-|Subscription Owner<br>Subscription Contributor|View reviews for a workload, triage recommendations linked to those reviews, manage review recommendation lifecycle.|

-|Advisor Recommendations Contributor (Assessments and Reviews)|View review recommendations, accept review recommendations, manage review recommendations' lifecycle.|

-### Failed ingestion jobs

-To troubleshoot a failed job, always look out for errors or warnings specified either in the API response or Azure OpenAI studio. Here are some of the common errors and warnings:

-# Learn how to work with the GPT-35-Turbo and GPT-4 models

-The GPT-35-Turbo and GPT-4 models are language models that are optimized for conversational interfaces. The models behave differently than the older GPT-3 models. Previous models were text-in and text-out, meaning they accepted a prompt string and returned a completion to append to the prompt. However, the GPT-35-Turbo and GPT-4 models are conversation-in and message-out. The models expect input formatted in a specific chat-like transcript format, and return a completion that represents a model-written message in the chat. While this format was designed specifically for multi-turn conversations, you'll find it can also work well for non-chat scenarios too.

-In Azure OpenAI there are two different options for interacting with these type of models:

-The Chat Completion API is a new dedicated API for interacting with the GPT-35-Turbo and GPT-4 models. This API is the preferred method for accessing these models. **It is also the only way to access the new GPT-4 models**.

-ChatML uses the same [completion API](../reference.md#completions) that you use for other models like text-davinci-002, it requires a unique token based prompt format known as Chat Markup Language (ChatML). This provides lower level access than the dedicated Chat Completion API, but also requires additional input validation, only supports gpt-35-turbo models, and **the underlying format is more likely to change over time**.

-This article walks you through getting started with the GPT-35-Turbo and GPT-4 models. It's important to use the techniques described here to get the best results. If you try to interact with the models the same way you did with the older model series, the models will often be verbose and provide less useful responses.

-See the [ingestion API reference article](/azure/ai-services/openai/reference#start-an-ingestion-job) for details on the request and response objects used by the ingestion API.

-| ```file```| file | Yes | N/A | The audio file object (not file name) to transcribe, in one of these formats: `flac`, `mp3`, `mp4`, `mpeg`, `mpga`, `m4a`, `ogg`, `wav`, or `webm`.<br/><br/>The file size limit for the Azure OpenAI Whisper model is 25 MB. If you need to transcribe a file larger than 25 MB, break it into chunks. Alternatively you can use the Azure AI Speech [batch transcription](../speech-service/batch-transcription-create.md#use-a-whisper-model) API.<br/><br/>You can get sample audio files from the [Azure AI Speech SDK repository at GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/sampledata/audiofiles). |

-|  [Azure AI Search](../../search/index.yml) | Bring AI-powered cloud search to your mobile and web apps | [Azure AI Search API](/rest/api/searchservice) |

-| </br>&bullet; [fine-tuning](/rest/api/azureopenai/fine-tuning) |

-|  [Bot Service](/composer/) | Create bots and connect them across channels | [Bot Service API](/azure/bot-service/rest-api/bot-framework-rest-connector-api-reference?view=azure-bot-service-4.0&preserve-view=true) |

-|  [Content Safety](../../ai-services/content-safety/index.yml) | An AI service that detects unwanted contents | [Content Safety API](https://westus.dev.cognitive.microsoft.com/docs/services/content-safety-service-2023-10-15-preview/operations/TextBlocklists_AddOrUpdateBlocklistItems) |

-|  [Custom Vision](../../ai-services/custom-vision-service/index.yml) | Customize image recognition for your business applications. |**Custom Vision APIs**<br>&bullet; [prediction](https://westus2.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Prediction_3.1/operations/5eb37d24548b571998fde5f3)<br>&bullet; [training](https://westus2.dev.cognitive.microsoft.com/docs/services/Custom_Vision_Training_3.3/operations/5eb0bcc6548b571998fddebd)|

-|  [Document Intelligence](../../ai-services/document-intelligence/index.yml) | Turn documents into intelligent data-driven solutions | [Document Intelligence API](/rest/api/aiservices/document-models?view=rest-aiservices-2023-07-31&preserve-view=true) |

-|  |

-|  [Language](../../ai-services/language-service/index.yml) | Build apps with industry-leading natural language understanding capabilities | [REST API](/rest/api/language/) |

