policy.

+ To configure the key vault access policy with the Azure CLI, call [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy). Provide the variable for the principal ID that you previously retrieved for the managed identity.

+ Learn more about how to [assign a Key Vault access policy](../key-vault/general/assign-access-policy.md?tabs=azure-portal).

+You can change the CMK by creating a new version of the key. The creation of a new version doesn't interrupt the virtual machine (VM) workflow.

+In Azure VMware Solution, CMK key version rotation depends on the key selection setting that you chose during CMK setup.

+### Key selection setting 1

+A customer enables CMK encryption without supplying a specific key version for CMK. Azure VMware Solution selects the latest key version for CMK from the customer's key vault to encrypt the vSAN KEKs. Azure VMware Solution tracks the CMK for version rotation. When a new version of the CMK key in Key Vault is created, it gets captured by Azure VMware Solution automatically to encrypt vSAN KEKs.

+>Azure VMware Solution can take up to 10 minutes to detect a new autorotated key version.

+### Key selection setting 2

+> Ensure that Key Vault is in the same region as the Azure VMware Solution private cloud.

+Go to your Key Vault instance and provide access to the SDDC on Key Vault by using the principal ID captured on the **Enable MSI** tab.

+1. From your Azure VMware Solution private cloud, under **Manage**, select **Encryption**. Then select **Customer-managed keys (CMKs)**.

+1. CMK provides two options for **Key Selection** from Key Vault:

+ Option 1:

+ 1. Under **Encryption key**, choose **select from Key Vault**.

+ 1. Select the encryption type. Then select the **Select Key Vault and key** option.

+ 1. Select the **Key Vault and key** from the dropdown. Then choose **Select**.

+ Option 2:

+ 1. Under **Encryption key**, select **Enter key from URI**.

+ 1. Enter a specific Key URI in the **Key URI** box.

+ > If you want to select a specific key version instead of the automatically selected latest version, you need to specify the Key URI with the key version. This choice affects the CMK key version lifecycle.

+ The Key Vault Managed Hardware Security Module (HSM) option is only supported with the Key URI option.

+To configure CMKs for an Azure VMware Solution private cloud with automatic updating of the key version, call [az vmware private-cloud add-cmk-encryption](/cli/azure/vmware/private-cloud?view=azure-cli-latest#az-vmware-private-cloud-add-cmk-encryption&preserve-view=true). Get the key vault URL and save it to a variable. You need this value in the next step to enable CMK.

+### Option 1

+### Option 2

+Supply the key version as an argument to use CMKs with a specific key version, as previously mentioned in the Azure portal option 2. The following example shows the customer providing a specific key version.

+## Change from a customer-managed key to a Microsoft managed key

+When a customer wants to change from a CMK to a Microsoft-managed key (MMK), the VM workload isn't interrupted. To make the change from a CMK to an MMK:

+1. Under **Manage**, select **Encryption** from your Azure VMware Solution private cloud.

+1. Select **Microsoft-managed keys (MMK)**.

+1. Select **Save**.

+Key Vault must be configured as recoverable. You need to:

+- Configure Key Vault with the **Soft Delete** option.

+Here are troubleshooting tips for some common issues you might encounter and also best practices to follow.

+### Accidental deletion of a key

+If you accidentally delete your key in the key vault, the private cloud can't perform some cluster modification operations. To avoid this scenario, we recommend that you keep soft deletes enabled in the key vault. This option ensures that if a key is deleted, it can be recovered within a 90-day period as part of the default soft-delete retention. If you're within the 90-day period, you can restore the key to resolve the issue.

+### Restore key vault permission

+If you have a private cloud that has lost access to the CMK, check if Managed System Identity (MSI) requires permissions in the key vault. The error notification returned from Azure might not correctly indicate MSI requiring permissions in the key vault as the root cause. Remember, the required permissions are `get`, `wrapKey`, and `unwrapKey`. See step 4 in [Prerequisites](#prerequisites).

+### Fix an expired key

+If you aren't using the autorotate function and the CMK expired in Key Vault, you can change the expiration date on the key.

+### Restore key vault access

+Ensure that the MSI is used for providing private cloud access to the key vault.

+### Deletion of MSI

+If you accidentally delete the MSI associated with a private cloud, you need to disable the CMK. Then follow the steps to enable the CMK from the start.

+## Next steps

+- Learn about [Azure Key Vault backup and restore](../key-vault/general/backup.md?tabs=azure-cli).

+- Learn about [Azure Key Vault recovery](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault).

+You can cancel, exchange, or refund reservations with certain limitations. For more information, see [Self-service exchanges and refunds for Azure Reservations (Note: Azure VMware Solution reservations do not fall into his category and therefore the new exchange rules donΓÇÖt apply).](../cost-management-billing/reservations/exchange-and-refund-azure-reservations.md)

+In this article, you learn how to rotate the cloudadmin credentials (vCenter Server and VMware NSX cloudadmin credentials) for your Azure VMware Solution private cloud. Although the password for this account doesn't expire, you can generate a new one at any time.

+>If you use your cloudadmin credentials to connect services to vCenter Server or NSX in your private cloud, those connections stop working after you rotate your password. Those connections also lock out the cloudadmin account unless you stop those services before you rotate the password.

+Consider and determine which services connect to vCenter Server as `cloudadmin@vsphere.local` or NSX as cloudadmin before you rotate the password. Services can include VMware services like HCX, vRealize Orchestrator, vRealize Operations Manager, VMware Horizon, or other non-Microsoft tools that are used for monitoring or provisioning.

+One way to determine which services authenticate to vCenter Server with the cloudadmin user is to inspect vSphere events by using the vSphere Client for your private cloud. After you identify such services, and before you rotate the password, you must stop these services. Otherwise, the services won't work after you rotate the password. You can also experience temporary locks on your vCenter Server cloudadmin account. Locks occur because these services continuously attempt to authenticate by using a cached version of the old credentials.

+Instead of using the cloudadmin user to connect services to vCenter Server or NSX, we recommend that you use individual accounts for each service. For more information about setting up separate accounts for connected services, see [Access and identity architecture](./architecture-identity.md).

+To begin using the Azure CLI:

+1. Update your vCenter Server cloudadmin credentials. Remember to replace `{SubscriptionID}`, `{ResourceGroup}`, and `{PrivateCloudName}` with your private cloud information.

+### Update HCX Connector

+1. Go to the on-premises HCX Connector and sign in by using the new credentials.

+ Be sure to use port **443**.

+1. On the VMware HCX dashboard, select **Site Pairing**.

+ :::image type="content" source="media/tutorial-vmware-hcx/site-pairing-complete.png" alt-text="Screenshot that shows the VMware HCX dashboard with Site Pairing highlighted.":::

+1. Select the correct connection to Azure VMware Solution and select **Edit Connection**.

+1. Provide the new vCenter Server user credentials. Select **Edit** to save the credentials. Save should show as successful.

+1. Under NSX Manager credentials, select **Generate new password**.

+Now that you've learned how to reset your vCenter Server and NSX Manager credentials for Azure VMware Solution, consider learning more about:

+It's important to take proper measures to secure your Azure VMware Solution deployments. Use the information in this article as a high-level guide to achieve your security goals.

+| Recommendation | Comments |

+| Review and follow VMware Security Best Practices. | It's important to stay updated on Azure security practices and [VMware Security Best Practices](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-412EF981-D4F1-430B-9D09-A4679C2D04E7.html). |

+| Keep up to date on VMware Security Advisories. | Subscribe to VMware notifications in `my.vmware.com`. Regularly review and remediate any [VMware Security Advisories](https://www.vmware.com/security/advisories.html). |

+| Enable Microsoft Defender for Cloud. | [Microsoft Defender for Cloud](../defender-for-cloud/index.yml) provides unified security management and advanced threat protection across hybrid cloud workloads. |

+| Follow the Microsoft Security Response Center blog. | [Microsoft Security Response Center](https://msrc-blog.microsoft.com/) |

+| Review and implement recommendations within the Azure security baseline for Azure VMware Solution. | [Azure security baseline for VMware Solution](/security/benchmark/azure/baselines/vmware-solution-security-baseline/) |

+The following recommendations for network-related security apply to Azure VMware Solution.

+| Recommendation | Comments |

+| Only allow trusted networks. | Only allow access to your environments over Azure ExpressRoute or other secured networks. Avoid exposing your management services like vCenter Server, for example, on the internet. |

+| Use Azure Firewall Premium. | If you must expose management services on the internet, use [Azure Firewall Premium](../firewall/premium-migrate.md) with both intrusion detection and detention system (IDPS) Alert and Deny mode along with Transport Layer Security (TLS) inspection for proactive threat detection. |

+| Deploy and configure network security groups on a virtual network. | Ensure that any deployed virtual network has [network security groups](../virtual-network/network-security-groups-overview.md) configured to control ingress and egress to your environment. |

+| Review and implement recommendations within the Azure security baseline for Azure VMware Solution. | [Azure security baseline for Azure VMware Solution](/security/benchmark/azure/baselines/vmware-solution-security-baseline/) |

+| Recommendation | Comments |

+| Stay current with VMware HCX service updates. | VMware HCX service updates can include new features, software fixes, and security patches. To apply service updates during a maintenance window where no new VMware HCX operations are queued up, follow [these steps](https://docs.vmware.com/en/VMware-HCX/4.1/hcx-user-guide/GUID-F4AEAACB-212B-4FB6-AC36-9E5106879222.html). |

+ Title: Azure VMware Solution addresses vulnerabilities in the infrastructure

+description: Learn about the process that Azure VMware Solution follows to address security vulnerabilities.

+# Azure VMware Solution addresses vulnerabilities in the infrastructure

+At a high level, Azure VMware Solution is an Azure service, so it must follow all the same policies and requirements that Azure follows. Azure policies and procedures dictate that Azure VMware Solution must follow the [Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl) and must meet several regulatory requirements as promised by Azure.

+Azure VMware Solution takes an in-depth approach to vulnerability and risk management. We follow the [SDL](https://www.microsoft.com/securityengineering/sdl) to ensure that we're building securely from the start. This focus on security includes working with any third-party solutions. Our services are continually assessed through automatic and manual reviews on a regular basis. We also partner with third-party partners on security hardening and early notifications of vulnerabilities within their solutions.

+- Engineering and security teams triage any signal of vulnerabilities.

+- Details within the signal are adjudicated and assigned a Common Vulnerability Scoring System (CVSS) score and risk rating according to compensating controls within the service.

+- The risk rating is used against internal bug bars, internal policies, and regulations to establish a timeline for implementing a fix.

+- Internal engineering teams partner with appropriate parties to qualify and roll out any fixes, patches, and other configuration updates necessary.

+> Communications are surfaced through [Azure Service Health portal](/azure/service-health/service-health-portal-update), [known issues](/azure/azure-vmware/azure-vmware-solution-known-issues), or email.

+Azure VMware Solution is in scope for the following certifications and regulatory requirements. The regulations listed aren't a complete list of certifications that Azure VMware Solution holds. Instead, it's a list with specific requirements around vulnerability management. These regulations don't rely on other regulations for the same purpose. For example, certain regional certifications might point to ISO requirements for vulnerability management.

+> You must be an active Microsoft customer to access the following audit reports hosted in the Service Trust Portal:

+- [PCI](https://servicetrust.microsoft.com/viewpage/PCI): See the packages for DSS and 3DS for audit information.

+- [Azure VMware Solution security recommendations](/azure/azure-vmware/concepts-security-recommendations)

+- [Azure VMware Solution security baseline](/security/benchmark/azure/baselines/azure-vmware-solution-security-baseline?toc=%2Fazure%2Fazure-vmware%2Ftoc.json)

+- [Azure defense in-depth approach to cloud vulnerabilities](https://azure.microsoft.com/blog/microsoft-azures-defense-in-depth-approach-to-cloud-vulnerabilities/)

+- [Azure compliance offerings](/azure/compliance/)

+- [Azure Service Health portal](/azure/service-health/service-health-portal-update)

+ Title: Restore VMs by using the Azure portal using Azure Backup

+## Assign network access settings during restore (preview)

+Azure Backup also allows you to configure the access options for the restored disks once the restore operation is complete. You can set the disk access preferences at the time of initiating the restore.

+>[!Note]

+>This feature is currently in preview and is available only for backed-up VMs that use private endpoint-enabled disks.

+To enable disk access on restored disks during [VM restore](#choose-a-vm-restore-configuration), choose one of the following options:

+- **Use the same network configurations as the source disk(s)**: This option allows the restored disks to use the disk access and network configurations same as that of the source disks.

+- **Enable public access from all networks**: This option allows the restored disk to be publicly accessible from all networks.

+- **Disable public access and enable private access (using disk access)**: This option allows you to disable the public access and assign disk access to the restored disks for private access.

+ :::image type="content" source="./media/backup-azure-arm-restore-vms/restored-disk-access-configuration-options.png" alt-text="Screenshot shows the access configuration options for restored disks." lightbox="./media/backup-azure-arm-restore-vms/restored-disk-access-configuration-options.png":::

+Disks enabled for access with a private endpoint | Supported.

+**Supported scenarios**:

+- Operational backup supports block blobs in standard general-purpose v2 storage accounts only. Storage accounts with hierarchical namespace enabled (that is, ADLS Gen2 accounts) aren't supported. <br><br> Also, any page blobs, append blobs, and premium blobs in your storage account won't be restored and only block blobs will be restored.

+- Blob backup is also supported when the storage account has private endpoints.

+**Other limitations**:

+To learn about Microsoft BareMetal hardware pricing, and to purchase Nutanix software, go to [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/nutanixinc.nc2_azure?tab=Overview).

+- Experiment data will appear in ARG even after using CMK. This is a known issue, but the visbility is limited to only the active subcription using CMK.

+- **Customer-Managed Keys** You need to use our 2023-10-27-preview REST API via a CLI to create CMK-enabled experiments. We don't support portal UI experiments using CMK at this time. Experiment info will appear in ARG within the subscription - this is a known issue today, but is limited to only ARG and only viewable by the subscription.

+description: Open-source vector database functionalities, examples, challenges, and solutions.

+A fully managed database service helps developers avoid the hassles from setting up, maintaining, and relying on community assistance for an open-source vector database; moreover, some managed vector database services offer a life-time free tier. An example is the Integrated Vector Database in Azure Cosmos DB for MongoDB. It allows developers to enjoy the same financial benefit associated with open-source vector databases, while the service provider handles maintenance, updates, and scalability. When itΓÇÖs time to scale up operations, upgrading is quick and easy while keeping a low [total cost of ownership (TCO)](introduction.md#low-total-cost-of-ownership-tco).

+description: Vector database functionalities, implementation, and comparison.

+### Integrated vector database vs pure vector database

+There are two common types of vector database implementations - pure vector database and integrated vector database in a NoSQL or relational database.

+A pure vector database is designed to efficiently store and manage vector embeddings, along with a small amount of metadata; it is separate from the data source from which the embeddings are derived.

+A vector database that is integrated in a highly performant NoSQL or relational database provides additional capabilities. The integrated vector database converts the existing data in a NoSQL or relational database into embeddings and stores them alongside the original data. This approach eliminates the extra cost of replicating data in a separate pure vector database. Moreover, this architecture keeps the vector embeddings and original data together, which better facilitates multi-modal data operations, and enables greater data consistency, scale, and performance.

+This capability is a part of the FinOps Framework by the FinOps Foundation, a non-profit organization dedicated to advancing cloud cost management and optimization. For more information about FinOps, including useful playbooks, training and certification programs, and more, see the [Budget management](https://www.finops.org/framework/capabilities/budgeting/) article in the FinOps Framework documentation.

+This capability is a part of the FinOps Framework by the FinOps Foundation, a non-profit organization dedicated to advancing cloud cost management and optimization. For more information about FinOps, including useful playbooks, training and certification programs, and more, see the [Workload Optimization](https://www.finops.org/framework/capabilities/workload-optimization/) article in the FinOps Framework documentation.

+| MCA - Enterprise | EA | ΓÇó The transfer isnΓÇÖt supported by Microsoft, so you must move resources yourself. For more information, see [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md).<br><br> ΓÇó Reservations and savings plans don't automatically transfer and transferring them isn't supported. |

+ - Data Box Disk can store a maximum of 100,000 files

+The compliance dashboard gives you a view of your overall compliance standing. Security for non-Azure platforms follows the same cloud-neutral security principles as Azure. Each control within the benchmark provides the same granularity and scope of technical guidance across Azure and other cloud resources.

+- Have an [application registry in ServiceNow](https://docs.servicenow.com/bundle/utah-employee-service-management/page/product/meeting-extensibility/task/create-app-registry-meeting-extensibility.html).

+ - To create the integration: Security Admin, Contributor, or Owner.

+## Connect a ServiceNow account to Defender for Cloud

+ - When an Azure DevOps environment is onboarded to Microsoft Defender for Cloud, the Microsoft Defender for DevOps Container Mapping will be automatically shared and installed in all connected Azure DevOps organizations. This will automatically inject tasks into all Azure Pipelines to collect data for container mapping.

+- For Azure DevOps, [Microsoft Security DevOps (MSDO) Extension](azure-devops-extension.md) installed on the Azure DevOps organization.

+- For GitHub, [Microsoft Security DevOps (MSDO) Action](github-action.md) configured in your GitHub repositories. Additionally, the GitHub Workflow must have "**id-token: write"** permissions for federation with Defender for Cloud. For an example, see [this YAML](https://github.com/microsoft/security-devops-action/blob/7e3060ae1e6a9347dd7de6b28195099f39852fe2/.github/workflows/on-push-verification.yml).

+1. Create one or more policy definitions in the [Azure Policy portal](../governance/policy/tutorials/create-custom-policy-definition.md), or [programmatically](../governance/policy/how-to/programmatically-create.md).

+The integration of ServiceNow and Defender for Cloud allow you to create governance rules that automatically open tickets in ServiceNow for specific recommendations or severity levels. ServiceNow tickets can be created, viewed, and linked to recommendations directly from Defender for Cloud, enabling seamless collaboration between the two platforms and facilitating efficient incident management.

+- Have an [application registry in ServiceNow](https://docs.servicenow.com/bundle/utah-employee-service-management/page/product/meeting-extensibility/task/create-app-registry-meeting-extensibility.html).

+ - To create an assignment: Admin permissions to ServiceNow.

+# Create a ticket in Defender for Cloud

+- Have an [application registry in ServiceNow](https://docs.servicenow.com/bundle/utah-employee-service-management/page/product/meeting-extensibility/task/create-app-registry-meeting-extensibility.html).

+ - To create an assignment: Admin permissions to ServiceNow.

+Extended Berkeley Packet Filter [What is eBPF?](https://ebpf.io/)

+- Single Server - General Purpose and Memory Optimized. Learn more in [PostgreSQL Single Server pricing tiers](../postgresql/concepts-pricing-tiers.md).

+- Be a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) customer.

+- [Have write access (owner/contributer) to the Azure subscription](../active-directory/privileged-identity-management/pim-how-to-activate-role.md).

+1. Locate the Build Validation section.

+1. Select **Save**.

+You can do this programmatically by calling the Update Azure DevOps Resource API exposed the Microsoft. Security

+**Description**: Category of Findings that will be annotated on pull requests.

+**Description**: The minimum severity of a finding that will be considered when creating PR annotations.

+The endpoint detection and response recommendations allow you to:

+- You must have either of the following plans enabled on Defender for Cloud enabled on your subscription:

+ - [Defender for Servers plan 2](tutorial-enable-servers-plan.md)

+ - [Defender Cloud Security Posture Management (CSPM)](tutorial-enable-cspm-plan.md)

+> Learn more about the migration and the [deprecation process of the endpoint protection related recommendations](prepare-deprecation-log-analytics-mma-agent.md#endpoint-protection-recommendations-experience).

+1. Select the affected machine.

+1. Follow the instructions to troubleshoot Microsoft Defender for Endpoint onboarding issues for [Windows](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding) or [Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux).

+After the process is completed, it can take up to 24 hours until your machine appears in the Healthy resources tab.

+description: Design a solution to protect on-premises and multicloud servers with Microsoft Defender for Servers.

+- [Container images in Azure registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/33422d8f-ab1e-42be-bc9a-38685bb567b9)

+- [Containers running in Azure should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0)

+- [Container images in AWS registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2a139383-ec7e-462a-90ac-b1b60e87d576)

+- [Containers running in AWS should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d5d1e526-363a-4223-b860-f4b6e710859f)

+- [Container images in GCP registry should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04)

+- [Containers running in GCP should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c7c1d31d-a604-4b86-96df-63448618e165)

+- [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5)

+- [Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)

+description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan.

+Azure Disk Encryption (ADE) and EncryptionAtHost provide encryption at rest coverage, as described in [Overview of managed disk encryption options - Azure Virtual Machines](/azure/virtual-machines/disk-encryption-overview), and we recommend enabling either of these on virtual machines.

+The recommendations depend on [Guest Configuration](/azure/governance/machine-configuration/overview). Prerequisites to onboard to Guest configuration should be enabled on virtual machines for the recommendations to complete compliance scans as expected.

+These recommendations will replace the recommendation "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources."

+Defender for Cloud offers customers the capability to remediate vulnerabilities in container images while they're still stored in the registry. Additionally, it conducts contextual analysis of the vulnerabilities in your environment, aiding in prioritizing remediation efforts based on the risk level associated with each vulnerability.