-|  |

-| |

-|  [Video Indexer](/azure/azure-video-indexer) | Extract actionable insights from your videos | [Video Indexer API](/rest/api/videoindexer/accounts?view=rest-videoindexer-2024-01-01&preserve-view=true) |

-|  [Vision](../../ai-services/computer-vision/index.yml) | Analyze content in images and videos | [Vision API](https://eastus.dev.cognitive.microsoft.com/docs/services/Cognitive_Services_Unified_Vision_API_2024-02-01/operations/61d65934cd35050c20f73ab6) |

-|  [Anomaly Detector](../../ai-services/Anomaly-Detector/index.yml) <br>(deprecated 2023) | Identify potential problems early on | [Anomaly Detector API](https://westus2.dev.cognitive.microsoft.com/docs/services/AnomalyDetector-v1-1/operations/CreateMultivariateModel) |

-|  |

-|  [Language understanding (LUIS)](../../ai-services/luis/index.yml) <br>(deprecated 2023) | Understand natural language in your apps | [LUIS API](https://westus.dev.cognitive.microsoft.com/docs/services/luis-endpoint-api-v3-0/operations/5cb0a9459a1fe8fa44c28dd8) |

-|  [Metrics Advisor](../../ai-services/metrics-advisor/index.yml) <br>(deprecated 2023) | An AI service that detects unwanted contents | [Metrics Advisor API](https://westus.dev.cognitive.microsoft.com/docs/services/MetricsAdvisor/operations/createDataFeed) |

-|  [Personalizer](../../ai-services/personalizer/index.yml) <br>(deprecated 2023) | Create rich, personalized experiences for each user | [Personalizer API](https://westus2.dev.cognitive.microsoft.com/docs/services/personalizer-api/operations/Rank) |

-|  [QnA maker](../../ai-services/qnamaker/index.yml) <br>(deprecated 2022) | Distill information into easy-to-navigate questions and answers | [QnA Maker API](https://westus.dev.cognitive.microsoft.com/docs/services/5a93fcf85b4ccd136866eb37/operations/5ac266295b4ccd1554da75ff) |

-Whisper models by batch transcription are supported in the East US, Southeast Asia, and West Europe regions.

-python --version # ensure you've >=3.8

-## Create an index

-1. Choose your **Source data**. You can choose source data from a list of your recent data sources, a storage URL on the cloud or even upload files and folders from the local machine. You can also add a connection to another data source such as Azure Blob Storage.

- 1. The search type defaults to **Hybrid + Semantic**, which is a combination of keyword search, vector search and semantic search to give the best possible search results.

- 1. For the hybrid option to work, you need an embedding model. Choose the Azure OpenAI resource, which has the embedding model

-

-1. Use the prefilled name or type your own name for New Vector index name

-

- > [!NOTE]

- > If you see a **DeploymentNotFound** error, you need to assign more permissions. See [mitigate DeploymentNotFound error](#mitigate-deploymentnotfound-error) for more details.

-### Mitigate DeploymentNotFound error

-When you try to create a vector index, you might see the following error at the **Review + Finish** step:

-**Failed to create vector index. DeploymentNotFound: A valid deployment for the model=text-embedding-ada-002 was not found in the workspace connection=Default_AzureOpenAI provided.**

-This can happen if you are trying to create an index using an **Owner**, **Contributor**, or **Azure AI Developer** role at the project level. To mitigate this error, you might need to assign more permissions using either of the following methods.

-> [!NOTE]

-> You need to be assigned the **Owner** role of the resource group or higher scope (like Subscription) to perform the operation in the next steps. This is because only the Owner role can assign roles to others. See details [here](/azure/role-based-access-control/built-in-roles).

-#### Method 1: Assign more permissions to the user on the Azure AI hub resource

-If the Azure AI hub resource the project uses was created through Azure AI Studio:

-1. Sign in to [Azure AI Studio](https://aka.ms/azureaistudio) and select your project via **Build** > **Projects**.

-1. Select **AI project settings** from the collapsible left menu.

-1. From the **Resource Configuration** section, select the link for your resource group name that takes you to the Azure portal.

-1. In the Azure portal under **Overview** > **Resources** select the Azure AI service type. It's named similar to "YourAzureAIResourceName-aiservices."

- :::image type="content" source="../media/roles-access/resource-group-azure-ai-service.png" alt-text="Screenshot of Azure AI service in a resource group." lightbox="../media/roles-access/resource-group-azure-ai-service.png":::

-1. Select **Access control (IAM)** > **+ Add** to add a role assignment.

-1. Add the **Cognitive Services OpenAI User** role to the user who wants to make an index. `Cognitive Services OpenAI Contributor` and `Cognitive Services Contributor` also work, but they assign more permissions than needed for creating an index in Azure AI Studio.

-> [!NOTE]

-> You can also opt to assign more permissions [on the resource group](#method-2-assign-more-permissions-on-the-resource-group). However, that method assigns more permissions than needed to mitigate the **DeploymentNotFound** error.

-#### Method 2: Assign more permissions on the resource group

-If the Azure AI hub resource the project uses was created through Azure portal:

-1. Sign in to [Azure AI Studio](https://aka.ms/azureaistudio) and select your project via **Build** > **Projects**.

-1. Select **AI project settings** from the collapsible left menu.

-1. From the **Resource Configuration** section, select the link for your resource group name that takes you to the Azure portal.

-1. Select **Access control (IAM)** > **+ Add** to add a role assignment.

-1. Add the **Cognitive Services OpenAI User** role to the user who wants to make an index. `Cognitive Services OpenAI Contributor` and `Cognitive Services Contributor` also work, but they assign more permissions than needed for creating an index in Azure AI Studio.

- :::image type="content" source="../media/index-retrieve/configure-index-lookup-tool.png" alt-text="Screenshot of Configure Index Lookup." lightbox="../media/index-retrieve/configure-index-lookup-tool.png":::

-description: This article introduces the LLM tool for flows in Azure AI Studio.

-The prompt flow *LLM* tool enables you to use large language models (LLM) for natural language processing.

-Prepare a prompt as described in the [prompt tool](prompt-tool.md#prerequisites) documentation. The LLM tool and Prompt tool both support [Jinja](https://jinja.palletsprojects.com/en/3.1.x/) templates. For more information and best practices, see [prompt engineering techniques](../../../ai-services/openai/concepts/advanced-prompt-engineering.md).

- :::image type="content" source="../../media/prompt-flow/llm-tool.png" alt-text="Screenshot of the LLM tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/llm-tool.png":::

-1. From the **Api** drop-down list, select *chat* or *completion*.

-1. Enter values for the LLM tool input parameters described [here](#inputs). If you selected the *chat* API, see [chat inputs](#chat-inputs). If you selected the *completion* API, see [text completion inputs](#text-completion-inputs). For information about how to prepare the prompt input, see [prerequisites](#prerequisites).

-1. Add more tools to your flow as needed, or select **Run** to run the flow.

-1. The outputs are described [here](#outputs).

-The following are available input parameters:

-| prompt | string | text prompt for the language model | Yes |

-| model, deployment_name | string | the language model to use | Yes |

-| max\_tokens | integer | the maximum number of tokens to generate in the completion. Default is 16. | No |

-| temperature | float | the randomness of the generated text. Default is 1. | No |

-| stop | list | the stopping sequence for the generated text. Default is null. | No |

-| suffix | string | text appended to the end of the completion | No |

-| top_p | float | the probability of using the top choice from the generated tokens. Default is 1. | No |

-| logprobs | integer | the number of log probabilities to generate. Default is null. | No |

-| echo | boolean | value that indicates whether to echo back the prompt in the response. Default is false. | No |

-| presence\_penalty | float | value that controls the model's behavior regarding repeating phrases. Default is 0. | No |

-| frequency\_penalty | float | value that controls the model's behavior regarding generating rare phrases. Default is 0. | No |

-| best\_of | integer | the number of best completions to generate. Default is 1. | No |

-| logit\_bias | dictionary | the logit bias for the language model. Default is empty dictionary. | No |

-| prompt | string | text prompt that the language model should reply to | Yes |

-| model, deployment_name | string | the language model to use | Yes |

-| max\_tokens | integer | the maximum number of tokens to generate in the response. Default is inf. | No |

-| temperature | float | the randomness of the generated text. Default is 1. | No |

-| stop | list | the stopping sequence for the generated text. Default is null. | No |

-| top_p | float | the probability of using the top choice from the generated tokens. Default is 1. | No |

-| presence\_penalty | float | value that controls the model's behavior regarding repeating phrases. Default is 0. | No |

-| frequency\_penalty | float | value that controls the model's behavior regarding generating rare phrases. Default is 0. | No |

-| logit\_bias | dictionary | the logit bias for the language model. Default is empty dictionary. | No |

-| API | Return Type | Description |

-| Completion | string | The text of one predicted completion |

-| Chat | string | The text of one response of conversation |

-The following table provides an index of tools in prompt flow.