+|**Time drift detected** |Occurs when the UTC time of the sensor isn't synchronized with Defender for IoT on the Azure portal.<br><br>In this case, configure a Network Time Protocol (NTP) server to synchronize the sensor in UTC time.<br><br>For more information, see [Configure OT sensor settings from the Azure portal](configure-sensor-settings-portal.md#ntp). |

+| 24.1.3 |04/2024 | Major |03/2025 |

+### Version 24.1.3

+**Release date**: 04/2024

+- [Sensor time drift detection](whats-new.md#sensor-time-drift-detection)

+- Bug fixes for stability improvements

+### Version 24.1.2

+**Release date**: 02/2024

+**Supported until**: 01/2025

+This version includes the following updates and enhancements:

+## March 2024

+|Service area |Updates |

+|||

+| **OT networks** | [Sensor time drift detection](#sensor-time-drift-detection) |

+### Sensor time drift detection

+This version introduces a new troubleshooting test in the connectivity tool feature, specifically designed to identify time drift issues.

+One common challenge when connecting sensors to Defender for IoT in the Azure portal arises from discrepancies in the sensorΓÇÖs UTC time, which can lead to connectivity problems. To address this issue, we recommend that you configure a Network Time Protocol (NTP) server [in the sensor settings](configure-sensor-settings-portal.md#ntp).

+1. Select the **Resource Sharing(CORS)** tab.

+1. In the Resource Sharing(CORS) tab, select **Allowed Origins**.

+1. There can be upto 5 **Allowed Origins** added for a given instance.

+1. If you explicitly want to have ***(Wildcard)**, then in the allowed origin * can be added.

+1. If no setting is enabled on CORS page it's defaulted to Wildcard*, allow all.

+1. The other values of CORS policy like **Allowed Methods**, **Allowed Headers**, **Exposed Headers**, **Max age in seconds** are set with default values displayed on the screen.

+1. Next, select ΓÇ£**Review+Create**ΓÇ¥ after completing other tabs.

+1. Select the "**Create**" button.

+1. An **Azure Data Manager for Energy** instance is created with CORS policy.

+1. Next, once the instance is created the CORS policy set can be viewed in instance **overview** page.

+1. You can navigate to **Resource Sharing(CORS)** and see that CORS is enabled with required **Allowed Origins**.

+ [](media/how-to-enable-cors/enable-cors-4.png#lightbox)

+1. You can modify the Allowed Origins in CORS page at any time after Azure data manager for Energy instance is provisioned.

+ 1. For adding a new origin type on the box below.

+ [](media/how-to-enable-cors/enable-cors-5.png#lightbox)

+ 1. For deleting an existing allowed origin use the icon.

+ [](media/how-to-enable-cors/enable-cors-6.png#lightbox)

+ 1. If * ( wildcard all) is added in any of the allowed origins then please ensure to delete all the other individual allowed origins.

+1. Once the Allowed origin is added, the state of resource provisioning is in ΓÇ£AcceptedΓÇ¥ and during this time further modifications of CORS policy will not be possible. It takes 15 mins for CORS policies to be updated before update CORS window is available again for modifications.

+ [](media/how-to-enable-cors/enable-cors-7.png#lightbox)

+| Amsterdam Metro | Amsterdam<br>Amsterdam2 | Equinix AM5<br>Digital Realty AMS8 | 1 | West Europe | &check; | Megaport<br>Equinix<sup>1</sup><br>Colt<sup>1</sup><br>Console Connect<sup>1</sup><br>Digital Realty<sup>1</sup> |

+> To use the **Web Category Check** feature, the user must have an access of Microsoft.Network/azureWebCategories/* for **subscription** level, not resource group level.

+Note that one override can be used to replace the effect of many policies by specifying multiple values in the policyDefinitionReferenceId array. A single override can be used for up to 50 policyDefinitionReferenceIds, and a single policy assignment can contain up to 10 overrides, evaluated in the order in which they're specified. Before the assignment is created, the effect chosen in the override is validated against the policy rule and parameter allowed value list (in cases where the effect is [parameterized](./definition-structure-parameters.md)).

+[policy definition or initiative definition](./definition-structure-parameters.md). This design

+ Title: Details of the policy definition structure aliases

+description: Describes how policy definition aliases are used to establish conventions for Azure resources in your organization.

+# Azure Policy definition structure aliases

+You use property aliases to access specific properties for a resource type. Aliases enable you to restrict what values or conditions are allowed for a property on a resource. Each alias maps to paths in different API versions for a given resource type. During policy evaluation, the policy engine gets the property path for that API version.

+The list of aliases is always growing. To find which aliases Azure Policy supports, use one of the following methods:

+- Azure Policy extension for Visual Studio Code (recommended)

+ Use the [Azure Policy extension for Visual Studio Code](../how-to/extension-for-vscode.md) to view and discover aliases for resource properties.

+ :::image type="content" source="../media/extension-for-vscode/extension-hover-shows-property-alias.png" alt-text="Screenshot of the Azure Policy extension for Visual Studio Code hovering over a property to display the alias names.":::

+- Azure PowerShell

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ # Use Get-AzPolicyAlias to list available providers

+ Get-AzPolicyAlias -ListAvailable

+ # Use Get-AzPolicyAlias to list aliases for a Namespace (such as Azure Compute -- Microsoft.Compute)

+ (Get-AzPolicyAlias -NamespaceMatch 'compute').Aliases

+ ```

+ > [!NOTE]

+ > To find aliases that can be used with the [modify](./effects.md#modify) effect, use the

+ > following command in Azure PowerShell **4.6.0** or higher:

+ >

+ > ```azurepowershell-interactive

+ > Get-AzPolicyAlias | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.DefaultMetadata.Attributes -eq 'Modifiable' }

+ > ```

+- Azure CLI

+ ```azurecli-interactive

+ # Login first with az login if not using Cloud Shell

+ # List namespaces

+ az provider list --query [*].namespace

+ # Get Azure Policy aliases for a specific Namespace (such as Azure Compute -- Microsoft.Compute)

+ az provider show --namespace Microsoft.Compute --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"

+ ```

+- REST API