-| Tool (set) name | Description | Environment | Package name |

-| [LLM](./llm-tool.md) | Use Azure OpenAI large language models (LLM) for tasks such as text completion or chat. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

-| [Index Lookup*](./index-lookup-tool.md) | Search an Azure Machine Learning Vector Index for relevant results using one or more text queries. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Azure AI Language tools*](https://microsoft.github.io/promptflow/integrations/tools/azure-ai-language-tool.html) | This collection of tools is a wrapper for various Azure AI Language APIs, which can help effectively understand and analyze documents and conversations. The capabilities currently supported include: Abstractive Summarization, Extractive Summarization, Conversation Summarization, Entity Recognition, Key Phrase Extraction, Language Detection, PII Entity Recognition, Conversational PII, Sentiment Analysis, Conversational Language Understanding, Translator. You can learn how to use them by the [Sample flows](https://github.com/microsoft/promptflow/tree/e4542f6ff5d223d9800a3687a7cfd62531a9607c/examples/flows/integrations/azure-ai-language). Support contact: taincidents@microsoft.com | Custom | [promptflow-azure-ai-language](https://pypi.org/project/promptflow-azure-ai-language/) |

-_*The asterisk marks indicate custom tools, which are created by the community that extend prompt flow's capabilities for specific use cases. They aren't officially maintained or endorsed by prompt flow team. When you encounter questions or issues for these tools, please prioritize using the support contact if it is provided in the description._

-description: This article introduces the Prompt tool for flows in Azure AI Studio.

-The prompt flow *Prompt* tool offers a collection of textual templates that serve as a starting point for creating prompts. These templates, based on the [Jinja](https://jinja.palletsprojects.com/en/3.1.x/) template engine, facilitate the definition of prompts. The tool proves useful when prompt tuning is required prior to feeding the prompts into the large language model (LLM) in prompt flow.

-Prepare a prompt. The [LLM tool](llm-tool.md) and Prompt tool both support [Jinja](https://jinja.palletsprojects.com/en/3.1.x/) templates.

-In this example, the prompt incorporates Jinja templating syntax to dynamically generate the welcome message and personalize it based on the user's name. It also presents a menu of options for the user to choose from. Depending on whether the user_name variable is provided, it either addresses the user by name or uses a generic greeting.

-For more information and best practices, see [prompt engineering techniques](../../../ai-services/openai/concepts/advanced-prompt-engineering.md).

- :::image type="content" source="../../media/prompt-flow/prompt-tool.png" alt-text="Screenshot of the Prompt tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/prompt-tool.png":::

-1. Enter values for the Prompt tool input parameters described [here](#inputs). For information about how to prepare the prompt input, see [prerequisites](#prerequisites).

-1. Add more tools (such as the [LLM tool](llm-tool.md)) to your flow as needed, or select **Run** to run the flow.

-1. The outputs are described [here](#outputs).

-The following are available input parameters:

-| prompt | string | The prompt template in Jinja | Yes |

-| Inputs | - | List of variables of prompt template and its assignments | - |

-Inputs

-| Variable | Type | Sample Value |

-Outputs

-Inputs

-| Variable | Type | Sample Value |

-Outputs

-description: This article introduces the Python tool for flows in Azure AI Studio.

-The prompt flow *Python* tool offers customized code snippets as self-contained executable nodes. You can quickly create Python tools, edit code, and verify results.

- :::image type="content" source="../../media/prompt-flow/python-tool.png" alt-text="Screenshot of the Python tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/python-tool.png":::

-1. Enter values for the Python tool input parameters described [here](#inputs). For example, in the **Code** input text box you can enter the following Python code:

-1. Add more tools to your flow as needed, or select **Run** to run the flow.

-1. The outputs are described [here](#outputs). Given the previous example Python code input, if the input message is "world", the output is `hello world`.

-The list of inputs will change based on the arguments of the tool function, after you save the code. Adding type to arguments and return values help the tool show the types properly.

-| Code | string | Python code snippet | Yes |

-| Inputs | - | List of tool function parameters and its assignments | - |

-The output is the `return` value of the python tool function. For example, consider the following python tool function:

-If the input message is "world", the output is `hello world`.

-| Connection | param: CustomConnection | Connection type will be handled specially |

-Parameters with `Connection` type annotation will be treated as connection inputs, which means:

-> [!Note]

-> `Union[...]` type annotation is only supported for connection type, for example, `param: Union[CustomConnection, OpenAIConnection]`.

-## Consume custom connection in the Python tool

-If you're developing a python tool that requires calling external services with authentication, you can use the custom connection in prompt flow. It allows you to securely store the access key and then retrieve it in your python code.

-Create a custom connection that stores all your LLM API KEY or other required credentials.

-1. Go to **AI project settings**, then select **New Connection**.

-1. Select **Custom** service. You can define your connection name, and you can add multiple *Key-value pairs* to store your credentials and keys by selecting **Add key-value pairs**.

- > Make sure at least one key-value pair is set as secret, otherwise the connection will not be created successfully. You can set one Key-Value pair as secret by **is secret** checked, which will be encrypted and stored in your key value.

- :::image type="content" source="../../media/prompt-flow/create-connection.png" alt-text="Screenshot that shows create connection in AI Studio." lightbox = "../../media/prompt-flow/create-connection.png":::

- :::image type="content" source="../../media/prompt-flow/custom-connection-keys.png" alt-text="Screenshot that shows add extra meta to custom connection in AI Studio." lightbox = "../../media/prompt-flow/custom-connection-keys.png":::

-

-### Consume custom connection in Python

-To consume a custom connection in your python code, follow these steps:

-1. In the code section in your python node, import custom connection library `from promptflow.connections import CustomConnection`, and define an input parameter of type `CustomConnection` in the tool function.

-1. Parse the input to the input section, then select your target custom connection in the value dropdown.

- > Evaluation with AI-assisted metrics needs to call another GPT model to do the calculation. For best performance, use a GPT-4 or gpt-35-turbo-16k model. If you didn't previously deploy a GPT-4 or gpt-35-turbo-16k model, you can deploy another model by following the steps in [Deploy a chat model](#deploy-a-chat-model). Then return to this step and select the model you deployed.

- > The evaluation process may take up lots of tokens, so it's recommended to use a model which can support >=16k tokens.

-|DiskIOPSReadWrite | [UltraSSD disk][ultra-ssd-disks] IOPS Capability (minimum: 2 IOPS/GiB) | 100~160000 | No | `500`|

-|DiskMBpsReadWrite | [UltraSSD disk][ultra-ssd-disks] Throughput Capability(minimum: 0.032/GiB) | 1~2000 | No | `100`|

- > The **Containers** category includes both Kubernetes applications and standalone container images. This walkthrough is specific to Kubernetes applications. If you find that the steps to deploy an offer differ in some way, you're most likely trying to deploy a container image-based offer instead of a Kubernetes application-based offer.

-This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operator, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual).

-* You can use Azure Cloud Shell or a local terminal.

-* This article requires at least version 2.31.0 of Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

-* If running the commands in this guide locally (instead of Azure Cloud Shell):

- * Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, Azure Linux, macOS, Windows Subsystem for Linux).

- * Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)).

- * Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.

- * Install [Docker](https://docs.docker.com/get-docker/) for your OS.

-* Make sure you're assigned either the `Owner` role or the `Contributor` and `User Access Administrator` roles in the subscription. You can verify it by following steps in [List role assignments for a user or group](../role-based-access-control/role-assignments-list-portal.md#list-role-assignments-for-a-user-or-group).

-1. Visit the [Azure portal](https://portal.azure.com/). In the search box at the top of the page, type *IBM WebSphere Liberty and Open Liberty on Azure Kubernetes Service*. When the suggestions start appearing, select the one and only match that appears in the **Marketplace** section. If you prefer, you can go directly to the offer with this shortcut link: [https://aka.ms/liberty-aks](https://aka.ms/liberty-aks).

- Create environment variables in your shell for the resource group names for the cluster and the database.