+ ```http

+ GET https://management.azure.com/providers/?api-version=2019-10-01&$expand=resourceTypes/aliases

+ ```

+## Understanding the array alias

+Several of the aliases that are available have a version that appears as a _normal_ name and another that has `[*]` attached to it, which is an array alias. For example:

+- `Microsoft.Storage/storageAccounts/networkAcls.ipRules`

+- `Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]`

+- The _normal_ alias represents the field as a single value. This field is for exact match comparison scenarios when the entire set of values must be exactly as defined.

+- The array alias `[*]` represents a collection of values selected from the elements of an array resource property. For example:

+| Alias | Selected values |

+|:|:|

+| `Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]` | The elements of the `ipRules` array. |

+| `Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].action` | The values of the `action` property from each element of the `ipRules` array. |

+When used in a [field](./definition-structure-policy-rule.md#fields) condition, array aliases make it possible to compare each individual array element to a target value. When used with [count](./definition-structure-policy-rule.md#count) expression, it's possible to:

+- Check the size of an array.

+- Check if all\any\none of the array elements meet a complex condition.

+- Check if exactly `n` array elements meet a complex condition.

+For more information and examples, see [Referencing array resource properties](../how-to/author-policies-for-arrays.md#referencing-array-resource-properties).

+## Next steps

+- For more information about policy definition structure, go to [basics](./definition-structure-basics.md), [parameters](./definition-structure-parameters.md), and [policy rule](./definition-structure-policy-rule.md).

+- For initiatives, go to [initiative definition structure](./initiative-definition-structure.md).

+- Review examples at [Azure Policy samples](../samples/index.md).

+- Review [Understanding policy effects](effects.md).

+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).

+- Learn how to [get compliance data](../how-to/get-compliance-data.md).

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+ Title: Details of the policy definition structure basics

+description: Describes how policy definition basics are used to establish conventions for Azure resources in your organization.

+# Azure Policy definition structure basics

+Azure Policy definitions describe resource compliance [conditions](./definition-structure-policy-rule.md#conditions) and the effect to take if a condition is met. A condition compares a resource property [field](./definition-structure-policy-rule.md#fields) or a [value](./definition-structure-policy-rule.md#value) to a required value. Resource property fields are accessed by using [aliases](./definition-structure-alias.md). When a resource property field is an array, a special [array alias](./definition-structure-alias.md#understanding-the-array-alias) can be used to select values from all array members and apply a condition to each one. Learn more about [conditions](./definition-structure-policy-rule.md#conditions).

+By using policy assignments, you can control costs and manage your resources. For example, you can specify that only certain types of virtual machines are allowed. Or, you can require that resources have a particular tag. Assignments at a scope apply to all resources at that scope and below. If a policy assignment is applied to a resource group, it's applicable to all the resources in that resource group.

+You use JSON to create a policy definition that contains elements for:

+- `displayName`

+- `description`

+- `mode`

+- `metadata`

+- `parameters`

+- `policyRule`

+ - logical evaluations

+ - `effect`

+For example, the following JSON shows a policy that limits where resources are deployed:

+```json

+{

+ "properties": {

+ "displayName": "Allowed locations",

+ "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",

+ "mode": "Indexed",

+ "metadata": {

+ "version": "1.0.0",

+ "category": "Locations"

+ },

+ "parameters": {

+ "allowedLocations": {

+ "type": "array",

+ "metadata": {

+ "description": "The list of locations that can be specified when deploying resources",

+ "strongType": "location",

+ "displayName": "Allowed locations"

+ },

+ "defaultValue": [

+ "westus2"

+ ]

+ }

+ },

+ "policyRule": {

+ "if": {

+ "not": {

+ "field": "location",

+ "in": "[parameters('allowedLocations')]"

+ }

+ },

+ "then": {

+ "effect": "deny"

+ }

+ }

+ }

+}

+```

+For more information, go to the [policy definition schema](https://schema.management.azure.com/schemas/2020-10-01/policyDefinition.json). Azure Policy built-ins and patterns are at [Azure Policy samples](../samples/index.md).

+## Display name and description

+You use `displayName` and `description` to identify the policy definition and provide context for when the definition is used. The `displayName` has a maximum length of _128_ characters and `description` a maximum length of _512_ characters.

+> [!NOTE]

+> During the creation or updating of a policy definition, `id`, `type`, and `name` are defined

+> by properties external to the JSON and aren't necessary in the JSON file. Fetching the policy

+> definition via SDK returns the `id`, `type`, and `name` properties as part of the JSON, but

+> each are read-only information related to the policy definition.

+## Policy type

+While the `policyType` property can't be set, there are three values returned by SDK and visible in the portal:

+- `Builtin`: Microsoft provides and maintains these policy definitions.

+- `Custom`: All policy definitions created by customers have this value.

+- `Static`: Indicates a [Regulatory Compliance](./regulatory-compliance.md) policy definition with

+ Microsoft **Ownership**. The compliance results for these policy definitions are the results of

+ non-Microsoft audits of Microsoft infrastructure. In the Azure portal, this value is sometimes

+ displayed as **Microsoft managed**. For more information, see

+ [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).

+## Mode

+The `mode` is configured depending on if the policy is targeting an Azure Resource Manager property or a Resource Provider property.

+### Resource Manager modes

+The `mode` determines which resource types are evaluated for a policy definition. The supported modes are:

+- `all`: evaluate resource groups, subscriptions, and all resource types

+- `indexed`: only evaluate resource types that support tags and location

+For example, resource `Microsoft.Network/routeTables` supports tags and location and is evaluated in both modes. However, resource `Microsoft.Network/routeTables/routes` can't be tagged and isn't evaluated in `Indexed` mode.

+We recommend that you set `mode` to `all` in most cases. All policy definitions created through the portal use the `all` mode. If you use PowerShell or Azure CLI, you can specify the `mode` parameter manually. If the policy definition doesn't include a `mode` value, it defaults to `all` in Azure PowerShell and to `null` in Azure CLI. A `null` mode is the same as using `indexed` to support backward compatibility.

+`indexed` should be used when creating policies that enforce tags or locations. While not required, it prevents resources that don't support tags and locations from showing up as non-compliant in the compliance results. The exception is resource groups and subscriptions. Policy definitions that enforce location or tags on a resource group or subscription should set `mode` to `all` and specifically target the `Microsoft.Resources/subscriptions/resourceGroups` or `Microsoft.Resources/subscriptions` type. For an example, see [Pattern: Tags - Sample #1](../samples/pattern-tags.md). For a list of resources that support tags, see [Tag support for Azure resources](../../../azure-resource-manager/management/tag-support.md).

+### Resource Provider modes

+The following Resource Provider modes are fully supported:

+- `Microsoft.Kubernetes.Data` for managing Kubernetes clusters and components such as pods, containers, and ingresses. Supported for Azure Kubernetes Service clusters and [Azure Arc-enabled Kubernetes clusters](../../../aks/intro-kubernetes.md). Definitions using this Resource Provider mode use the effects _audit_, _deny_, and _disabled_.

+- `Microsoft.KeyVault.Data` for managing vaults and certificates in [Azure Key Vault](../../../key-vault/general/overview.md). For more information on these policy definitions, see [Integrate Azure Key Vault with Azure Policy](../../../key-vault/general/azure-policy.md).

+- `Microsoft.Network.Data` for managing [Azure Virtual Network Manager](../../../virtual-network-manager/overview.md) custom membership policies using Azure Policy.

+The following Resource Provider modes are currently supported as a [preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/):

+- `Microsoft.ManagedHSM.Data` for managing [Managed Hardware Security Module (HSM)](../../../key-vault/managed-hsm/azure-policy.md) keys using Azure Policy.

+- `Microsoft.DataFactory.Data` for using Azure Policy to deny [Azure Data Factory](../../../data-factory/introduction.md) outbound traffic domain names not specified in an allowlist. This Resource Provider mode is enforcement only and doesn't report compliance in public preview.

+- `Microsoft.MachineLearningServices.v2.Data` for managing [Azure Machine Learning](../../../machine-learning/overview-what-is-azure-machine-learning.md) model deployments. This Resource Provider mode reports compliance for newly created and updated components. During public preview, compliance records remain for 24 hours. Model deployments that exist before these policy definitions are assigned don't report compliance.

+> [!NOTE]

+>Unless explicitly stated, Resource Provider modes only support built-in policy definitions, and exemptions are not supported at the component-level.

+## Metadata

+The optional `metadata` property stores information about the policy definition. Customers can define any properties and values useful to their organization in `metadata`. However, there are some _common_ properties used by Azure Policy and in built-ins. Each `metadata` property has a limit of 1,024 characters.

+### Common metadata properties

+- `version` (string): Tracks details about the version of the contents of a policy definition.

+- `category` (string): Determines under which category in the Azure portal the policy definition is displayed.

+- `preview` (boolean): True or false flag for if the policy definition is _preview_.

+- `deprecated` (boolean): True or false flag for if the policy definition is marked as _deprecated_.

+- `portalReview` (string): Determines whether parameters should be reviewed in the portal, regardless of the required input.

+> [!NOTE]

+> The Azure Policy service uses `version`, `preview`, and `deprecated` properties to convey level of

+> change to a built-in policy definition or initiative and state. The format of `version` is:

+> `{Major}.{Minor}.{Patch}`. Specific states, such as _deprecated_ or _preview_, are appended to the

+> `version` property or in another property as a **boolean**. For more information about the way

+> Azure Policy versions built-ins, see

+> [Built-in versioning](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md).

+> To learn more about what it means for a policy to be _deprecated_ or in _preview_, see [Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies).

+## Definition location

+While creating an initiative or policy, it's necessary to specify the definition location. The definition location must be a management group or a subscription. This location determines the scope to which the initiative or policy can be assigned. Resources must be direct members of or children within the hierarchy of the definition location to target for assignment.

+If the definition location is a:

+- **Subscription** - Only resources within that subscription can be assigned the policy definition.

+- **Management group** - Only resources within child management groups and child subscriptions can be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.

+For more information, see [Understand scope in Azure Policy](./scope.md#definition-location).

+## Next steps

+- For more information about policy definition structure, go to [parameters](./definition-structure-parameters.md), [policy rule](./definition-structure-policy-rule.md), and [alias](./definition-structure-alias.md).

+- For initiatives, go to [initiative definition structure](./initiative-definition-structure.md).

+- Review examples at [Azure Policy samples](../samples/index.md).

+- Review [Understanding policy effects](effects.md).

+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).

+- Learn how to [get compliance data](../how-to/get-compliance-data.md).

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+ Title: Details of the policy definition structure parameters

+description: Describes how policy definition parameters are used to establish conventions for Azure resources in your organization.

+# Azure Policy definition structure parameters

+Parameters help simplify your policy management by reducing the number of policy definitions. Think of parameters like the fields on a form: `name`, `address`, `city`, `state`. These parameters always stay the same but their values change based on the individual filling out the form. Parameters work the same way when building policies. By including parameters in a policy definition, you can reuse that policy for different scenarios by using different values.

+## Adding or removing parameters

+Parameters might be added to an existing and assigned definition. The new parameter must include the `defaultValue` property. This property prevents existing assignments of the policy or initiative from indirectly being made invalid.

+Parameters can't be removed from a policy definition because there might be an assignment that sets the parameter value, and that reference would become broken. Some built-in policy definitions deprecate parameters using metadata `"deprecated": true`, which hides the parameter when assigning the definition in Azure portal. While this method isn't supported for custom policy definitions, another option is to duplicate and create a new custom policy definition without the parameter.

+## Parameter properties

+A parameter uses the following properties in a policy definition:

+- `name`: The name of your parameter. Used by the `parameters` deployment function within the policy rule. For more information, see [using a parameter value](#using-a-parameter-value).

+- `type`: Determines if the parameter is a `string`, `array`, `object`, `boolean`, `integer`, `float`, or `dateTime`.

+- `metadata`: Defines subproperties primarily used by the Azure portal to display user-friendly information:

+ - `description`: The explanation of what the parameter is used for. Can be used to provide examples of acceptable values.

+ - `displayName`: The friendly name shown in the portal for the parameter.

+ - `strongType`: (Optional) Used when assigning the policy definition through the portal. Provides a context aware list. For more information, see [strongType](#strongtype).

+ - `assignPermissions`: (Optional) Set as _true_ to have Azure portal create role assignments during policy assignment. This property is useful in case you wish to assign permissions outside the assignment scope. There's one role assignment per role definition in the policy (or per role definition in all of the initiative's policies). The parameter value must be a valid resource or scope.

+ - `deprecated`: A boolean flag to indicate whether a parameter is deprecated in a built-in definition.

+- `defaultValue`: (Optional) Sets the value of the parameter in an assignment if no value is given. Required when updating an existing policy definition that is assigned. For oject-type parameters, the value must match the appropriate schema.

+- `allowedValues`: (Optional) Provides an array of values that the parameter accepts during assignment.

+ - Case sensitivity: Allowed value comparisons are case-sensitive when assigning a policy, meaning that the selected parameter values in the assignment must match the casing of values in the `allowedValues` array in the definition. However, once values are selected for the assignment, evaluation of string comparisons might be case insensitive depending on the [condition](./definition-structure-policy-rule.md#conditions) used. For example, if the parameter specifies `Dev` as an allowed tag value in an assignment, and this value is compared to an input string using the `equals` condition, then Azure Policy would later evaluate a tag value of `dev` as a match even though it's lowercase because `notEquals` is case insensitive.

+ - For object-type parameters, the values must match the appropriate schema.

+- `schema`: (Optional) Provides validation of parameter inputs during assignment using a self-defined JSON schema. This property is only supported for object-type parameters and follows the [Json.NET Schema](https://www.newtonsoft.com/jsonschema) 2019-09 implementation. You can learn more about using schemas at https://json-schema.org/ and test draft schemas at https://www.jsonschemavalidator.net/.

+## Sample parameters

+### Example 1

+As an example, you could define a policy definition to limit the locations where resources can be deployed. A parameter for that policy definition could be `allowedLocations` and used by each assignment of the policy definition to limit the accepted values. The use of `strongType` provides an enhanced experience when completing the assignment through the portal:

+```json

+"parameters": {

+ "allowedLocations": {

+ "type": "array",

+ "metadata": {

+ "description": "The list of allowed locations for resources.",

+ "displayName": "Allowed locations",

+ "strongType": "location"

+ },

+ "defaultValue": [

+ "westus2"

+ ],

+ "allowedValues": [

+ "eastus2",

+ "westus2",

+ "westus"

+ ]

+ }

+}

+```

+A sample input for this array-type parameter (without `strongType`) at assignment time might be `["westus", "eastus2"]`.

+### Example 2

+In a more advanced scenario, you could define a policy that requires Kubernetes cluster pods to use specified labels. A parameter for that policy definition could be `labelSelector` and used by each assignment of the policy definition to specify Kubernetes resources in question based on label keys and values:

+```json

+"parameters": {

+ "labelSelector": {

+ "type": "Object",

+ "metadata": {

+ "displayName": "Kubernetes label selector",

+ "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."

+ },

+ "defaultValue": {},

+ "schema": {

+ "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",

+ "type": "object",

+ "properties": {

+ "matchLabels": {

+ "description": "matchLabels is a map of {key,value} pairs.",

+ "type": "object",

+ "additionalProperties": {

+ "type": "string"

+ },

+ "minProperties": 1

+ },

+ "matchExpressions": {

+ "description": "matchExpressions is a list of values, a key, and an operator.",

+ "type": "array",

+ "items": {

+ "type": "object",

+ "properties": {

+ "key": {

+ "description": "key is the label key that the selector applies to.",

+ "type": "string"

+ },

+ "operator": {

+ "description": "operator represents a key's relationship to a set of values.",

+ "type": "string",

+ "enum": [

+ "In",

+ "NotIn",

+ "Exists",

+ "DoesNotExist"

+ ]

+ },

+ "values": {

+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",

+ "type": "array",

+ "items": {

+ "type": "string"

+ }

+ }

+ },

+ "required": [

+ "key",

+ "operator"

+ ],

+ "additionalProperties": false

+ },

+ "minItems": 1

+ }

+ },

+ "additionalProperties": false

+ }

+ },

+}

+```

+A sample input for this object-type parameter at assignment time would be in JSON format, validated by the specified schema, and might be:

+```json

+{

+ "matchLabels": {

+ "poolID": "abc123",

+ "nodeGroup": "Group1",

+ "region": "southcentralus"

+ },

+ "matchExpressions": [

+ {

+ "key": "name",

+ "operator": "In",

+ "values": [

+ "payroll",

+ "web"

+ ]

+ },

+ {

+ "key": "environment",

+ "operator": "NotIn",

+ "values": [

+ "dev"

+ ]

+ }

+ ]

+}

+```

+## Using a parameter value

+In the policy rule, you reference parameters with the following `parameters` function syntax:

+```json

+{

+ "field": "location",

+ "in": "[parameters('allowedLocations')]"

+}

+```

+This sample references the `allowedLocations` parameter that was demonstrated in [parameter properties](#parameter-properties).

+## strongType

+Within the `metadata` property, you can use `strongType` to provide a multiselect list of options within the Azure portal. `strongType` can be a supported _resource type_ or an allowed value. To determine whether a _resource type_ is valid for `strongType`, use [Get-AzResourceProvider](/powershell/module/az.resources/get-azresourceprovider). The format for a _resource type_ `strongType` is `<Resource Provider>/<Resource Type>`. For example, `Microsoft.Network/virtualNetworks/subnets`.

+Some _resource types_ not returned by `Get-AzResourceProvider` are supported. Those types are:

+- `Microsoft.RecoveryServices/vaults/backupPolicies`

+The non _resource type_ allowed values for `strongType` are:

+- `location`

+- `resourceTypes`

+- `storageSkus`

+- `vmSKUs`

+- `existingResourceGroups`

+## Next steps

+- For more information about policy definition structure, go to [basics](./definition-structure-basics.md), [policy rule](./definition-structure-policy-rule.md), and [alias](./definition-structure-alias.md).

+- For initiatives, go to [initiative definition structure](./initiative-definition-structure.md).

+- Review examples at [Azure Policy samples](../samples/index.md).

+- Review [Understanding policy effects](effects.md).

+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).

+- Learn how to [get compliance data](../how-to/get-compliance-data.md).

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+ Title: Details of the policy definition structure policy rules

+description: Describes how policy definition policy rules are used to establish conventions for Azure resources in your organization.

+# Azure Policy definition structure policy rule

+The policy rule consists of `if` and `then` blocks. In the `if` block, you define one or more conditions that specify when the policy is enforced. You can apply logical operators to these conditions to precisely define the scenario for a policy.

+For complete details on each effect, order of evaluation, properties, and examples, see [Understanding Azure Policy Effects](effects.md).

+In the `then` block, you define the effect that happens when the `if conditions are fulfilled.

+```json

+{

+ "if": {

+ <condition> | <logical operator>

+ },

+ "then": {

+ "effect": "deny | audit | modify | denyAction | append | auditIfNotExists | deployIfNotExists | disabled"

+ }

+}

+```

+For more information about _policyRule_, go to the [policy definition schema](https://schema.management.azure.com/schemas/2020-10-01/policyDefinition.json).

+### Logical operators

+Supported logical operators are:

+- `"not": {condition or operator}`

+- `"allOf": [{condition or operator},{condition or operator}]`

+- `"anyOf": [{condition or operator},{condition or operator}]`

+The `not` syntax inverts the result of the condition. The `allOf` syntax (similar to the logical `and` operation) requires all conditions to be true. The `anyOf` syntax (similar to the logical `or` operation) requires one or more conditions to be true.

+You can nest logical operators. The following example shows a `not` operation that is nested within an `allOf` operation.

+```json

+"if": {

+ "allOf": [

+ {

+ "not": {

+ "field": "tags",

+ "containsKey": "application"

+ }

+ },

+ {

+ "field": "type",

+ "equals": "Microsoft.Storage/storageAccounts"

+ }

+ ]

+},

+```

+## Conditions

+A condition evaluates whether a value meets certain criteria. The supported conditions are:

+- `"equals": "stringValue"`

+- `"notEquals": "stringValue"`

+- `"like": "stringValue"`

+- `"notLike": "stringValue"`

+- `"match": "stringValue"`

+- `"matchInsensitively": "stringValue"`

+- `"notMatch": "stringValue"`

+- `"notMatchInsensitively": "stringValue"`

+- `"contains": "stringValue"`

+- `"notContains": "stringValue"`

+- `"in": ["stringValue1","stringValue2"]`

+- `"notIn": ["stringValue1","stringValue2"]`

+- `"containsKey": "keyName"`

+- `"notContainsKey": "keyName"`

+- `"less": "dateValue"` | `"less": "stringValue"` | `"less": intValue`

+- `"lessOrEquals": "dateValue"` | `"lessOrEquals": "stringValue"` | `"lessOrEquals": intValue`

+- `"greater": "dateValue"` | `"greater": "stringValue"` | `"greater": intValue`

+- `"greaterOrEquals": "dateValue"` | `"greaterOrEquals": "stringValue"` |

+ `"greaterOrEquals": intValue`

+- `"exists": "bool"`

+For `less`, `lessOrEquals`, `greater`, and `greaterOrEquals`, if the property type doesn't match the condition type, an error is thrown. String comparisons are made using `InvariantCultureIgnoreCase`.

+When using the `like` and `notLike` conditions, you provide a wildcard character (`*`) in the value. The value shouldn't have more than one wildcard character.

+When using the `match` and `notMatch` conditions, provide a hashtag (`#`) to match a digit, question mark (`?`) for a letter, and a dot (`.`) to match any character, and any other character to match that actual character. While `match` and `notMatch` are case-sensitive, all other conditions that evaluate a `stringValue` are case-insensitive. Case-insensitive alternatives are available in `matchInsensitively` and `notMatchInsensitively`.

+## Fields

+Conditions that evaluate whether the values of properties in the resource request payload meet certain criteria can be formed using a `field` expression. The following fields are supported:

+- `name`

+- `fullName`

+ - Returns the full name of the resource. The full name of a resource is the resource name prepended by any parent resource names (for example `myServer/myDatabase`).

+- `kind`

+- `type`

+- `location`

+ - Location fields are normalized to support various formats. For example, `East US 2` is considered equal to `eastus2`.

+ - Use **global** for resources that are location agnostic.

+- `id`

+ - Returns the resource ID of the resource that is being evaluated.

+ - Example: `/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myVault`

+- `identity.type`

+ - Returns the type of

+ [managed identity](../../../active-directory/managed-identities-azure-resources/overview.md)

+ enabled on the resource.

+- `tags`

+- `tags['<tagName>']`

+ - This bracket syntax supports tag names that have punctuation such as a hyphen, period, or space.

+ - Where `tagName` is the name of the tag to validate the condition for.

+ - Examples: `tags['Acct.CostCenter']` where `Acct.CostCenter` is the name of the tag.

+- `tags['''<tagName>''']`

+ - This bracket syntax supports tag names that have apostrophes in it by escaping with double apostrophes.

+ - Where `tagName` is the name of the tag to validate the condition for.

+ - Example: `tags['''My.Apostrophe.Tag''']` where `'My.Apostrophe.Tag'` is the name of the tag.

+ > [!NOTE]

+ > `tags.<tagName>`, `tags[tagName]`, and `tags[tag.with.dots]` are still acceptable ways of

+ > declaring a tags field. However, the preferred expressions are those listed above.

+- property aliases - for a list, see [Aliases](./definition-structure-alias.md).

+ > [!NOTE]

+ > In `field` expressions referring to array alias `[*]` each element in the array is evaluated

+ > individually with logical `and` between elements. For more information, see

+ > [Referencing array resource properties](../how-to/author-policies-for-arrays.md#referencing-array-resource-properties).

+Conditions that use `field` expressions can replace the legacy policy definition syntax `"source": "action"`, which used to work for write operations. For example, this is no longer supported:

+```json

+{

+ "source": "action",

+ "like": "Microsoft.Network/publicIPAddresses/*"

+}

+```

+But the desired behavior can be achieved using `field` logic:

+```json

+{

+ "field": "type",

+ "equals": "Microsoft.Network/publicIPAddresses"

+}

+```

+### Use tags with parameters

+A parameter value can be passed to a tag field. Passing a parameter to a tag field increases the flexibility of the policy definition during policy assignment.

+In the following example, `concat` is used to create a tags field lookup for the tag named the value of the `tagName` parameter. If that tag doesn't exist, the `modify` effect is used to add the tag using the value of the same named tag set on the audited resources parent resource group by using the `resourcegroup()` lookup function.

+```json

+{

+ "if": {

+ "field": "[concat('tags[', parameters('tagName'), ']')]",

+ "exists": "false"

+ },

+ "then": {

+ "effect": "modify",

+ "details": {

+ "operations": [

+ {

+ "operation": "add",

+ "field": "[concat('tags[', parameters('tagName'), ']')]",

+ "value": "[resourcegroup().tags[parameters('tagName')]]"

+ }

+ ],

+ "roleDefinitionIds": [

+ "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"

+ ]

+ }

+ }

+}

+```

+## Value

+Conditions that evaluate whether a value meets certain criteria can be formed using a `value` expression. Values can be literals, the values of [parameters](./definition-structure-parameters.md), or the returned values of any [supported template functions](#policy-functions).

+> [!WARNING]

+> If the result of a _template function_ is an error, policy evaluation fails. A failed evaluation

+> is an implicit `deny`. For more information, see

+> [avoiding template failures](#avoiding-template-failures). Use

+> [enforcementMode](./assignment-structure.md#enforcement-mode) of `doNotEnforce` to prevent

+> impact of a failed evaluation on new or updated resources while testing and validating a new

+> policy definition.

+### Value examples

+This policy rule example uses `value` to compare the result of the `resourceGroup()` function and the returned `name` property to a `like` condition of `*netrg`. The rule denies any resource not of the `Microsoft.Network/*` `type` in any resource group whose name ends in `*netrg`.

+```json

+{

+ "if": {

+ "allOf": [

+ {

+ "value": "[resourceGroup().name]",

+ "like": "*netrg"

+ },

+ {

+ "field": "type",

+ "notLike": "Microsoft.Network/*"

+ }

+ ]

+ },

+ "then": {

+ "effect": "deny"

+ }

+}

+```

+This policy rule example uses `value` to check if the result of multiple nested functions `equals` `true`. The rule denies any resource that doesn't have at least three tags.

+```json

+{

+ "mode": "indexed",

+ "policyRule": {

+ "if": {

+ "value": "[less(length(field('tags')), 3)]",

+ "equals": "true"

+ },

+ "then": {

+ "effect": "deny"

+ }

+ }

+}

+```

+### Avoiding template failures

+The use of _template functions_ in `value` allows for many complex nested functions. If the result of a _template function_ is an error, policy evaluation fails. A failed evaluation is an implicit `deny`. An example of a `value` that fails in certain scenarios:

+```json

+{

+ "policyRule": {

+ "if": {

+ "value": "[substring(field('name'), 0, 3)]",

+ "equals": "abc"

+ },

+ "then": {

+ "effect": "audit"

+ }

+ }

+}

+```

+The example policy rule above uses [substring()](../../../azure-resource-manager/templates/template-functions-string.md#substring) to compare the first three characters of `name` to `abc`. If `name` is shorter than three characters, the `substring()` function results in an error. This error causes the policy to become a `deny` effect.

+Instead, use the [if()](../../../azure-resource-manager/templates/template-functions-logical.md#if) function to check if the first three characters of `name` equal `abc` without allowing a `name` shorter than three characters to cause an error:

+```json

+{

+ "policyRule": {

+ "if": {

+ "value": "[if(greaterOrEquals(length(field('name')), 3), substring(field('name'), 0, 3), 'not starting with abc')]",

+ "equals": "abc"

+ },

+ "then": {

+ "effect": "audit"

+ }

+ }

+}

+```

+With the revised policy rule, `if()` checks the length of `name` before trying to get a `substring()` on a value with fewer than three characters. If `name` is too short, the value "not starting with abc" is returned instead and compared to `abc`. A resource with a short name that doesn't begin with `abc` still fails the policy rule, but no longer causes an error during evaluation.

+## Count

+Conditions that count how many members of an array meet certain criteria can be formed using a `count` expression. Common scenarios are checking whether 'at least one of', 'exactly one of', 'all of', or 'none of' the array members satisfy a condition. The `count` evaluates each array member for a condition expression and sums the _true_ results, which is then compared to the expression operator.

+### Field count

+Count how many members of an array in the request payload satisfy a condition expression. The structure of `field count` expressions is:

+```json

+{

+ "count": {

+ "field": "<[*] alias>",

+ "where": {

+ /* condition expression */

+ }

+ },

+ "<condition>": "<compare the count of true condition expression array members to this value>"

+}

+```

+The following properties are used with `field count`:

+- `count.field` (required): Contains the path to the array and must be an array alias.

+- `count.where` (optional): The condition expression to individually evaluate for each [array alias](./definition-structure-alias.md#understanding-the-array-alias) array member of `count.field`. If this property isn't provided, all array members with the path of 'field' are evaluated to _true_. Any [condition](#conditions) can be used inside this property. [Logical operators](#logical-operators) can be used inside this property to create complex evaluation requirements.

+- `condition` (required): The value is compared to the number of items that met the

+ `count.where` condition expression. A numeric [condition](#conditions) should be used.

+For more details on how to work with array properties in Azure Policy, including detailed explanation on how the `field count` expression is evaluated, see [Referencing array resource properties](../how-to/author-policies-for-arrays.md#referencing-array-resource-properties).

+### Value count

+Count how many members of an array satisfy a condition. The array can be a literal array or a [reference to array parameter](./definition-structure-parameters.md#using-a-parameter-value). The structure of `value count` expressions is:

+```json

+{

+ "count": {

+ "value": "<literal array | array parameter reference>",

+ "name": "<index name>",

+ "where": {

+ /* condition expression */

+ }

+ },

+ "<condition>": "<compare the count of true condition expression array members to this value>"

+}

+```

+The following properties are used with `value count`:

+- `count.value` (required): The array to evaluate.

+- `count.name` (required): The index name, composed of English letters and digits. Defines a name for the value of the array member evaluated in the current iteration. The name is used for referencing the current value inside the `count.where` condition. Optional when the `count` expression isn't in a child of another `count` expression. When not provided, the index name is implicitly set to `"default"`.

+- `count.where` (optional): The condition expression to individually evaluate for each array member of `count.value`. If this property isn't provided, all array members are evaluated to _true_. Any [condition](#conditions) can be used inside this property. [Logical operators](#logical-operators) can be used inside this property to create complex evaluation requirements. The value of the currently enumerated array member can be accessed by calling the [current](#the-current-function) function.

+- `condition` (required): The value is compared to the number of items that met the `count.where` condition expression. A numeric [condition](#conditions) should be used.

+### The current function

+The `current()` function is only available inside the `count.where` condition. It returns the value of the array member that is currently enumerated by the `count` expression evaluation.

+**Value count usage**

+- `current(<index name defined in count.name>)`. For example: `current('arrayMember')`.

+- `current()`. Allowed only when the `value count` expression isn't a child of another `count` expression. Returns the same value as above.

+If the value returned by the call is an object, property accessors are supported. For example: `current('objectArrayMember').property`.

+**Field count usage**

+- `current(<the array alias defined in count.field>)`. For example,

+ `current('Microsoft.Test/resource/enumeratedArray[*]')`.

+- `current()`. Allowed only when the `field count` expression isn't a child of another `count` expression. Returns the same value as above.

+- `current(<alias of a property of the array member>)`. For example,

+ `current('Microsoft.Test/resource/enumeratedArray[*].property')`.

+### Field count examples

+Example 1: Check if an array is empty

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]"

+ },

+ "equals": 0

+}

+```

+Example 2: Check for only one array member to meet the condition expression

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",

+ "where": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].description",

+ "equals": "My unique description"

+ }

+ },

+ "equals": 1

+}

+```

+Example 3: Check for at least one array member to meet the condition expression

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",

+ "where": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].description",

+ "equals": "My common description"

+ }

+ },

+ "greaterOrEquals": 1

+}

+```

+Example 4: Check that all object array members meet the condition expression

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",

+ "where": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].description",

+ "equals": "description"

+ }

+ },

+ "equals": "[length(field('Microsoft.Network/networkSecurityGroups/securityRules[*]'))]"

+}

+```

+Example 5: Check that at least one array member matches multiple properties in the condition expression

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",

+ "where": {

+ "allOf": [

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",

+ "equals": "Inbound"

+ },

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",

+ "equals": "Allow"

+ },

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",

+ "equals": "3389"

+ }

+ ]

+ }

+ },

+ "greater": 0

+}

+```

+Example 6: Use `current()` function inside the `where` conditions to access the value of the currently enumerated array member in a template function. This condition checks whether a virtual network contains an address prefix that isn't under the 10.0.0.0/24 CIDR range.

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",

+ "where": {

+ "value": "[ipRangeContains('10.0.0.0/24', current('Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]'))]",

+ "equals": false

+ }

+ },

+ "greater": 0

+}

+```

+Example 7: Use `field()` function inside the `where` conditions to access the value of the currently enumerated array member. This condition checks whether a virtual network contains an address prefix that isn't under the 10.0.0.0/24 CIDR range.

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",

+ "where": {

+ "value": "[ipRangeContains('10.0.0.0/24', first(field(('Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]')))]",

+ "equals": false

+ }

+ },

+ "greater": 0

+}

+```

+### Value count examples

+Example 1: Check if resource name matches any of the given name patterns.

+```json

+{

+ "count": {

+ "value": [

+ "prefix1_*",

+ "prefix2_*"

+ ],

+ "name": "pattern",

+ "where": {

+ "field": "name",

+ "like": "[current('pattern')]"

+ }

+ },

+ "greater": 0

+}

+```

+Example 2: Check if resource name matches any of the given name patterns. The `current()` function doesn't specify an index name. The outcome is the same as the previous example.

+```json

+{

+ "count": {

+ "value": [

+ "prefix1_*",

+ "prefix2_*"

+ ],

+ "where": {

+ "field": "name",

+ "like": "[current()]"

+ }

+ },

+ "greater": 0

+}

+```

+Example 3: Check if resource name matches any of the given name patterns provided by an array parameter.

+```json

+{

+ "count": {

+ "value": "[parameters('namePatterns')]",

+ "name": "pattern",

+ "where": {

+ "field": "name",

+ "like": "[current('pattern')]"

+ }

+ },

+ "greater": 0

+}

+```

+Example 4: Check if any of the virtual network address prefixes isn't under the list of approved prefixes.

+```json

+{

+ "count": {

+ "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",

+ "where": {

+ "count": {

+ "value": "[parameters('approvedPrefixes')]",

+ "name": "approvedPrefix",

+ "where": {

+ "value": "[ipRangeContains(current('approvedPrefix'), current('Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]'))]",

+ "equals": true

+ },

+ },

+ "equals": 0

+ }

+ },

+ "greater": 0

+}

+```

+Example 5: Check that all the reserved NSG rules are defined in an NSG. The properties of the reserved NSG rules are defined in an array parameter containing objects.

+Parameter value:

+```json

+[

+ {

+ "priority": 101,

+ "access": "deny",

+ "direction": "inbound",

+ "destinationPortRange": 22

+ },

+ {

+ "priority": 102,

+ "access": "deny",

+ "direction": "inbound",

+ "destinationPortRange": 3389

+ }

+]

+```

+Policy:

+```json

+{

+ "count": {

+ "value": "[parameters('reservedNsgRules')]",

+ "name": "reservedNsgRule",

+ "where": {

+ "count": {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",

+ "where": {

+ "allOf": [

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].priority",

+ "equals": "[current('reservedNsgRule').priority]"

+ },

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",

+ "equals": "[current('reservedNsgRule').access]"

+ },

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",

+ "equals": "[current('reservedNsgRule').direction]"

+ },

+ {

+ "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",

+ "equals": "[current('reservedNsgRule').destinationPortRange]"

+ }

+ ]

+ }

+ },

+ "equals": 1

+ }

+ },

+ "equals": "[length(parameters('reservedNsgRules'))]"

+}

+```

+## Policy functions

+Functions can be used to introduce additional logic into a policy rule. They are resolved within the policy rule of a policy definition and within [parameter values assigned to policy definitions in an initiative](initiative-definition-structure.md#passing-a-parameter-value-to-a-policy-definition).

+All [Resource Manager template functions](../../../azure-resource-manager/templates/template-functions.md) are available to use within a policy rule, except the following functions and user-defined functions:

+- `copyIndex()`

+- `dateTimeAdd()`

+- `dateTimeFromEpoch`

+- `dateTimeToEpoch`

+- `deployment()`

+- `environment()`

+- `extensionResourceId()`

+- `lambda()` For more information, go to [lambda](../../../azure-resource-manager/templates/template-functions-lambda.md)

+- `listAccountSas()`

+- `listKeys()`

+- `listSecrets()`

+- `list*`

+- `managementGroup()`

+- `newGuid()`

+- `pickZones()`

+- `providers()`

+- `reference()`

+- `resourceId()`

+- `subscriptionResourceId()`

+- `tenantResourceId()`

+- `tenant()`

+- `variables()`

+> [!NOTE]

+> These functions are still available within the `details.deployment.properties.template` portion of

+> the template deployment in a `deployIfNotExists` policy definition.

+The following function is available to use in a policy rule, but differs from use in an Azure Resource Manager template (ARM template):

+- `utcNow()` - Unlike an ARM template, this property can be used outside _defaultValue_.

+ - Returns a string that is set to the current date and time in Universal ISO 8601 DateTime format `yyyy-MM-ddTHH:mm:ss.fffffffZ`.

+The following functions are only available in policy rules:

+- `addDays(dateTime, numberOfDaysToAdd)`

+ - `dateTime`: [Required] string - String in the Universal ISO 8601 DateTime format 'yyyy-MM-ddTHH:mm:ss.FFFFFFFZ'

+ - `numberOfDaysToAdd`: [Required] integer - Number of days to add

+- `field(fieldName)`

+ - `fieldName`: [Required] string - Name of the [field](./definition-structure-policy-rule.md#fields) to retrieve

+ - Returns the value of that field from the resource that is being evaluated by the If condition.

+ - `field` is primarily used with `auditIfNotExists` and `deployIfNotExists` to reference fields on the resource that are being evaluated. An example of this use can be seen in the [DeployIfNotExists example](effects.md#deployifnotexists-example).

+- `requestContext().apiVersion`

+ - Returns the API version of the request that triggered policy evaluation (example: `2021-09-01`). This value is the API version that was used in the PUT/PATCH request for evaluations on resource creation/update. The latest API version is always used during compliance evaluation on existing resources.

+- `policy()`

+ - Returns the following information about the policy that is being evaluated. Properties can be accessed from the returned object (example: `[policy().assignmentId]`).

+ ```json

+ {

+ "assignmentId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyAssignments/myAssignment",

+ "definitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",

+ "setDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/42a694ed-f65e-42b2-aa9e-8052e9740a92",

+ "definitionReferenceId": "StorageAccountNetworkACLs"

+ }

+ ```

+- `ipRangeContains(range, targetRange)`

+ - `range`: [Required] string - String specifying a range of IP addresses to check if the _targetRange_ is within.

+ - `targetRange`: [Required] string - String specifying a range of IP addresses to validate as included within the _range_.

+ - Returns a _boolean_ for whether the _range_ IP address range contains the _targetRange_ IP address range. Empty ranges, or mixing between IP families isn't allowed and results in evaluation failure.

+ Supported formats:

+ - Single IP address (examples: `10.0.0.0`, `2001:0DB8::3:FFFE`)

+ - CIDR range (examples: `10.0.0.0/24`, `2001:0DB8::/110`)

+ - Range defined by start and end IP addresses (examples: `192.168.0.1-192.168.0.9`, `2001:0DB8::-2001:0DB8::3:FFFF`)

+- `current(indexName)`

+ - Special function that may only be used inside [count expressions](./definition-structure-policy-rule.md#count).

+### Policy function example

+This policy rule example uses the `resourceGroup` resource function to get the `name` property, combined with the `concat` array and object function to build a `like` condition that enforces the resource name to start with the resource group name.

+```json

+{

+ "if": {

+ "not": {

+ "field": "name",

+ "like": "[concat(resourceGroup().name,'*')]"

+ }

+ },

+ "then": {

+ "effect": "deny"

+ }

+}

+```

+## Policy rule limits

+### Limits enforced during authoring

+Limits to the structure of policy rules are enforced during the authoring or assignment of a policy. Attempts to create or assign policy definitions that exceed these limits will fail.

+| Limit | Value | Additional details |

+|:|:|:|

+| Condition expressions in the `if` condition | 4096 | |

+| Condition expressions in the `then` block | 128 | Applies to the `existenceCondition` of `auditIfNotExists` and `deployIfNotExists` policies |

+| Policy functions per policy rule | 2048 | |

+| Policy function number of parameters | 128 | Example: `[function('parameter1', 'parameter2', ...)]` |

+| Nested policy functions depth | 64 | Example: `[function(nested1(nested2(...)))]` |

+| Policy functions expression string length | 81920 | Example: the length of `"[function(....)]"` |

+| `Field count` expressions per array | 5 | |

+| `Value count` expressions per policy rule | 10 | |

+| `Value count` expression iteration count | 100 | For nested `Value count` expressions, this also includes the iteration count of the parent expression |

+### Limits enforced during evaluation

+Limits to the size of objects that are processed by policy functions during policy evaluation. These limits can't always be enforced during authoring since they depend on the evaluated content. For example:

+```json

+{

+ "field": "name",

+ "equals": "[concat(field('stringPropertyA'), field('stringPropertyB'))]"

+}

+```

+The length of the string created by the `concat()` function depends on the value of properties in the evaluated resource.

+| Limit | Value | Example |

+|:|:|:|

+| Length of string returned by a function | 131072 | `[concat(field('longString1'), field('longString2'))]`|

+| Depth of complex objects provided as a parameter to, or returned by a function | 128 | `[union(field('largeObject1'), field('largeObject2'))]` |

+| Number of nodes of complex objects provided as a parameter to, or returned by a function | 32768 | `[concat(field('largeArray1'), field('largeArray2'))]` |

+> [!WARNING]

+> Policy that exceed the above limits during evaluation will effectively become a `deny` policy and can block incoming requests.

+> When writing policies with complex functions, be mindful of these limits and test your policies against resources that have the potential to exceed them.

+## Next steps

+- For more information about policy definition structure, go to [basics](./definition-structure-basics.md), [parameters](./definition-structure-parameters.md), and [alias](./definition-structure-alias.md).

+- For initiatives, go to [initiative definition structure](./initiative-definition-structure.md).

+- Review examples at [Azure Policy samples](../samples/index.md).

+- Review [Understanding policy effects](effects.md).

+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).

+- Learn how to [get compliance data](../how-to/get-compliance-data.md).

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+[definition structure](./definition-structure-policy-rule.md#fields) for the list of acceptable fields.

+[alias](./definition-structure-alias.md) with an array **value** to set IP rules on a storage

+Example 2: Single **field/value** pair using an `[*]` [alias](./definition-structure-alias.md)

+ other [fields](./definition-structure-policy-rule.md#fields).

+When a policy definition is assigned to a scope, Azure Policy determines which resources in that scope should be considered for compliance evaluation. A resource will only be assessed for compliance if it's considered **applicable** to the given policy assignment.

+- **Conditions** in the `if` block of the [policy rule](../concepts/definition-structure-policy-rule.md#conditions).

+- **Excluded scopes** specified in the assignment.

+- **Resource selectors** specified in the assignment.

+## Resource Manager modes

+## Not Applicable Resources

+policy evaluation, except for subscriptions and resource groups.

+> Replace [Apache Kafka on HDInsight cluster](../../hdinsight/kafk) bootStrapServers with your own brokers for Kafka 3.2

+Based on your usage, update the version of Kafka on `<kafka.version>`.

+ <kafka.version>3.2.0</kafka.version>

+description: Learn how to use Elasticsearch along Apache Flink® on HDInsight on AKS.

+Elasticsearch is a distributed, free, and open search and analytics engine for all types of data, including.

+For more information, see.

+* [Create Flink 1.17.0 cluster](./flink-create-cluster-portal.md)

+* [HDInsight 5.0 - Kafka 3.2.0](../../hdinsight/kafk)

+We use the following command to install Kibana.

+In order to make Kibana accessible from output, need to set network.host to 0.0.0.0.

+Configure `/etc/kibana/kibana.yml` on Ubuntu VM

+We use python output as input to produce the streaming data.

+Now, lets check messages in this topic.

+Let us write maven source code on the Windows VM.

+On [Secure Shell for Flink](./flink-web-ssh-on-portal-to-flink-sql.md), you can use the following commands.

+You can find the job in running state on your Flink Web UI.

+> Setup a HDInsight cluster with [Apache Kafka](../../hdinsight/kafk) and replace broker list with your own list before you get started for both Kafka 3.2.

+ <kafka.version>3.2.0</kafka.version>

+ <kafka.version>3.2.0</kafka.version>

+For more information, see how to [Migrate HDInsight cluster to a newer version](./hdinsight-upgrade-cluster.md).

+## Integrating Third-party applications

+Microsoft will only support machines that are created by the HDInsight service (for example, HDInsight clusters, edge nodes, and worker nodes). We don't support third-party client machines or moving the HDInsight libraries from a supported machine to an external machine.

+While this third-party integration may work for some time, it is not recommended in production environments because the scenario isn't supported.

+When you open a support request for an unsupported scenario, you'll be asked to ***reproduce the problem in a supported scenario*** so we can investigate. Any fixes provided would be for the supported scenario only.

+### Supported ways to integrate third party applications

+* [Install HDInsight applications](hdinsight-apps-install-applications.md): Learn how to install an HDInsight application to your clusters.

+* [Install custom HDInsight applications](hdinsight-apps-install-custom-applications.md): learn how to deploy an unpublished HDInsight application to HDInsight.

+* [Publish HDInsight applications](hdinsight-apps-publish-applications.md): Learn how to publish your custom HDInsight applications to Azure Marketplace.

+In this article, we cover some of the nuances of the RESTful interactions of Azure API for FHIR.

+Delete defined by the FHIR specification requires that after deleting a resource, subsequent nonversion specific reads of a resource returns a 410 HTTP status code. Therefore, the resource is no longer found through searching. Additionally, Azure API for FHIR enables you to fully delete (including all history) the resource. To fully delete the resource, you can pass a parameter settings `hardDelete` to true `(DELETE {{FHIR_URL}}/{resource}/{id}?hardDelete=true)`. If you don't pass this parameter or set `hardDelete` to false, the historic versions of the resource will still be available.

+To delete multiple resources, include `_count=100` parameter. This parameter deletes up to 100 resources that match the search criteria.

+If you don't use the hard delete parameter, then the records in Azure API for FHIR should still exist. The records can be found by doing a history search on the resource and looking for the last version with data.

+> There is no time-based expiration for history/soft delete data. The only way to remove history/soft deleted data is with a hard delete or the purge history operation.

+### Batch bundle parallel processing

+* Set header 'x-bundle-processing-logic' value to 'parallel'.

+* Ensure there's no overlapping resource ID that is executing on DELETE, POST, PUT, or PATCH operations in the same bundle.

+## **March 2024**

+**Batch-bundle parallelization**

+Batch bundles are executed serially in FHIR service by default. To improve throughput with bundle calls, we enabled parallel processing of batch bundles.

+Learn more:

+- [Batch bundle parallelization](././../azure-api-for-fhir/fhir-rest-api-capabilities.md)

+**Bug Fixes**

+- **Fixed: Improve performance for bundle processing**. Updates are made to the task execution method, leading to bundle processing performance improvement. See [PR#3727](https://github.com/microsoft/fhir-server/pull/3727).

+Bug is now fixed and Resource will be updated if matches the Etag header. For details , see [#2877](https://github.com/microsoft/fhir-server/issues/2877)|.

+|Billing for `$convert-data` and `$de-id` |Azure API for FHIR's data conversion and deidentified export features are now Generally Available. Billing for `$convert-data` and `$de-id` operations in Azure API for FHIR has been enabled. Billing meters were turned on March 1, 2022. |

+|Fixed 500 error when `SearchParameter` Code is null |Fixed an issue with `SearchParameter` if it had a null value for Code, the result would be a 500. Now it results in an `InvalidResourceException` like the other values do. [#2343](https://github.com/microsoft/fhir-server/pull/2343) |

+| [$bulk-delete](fhir-bulk-delete.md)|Yes |Yes | |

+## April 2024

+### FHIR service

+#### The bulk delete operation is generally available

+The bulk delete operation allows deletion of FHIR resources across different levels, enabling healthcare organizations to comply with data retention policies while providing asynchronous processing capabilities. The benefits of the bulk delete operation are:

+- **Execute bulk delete at different levels**: The bulk delete operation allows you to delete resources from the FHIR server asynchronously. You can execute bulk delete at different levels:

+ - **System level**: Enables deletion of FHIR resources across all resource types.

+ - **Individual resource type**: Allows deletion of specific FHIR resources.

+- **Customizable**: Query parameters allow filtering of raw resources for targeted deletions.

+- **Async processing**: The operation is asynchronous, providing a polling endpoint to track progress.

+Learn more:

+- [Bulk delete in the FHIR service](./fhir/fhir-bulk-delete.md)

+### FHIR Service

+#### Bundle parallelization (GA)

+Bundles are executed serially in FHIR service by default. To improve throughput with bundle calls, we enabled parallel processing.

+Learn more:

+- [Bundle parallelization](./../healthcare-apis/fhir/fhir-rest-api-capabilities.md)

+#### Import operation accepts multiple resource types in single file

+Import operation allowed to have resource type per input file in the request parameters. With this enhance capability, you can pass multiple resource types in single file.

+#### Bug Fixes

+- **Fixed: Import operation ingest resources with same resource type and lastUpdated field value**. Before this change, resources executed in a batch with same type and lastUpdated field value were not ingested into the FHIR service. This bug fix addresses the issue. See [PR#3768](https://github.com/microsoft/fhir-server/pull/3768).

+- **Fixed: FHIR search with 3 or more custom search parameters**. Before this fix, FHIR search query at the root with three or more custom search parameters resulted in HTTP status code 504. See [PR#3701](https://github.com/microsoft/fhir-server/pull/3701).

+- **Fixed: Improve performance for bundle processing**. Updates are made to the task execution method, leading to bundle processing performance improvement. See [PR#3727](https://github.com/microsoft/fhir-server/pull/3727).

+| Create new container if it doesn't exist | Supported |

+ - `target.fabricOneLake.endpoint`: The endpoint of the Microsoft Fabric OneLake account. You can get the endpoint URL from Microsoft Fabric lakehouse under **Files** > **Properties**. The URL should look like `https://onelake.dfs.fabric.microsoft.com`.

+ - `target.fabricOneLake.names`: The names of the workspace and the lakehouse. Use either this field or `guids`. Don't use both.

+ # Example: https://onelake.dfs.fabric.microsoft.com

+ endpoint: <example-endpoint-url>

+ - `table.tableName`: The name of the table that you want to append to in the lakehouse. The table is created automatically if doesn't exist.

+ - `fabricOneLake`: Specifies the configuration and properties of the Microsoft Fabric OneLake. It has the following subfields:

+ - `names`: Specifies the names of the workspace and the lakehouse. Use either this field or `guids`. Don't use both. It has the following subfields:

+ - `guids`: Specifies the GUIDs of the workspace and the lakehouse. Use either this field or `names`. Don't use both. It has the following subfields:

+ - `fabricPath`: The location of the data in the Fabric workspace. It can be either `tables` or `files`. If it's `tables`, the data is stored in the Fabric OneLake as tables. If it's `files`, the data is stored in the Fabric OneLake as files. If it's `files`, the `databaseFormat` must be `parquet`.

+ mqttSourceTopic: "azure-iot-operations/data/opc-ua-connector-de/thermostat-de"

+ tableName: thermostat

+ - name: externalAssetId

+ mapping: $property.externalAssetId

+ - name: assetName

+ mapping: DataSetWriterName

+ - name: CurrentTemperature

+ format: float32

+ mapping: Payload.temperature.Value

+ - name: Pressure

+ format: float32

+ optional: true

+ mapping: "Payload.Tag 10.Value"

+ - name: Timestamp

+ mapping: $received_time

+Stringified JSON like `"{\"SequenceNumber\": 4697, \"Timestamp\": \"2024-04-02T22:36:03.1827681Z\", \"DataSetWriterName\": \"thermostat-de\", \"MessageType\": \"ua-deltaframe\", \"Payload\": {\"temperature\": {\"SourceTimestamp\": \"2024-04-02T22:36:02.6949717Z\", \"Value\": 5506}, \"Tag 10\": {\"SourceTimestamp\": \"2024-04-02T22:36:02.6949888Z\", \"Value\": 5506}}}"` isn't supported and causes the connector to throw a *convertor found a null value* error. An example message for the `dlc` topic that works with this schema:

+ "SequenceNumber": 4697,

+ "Timestamp": "2024-04-02T22:36:03.1827681Z",

+ "DataSetWriterName": "thermostat-de",

+ "MessageType": "ua-deltaframe",

+ "Payload": {

+ "temperature": {

+ "SourceTimestamp": "2024-04-02T22:36:02.6949717Z",

+ "Value": 5506

+ },

+ "Tag 10": {

+ "SourceTimestamp": "2024-04-02T22:36:02.6949888Z",

+ "Value": 5506

+ }

+| externalAssetId | assetName | CurrentTemperature | Pressure | mqttTopic | timestamp |

+| | | | -- | -- | |

+| 59ad3b8b-c840-43b5-b79d-7804c6f42172 | thermostat-de | 5506 | 5506 | dlc | 2024-04-02T22:36:03.1827681Z |

+To send and receive RosettaNet messages in workflows that you create using Azure Logic Apps, you can use the RosettaNet connector, which provides actions that manage and support communication that follows RosettaNet standards. RosettaNet is a non-profit consortium that has established standard processes for sharing business information. These standards are commonly used for supply chain processes and are widespread in the semiconductor, electronics, and logistics industries. The RosettaNet consortium creates and maintains Partner Interface Processes (PIPs), which provide common business process definitions for all RosettaNet message exchanges. RosettaNet is based on XML and defines message guidelines, interfaces for business processes, and implementation frameworks for communication between companies. For more information, visit the [RosettaNet site](https://www.gs1us.org/resources/rosettanet).

+ PIPs are categorized by a high-level business function, or cluster, and a subfunction, or segment. For example, "3A4" is the PIP for Purchase Order, while "3" is the Order Management function, and "3A" is the Quote & Order Entry subfunction. For more information, visit the [RosettaNet site](https://www.gs1us.org/resources/rosettanet).

+# Forecasting at scale: many models and distributed training

+The many models training component applies AutoML's [model sweeping and selection](concept-automl-forecasting-sweeping.md) independently to each store in this example. This model independence aids scalability and can benefit model accuracy especially when the stores have diverging sales dynamics. However, a single model approach may yield more accurate forecasts when there are common sales dynamics. See the [distributed DNN training](#distributed-dnn-training-preview) section for more details on that case.

+## Distributed DNN training (preview)

+* To learn how distributed training works for forecasting tasks, see our [forecasting at scale article](concept-automl-forecasting-at-scale.md#distributed-dnn-training-preview).

+To learn how distributed training works for forecasting tasks, see our [forecasting at scale](concept-automl-forecasting-at-scale.md#distributed-dnn-training-preview) article. To use distributed training for forecasting, you need to set the `training_mode`, `enable_dnn_training`, `max_nodes`, and optionally the `max_concurrent_trials` properties of the job object.

+Import all the Azure Machine Learning required libraries that you'll need.

+ Title: How to deploy Cohere Command models with Azure Machine Learning studio

+description: Learn how to deploy Cohere Command models with Azure Machine Learning studio.

+#This functionality is also available in Azure AI Studio: /azure/ai-studio/how-to/deploy-models-cohere.md

+# How to deploy Cohere Command models with Azure Machine Learning studio

+Cohere offers two Command models in Azure Machine Learning studio. These models are available with pay-as-you-go token based billing with Models as a Service.

+* Cohere Command R

+* Cohere Command R+

+

+You can browse the Cohere family of models in the model catalog by filtering on the Cohere collection.

+## Models

+In this article, you learn how to use Azure Machine Learning studio to deploy the Cohere Command models as a service with pay-as you go billing.

+### Cohere Command R

+Command R is a highly performant generative large language model, optimized for a variety of use cases including reasoning, summarization, and question answering.

+*Model Architecture:* This is an auto-regressive language model that uses an optimized transformer architecture. After pretraining, this model uses supervised fine-tuning (SFT) and preference training to align model behavior to human preferences for helpfulness and safety.

+*Languages covered:* The model is optimized to perform well in the following languages: English, French, Spanish, Italian, German, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, and Arabic.

+Pre-training data additionally included the following 13 languages: Russian, Polish, Turkish, Vietnamese, Dutch, Czech, Indonesian, Ukrainian, Romanian, Greek, Hindi, Hebrew, Persian.

+*Context length:* Command R supports a context length of 128K.

+*Input:* Models input text only.

+*Output:* Models generate text only.

+

+### Cohere Command R+

+Command R+ is a highly performant generative large language model, optimized for a variety of use cases including reasoning, summarization, and question answering.

+*Model Architecture:* This is an auto-regressive language model that uses an optimized transformer architecture. After pretraining, this model uses supervised fine-tuning (SFT) and preference training to align model behavior to human preferences for helpfulness and safety.

+*Languages covered:* The model is optimized to perform well in the following languages: English, French, Spanish, Italian, German, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, and Arabic.

+Pre-training data additionally included the following 13 languages: Russian, Polish, Turkish, Vietnamese, Dutch, Czech, Indonesian, Ukrainian, Romanian, Greek, Hindi, Hebrew, Persian.

+*Context length:* Command R+ supports a context length of 128K.

+*Input:* Models input text only.

+*Output:* Models generate text only.

+## Deploy with pay-as-you-go

+Certain models in the model catalog can be deployed as a service with pay-as-you-go, providing a way to consume them as an API without hosting them on your subscription, while keeping the enterprise security and compliance organizations need. This deployment option doesn't require quota from your subscription.

+The previously mentioned Cohere models can be deployed as a service with pay-as-you-go, and are offered by Cohere through the Microsoft Azure Marketplace. Cohere can change or update the terms of use and pricing of this model.

+### Prerequisites

+- An Azure subscription with a valid payment method. Free or trial Azure subscriptions won't work. If you don't have an Azure subscription, create a [paid Azure account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go) to begin.

+- An Azure Machine Learning workspace. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them.

+ > [!IMPORTANT]

+ > Pay-as-you-go model deployment offering is only available in workspaces created in EastUS, EastUS2 or Sweden Central regions.

+- Azure role-based access controls (Azure RBAC) are used to grant access to operations. To perform the steps in this article, your user account must be assigned the __Azure AI Developer role__ on the Resource Group.

+ For more information on permissions, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).

+### Create a new deployment

+To create a deployment:

+1. Go to [Azure Machine Learning studio](https://ml.azure.com/home).

+1. Select the workspace in which you want to deploy your models. To use the pay-as-you-go model deployment offering, your workspace must belong to the EastUS, EastUS2 or Sweden Central region.

+1. Choose the model you want to deploy from the [model catalog](https://ml.azure.com/model/catalog).

+ Alternatively, you can initiate deployment by going to your workspace and selecting **Endpoints** > **Serverless endpoints** > **Create**.

+1. On the model's overview page in the model catalog, select **Deploy** and then **Pay-as-you-go**.