-

- ### [Bash](#tab/in-bash)

-

- ```bash

- export RESOURCE_GROUP_NAME=<your-resource-group-name>

- export DB_RESOURCE_GROUP_NAME=<your-resource-group-name>

- ```

-

- ### [PowerShell](#tab/in-powershell)

-

- ```powershell

- $Env:RESOURCE_GROUP_NAME="<your-resource-group-name>"

- $Env:DB_RESOURCE_GROUP_NAME="<your-resource-group-name>"

- ```

-

-

-1. Select **Next**, enter the **AKS** pane. This pane allows you to select an existing AKS cluster and Azure Container Registry (ACR), instead of causing the deployment to create a new one, if desired. This capability enables you to use the sidecar pattern, as shown in the [Azure architecture center](/azure/architecture/patterns/sidecar). You can also adjust the settings for the size and number of the virtual machines in the AKS node pool. The remaining values do not need to be changed from their default values.

- 1. You can customize the **virtual network** and **subnet** into which the deployment will place the resources. The remaining values do not need to be changed from their default values.

-If you navigated away from the **Deployment is in progress** page, the following steps will show you how to get back to that page. If you're still on the page that shows **Your deployment is complete**, you can skip to the third step.

-1. Select the bottom-most deployment in the list. The **Deployment name** will match the publisher ID of the offer. It will contain the string `ibm`.

- Paste the value of `appDeploymentTemplateYaml` or `appDeploymentYaml` into a Bash shell, append `| grep secretName`, and execute. This command will output the Ingress TLS secret name, such as `- secretName: secret785e2c`. Save aside the value for `secretName` from the output.

- Paste the quoted string in `appDeploymentTemplateYaml` or `appDeploymentYaml` into a PowerShell, append `| ForEach-Object { [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_)) } | Select-String "secretName"`, and execute. This command will output the Ingress TLS secret name, such as `- secretName: secret785e2c`. Save aside the value for `secretName` from the output.

-These values will be used later in this article. Note that several other useful commands are listed in the outputs.

-> [!NOTE]

-> You may notice a similar output named **appDeploymentYaml**. The difference between output *appDeploymentTemplateYaml* and *appDeploymentYaml* is:

-> * *appDeploymentTemplateYaml* is populated if and only if the deployment **does not include** an application.

-> * *appDeploymentYaml* is populated if and only if the deployment **does include** an application.

-Now that the database and AKS cluster have been created, we can proceed to preparing AKS to host your Open Liberty application.

-There are a few samples in the repository. We'll use *java-app/*. Here's the file structure of the application.

-If you see a message about being in "detached HEAD" state, this message is safe to ignore. It just means you have checked out a tag.

-Now that you've gathered the necessary properties, you can build the application. The POM file for the project reads many variables from the environment. As part of the Maven build, these variables are used to populate values in the YAML files located in *src/main/aks*. You can do something similar for your application outside Maven if you prefer.

-# The following variables will be used for deployment file generation into target.

-# The following variables will be used for deployment file generation into target.

-$Env:LOGIN_SERVER=<Azure-Container-Registry-Login-Server-URL>

-$Env:REGISTRY_NAME=<Azure-Container-Registry-name>

-$Env:USER_NAME=<Azure-Container-Registry-username>

-$Env:PASSWORD=<Azure-Container-Registry-password>

-$Env:DB_SERVER_NAME=<server-name>.database.windows.net

-$Env:DB_NAME=<database-name>

-$Env:DB_USER=<server-admin-login>@<server-name>

-$Env:DB_PASSWORD=<server-admin-password>

-$Env:INGRESS_TLS_SECRET=<ingress-TLS-secret-name>

-1. Start the application using `liberty:run`. `liberty:run` will also use the environment variables defined in the previous step.

- Paste the value of **cmdToConnectToCluster** into a Bash shell and execute.

- You'll see the output `secret/db-secret-sql created`.

- 1. Go to `https://<ADDRESS>` to test the application. For your convenience, this shell command will create an environment variable whose value you can paste straight into the browser.

-Quarkus dev mode enables live reload with background compilation. If you modify any aspect of your app source code and refresh your browser, you can see the changes. If there are any issues with compilation or deployment, an error page lets you know. Quarkus dev mode listens for a debugger on port 5005. If you want to wait for the debugger to attach before running, pass `-Dsuspend` on the command line. If you donΓÇÖt want the debugger at all, you can use `-Ddebug=false`.