+ :::image type="content" source="media/how-to-deploy-models-cohere-command/command-r-deploy-pay-as-you-go.png" alt-text="A screenshot showing how to deploy a model with the pay-as-you-go option." lightbox="media/how-to-deploy-models-cohere-command/command-r-deploy-pay-as-you-go.png":::

+1. In the deployment wizard, select the link to **Azure Marketplace Terms** to learn more about the terms of use.

+1. You can also select the **Marketplace offer details** tab to learn about pricing for the selected model.

+1. If this is your first time deploying the model in the workspace, you have to subscribe your workspace for the particular offering of the model. This step requires that your account has the **Azure AI Developer role** permissions on the Resource Group, as listed in the prerequisites. Each workspace has its own subscription to the particular Azure Marketplace offering, which allows you to control and monitor spending. Select **Subscribe and Deploy**. Currently you can have only one deployment for each model within a workspace.

+ :::image type="content" source="media/how-to-deploy-models-cohere-command/command-r-marketplace-terms.png" alt-text="A screenshot showing the terms and conditions of a given model." lightbox="media/how-to-deploy-models-cohere-command/command-r-marketplace-terms.png":::

+1. Once you subscribe the workspace for the particular Azure Marketplace offering, subsequent deployments of the _same_ offering in the _same_ workspace don't require subscribing again. If this scenario applies to you, there's a **Continue to deploy** option to select.

+ :::image type="content" source="media/how-to-deploy-models-cohere-command/command-r-existing-subscription.png" alt-text="A screenshot showing a project that is already subscribed to the offering." lightbox="media/how-to-deploy-models-cohere-command/command-r-existing-subscription.png":::

+1. Give the deployment a name. This name becomes part of the deployment API URL. This URL must be unique in each Azure region.

+ :::image type="content" source="media/how-to-deploy-models-cohere-command/command-r-deployment-name.png" alt-text="A screenshot showing how to indicate the name of the deployment you want to create." lightbox="media/how-to-deploy-models-cohere-command/command-r-deployment-name.png":::

+1. Select **Deploy**. Wait until the deployment is finished and you're redirected to the serverless endpoints page.

+1. Select the endpoint to open its Details page.

+1. Select the **Test** tab to start interacting with the model.

+1. You can always find the endpoint's details, URL, and access keys by navigating to **Workspace** > **Endpoints** > **Serverless endpoints**.

+1. Take note of the **Target** URL and the **Secret Key**. For more information on using the APIs, see the [reference](#chat-api-reference-for-cohere-command-models-deployed-as-a-service) section.

+To learn about billing for models deployed with pay-as-you-go, see [Cost and quota considerations for Cohere models deployed as a service](#cost-and-quota-considerations-for-models-deployed-as-a-service).

+### Consume the models as a service

+The previously mentioned Cohere models can be consumed using the chat API.

+1. In the **workspace**, select **Endpoints** > **Serverless endpoints**.

+1. Find and select the deployment you created.

+1. Copy the **Target** URL and the **Key** token values.

+1. Cohere exposes two routes for inference with the Command R and Command R+ models. `v1/chat/completions` adheres to the Azure AI Generative Messages API schema, and `v1/chat` supports Cohere's native API schema.

+For more information on using the APIs, see the [reference](#chat-api-reference-for-cohere-command-models-deployed-as-a-service) section.

+## Chat API reference for cohere command models deployed as a service

+### v1/chat/completions

+#### Request

+```

+ POST /v1/chat/completions HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/chat/completions request schema

+Cohere Command R and Command R+ accept the following parameters for a `v1/chat/completions` response inference call:

+| Property | Type | Default | Description |

+| | | | |

+| `messages` | `array` | `None` | Text input for the model to respond to. |

+| `max_tokens` | `integer` | `None` | The maximum number of tokens the model generates as part of the response. Note: Setting a low value might result in incomplete generations. If not specified, tokens are generated until end of sequence. |

+| `stop` | `array of strings` | `None` | The generated text is cut at the end of the earliest occurrence of a stop sequence. The sequence is included in the text.|

+| `stream` | `boolean` | `False` | When `true`, the response is a JSON stream of events. The final event contains the complete response, and has an `event_type` of `"stream-end"`. Streaming is beneficial for user interfaces that render the contents of the response piece by piece, as it gets generated. |

+| `temperature` | `float` | `0.3` |Use a lower value to decrease randomness in the response. Randomness can be further maximized by increasing the value of the `p` parameter. Min value is 0, and max is 2. |

+| `top_p` | `float` |`0.75` |Use a lower value to ignore less probable options. Set to 0 or 1.0 to disable. If both p and k are enabled, p acts after k. min value of 0.01, max value of 0.99.|

+| `frequency_penalty` | `float` | `0` |Used to reduce repetitiveness of generated tokens. The higher the value, the stronger a penalty is applied to previously present tokens, proportional to how many times they have already appeared in the prompt or prior generation. Min value of 0.0, max value of 1.0.|

+| `presence_penalty` | `float` |`0` |Used to reduce repetitiveness of generated tokens. Similar to `frequency_penalty`, except that this penalty is applied equally to all tokens that have already appeared, regardless of their exact frequencies. Min value of 0.0, max value of 1.0.|

+| `seed` | `integer` |`None` |If specified, the backend makes a best effort to sample tokens deterministically, such that repeated requests with the same seed and parameters should return the same result. However, determinism can't be guaranteed.|

+| `tools` | `list[Tool]` | `None` | A list of available tools (functions) that the model might suggest invoking before producing a text response. |

+`response_format` and `tool_choice` aren't yet supported parameters for the Command R and Command R+ models.

+<br/>

+A System or User Message supports the following properties:

+| Property | Type | Default | Description |

+| | | | |

+| `role` | `enum` | Required | `role=system` or `role=user`. |

+|`content` |`string` |Required |Text input for the model to respond to. |

+An Assistant Message supports the following properties:

+| Property | Type | Default | Description |

+| | | | |

+| `role` | `enum` | Required | `role=assistant`|

+|`content` |`string` |Required |The contents of the assistant message. |

+|`tool_calls` |`array` |None |The tool calls generated by the model, such as function calls. |

+A Tool Message supports the following properties:

+| Property | Type | Default | Description |

+| | | | |

+| `role` | `enum` | Required | `role=tool`|

+|`content` |`string` |Required |The contents of the tool message. |

+|`tool_call_id` |`string` |None |Tool call that this message is responding to. |

+<br/>

+#### v1/chat/completions response schema

+The response payload is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `id` | `string` | A unique identifier for the completion. |

+| `choices` | `array` | The list of completion choices the model generated for the input messages. |

+| `created` | `integer` | The Unix timestamp (in seconds) of when the completion was created. |

+| `model` | `string` | The model_id used for completion. |

+| `object` | `string` | chat.completion. |

+| `usage` | `object` | Usage statistics for the completion request. |

+The `choices` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `index` | `integer` | Choice index. |

+| `messages` or `delta` | `string` | Chat completion result in messages object. When streaming mode is used, delta key is used. |

+| `finish_reason` | `string` | The reason the model stopped generating tokens. |

+The `usage` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `prompt_tokens` | `integer` | Number of tokens in the prompt. |

+| `completion_tokens` | `integer` | Number of tokens generated in the completion. |

+| `total_tokens` | `integer` | Total tokens. |

+#### Examples

+Request:

+```json

+ "messages": [

+ {

+ "role": "user",

+ "content": "What is the weather like in Boston?"

+ },

+ {

+ "role": "assistant",

+ "tool_calls": [

+ {

+ "id": "call_ceRrx0tP7bYPTClugKrOgvh4",

+ "type": "function",

+ "function": {

+ "name": "get_current_weather",

+ "arguments": "{\"location\":\"Boston\"}"

+ }

+ }

+ ]

+ },

+ {

+ "role": "tool",

+ "content": "{\"temperature\":30}",

+ "tool_call_id": "call_ceRrx0tP7bYPTClugKrOgvh4"

+ }

+ ]

+```

+Response:

+```json

+ {

+ "id": "df23b9f7-e6bd-493f-9437-443c65d428a1",

+ "choices": [

+ {

+ "index": 0,

+ "finish_reason": "stop",

+ "message": {

+ "role": "assistant",

+ "content": "Right now, the weather in Boston is cool, with temperatures of around 30┬░F. Stay warm!"

+ }

+ }

+ ],

+ "created": 1711734274,

+ "model": "command-r",

+ "object": "chat.completion",

+ "usage": {

+ "prompt_tokens": 744,

+ "completion_tokens": 23,

+ "total_tokens": 767

+ }

+ }

+```

+### v1/chat

+#### Request

+```

+ POST /v1/chat HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/chat request schema

+Cohere Command R and Command R+ accept the following parameters for a `v1/chat` response inference call:

+|Key |Type |Default |Description |

+|||||

+|`message` |`string` |Required |Text input for the model to respond to. |

+|`chat_history` |`array of messages` |`None` |A list of previous messages between the user and the model, meant to give the model conversational context for responding to the user's message. |

+|`documents` |`array` |`None ` |A list of relevant documents that the model can cite to generate a more accurate reply. Each document is a string-string dictionary. Keys and values from each document are serialized to a string and passed to the model. The resulting generation includes citations that reference some of these documents. Some suggested keys are "text", "author", and "date". For better generation quality, keep the total word count of the strings in the dictionary to under 300 words. An `_excludes` field (array of strings) can be optionally supplied to omit some key-value pairs from being shown to the model. The omitted fields still show up in the citation object. The "_excludes" field isn't passed to the model. See [Document Mode](https://docs.cohere.com/docs/retrieval-augmented-generation-rag#document-mode) guide from Cohere docs. |

+|`search_queries_only` |`boolean` |`false` |When `true`, the response only contains a list of generated search queries, but no search takes place, and no reply from the model to the user's `message` is generated.|

+|`stream` |`boolean` |`false` |When `true`, the response is a JSON stream of events. The final event contains the complete response, and has an `event_type` of `"stream-end"`. Streaming is beneficial for user interfaces that render the contents of the response piece by piece, as it gets generated.|

+|`max_tokens` |`integer` |None |The maximum number of tokens the model generates as part of the response. Note: Setting a low value might result in incomplete generations. If not specified, generates tokens until end of sequence.|

+|`temperature` |`float` |`0.3` |Use a lower value to decrease randomness in the response. Randomness can be further maximized by increasing the value of the `p` parameter. Min value is 0, and max is 2. |

+|`p` |`float` |`0.75` |Use a lower value to ignore less probable options. Set to 0 or 1.0 to disable. If both p and k are enabled, p acts after k. min value of 0.01, max value of 0.99.|

+|`k` |`float` |`0` |Specify the number of token choices the model uses to generate the next token. If both p and k are enabled, p acts after k. Min value is 0, max value is 500.|

+|`prompt_truncation` |`enum string` |`OFF` |Accepts `AUTO_PRESERVE_ORDER`, `AUTO`, `OFF`. Dictates how the prompt is constructed. With `prompt_truncation` set to `AUTO_PRESERVE_ORDER`, some elements from `chat_history` and `documents` are dropped to construct a prompt that fits within the model's context length limit. During this process the order of the documents and chat history is preserved. With `prompt_truncation` set to "OFF", no elements are dropped.|

+|`stop_sequences` |`array of strings` |`None` |The generated text is cut at the end of the earliest occurrence of a stop sequence. The sequence is included in the text. |

+|`frequency_penalty` |`float` |`0` |Used to reduce repetitiveness of generated tokens. The higher the value, the stronger a penalty is applied to previously present tokens, proportional to how many times they have already appeared in the prompt or prior generation. Min value of 0.0, max value of 1.0.|

+|`presence_penalty` |`float` |`0` |Used to reduce repetitiveness of generated tokens. Similar to `frequency_penalty`, except that this penalty is applied equally to all tokens that have already appeared, regardless of their exact frequencies. Min value of 0.0, max value of 1.0.|

+|`seed` |`integer` |`None` |If specified, the backend makes a best effort to sample tokens deterministically, such that repeated requests with the same seed and parameters should return the same result. However, determinism can't be guaranteed.|

+|`return_prompt` |`boolean ` |`false ` |Returns the full prompt that was sent to the model when `true`. |

+|`tools` |`array of objects` |`None` |_Field is subject to changes._ A list of available tools (functions) that the model might suggest invoking before producing a text response. When `tools` is passed (without `tool_results`), the `text` field in the response is `""` and the `tool_calls` field in the response is populated with a list of tool calls that need to be made. If no calls need to be made, the `tool_calls` array is empty.|

+|`tool_results` |`array of objects` |`None` |_Field is subject to changes._ A list of results from invoking tools recommended by the model in the previous chat turn. Results are used to produce a text response and is referenced in citations. When using `tool_results`, `tools` must be passed as well. Each tool_result contains information about how it was invoked, and a list of outputs in the form of dictionaries. Cohere's unique fine-grained citation logic requires the output to be a list. In case the output is just one item, for example, `{"status": 200}`, still wrap it inside a list. |

+The `chat_history` object requires the following fields:

+|Key |Type |Description |

+||||

+|`role` |`enum string` |Takes `USER`, `SYSTEM`, or `CHATBOT`. |

+|`message` |`string` |Text contents of the message. |

+The `documents` object has the following optional fields:

+|Key |Type |Default| Description |

+|||||

+|`id` |`string` |`None` |Can be supplied to identify the document in the citations. This field isn't passed to the model. |

+|`_excludes` |`array of strings` |`None`| Can be optionally supplied to omit some key-value pairs from being shown to the model. The omitted fields still show up in the citation object. The `_excludes` field isn't passed to the model. |

+#### v1/chat response schema

+Response fields are fully documented on [Cohere's Chat API reference](https://docs.cohere.com/reference/chat). The response object always contains:

+|Key |Type |Description |

+||||

+|`response_id` |`string` |Unique identifier for chat completion. |

+|`generation_id` |`string` |Unique identifier for chat completion, used with Feedback endpoint on Cohere's platform. |

+|`text` |`string` |Model's response to chat message input. |

+|`finish_reason` |`enum string` |Why the generation was completed. Can be any of the following values: `COMPLETE`, `ERROR`, `ERROR_TOXIC`, `ERROR_LIMIT`, `USER_CANCEL` or `MAX_TOKENS` |

+|`token_count` |`integer` |Count of tokens used. |

+|`meta` |`string` |API usage data, including current version and billable tokens. |

+<br/>

+#### Documents

+If `documents` are specified in the request, there are two other fields in the response:

+|Key |Type |Description |

+||||

+|`documents` |`array of objects` |Lists the documents that were cited in the response. |

+|`citations` |`array of objects` |Specifies which part of the answer was found in a given document. |

+`citations` is an array of objects with the following required fields:

+|Key |Type |Description |

+||||

+|`start` |`integer` |The index of text that the citation starts at, counting from zero. For example, a generation of `Hello, world!` with a citation on `world` would have a start value of `7`. This is because the citation starts at `w`, which is the seventh character. |

+|`end` |`integer` |The index of text that the citation ends after, counting from zero. For example, a generation of `Hello, world!` with a citation on `world` would have an end value of `11`. This is because the citation ends after `d`, which is the eleventh character. |

+|`text` |`string` |The text of the citation. For example, a generation of `Hello, world!` with a citation of `world` would have a text value of `world`. |

+|`document_ids` |`array of strings` |Identifiers of documents cited by this section of the generated reply. |

+#### Tools

+If `tools` are specified and invoked by the model, there's another field in the response:

+|Key |Type |Description |

+||||

+|`tool_calls ` |`array of objects` |Contains the tool calls generated by the model. Use it to invoke your tools. |

+`tool_calls` is an array of objects with the following fields:

+|Key |Type |Description |

+||||

+|`name` |`string` |Name of the tool to call. |

+|`parameters` |`object` |The name and value of the parameters to use when invoking a tool. |

+#### Search_queries_only

+If `search_queries_only=TRUE` is specified in the request, there are two other fields in the response:

+|Key |Type |Description |

+||||

+|`is_search_required` |`boolean` |Instructs the model to generate a search query. |

+|`search_queries` |`array of objects` |Object that contains a list of search queries. |

+`search_queries` is an array of objects with the following fields:

+|Key |Type |Description |

+||||

+|`text` |`string` |The text of the search query. |

+|`generation_id` |`string` |Unique identifier for the generated search query. Useful for submitting feedback. |

+#### Examples

+##### Chat - Completions

+The following text is a sample request call to get chat completions from the Cohere Command model. Use when generating a chat completion.

+Request:

+```json

+ {

+ "chat_history": [

+ {"role":"USER", "message": "What is an interesting new role in AI if I don't have an ML background"},

+ {"role":"CHATBOT", "message": "You could explore being a prompt engineer!"}

+ ],

+ "message": "What are some skills I should have"

+ }

+```

+Response:

+```json

+ {

+ "response_id": "09613f65-c603-41e6-94b3-a7484571ac30",

+ "text": "Writing skills are very important for prompt engineering. Some other key skills are:\n- Creativity\n- Awareness of biases\n- Knowledge of how NLP models work\n- Debugging skills\n\nYou can also have some fun with it and try to create some interesting, innovative prompts to train an AI model that can then be used to create various applications.",

+ "generation_id": "6d31a57f-4d94-4b05-874d-36d0d78c9549",

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 99,

+ "response_tokens": 70,

+ "total_tokens": 169,

+ "billed_tokens": 151

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 81,

+ "output_tokens": 70

+ }

+ }

+ }

+```

+##### Chat - Grounded generation and RAG capabilities

+Command R and Command R+ are trained for RAG via a mixture of supervised fine-tuning and preference fine-tuning, using a specific prompt template. We introduce that prompt template via the `documents` parameter. The document snippets should be chunks, rather than long documents, typically around 100-400 words per chunk. Document snippets consist of key-value pairs. The keys should be short descriptive strings. The values can be text or semi-structured.

+Request:

+```json

+ {

+ "message": "Where do the tallest penguins live?",

+ "documents": [

+ {

+ "title": "Tall penguins",

+ "snippet": "Emperor penguins are the tallest."

+ },

+ {

+ "title": "Penguin habitats",

+ "snippet": "Emperor penguins only live in Antarctica."

+ }

+ ]

+ }

+```

+Response:

+```json

+ {

+ "response_id": "d7e72d2e-06c0-469f-8072-a3aa6bd2e3b2",

+ "text": "Emperor penguins are the tallest species of penguin and they live in Antarctica.",

+ "generation_id": "b5685d8d-00b4-48f1-b32f-baebabb563d8",

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 615,

+ "response_tokens": 15,

+ "total_tokens": 630,

+ "billed_tokens": 22

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 7,

+ "output_tokens": 15

+ }

+ },

+ "citations": [

+ {

+ "start": 0,

+ "end": 16,

+ "text": "Emperor penguins",

+ "document_ids": [

+ "doc_0"

+ ]

+ },

+ {

+ "start": 69,

+ "end": 80,

+ "text": "Antarctica.",

+ "document_ids": [

+ "doc_1"

+ ]

+ }

+ ],

+ "documents": [

+ {

+ "id": "doc_0",

+ "snippet": "Emperor penguins are the tallest.",

+ "title": "Tall penguins"

+ },

+ {

+ "id": "doc_1",

+ "snippet": "Emperor penguins only live in Antarctica.",

+ "title": "Penguin habitats"

+ }

+ ]

+ }

+```

+##### Chat - Tool use

+If invoking tools or generating a response based on tool results, use the following parameters.

+Request:

+```json

+ {

+ "message":"I'd like 4 apples and a fish please",

+ "tools":[

+ {

+ "name":"personal_shopper",

+ "description":"Returns items and requested volumes to purchase",

+ "parameter_definitions":{

+ "item":{

+ "description":"the item requested to be purchased, in all caps eg. Bananas should be BANANAS",

+ "type": "str",

+ "required": true

+ },

+ "quantity":{

+ "description": "how many of the items should be purchased",

+ "type": "int",

+ "required": true

+ }

+ }

+ }

+ ],

+

+ "tool_results": [

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Apples",

+ "quantity": 4

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ },

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Fish",

+ "quantity": 1

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale not completed"

+ }

+ ]

+ }

+ ]

+ }

+```

+Response:

+```json

+ {

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "text": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "chat_history": [

+ {

+ "message": "I'd like 4 apples and a fish please",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "a4c5da95-b370-47a4-9ad3-cbf304749c04",

+ "role": "User"

+ },

+ {

+ "message": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "role": "Chatbot"

+ }

+ ],

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 644,

+ "response_tokens": 31,

+ "total_tokens": 675,

+ "billed_tokens": 41

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 10,

+ "output_tokens": 31

+ }

+ },

+ "citations": [

+ {

+ "start": 5,

+ "end": 23,

+ "text": "completed the sale",

+ "document_ids": [

+ ""

+ ]

+ },

+ {

+ "start": 113,

+ "end": 132,

+ "text": "currently no stock.",

+ "document_ids": [

+ ""

+ ]

+ }

+ ],

+ "documents": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ }

+```

+Once you run your function and received tool outputs, you can pass them back to the model to generate a response for the user.

+Request:

+```json

+ {

+ "message":"I'd like 4 apples and a fish please",

+ "tools":[

+ {

+ "name":"personal_shopper",

+ "description":"Returns items and requested volumes to purchase",

+ "parameter_definitions":{

+ "item":{

+ "description":"the item requested to be purchased, in all caps eg. Bananas should be BANANAS",

+ "type": "str",

+ "required": true

+ },

+ "quantity":{

+ "description": "how many of the items should be purchased",

+ "type": "int",

+ "required": true

+ }

+ }

+ }

+ ],

+

+ "tool_results": [

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Apples",

+ "quantity": 4

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ },

+ {

+ "call": {

+ "name": "personal_shopper",

+ "parameters": {

+ "item": "Fish",

+ "quantity": 1

+ },

+ "generation_id": "cb3a6e8b-6448-4642-b3cd-b1cc08f7360d"

+ },

+ "outputs": [

+ {

+ "response": "Sale not completed"

+ }

+ ]

+ }

+ ]

+ }

+```

+Response:

+```json

+ {

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "text": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "chat_history": [

+ {

+ "message": "I'd like 4 apples and a fish please",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "a4c5da95-b370-47a4-9ad3-cbf304749c04",

+ "role": "User"

+ },

+ {

+ "message": "I've completed the sale for 4 apples. \n\nHowever, there was an error regarding the fish; it appears that there is currently no stock.",

+ "response_id": "fa634da2-ccd1-4b56-8308-058a35daa100",

+ "generation_id": "f567e78c-9172-4cfa-beba-ee3c330f781a",

+ "role": "Chatbot"

+ }

+ ],

+ "finish_reason": "COMPLETE",

+ "token_count": {

+ "prompt_tokens": 644,

+ "response_tokens": 31,

+ "total_tokens": 675,

+ "billed_tokens": 41

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 10,

+ "output_tokens": 31

+ }

+ },

+ "citations": [

+ {

+ "start": 5,

+ "end": 23,

+ "text": "completed the sale",

+ "document_ids": [

+ ""

+ ]

+ },

+ {

+ "start": 113,

+ "end": 132,

+ "text": "currently no stock.",

+ "document_ids": [

+ ""

+ ]

+ }

+ ],

+ "documents": [

+ {

+ "response": "Sale completed"

+ }

+ ]

+ }

+```

+##### Chat - Search queries

+If you're building a RAG agent, you can also use Cohere's Chat API to get search queries from Command. Specify `search_queries_only=TRUE` in your request.

+Request:

+```json

+ {

+ "message": "Which lego set has the greatest number of pieces?",

+ "search_queries_only": true

+ }

+```

+Response:

+```json

+ {

+ "response_id": "5e795fe5-24b7-47b4-a8bc-b58a68c7c676",

+ "text": "",

+ "finish_reason": "COMPLETE",

+ "meta": {

+ "api_version": {

+ "version": "1"

+ }

+ },

+ "is_search_required": true,

+ "search_queries": [

+ {

+ "text": "lego set with most pieces",

+ "generation_id": "a086696b-ad8e-4d15-92e2-1c57a3526e1c"

+ }

+ ]

+ }

+```

+##### Additional inference examples

+| **Sample Type** | **Sample Notebook** |

+|-|-|

+| CLI using CURL and Python web requests - Command R | [command-r.ipynb](https://aka.ms/samples/cohere-command-r/webrequests)|

+| CLI using CURL and Python web requests - Command R+ | [command-r-plus.ipynb](https://aka.ms/samples/cohere-command-r-plus/webrequests)|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://aka.ms/samples/cohere-command/openaisdk) |

+| LangChain | [langchain.ipynb](https://aka.ms/samples/cohere/langchain) |

+| Cohere SDK | [cohere-sdk.ipynb](https://aka.ms/samples/cohere-python-sdk) |

+## Cost and quotas

+### Cost and quota considerations for models deployed as a service

+Cohere models deployed as a service are offered by Cohere through Azure Marketplace and integrated with Azure Machine Learning studio for use. You can find Azure Marketplace pricing when deploying the models.

+Each time a workspace subscribes to a given model offering from Azure Marketplace, a new resource is created to track the costs associated with its consumption. The same resource is used to track costs associated with inference; however, multiple meters are available to track each scenario independently.

+For more information on how to track costs, see [Monitor costs for models offered through the Azure Marketplace](../ai-studio/how-to/costs-plan-manage.md#monitor-costs-for-models-offered-through-the-azure-marketplace).

+Quota is managed per deployment. Each deployment has a rate limit of 200,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits aren't sufficient for your scenarios.

+## Content filtering

+Models deployed as a service with pay-as-you-go are protected by Azure AI content safety. With Azure AI content safety enabled, both the prompt and completion pass through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Learn more about [Azure AI Content Safety](/azure/ai-services/content-safety/overview).

+## Related content

+- [Model Catalog and Collections](concept-model-catalog.md)

+- [Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md)

+- [Plan and manage costs for Azure AI Studio](concept-plan-manage-cost.md)

+ Title: How to deploy Cohere Embed models with Azure Machine Learning studio

+description: Learn how to deploy Cohere Embed models with Azure Machine Learning studio.

+#This functionality is also available in Azure AI Studio: /azure/ai-studio/how-to/deploy-models-cohere.md

+# How to deploy Cohere Embed models with Azure Machine Learning studio

+Cohere offers two Embed models in Azure Machine Learning studio. These models are available with pay-as-you-go token based billing with Models as a Service.

+* Cohere Embed v3 - English

+* Cohere Embed v3 - Multilingual

+

+You can browse the Cohere family of models in the model catalog by filtering on the Cohere collection.

+## Models

+In this article, you learn how to use Azure Machine Learning studio to deploy the Cohere models as a service with pay-as you go billing.

+### Cohere Embed v3 - English

+Cohere Embed English is the market's leading text representation model used for semantic search, retrieval-augmented generation (RAG), classification, and clustering. Embed English has top performance on the HuggingFace MTEB benchmark and performs well on various industries such as Finance, Legal, and General-Purpose Corpora.

+* Embed English has 1,024 dimensions.

+* Context window of the model is 512 tokens.

+### Cohere Embed v3 - Multilingual

+Cohere Embed Multilingual is the market's leading text representation model used for semantic search, retrieval-augmented generation (RAG), classification, and clustering. Embed Multilingual supports 100+ languages and can be used to search within a language (for example, search with a French query on French documents) and across languages (for example, search with an English query on Chinese documents). Embed multilingual has SOTA performance on multilingual benchmarks such as Miracl.

+* Embed Multilingual has 1,024 dimensions.

+* Context window of the model is 512 tokens.

+## Deploy with pay-as-you-go

+Certain models in the model catalog can be deployed as a service with pay-as-you-go, providing a way to consume them as an API without hosting them on your subscription, while keeping the enterprise security and compliance organizations need. This deployment option doesn't require quota from your subscription.

+The previously mentioned Cohere models can be deployed as a service with pay-as-you-go, and are offered by Cohere through the Microsoft Azure Marketplace. Cohere can change or update the terms of use and pricing of this model.

+### Prerequisites

+- An Azure subscription with a valid payment method. Free or trial Azure subscriptions won't work. If you don't have an Azure subscription, create a [paid Azure account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go) to begin.

+- An Azure Machine Learning workspace. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them.

+ > [!IMPORTANT]

+ > Pay-as-you-go model deployment offering is only available in workspaces created in EastUS, EastUS2 or Sweden Central regions.

+- Azure role-based access controls (Azure RBAC) are used to grant access to operations. To perform the steps in this article, your user account must be assigned the __Azure AI Developer role__ on the Resource Group.

+ For more information on permissions, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).

+### Create a new deployment

+To create a deployment:

+1. Go to [Azure Machine Learning studio](https://ml.azure.com/home).

+1. Select the workspace in which you want to deploy your models. To use the pay-as-you-go model deployment offering, your workspace must belong to the EastUS, EastUS2 or Sweden Central region.

+1. Choose the model you want to deploy from the [model catalog](https://ml.azure.com/model/catalog).

+ Alternatively, you can initiate deployment by going to your workspace and selecting **Endpoints** > **Serverless endpoints** > **Create**.

+1. On the model's overview page in the model catalog, select **Deploy** and then **Pay-as-you-go**.

+ :::image type="content" source="media/how-to-deploy-models-cohere-embed/embed-english-deploy-pay-as-you-go.png" alt-text="A screenshot showing how to deploy a model with the pay-as-you-go option." lightbox="media/how-to-deploy-models-cohere-embed/embed-english-deploy-pay-as-you-go.png":::

+1. In the deployment wizard, select the link to **Azure Marketplace Terms** to learn more about the terms of use.

+1. You can also select the **Marketplace offer details** tab to learn about pricing for the selected model.

+1. If this is your first time deploying the model in the workspace, you have to subscribe your workspace for the particular offering of the model. This step requires that your account has the **Azure AI Developer role** permissions on the Resource Group, as listed in the prerequisites. Each workspace has its own subscription to the particular Azure Marketplace offering, which allows you to control and monitor spending. Select **Subscribe and Deploy**. Currently you can have only one deployment for each model within a workspace.

+ :::image type="content" source="media/how-to-deploy-models-cohere-embed/embed-english-marketplace-terms.png" alt-text="A screenshot showing the terms and conditions of a given model." lightbox="media/how-to-deploy-models-cohere-embed/embed-english-marketplace-terms.png":::

+1. Once you subscribe the workspace for the particular Azure Marketplace offering, subsequent deployments of the _same_ offering in the _same_ workspace don't require subscribing again. If this scenario applies to you, there's a **Continue to deploy** option to select.

+ :::image type="content" source="media/how-to-deploy-models-cohere-embed/embed-english-existing-deployment.png" alt-text="A screenshot showing a project that is already subscribed to the offering." lightbox="media/how-to-deploy-models-cohere-embed/embed-english-existing-deployment.png":::

+1. Give the deployment a name. This name becomes part of the deployment API URL. This URL must be unique in each Azure region.

+ :::image type="content" source="media/how-to-deploy-models-cohere-embed/embed-english-deployment-name.png" alt-text="A screenshot showing how to indicate the name of the deployment you want to create." lightbox="media/how-to-deploy-models-cohere-embed/embed-english-deployment-name.png":::

+1. Select **Deploy**. Wait until the deployment is finished and you're redirected to the serverless endpoints page.

+1. Select the endpoint to open its Details page.

+1. Select the **Test** tab to start interacting with the model.

+1. You can always find the endpoint's details, URL, and access keys by navigating to **Workspace** > **Endpoints** > **Serverless endpoints**.

+1. Take note of the **Target** URL and the **Secret Key**. For more information on using the APIs, see the [reference](#embed-api-reference-for-cohere-embed-models-deployed-as-a-service) section.

+To learn about billing for models deployed with pay-as-you-go, see [Cost and quota considerations for Cohere models deployed as a service](#cost-and-quota-considerations-for-models-deployed-as-a-service).

+### Consume the models as a service

+The previously mentioned Cohere models can be consumed using the chat API.

+1. In the **workspace**, select **Endpoints** > **Serverless endpoints**.

+1. Find and select the deployment you created.

+1. Copy the **Target** URL and the **Key** token values.

+1. Cohere exposes two routes for inference with the Embed v3 - English and Embed v3 - Multilingual models. `v1/embeddings` adheres to the Azure AI Generative Messages API schema, and `v1/embed` supports Cohere's native API schema.

+For more information on using the APIs, see the [reference](#embed-api-reference-for-cohere-embed-models-deployed-as-a-service) section.

+## Embed API reference for Cohere Embed models deployed as a service

+### v1/embeddings

+#### Request

+```

+ POST /v1/embeddings HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/emebeddings request schema

+Cohere Embed v3 - English and Embed v3 - Multilingual accept the following parameters for a `v1/embeddings` API call:

+| Property | Type | Default | Description |

+| | | | |

+|`input` |`array of strings` |Required |An array of strings for the model to embed. Maximum number of texts per call is 96. We recommend reducing the length of each text to be under 512 tokens for optimal quality. |

+#### v1/emebeddings response schema

+The response payload is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `id` | `string` | A unique identifier for the completion. |

+| `object` | `enum`|The object type, which is always `list` |

+| `data` | `array` | The Unix timestamp (in seconds) of when the completion was created. |

+| `model` | `string` | The model_id used for creating the embeddings. |

+| `usage` | `object` | Usage statistics for the completion request. |

+The `data` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `index` | `integer` |The index of the embedding in the list of embeddings. |

+| `object` | `enum` | The object type, which is always "embedding." |

+| `embedding` | `array` | The embedding vector, which is a list of floats. |

+The `usage` object is a dictionary with the following fields:

+| Key | Type | Description |

+| | | |

+| `prompt_tokens` | `integer` | Number of tokens in the prompt. |

+| `completion_tokens` | `integer` | Number of tokens generated in the completion. |

+| `total_tokens` | `integer` | Total tokens. |

+### v1/embeddings examples

+Request:

+```json

+ {

+ "input": ["hi"]

+ }

+```

+Response:

+```json

+ {

+ "id": "87cb11c5-2316-4c88-af3c-4b2b77ed58f3",

+ "object": "list",

+ "data": [

+ {

+ "index": 0,

+ "object": "embedding",

+ "embedding": [

+ 1.1513672,

+ 1.7060547,

+ ...

+ ]

+ }

+ ],

+ "model": "tmp",

+ "usage": {

+ "prompt_tokens": 1,

+ "completion_tokens": 0,

+ "total_tokens": 1

+ }

+ }

+```

+### v1/embed

+#### Request

+```

+ POST /v1/embed HTTP/1.1

+ Host: <DEPLOYMENT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-type: application/json

+```

+#### v1/embed request schema

+Cohere Embed v3 - English and Embed v3 - Multilingual accept the following parameters for a `v1/embed` API call:

+|Key |Type |Default |Description |

+|||||

+|`texts` |`array of strings` |Required |An array of strings for the model to embed. Maximum number of texts per call is 96. We recommend reducing the length of each text to be under 512 tokens for optimal quality. |

+|`input_type` |`enum string` |Required |Prepends special tokens to differentiate each type from one another. You shouldn't mix different types together, except when mixing types for for search and retrieval. In this case, embed your corpus with the `search_document` type and embedded queries with type `search_query` type. <br/> `search_document` ΓÇô In search use-cases, use search_document when you encode documents for embeddings that you store in a vector database. <br/> `search_query` ΓÇô Use search_query when querying your vector DB to find relevant documents. <br/> `classification` ΓÇô Use classification when using embeddings as an input to a text classifier. <br/> `clustering` ΓÇô Use clustering to cluster the embeddings.|

+|`truncate` |`enum string` |`NONE` |`NONE` ΓÇô Returns an error when the input exceeds the maximum input token length. <br/> `START` ΓÇô Discards the start of the input. <br/> `END` ΓÇô Discards the end of the input. |

+|`embedding_types` |`array of strings` |`float` |Specifies the types of embeddings you want to get back. Can be one or more of the following types. `float`, `int8`, `uint8`, `binary`, `ubinary` |

+#### v1/embed response schema

+Cohere Embed v3 - English and Embed v3 - Multilingual include the following fields in the response:

+|Key |Type |Description |

+||||

+|`response_type` |`enum` |The response type. Returns `embeddings_floats` when `embedding_types` isn't specified, or returns `embeddings_by_type` when `embeddings_types` is specified. |

+|`id` |`integer` |An identifier for the response. |

+|`embeddings` |`array` or `array of objects` |An array of embeddings, where each embedding is an array of floats with 1,024 elements. The length of the embeddings array is the same as the length of the original texts array.|

+|`texts` |`array of strings` |The text entries for which embeddings were returned. |

+|`meta` |`string` |API usage data, including current version and billable tokens. |

+For more information, see [https://docs.cohere.com/reference/embed](https://docs.cohere.com/reference/embed).

+### v1/embed examples

+#### Embeddings_floats response

+Request:

+```json

+ {

+ "input_type": "clustering",

+ "truncate": "START",

+ "texts":["hi", "hello"]

+ }

+```

+Response:

+```json

+ {

+ "id": "da7a104c-e504-4349-bcd4-4d69dfa02077",

+ "texts": [

+ "hi",

+ "hello"

+ ],

+ "embeddings": [

+ [

+ ...

+ ],

+ [

+ ...

+ ]

+ ],

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 2

+ }

+ },

+ "response_type": "embeddings_floats"

+ }

+```

+#### Embeddings_by_types response

+Request:

+```json

+ {

+ "input_type": "clustering",

+ "embedding_types": ["int8", "binary"],

+ "truncate": "START",

+ "texts":["hi", "hello"]

+ }

+```

+Response:

+```json

+ {

+ "id": "b604881a-a5e1-4283-8c0d-acbd715bf144",

+ "texts": [

+ "hi",

+ "hello"

+ ],

+ "embeddings": {

+ "binary": [

+ [

+ ...

+ ],

+ [

+ ...

+ ]

+ ],

+ "int8": [

+ [

+ ...

+ ],

+ [

+ ...

+ ]

+ ]

+ },

+ "meta": {

+ "api_version": {

+ "version": "1"

+ },

+ "billed_units": {

+ "input_tokens": 2

+ }

+ },

+ "response_type": "embeddings_by_type"

+ }

+```

+#### Additional inference examples

+| **Sample Type** | **Sample Notebook** |

+|-|-|

+| CLI using CURL and Python web requests | [cohere-embed.ipynb](https://aka.ms/samples/embed-v3/webrequests)|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://aka.ms/samples/cohere-embed/openaisdk) |

+| LangChain | [langchain.ipynb](https://aka.ms/samples/cohere-embed/langchain) |

+| Cohere SDK | [cohere-sdk.ipynb](https://aka.ms/samples/cohere-embed/cohere-python-sdk) |

+## Cost and quotas

+### Cost and quota considerations for models deployed as a service

+Cohere models deployed as a service are offered by Cohere through Azure Marketplace and integrated with Azure Machine Learning studio for use. You can find Azure Marketplace pricing when deploying the models.

+Each time a workspace subscribes to a given model offering from Azure Marketplace, a new resource is created to track the costs associated with its consumption. The same resource is used to track costs associated with inference; however, multiple meters are available to track each scenario independently.

+For more information on how to track costs, see [Monitor costs for models offered through the Azure Marketplace](../ai-studio/how-to/costs-plan-manage.md#monitor-costs-for-models-offered-through-the-azure-marketplace).

+Quota is managed per deployment. Each deployment has a rate limit of 200,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits aren't sufficient for your scenarios.

+## Content filtering

+Models deployed as a service with pay-as-you-go are protected by Azure AI content safety. With Azure AI content safety enabled, both the prompt and completion pass through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Learn more about [Azure AI Content Safety](/azure/ai-services/content-safety/overview).

+## Related content

+- [Model Catalog and Collections](concept-model-catalog.md)

+- [Deploy and score a machine learning model by using an online endpoint](how-to-deploy-online-endpoints.md)

+- [Plan and manage costs for Azure AI Studio](concept-plan-manage-cost.md)

+description: Get started with your first Python script in Azure Machine Learning, with SDK v1. This is part 1 of a two-part getting-started series.

+In this tutorial, you run your first Python script in the cloud with Azure Machine Learning. This tutorial is *part 1 of a two-part tutorial series*.

+This tutorial avoids the complexity of training a machine learning model. You'll run a "Hello World" Python script in the cloud. You'll learn how a control script is used to configure and create a run in Azure Machine Learning.

+This tutorial uses the compute instance as your development computer. First create a few folders and the script:

+ :::image type="content" source="./media/tutorial-1st-experiment-hello-world/create-folder.png" alt-text="Screenshot shows create a new folder tool in toolbar.":::

+ :::image type="content" source="./media/tutorial-1st-experiment-hello-world/create-sub-folder.png" alt-text="Screenshot shows create a subfolder menu.":::

+1. Name the new folder **src**. Use the **Edit location** link if the file location isn't correct.

+1. Name your file *hello.py*. Switch the **File type** to *Python (*.py)*.

+You can run your code locally, which in this case means on the compute instance. Running code locally has the benefit of interactive debugging of code.

+You see the output of the script in the terminal window that opens. Close the tab and select **Terminate** to close the session.

+A *control script* allows you to run your `hello.py` script on different compute resources. You use the control script to control how and where your machine learning code is run.

+Select the **...** at the end of **get-started** folder to create a new file. Create a Python file called *run-hello.py* and copy/paste the following code into that file:

+ [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig) wraps your `hello.py` code and passes it to your workspace. As the name suggests, you can use this class to _configure_ how you want your _script_ to _run_ in Azure Machine Learning. It also specifies what compute target the script runs on. In this code, the target is the compute cluster that you created in the [setup tutorial](../quickstart-create-resources.md).

+ Submits your script. This submission is called a [run](/python/api/azureml-core/azureml.core.run%28class%29). In v2, it has been renamed to a job. A run/job encapsulates a single execution of your code. Use a job to monitor the script progress, capture the output, analyze the results, visualize metrics, and more.

+ The `run` object provides a handle on the execution of your code. Monitor its progress from the Azure Machine Learning studio with the URL that prints from the Python script.

+1. In the terminal, you may be asked to sign in to authenticate. Copy the code and follow the link to complete this step.

+1. Once you're authenticated, you see a link in the terminal. Select the link to view the job.

+The output from your script contains a link to the studio that looks something like this:

+Follow the link. At first, you see a status of **Queued** or **Preparing**. The first run takes 5-10 minutes to complete. This is because the following occurs:

+Subsequent jobs are quicker (~15 seconds) as the docker image is cached on the compute. You can test this by resubmitting the code below after the first job has completed.

+Wait about 10 minutes. You see a message that the job has completed. Then use **Refresh** to see the status change to *Completed*. Once the job completes, go to the **Outputs + logs** tab. There you can see a `std_log.txt` file in the `user_logs` folder. The output of your script is in this file.

+The `azureml-logs` and `system-logs` folders contain files that can be useful when you're debugging remote jobs in the cloud.

+## Next step

+> If you want to finish the tutorial series here and not progress to the next step, remember to [clean up your resources](tutorial-1st-experiment-sdk-train.md#clean-up-resources).

+description: How to train a machine learning model in Azure Machine Learning, with SDK v1. This is part 2 of a two-part getting-started series.

+This tutorial shows you how to train a machine learning model in Azure Machine Learning. This tutorial is *part 2 of a two-part tutorial series*.

+ In [Part 1: Run "Hello world!"](tutorial-1st-experiment-hello-world.md) of the series, you learned how to use a control script to run a job in the cloud.

+In this tutorial, you take the next step by submitting a script that trains a machine learning model. This example helps you understand how Azure Machine Learning eases consistent behavior between local debugging and remote runs.

+First you define the neural network architecture in a *model.py* file. All your training code goes into the `src` subdirectory, including *model.py*.

+The training code is taken from [this introductory example](https://pytorch.org/tutorials/beginner/blitz/cifar10_tutorial.html) from PyTorch. The Azure Machine Learning concepts apply to any machine learning code, not just PyTorch.

+1. On the toolbar, select **Save** to save the file. Close the tab if you wish.

+ :::image type="content" source="./media/tutorial-1st-experiment-sdk-train/directory-structure.png" alt-text="Directory structure shows train.py in src subdirectory":::

+After the script completes, select **Refresh** above the file folders. You see the new data folder called **get-started/data** Expand this folder to view the downloaded data.

+Azure Machine Learning provides the concept of an [environment](/python/api/azureml-core/azureml.core.environment.environment) to represent a reproducible, versioned Python environment for running experiments. It's easy to create an environment from a local Conda or pip environment.

+First you create a file with the package dependencies.

+1. On the toolbar, select **Save** to save the file. Close the tab if you wish.

+1. You see a link in the terminal window that opens. Select the link to view the job.

+1. In the page that opens, you see the job status. The first time you run this script, Azure Machine Learning builds a new Docker image from your PyTorch environment. The whole job might take around 10 minutes to complete. This image will be reused in future jobs to make them run much quicker.

+1. You can see view Docker build logs in the Azure Machine Learning studio. to view the build logs:

+ 1. Select the **Outputs + logs** tab.

+ 1. Select **azureml-logs** folder.

+ 1. Select **20_image_build_log.txt**.

+1. Select **user_logs**, then **std_log.txt** to view the output of your job.

+Select the **...** at the end of the folder, then select **Move** to move **data** to the **get-started** folder.

+Select the tab for the *run-pytorch.py* script, then select **Save and run script in terminal** to rerun the *run-pytorch.py* script. Make sure you save your changes to `pytorch-env.yml` first.

+This time when you visit the studio, go to the **Metrics** tab where you can now see live updates on the model training loss! It may take a 1 to 2 minutes before the training begins.

+## Clean up resources

+If you plan to continue now to another tutorial, or to start your own training jobs, skip to [Related resources](#related-resources).

+### Stop compute instance

+If you're not going to use it now, stop the compute instance:

+1. In the studio, on the left, select **Compute**.

+1. In the top tabs, select **Compute instances**

+1. Select the compute instance in the list.

+1. On the top toolbar, select **Stop**.

+### Delete all resources

+You can also keep the resource group but delete a single workspace. Display the workspace properties and select **Delete**.

+## Related resources

+In this session, you upgraded from a basic "Hello world!" script to a more realistic training script that required a specific Python environment to run. You saw how to use curated Azure Machine Learning environments. Finally, you saw how in a few lines of code you can log metrics to Azure Machine Learning.

+There are other ways to create Azure Machine Learning environments, including [from a pip requirements.txt](/python/api/azureml-core/azureml.core.environment.environment#from-pip-requirements-name--file-path-) file or [from an existing local Conda environment](/python/api/azureml-core/azureml.core.environment.environment#from-existing-conda-environment-name--conda-environment-name-).

+**Web apps on Azure** | Assessments to migrate your on-premises Spring Boot apps to Azure Spring Apps or ASP.NET/Java web apps to Azure App Service.

+**Azure App Service** | Assessments to migrate your on-premises ASP.NET web apps, running on IIS web servers, or Java web applications, running on Tomcat servers from your VMware vSphere environment to Azure App Service.

+This article provides an overview of assessments for migrating on-premises ASP.NET/Java web apps to Azure App Service using the [Azure Migrate: Discovery and assessment tool](./migrate-services-overview.md#azure-migrate-discovery-and-assessment-tool).

+**Azure App Service** | Assessments to migrate your on-premises ASP.NET web apps running on IIS web servers or Java web apps running on Tomcat servers to Azure App Service.

+## How do I assess my on-premises ASP.NET/Java web apps?

+ Use more accurate data insights collected via **Azure Migrate appliance** | You need to set up an Azure Migrate appliance for [VMware](how-to-set-up-appliance-vmware.md) or [Hyper-V](how-to-set-up-appliance-hyper-v.md) or [Physical/Bare-metal or other clouds](how-to-set-up-appliance-physical.md). The appliance discovers servers, SQL Server instance and databases, and ASP.NET/Java webapps and sends metadata and performance (resource utilization) data to Azure Migrate. [Learn more](migrate-appliance.md). | Azure recommended to minimize cost, Migrate to all IaaS (Infrastructure as a Service), Modernize to PaaS (Platform as a Service)

+This article shows you how to assess discovered ASP.NET/Java web apps for migration to Azure App Service, using the Azure Migrate: Discovery and assessment tool.

+> Discovery and assessment of ASP.NET/Java web apps is now in preview. If you want to try out this feature in an existing project, please ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article.

+- To create an assessment, you need to set up an Azure Migrate appliance. The [appliance](migrate-appliance.md) discovers on-premises servers, and sends metadata and performance data to Azure Migrate. The same appliance discovers ASP.NET/Java web apps running in your environment.

+**Azure App Service** | Assessments to migrate your on-premises ASP.NET/Java web apps, running on IIS web servers, from your VMware vSphere environment to Azure App Service.

+[Movere](/movere/overview) | Assess VMware VMs, Hyper-V VMs, Xen VMs, physical servers, workstations (including VDI) and other cloud workloads. | N/A

+Azure Migrate provides options to assess discovered ASP.NET/Java web apps for migration to Azure App Service and Azure KubernetesService (AKS) by using the Azure Migrate: Discovery and assessment tool. Refer to the [assessment](tutorial-assess-webapps.md) tutorial to get started.

+ Title: Assess ASP.NET/Java web apps for migration to Azure Kubernetes Service

+zone_pivot_groups: web-apps-assessment-aks

+# Assess web apps for migration to Azure Kubernetes Service (preview)

+This article shows you how to assess Java web apps for migration to [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) using Azure Migrate. Creating an assessment for your Java web app provides key insights such as **app-readiness**, **target right-sizing** and **cost** to host and run these apps month over month.

+> [!div class="checklist"]

+> * Choose a set of discovered Java web apps to assess for migration to AKS.

+> * Provide assessment configurations such as Azure Reserved Instances, target region etc.

+> * Get insights about the migration readiness of their assessed apps.

+> * Get insights on the AKS Node SKUs that can optimally host and run these apps.

+> * Get the estimated cost of running these apps on AKS.

+- Follow [these steps](./how-to-discover-sql-existing-project.md) to discover Java web apps running on your environment.

+1. Sign into the [Azure portal](https://ms.portal.azure.com/#home) and search for Azure Migrate.

+1. On the **Azure Migrate** page, under **Migration goals**, select **Servers, databases and web apps**.

+1. On the **Servers, databases and web apps** page, under **Assessments tools**, select **Web apps on Azure** from the **Assess** dropdown menu.

+1. On the **Create assessment** page, under **Basics** tab, do the following:

+ 1. **Scenario**: Select **Web apps to AKS**.

+ 2. Select **Edit** to modify assessment settings. See the table below to update the various assessment settings.

+ | Environment Type | Production <br> Dev/Test | Allows you to toggle between pay-as-you-go and pay-as-you-go Dev/Test [offers](https://azure.microsoft.com/support/legal/offer-details/). |

+ | Offer/Licensing program | Pay-as-you-go <br> Enterprise Agreement | Allows you to toggle between pay-as-you-go and Enterprise Agreement [offers](https://azure.microsoft.com/support/legal/offer-details/). |

+ | Savings options | 1 year reserved <br> 3 years reserved <br> 1 year savings plan <br> 3 years savings plan <br> None | Select a savings option if you've opted for [Reserved Instances](../cost-management-billing/reservations/save-compute-costs-reservations.md) or [Savings Plan](https://azure.microsoft.com/pricing/offers/savings-plan-compute/). |

+ | Category | All <br> Compute optimized <br> General purpose <br> GPU <br> High performance compute <br> Isolated <br> Memory optimized <br> Storage optimized | Selecting a particular SKU category ensures we recommend the best AKS Node SKUs from that category. |

+1. After reviewing the assessment settings, select **Next: Select servers to assess**.

+1. Under the **Select servers to assess** tab, do the following:

+ - **Assessment name**: Specify a name for the assessment.

+ - **Select or create a group**: Select **Create New** and specify a group name. You can also use an existing group.

+ - **Appliance name**: Select the appliance.

+ ::: zone pivot="asp-net"

+ - **Web app type**: Select **ASP.NET**.

+ ::: zone-end

+ ::: zone pivot="java"

+ - **Web app type**: Select **Java**.

+ ::: zone-end

+ - Select the servers, which host the web apps to be assessed from the table.

+ - Select **Next** to review the high-level assessment details.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/create-server-selection.png" alt-text="Screenshot of selecting servers containing the web apps to be assessed.":::

+1. Under **Review + create assessment** tab, review the assessment details, and select **Create assessment** to create the group and run the assessment.

+1. On the **Azure Migrate** page, under **Migration goals**, select **Servers, databases and web apps**.

+1. On the **Servers, databases and web apps** page, under **Assessment tools** > **Assessments**, select the number next to the Web apps on Azure assessment.

+1. On the **Assessments** page, select a desired assessment name to view from the list of assessments.

+2. Use the search bar to filter for your assessment. It should be in the **Ready** state.

+Selecting the recommended cluster for the app opens the **Cluster details** page. This page surfaces details such as the number of system and user node pools, the SKU for each node pool and the web apps recommended for this cluster. Typically, an assessment will only generate a single cluster. The number of clusters increases when the web apps in the assessment start hitting AKS cluster limits.

+- [Review and implement best practices](../aks/best-practices.md) to build and manage apps on AKS.

+zone_pivot_groups: web-apps-assessment-app-service

+# Tutorial: Assess web apps for migration to Azure App Service

+As part of your migration journey to Azure, assess your on-premises workloads to measure cloud readiness, identify risks, and estimate costs and complexity.

+As part of your migration journey to Azure, assess your on-premises workloads to measure cloud readiness, identify risks, and estimate costs and complexity.

+This article shows you how to assess discovered Java web apps running on Tomcat servers in preparation for migration to Azure App Service Code and Azure App Service Containers, using the Azure Migrate: Discovery and assessment tool. [Learn more](../app-service/overview.md) about Azure App Service.

+> * Review an Azure App Service assessment.

+1. Sign into the [Azure portal](https://ms.portal.azure.com/#home) and search for Azure Migrate.

+1. On the **Azure Migrate** page, under **Migration goals**, select **Servers, databases and web apps**.

+2. On the **Servers, databases and web apps** page, under **Assessments tools**, select **Web apps on Azure** from the **Assess** dropdown menu.

+3. On the **Create assessment** page, under **Basics** tab, do the following:

+ 1. The assessment type is pre-selected as **Web apps on Azure** and the discovery source defaulted to **Servers discovered from Azure Migrate appliance**. Select the **Scenario** as **Web apps to App Service**.

+ :::image type="content" source="./media/tutorial-assess-webapps/create-assess-scenario.png" alt-text="Screenshot of Create assessment page for Azure Migrate.":::

+ 1. Select **Edit** to review the assessment properties.

+ The following are included in Azure App Service assessment properties:

+ :::image type="content" source="./media/tutorial-assess-webapps/settings.png" alt-text="Screenshot of assessment settings for Azure Migrate.":::

+ **Property** | **Details**

+ |

+ **Target location** | The Azure region to which you want to migrate. Azure App Service configuration and cost recommendations are based on the location that you specify.

+ **Environment type** | Type of environment in which it's running.

+ **Offer** | The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. The assessment estimates the cost for that offer.

+ **Currency** | The billing currency for your account.

+ **Discount (%)** | Any subscription-specific discounts that you receive on top of the Azure offer. The default setting is 0%.

+ **EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br/><br/> Retain the default settings for reserved instances and discount (%) properties.

+ **Savings options (Compute)** | The Savings option the assessment must consider.

+ **Isolation required** | Select **Yes** if you want your web apps to run in a private and dedicated environment in an Azure datacenter.

+ 1. Select **Save** if you made any changes.

+1. On the **Create assessment** page, select **Next: Select servers to assess**.

+1. Under the **Select servers to assess** tab, do the following:

+ - **Assessment name**: Specify a name for the assessment.

+ - **Select or create a group**: Select **Create New** and specify a group name. You can also use an existing group.

+ - **Appliance name**: Select the appliance.

+ ::: zone pivot="asp-net"

+ - **Web app type**: Select **ASP.NET**.

+ ::: zone-end

+ ::: zone pivot="java"

+ - **Web app type**: Select **Java**.

+ ::: zone-end

+ - Select the servers that you want to add to the group from the table.

+ - Select **Next**.

+1. Under **Review + create assessment** tab, review the assessment details, and select **Create assessment** to create the group and run the assessment.

+1. On the **Servers, databases and web apps** page, under **Assessment tools** > **Assessments**, select the number next to **Web apps on Azure** in the **Assessment** section.

+1. On the **Azure Migrate** page, under **Migration goals**, select **Servers, databases and web apps**.

+1. On the **Servers, databases and web apps** page, under **Assessment tools** > **Assessments**, select the number next to the Web apps on Azure assessment.

+1. On the **Assessments** page, select a desired assessment name to view from the list of assessments.

+ The **Overview** page contains 3 sections:

+ - **Essentials**: The **Essentials** section displays the group the assessed entity belongs to, its status, the location, discovery source, and currency in US dollars.

+ - **Assessed entities**: This section displays the number of servers selected for the assessments, number of Azure app services in the selected servers, and the number of distinct Sprint Boot app instances that were assessed.

+ - **Migration scenario**: This section provides a pictorial representation of the number of apps that are ready, ready with conditions, and not ready. You can see two graphical representations, one for *All Web applications to App Service Code* and the other for *All Web applications to App Service Containers*. In addition, it also lists the number of apps ready to migrate and the estimated cost for the migration for the apps that are ready to migrate.

+To review the readiness for the web apps, follow these steps:

+1. On **Assessments**, select the name of the assessment that you want to view.

+## Update (April 2024)

+- Public Preview: You now have the capability to assess your Java (Tomcat) web apps to both Azure App Service and Azure Kubernetes Service (AKS).

+**In-place automigration** from Azure Database for MySQL ΓÇô Single Server to Flexible Server is a service-initiated in-place migration during planned maintenance window for Single Server database workloads with **Basic, General Purpose or Memory Optimized SKU**, data storage used **<= 20 GiB** and **no complex features (CMK, AAD, Read Replica, Private Link) enabled**. The eligible servers are identified by the service and are sent an advance notification detailing steps to review migration details.

+> If your Single Server instance has General Purpose V1 storage, your scheduled instance will undergo an additional restart operation 12 hours prior to the scheduled migration time. This restart operation serves to enable the log_bin server parameter needed to upgrade the instance to General Purpose V2 storage before undergoing the in-place auto-migration.

+* If you own a Single Server workload with Basic, General Purpose or Memory Optimized SKU, data storage used <= 20 GiB and no complex features (CMK, AAD, Read Replica, Private Link) enabled, you can now nominate yourself (if not already scheduled by the service) for auto-migration by submitting your server details through this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4lhLelkCklCuumNujnaQ-ZUQzRKSVBBV0VXTFRMSDFKSUtLUDlaNTA5Wi4u).

+|[BUI](https://www.bui.co.za/)|[a2zManaged Cloud Management](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bui.bui_a2zmanaged)||[BUI Managed Azure vWAN using VMware SD-WAN](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bui.bui_managed_vwan?tab=Overview)||[BUI CyberSoC](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bui.bui_mxdr_saas)|

+* System agent pools are designed for hosting critical system pods like CoreDNS and metrics-server.

+* User agent pools are designed for hosting your application pods.

+Application pods can be scheduled on system agent pools if you wish to only have one pool in your Kubernetes cluster. Nexus Kubernetes cluster must have an initial agent pool that includes at least one system agent pool with at least one node.

+* Refer to the Nexus Kubernetes cluster [QuickStart guide](./quickstarts-kubernetes-cluster-deployment-bicep.md) for a comprehensive overview and steps involved.

+* Ensure that you meet the outlined prerequisites to ensure smooth implementation of the guide.

+* You can delete system agent pools, provided you have another system agent pool to take its place in the Nexus Kubernetes cluster.

+* System pools must contain at least one node.

+* You can't change the VM size of an agent pool after you create it.

+* Each Nexus Kubernetes cluster requires at least one system agent pool.

+* Don't run application workloads on Kubernetes control plane nodes, as they're designed only for managing the cluster, and doing so can harm its performance and stability.

+For a system agent pool, Nexus Kubernetes automatically assigns the label `kubernetes.azure.com/mode: system` to its nodes. This label causes Nexus Kubernetes to prefer scheduling system pods on agent pools that contain this label. This label doesn't prevent you from scheduling application pods on system agent pools. However, we recommend you isolate critical system pods from your application pods to prevent misconfigured or rogue application pods from accidentally killing system pods.

+You can enforce this behavior by creating a dedicated system agent pool. Use the `CriticalAddonsOnly=true:NoSchedule` taint to prevent application pods from being scheduled on system agent pools. If you intend to use the system pool for application pods (not dedicated), don't apply any application specific taints to the pool, as applying such taints can lead to cluster creation failures.

+> If you run a single system agent pool for your Nexus Kubernetes cluster in a production environment, we recommend you use at least three nodes for the agent pool.

+Always consider your cluster's resource capacity, the nature of your workloads, and the required level of resiliency when making your decision. By managing and understanding these agent pools effectively, you can optimize your Nexus Kubernetes cluster to best fit your operational needs.

+description: Learn how to connect to Azure Operator Nexus Kubernetes cluster for interacting, troubleshooting, and maintenance tasks.

+Throughout the lifecycle of your Azure Operator Nexus Kubernetes cluster, you eventually need to directly access a cluster node. This access could be for maintenance, log collection, or troubleshooting operations. You access a node through authentication, which methods vary depending on your method of connection. You securely authenticate against cluster nodes through two options discussed in this article. For security reasons, cluster nodes aren't exposed to the internet. Instead, to connect directly to cluster nodes, you need to use either `kubectl debug` or the host's IP address from a jumpbox.

+* To SSH using the node IP address, you must deploy a jumpbox VM on the same Container Network Interface (CNI) network as the cluster nodes.

+## Access to cluster nodes via Azure Arc for servers

+The `az ssh arc` command allows users to remotely access a cluster VM that has been connected to Azure Arc. This method is a secure way to SSH into the cluster node directly from the command line, making it a quick and efficient method for remote management.

+> [!NOTE]

+> Operator Nexus Kubernetes cluster nodes are Arc connected servers by default.

+1. Set the required variables. Replace the placeholders with the actual values relevant to your Azure environment and Nexus Kubernetes cluster.

+ ```bash

+ RESOURCE_GROUP="myResourceGroup" # Resource group where the Nexus Kubernetes cluster is deployed

+ CLUSTER_NAME="myNexusK8sCluster" # Name of the Nexus Kubernetes cluster

+ SUBSCRIPTION_ID="<Subscription ID>" # Azure subscription ID

+ ADMIN_USERNAME="azureuser" # Username for the cluster administrator (--admin-username parameter value used during cluster creation)

+ SSH_PRIVATE_KEY_FILE="<vm_ssh_id_rsa>" # Path to the SSH private key file

+ MANAGED_RESOURCE_GROUP=$(az networkcloud kubernetescluster show -n $CLUSTER_NAME -g $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID --output tsv --query managedResourceGroupConfiguration.name)

+ ```

+2. Get the available cluster node names.

+ ```azurecli-interactive

+ az networkcloud kubernetescluster show --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID -o json | jq '.nodes[].name'

+3. Sample output:

+ ```bash

+ "mynexusk8scluster-0b32128d-agentpool1-md-7h9t4"

+ "mynexusk8scluster-0b32128d-agentpool1-md-c6xbs"

+ "mynexusk8scluster-0b32128d-control-plane-qq5jm"

+4. Set the cluster node name to the VM_NAME variable.

+ VM_NAME="mynexusk8scluster-0b32128d-agentpool1-md-7h9t4"

+5. Run the following command to SSH into the cluster node.

+ ```azurecli-interactive

+ az ssh arc --subscription $SUBSCRIPTION_ID \

+ --resource-group $MANAGED_RESOURCE_GROUP \

+ --name $VM_NAME \

+ --local-user $ADMIN_USERNAME \

+ --private-key-file $SSH_PRIVATE_KEY_FILE

+ ```

+## Access nodes using the Kubernetes API

+This method requires usage of `kubectl debug` command. This method is limited to containers and may miss wider system issues, unlike SSH (using 'az ssh arc' or direct IP), which offers full node access and control.

+### Access to Kubernetes API via Azure Arc for Kubernetes

+### Access to cluster nodes via Azure Arc for Kubernetes

+Once you're connected to a cluster via Arc for Kubernetes, you can connect to individual Kubernetes node using the `kubectl debug` command to run a privileged container on your node.

+1. List the nodes in your Nexus Kubernetes cluster:

+ ```console

+ $> kubectl get nodes

+ NAME STATUS ROLES AGE VERSION

+ mynexusk8scluster-0b32128d-agentpool1-md-7h9t4 Ready <none> 125m v1.24.9

+ mynexusk8scluster-0b32128d-agentpool1-md-c6xbs Ready <none> 125m v1.24.9

+ mynexusk8scluster-0b32128d-control-plane-qq5jm Ready <none> 124m v1.24.9

+2. Start a privileged container on your node and connect to it:

+ ```console

+ $> kubectl debug node/mynexusk8scluster-0b32128d-agentpool1-md-7h9t4 -it --image=mcr.microsoft.com/cbl-mariner/base/core:2.0

+ Creating debugging pod node-debugger-mynexusk8scluster-0b32128d-agentpool1-md-7h9t4-694gg with container debugger on node mynexusk8scluster-0b32128d-agentpool1-md-7h9t4.

+ If you don't see a command prompt, try pressing enter.

+ root [ / ]#

+ This privileged container gives access to the node. Execute commands on the cluster node by running `chroot /host` at the command line.

+3. When you're done with a debugging pod, enter the `exit` command to end the interactive shell session. After exiting the shell, make sure to delete the pod:

+ ```bash

+ kubectl delete pod node-debugger-mynexusk8scluster-0b32128d-agentpool1-md-7h9t4-694gg

+## Create an interactive shell connection to a node using the IP address

+### Connect to the cluster node from Azure jumpbox

+Another option for securely connecting to an Azure Operator Nexus Kubernetes cluster node is to set up a direct access to the cluster's CNI network from Azure jumpbox VM. Using this approach, you can SSH into the cluster nodes, also execute `kubectl` commands against the cluster using the `kubeconfig` file.

+Reach out to your network administrator to set up a direct connection from Azure jumpbox VM to the cluster's CNI network.

+### Connect to the cluster node from on-premises jumpbox

+Establish direct access to the cluster's CNI (Container Network Interface) from within your on-premises jumpbox. This direct access enables you to SSH into the cluster nodes, and lets you execute `kubectl` commands using the `kubeconfig` file.

+ ```azurecli-interactive

+## Create isolation domains

+The isolation-domains enable communication between workloads hosted in the same rack (intra-rack communication) or different racks (inter-rack communication). You can find more details about creating isolation domains [here](./howto-configure-isolation-domain.md).

+## Create networks for tenant workloads

+### Create an L2 network

+Gather the resource ID of the L2 isolation domain that you created to configure the VLAN for this network.

+#### [Azure CLI](#tab/azure-cli)

+#### [Azure PowerShell](#tab/azure-powershell)

+### Create an L3 network

+- The `resourceID` value of the L3 isolation domain that you created to configure the VLAN for this network.

+#### [Azure CLI](#tab/azure-cli)

+#### [Azure PowerShell](#tab/azure-powershell)

+### Create a trunked network

+#### [Azure CLI](#tab/azure-cli)

+#### [Azure PowerShell](#tab/azure-powershell)

+## Create a cloud services network

+>

+> In addition, if your ACR has dedicated data endpoints enabled, you will need to add all the new data-endpoints to the egress allow list. To find all the possible endpoints for your ACR follow the instruction [here](../container-registry/container-registry-dedicated-data-endpoints.md#dedicated-data-endpoints).

+### Use the proxy to reach outside of the virtual machine

+After a payment HSM is provisioned, the HSM device is connected directly to a customer's virtual network, with full remote HSM management capabilities, through Thales payShield Manager and the payShield Trusted Management Device (TMD).

+With the Azure Payment HSM provisioning service, customers have native access to two host network interfaces and one management interface on the payment HSM. This screenshot displays the Azure Payment HSM resources within a resource group.

+This article describes connectivity and networking concepts for Azure Database for PostgreSQL flexible server.

+* **Delegated subnet**. A virtual network contains subnets (subnetworks). Subnets enable you to segment your virtual network into smaller address spaces. Azure resources are deployed into specific subnets within a virtual network.

+ The smallest CIDR range you can specify for the subnet is /28, which provides 16 IP addresses, however the first and last address in any network or subnet can't be assigned to any individual host. Azure reserves five IPs to be utilized internally by Azure networking, which include two IPs that can't be assigned to host, mentioned above. This leaves you 11 available IP addresses for /28 CIDR range, whereas a single Azure Database for PostgreSQL flexible server instance with High Availability features utilizes four addresses.

+ - Dynamically apply rules to those virtual machines, or remove rules from those virtual machines.

+ For more information, see the [ASG overview](../../virtual-network/application-security-groups.md).

+ At this time, we don't support NSGs where an ASG is part of the rule with Azure Database for PostgreSQL flexible server. We currently advise using [IP-based source or destination filtering](../../virtual-network/network-security-groups-overview.md#security-rules) in an NSG.

+ > When setting up [Read Replicas across Azure regions](./concepts-read-replicas.md), Azure Database for PostgreSQL flexible server requires ability to send/receive traffic to **destination port 5432** for both primary and replica, as well as to **[Azure storage](../../virtual-network/service-tags-overview.md#available-service-tags)** in primary and replica regions from both primary and replica servers.

+* **Private DNS zone integration**. Azure private DNS zone integration allows you to resolve the private DNS within the current virtual network or any in-region peered virtual network where the private DNS zone is linked.

+[Azure Private DNS](../../dns/private-dns-overview.md) provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain names in the virtual network without the need to configure a custom DNS solution.

+When using private network access with Azure virtual network, providing the private DNS zone information is **mandatory** in order to be able to do DNS resolution. For new Azure Database for PostgreSQL flexible server instance creation using private network access, private DNS zones need to be used while configuring Azure Database for PostgreSQL flexible server instances with private access.

+Using Azure portal, API, CLI or ARM, you can also change private DNS Zone from the one you provided when creating your Azure Database for PostgreSQL flexible server instance to another private DNS zone that exists the same or different subscription.

+ > Ability to change private DNS Zone from the one you provided when creating your Azure Database for PostgreSQL flexible server instance to another private DNS zone is currently disabled for servers with High Availability feature enabled.

+After you create a private DNS zone in Azure, you need to [link](../../dns/private-dns-virtual-network-links.md) a virtual network to it. Once linked, resources hosted in that virtual network can access the private DNS zone.

+ > We no longer validate virtual network link presence on server creation for Azure Database for PostgreSQL flexible server with private networking. When creating server through the portal we provide customer choice to create link on server creation via checkbox *"Link Private DNS Zone your virtual network"* in the Azure portal.

+If you're using a custom DNS server, you must use a DNS forwarder to resolve the FQDN of Azure Database for PostgreSQL flexible server. The forwarder IP address should be [168.63.129.16](../../virtual-network/what-is-ip-address-168-63-129-16.md).

+> Only private DNS zone names that end with **'postgres.database.azure.com'** can be linked. Your DNS zone name cannot be the same as your Azure Database for PostgreSQL flexible server instance(s) otherwise name resolution will fail.

+### Communication with privately networked clients in different regions

+* **[Global VNET peering](../../virtual-network/virtual-network-peering-overview.md)**. Most common methodology, as it's the easiest way to connect networks in different regions together. Global VNET peering creates a connection over the Azure backbone directly between the two peered VNETs. This provides best network throughput and lowest latencies for connectivity using this method. When VNETs are peered, Azure will also handle the routing automatically for you, these VNETs can communicate with all resources in the peered VNET, established on a VPN gateway.

+* **[VNET-to-VNET connection](../../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md)**. A VNET-to-VNET connection is essentially a VPN between the two different Azure locations. The VNET-to-VNET connection is established on a VPN gateway. This means your traffic incurs two additional traffic hops as compared to global VNET peering. There's also additional latency and lower bandwidth as compared to that method.

+* **[Communication via network appliance in Hub and Spoke architecture](#using-hub-and-spoke-private-networking-design)**.

+Instead of connecting spoke virtual networks directly to each other, you can use network appliances to forward traffic between spokes. Network appliances provide more network services like deep packet inspection and traffic segmentation or monitoring, but they can introduce latency and performance bottlenecks if they're not properly sized.

+* VNET injected resources can't interact with Private Link by default. If you want to use **[Private Link](../../private-link/private-link-overview.md) for private networking, see [Azure Database for PostgreSQL flexible server networking with Private Link - Preview](./concepts-networking-private-link.md)**

+> Azure Resource Manager supports the ability to **lock** resources, as a security control. Resource locks are applied to the resource, and are effective across all users and roles. There are two types of resource lock: **CanNotDelete** and **ReadOnly**. These lock types can be applied either to a Private DNS zone, or to an individual record set. **Applying a lock of either type against Private DNS Zone or individual record set may interfere with the ability of Azure Database for PostgreSQL flexible server to update DNS records** and cause issues during important operations on DNS, such as High Availability failover from primary to secondary. For these reasons, please make sure you are **not** utilizing DNS private zone or record locks when utilizing High Availability features with Azure Database for PostgreSQL flexible server.

+Regardless of the networking option that you choose, we recommend that you always use an **FQDN** as host name when connecting to your Azure Database for PostgreSQL flexible server instance. The server's IP address isn't guaranteed to remain static. Using the FQDN helps you avoid making changes to your connection string.

+> [!NOTE]

+> Azure Database for PostgreSQL - Flexible server doesn't support [custom SSL\TLS certificates](https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-CERTIFICATE-CREATION) at this time.

+- **Data in transit**: Azure Database for PostgreSQL - Flexible Server encrypts in-transit data with Secure Sockets Layer and Transport Layer Security (SSL/TLS). Encryption is enforced by default. For more detailed information on connection security with SSL\TLS see this [documentation](../flexible-server/concepts-networking-ssl-tls.md). For better security, you might choose to enable [SCRAM authentication in Azure Database for PostgreSQL - Flexible Server](how-to-connect-scram.md).

+ Although it's highly not recommended, if needed, due to legacy client incompatibility, you have an option to disable TLS\SSL for connections to Azure Database for PostgreSQL - Flexible Server by updating the `require_secure_transport` server parameter to OFF. You can also set TLS version by setting `ssl_max_protocol_version` server parameters.

+* General availability of [Migration service](../../postgresql/migrate/migration-service/concepts-migration-service-postgresql.md) in Azure Database for PostgreSQL flexible server.

+* Support for new [minor versions](./concepts-supported-versions.md) 16.1, 15.5, 14.10, 13.13, 12.17, 11.22 <sup>$</sup>

+* Support for new [minor versions](./concepts-supported-versions.md) 15.4, 14.9, 13.12, 12.16, 11.21 <sup>$</sup>

+| [**Vector quantization**](vector-search-how-to-configure-compression-storage.md#option-3-configure-scalar-quantization) | Index | Compress vector index size in memory and on disk using built-in scalar quantization. | [Create or Update Index (preview)](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2024-03-01-preview&preserve-view=true) to add a `compressions` section to a vector profile. |

+| [**Narrow data types**](vector-search-how-to-configure-compression-storage.md#option-1-assign-narrow-data-types-to-vector-fields) | Index | Assign a smaller data type on vector fields, assuming incoming data is of that data type. | [Create or Update Index (preview)](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2024-03-01-preview&preserve-view=true) to specify a vector field definition. |

+| [**stored property**](vector-search-how-to-configure-compression-storage.md#option-2-set-the-stored-property-to-remove-retrievable-storage) | Index | Boolean that reduces storage of vector indexes by *not* storing retrievable vectors. | [Create or Update Index (preview)](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2024-03-01-preview&preserve-view=true) to set `stored` on a vector field. |

+| [**Vectorizers**](vector-search-integrated-vectorization.md) | Queries | Text-to-vector conversion during query execution. | [Create or Update Index (preview)](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) to define a `vectorizer`. [Search POST (preview)](/rest/api/searchservice/documents/search-post?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for `vectorQueries`, 2023-10-01-Preview or later. |

+| [**Integrated vectorization**](vector-search-integrated-vectorization.md) | Index, skillset | Skills-driven data chunking and embedding during indexing. | [Create or Update Skillset (preview)](/rest/api/searchservice/skillsets/create-or-update?view=rest-searchservice-2023-10-01-preview&preserve-view=true) for AzureOpenAIEmbedding skill and the data chunking properties of the Text Split skill. |

+1. [Review service limits at each tier](./search-limits-quotas-capacity.md#service-limits) to determine whether lower tiers can support the number of indexes you need. Across the Basic, S1, and S2 tiers, index limits are 15, 50, and 200, respectively. The Storage Optimized tier has a limit of 10 indexes because it's designed to support a low number of very large indexes.

+On search services created before April 3, 2024: Basic can have exactly one partition and up to three replicas, for a maximum limit of three SUs. The only adjustable resource is replicas.

+On search services created after April 3, 2024 in [supported regions](search-limits-quotas-capacity.md#supported-regions-with-higher-storage-limits): Basic can have up to three partitions and three replicas. The maximum SU limit is nine to support a full complement of partitions and replicas.

+For search services on any billable tier, regardless of creation date, you need a minimum of two replicas for high availability on queries.

+ - references_regions

+[**Azure AI Search**](search-what-is-azure-search.md) is a vector and full text information retrieval solution for the enterprise, and for traditional and generative AI scenarios.

+We strongly recommend the following regions because they provide [more storage per partition](search-limits-quotas-capacity.md#service-limits), three to seven times more depending on the tier, at the same billing rate. Extra capacity applies to search services created after April 3, 2024:

+| Country | Regions providing extra capacity per partition |

+|||

+| **United States** | East USΓÇï, East US 2, ΓÇïCentral USΓÇï, North Central USΓÇï, South Central USΓÇï, West USΓÇï, West US 2ΓÇï, West US 3ΓÇï, West Central USΓÇï |

+| **United Kingdom** | UK SouthΓÇï, UK WestΓÇï ΓÇï |

+| **United Arab Emirates** | UAE NorthΓÇïΓÇï |

+| **Switzerland** | Switzerland WestΓÇï |

+| **Sweden** | Sweden CentralΓÇïΓÇï |

+| **Poland** | Poland CentralΓÇïΓÇï |

+| **Norway** | Norway EastΓÇïΓÇï |

+| **Korea** | Korea Central, Korea SouthΓÇï ΓÇï |

+| **Japan** | Japan East, Japan WestΓÇï |

+| **Italy** | Italy NorthΓÇïΓÇï |

+| **India** | Central India, Jio India WestΓÇï ΓÇï |

+| **France** | France CentralΓÇïΓÇï |

+| **Europe** | North EuropeΓÇïΓÇï |

+| **Canada** | Canada CentralΓÇï, Canada EastΓÇïΓÇï |

+| **Bazil** | Brazil SouthΓÇïΓÇï |

+| **Asia Pacific** | East Asia, Southeast AsiaΓÇï ΓÇï |

+| **Australia** | Australia EastΓÇï, Australia SoutheastΓÇïΓÇï |

+Two notable exceptions might warrant provisioning Azure services in separate regions:

+Search services created after April 3, 2024 have larger partitions and higher vector quotas.

+After a search service is provisioned, you can [scale it to meet your needs](search-limits-quotas-capacity.md). On a billable tier, you can scale the service in two dimensions: replicas and partitions. For the free service, scale up isn't available and replica and partition configuration isn't offered.

+| Integrated vector compression and quantization | Use [built-in scalar quantization](vector-search-how-to-configure-compression-storage.md) to reduce vector index size in memory and on disk. You can also forego storage of vectors you don't need, or assign narrow data types to vector fields for reduced storage requirements. |

+1. Paste in the following example to upload JSON documents to the search index.

+1. Select **Send request**. In a few seconds, you should see an HTTP 201 response in the adjacent pane.

+ If you get a 207, at least one document failed to upload. If you get a 404, you have a syntax error in either the header or body of the request. Verify that you changed the endpoint to include `/docs/index`.

+| [cross-origin resource sharing (CORS)](#corsoptions) | Yes |

+We recommend using a newer search service, created after April 3, 2024, for [higher storage per partition](search-limits-quotas-capacity.md#service-limits).

+Maximum limits on storage, workloads, and quantities of indexes and other objects depend on whether you [create Azure AI Search](search-create-service-portal.md) at **Free**, **Basic**, **Standard**, or **Storage Optimized** pricing tiers.

+|-||--|-|-|-||-|-|

+| Maximum index size&nbsp;<sup>4</sup> | N/A | N/A | N/A | 1.92 TB | 2.4 TB | 100 GB| N/A | N/A |

+<sup>1</sup> Basic services created before December 2017 have lower limits (5 instead of 15) on indexes. Basic tier is the only tier with a lower limit of 100 fields per index.

+<sup>3</sup> An upper limit exists for elements because having a large number of them significantly increases the storage required for your index. An element of a complex collection is defined as a member of that collection. For example, assume a [Hotel document with a Rooms complex collection](search-howto-complex-data-types.md#indexing-complex-types), each room in the Rooms collection is considered an element. During indexing, the indexing engine can safely process a maximum of 3,000 elements across the document as a whole. [This limit](search-api-migration.md#upgrade-to-2019-05-06) was introduced in `api-version=2019-05-06` and applies to complex collections only, and not to string collections or to complex fields.

+<sup>4</sup> On most tiers, maximum index size is all available storage on your search service. For S2, S3, and S3 HD, the maximum size of any index is the number provided in the table. Applies to search services created after April 3, 2024.

+When you index documents with vector fields, Azure AI Search constructs internal vector indexes using the algorithm parameters you provide. The size of these vector indexes is restricted by the memory reserved for vector search for your service's tier (or `SKU`).

+The table describes the vector index size quota per partition across the service tiers. For context, it includes:

+Use the [GET Service Statistics](/rest/api/searchservice/get-service-statistics) to retrieve your vector index size quota or review the **Indexes** page or **Usage** tab in the Azure portal.

+Vector limits vary by service creation date and tier. To check the age of your search service and learn more about vector indexes, see [Vector index size and staying under limits](vector-search-index-size.md).

+### Vector limits on services created after April 3, 2024 in supported regions

+The highest vector limits are available on search services created after April 3, 2024 in a [supported region](#supported-regions-with-higher-storage-limits).

+|--|--|--||

+| Basic | 15 | 5 | 1,100 million |

+| S1 | 160 | 35 | 8,200 million |

+| S2 | 350 | 100 | 23,500 million |

+| S3 | 700 | 200 | 47,000 million |

+| L1 | 1,000 | 12 | 2,800 million |

+| L2 | 2,000 | 36 | 8,400 million |

+Notice that L1 and L2 limits are unchanged in the April 3 rollout.

+### Vector limits on services created between July 1, 2023 and April 3, 2024

+The following limits applied to new services created between July 1 and April 3, 2024, except for the following regions, which have the original limits from before July 1, 2023:

+All other regions have these limits:

+|--|--|--||

+### Vector limits on services created before July 1, 2023

+| Tier | Storage quota (GB) | Vector quota per partition (GB) | Approx. floats per partition (assuming 15% overhead) |

+|--|--|--||

+| Basic | 2 | 0.5 | 115 million |

+| S1 | 25 | 1 | 235 million |

+| S2 | 100 | 6 | 1,400 million |

+| S3 | 200 | 12 | 2,800 million |

+| L1 | 1,000 | 12 | 2,800 million |

+| L2 | 2,000 | 36 | 8,400 million |

+|-||--|-|-|-||-|-|

+| Resource | Free | Basic | S1 | S2 | S3 | S3 HD | L1 | L2 |

+|-||-|-|-|-|-|-|-|

+|-||-|-|-|-|-|-|-|