-1. If you have successfully created the image, then it should now be in your local machineΓÇÖs Docker repository. You can verify the image creation by using the following command:

-| 1.25 | Aug 2022 | Oct 2022 | Dec 2022 | Jan 14, 2024 | Until 1.29 GA |

-| 1.25 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.5.3<br>Image Cleaner v1.1.1<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>| Ubuntu 22.04 by default with cgroupv2 and Overlay VPA 0.13.0 |CgroupsV2 - If you deploy Java applications with the JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which fully support cgroup v2

-Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, Kubernetes v1.25 is considered platform support when v1.28 is the latest GA version. However, during the v1.29 GA release, v1.25 will then auto-upgrade to v1.26. If you are a running an n-2 version, the moment it becomes n-3 it also becomes deprecated, and you enter into the platform support policy.

-| client-application-ids | Contains a list of acceptable client application IDs. If multiple `application-id` elements are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. If a client application ID isn't provided, one or more `audience` claims should be specified. Policy expressions aren't allowed. | No |

-This guide provides key concepts and instructions for containerization of Windows apps in App Service. If you've never used Azure App Service, follow the [custom container quickstart](quickstart-custom-container.md) and [tutorial](tutorial-custom-container.md) first.

-This guide provides key concepts and instructions for containerization of Linux apps in App Service. If you've never used Azure App Service, follow the [custom container quickstart](quickstart-custom-container.md) and [tutorial](tutorial-custom-container.md) first. There's also a [multi-container app quickstart](quickstart-multi-container.md) and [tutorial](tutorial-multi-container-app.md). For sidecar containers (preview), see [Tutorial: Configure a sidecar container for custom container in Azure App Service (preview)](tutorial-custom-container-sidecar.md).

-Use the following steps to configure your web app to pull from ACR using managed identity. The steps use system-assigned managed identity, but you can use user-assigned managed identity as well.

- Replace `<app-name>` with the name you used in the previous step. The output of the command (filtered by the `--query` and `--output` arguments) is the service principal ID of the assigned identity, which you use shortly.

-1. (Optional) If your app uses a [user-assigned managed identity](overview-managed-identity.md#add-a-user-assigned-identity), make sure this is configured on the web app and then set the `acrUserManagedIdentityID` property to specify its client ID:

-To connect and pull from a registry inside a virtual network or on-premises, your app must integrate with a virtual network. This is also needed for Azure Container Registry with private endpoint. When your network and DNS resolution is configured, you enable the routing of the image pull through the virtual network by configuring the `vnetImagePullEnabled` site setting:

-Navigate to `https://<app-name>.scm.azurewebsites.net/DebugConsole` and select the **LogFiles** folder to see the individual log files. To download the entire **LogFiles** directory, select the **Download** icon to the left of the directory name. You can also access this folder using an FTP client.

-By default all Windows Containers deployed in Azure App Service have a memory limit configured. The following table lists the default settings per App Service Plan SKU.

-The value is defined in MB and must be less and equal to the total physical memory of the host. For example, in an App Service plan with 8GB RAM, the cumulative total of `WEBSITE_MEMORY_LIMIT_MB` for all the apps must not exceed 8 GB. Information on how much memory is available for each pricing tier can be found in [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/), in the **Premium v3 service plan** section.

-App Service considers a container to be successfully started when the container starts and responds to an HTTP ping. The health ping request contains the header `User-Agent= "App Service Hyper-V Container Availability Check"`. If the container starts but doesn't respond to a ping after a certain amount of time, App Service logs an event in the Docker log, saying that the container didn't start.

-Further troubleshooting information is available at the Azure App Service OSS blog: [Enabling SSH on Linux Web App for Containers](https://azureossd.github.io/2022/04/27/2022-Enabling-SSH-on-Linux-Web-App-for-Containers/https://docsupdatetracker.net/index.html#troubleshooting)

- - ${WEBAPP_STORAGE_HOME}/site/wwwroot:/var/www/html

- - ${WEBAPP_STORAGE_HOME}/phpmyadmin:/var/www/phpmyadmin

- - ${WEBAPP_STORAGE_HOME}/LogFiles:/var/log

-You have two App Service Environments at this stage in the migration process. Your apps are running in both environments. You need to update any dependent resources to use the new IP inbound address for your new App Service Environment v3. For internal facing (ILB) App Service Environments, you need to update your private DNS zones to point to the new inbound IP address. You should account for both the old and new inbound IP at this point. You can remove the dependencies on the previous IP address after you complete the next step.

-## 11. Redirect customer traffic and complete migration

-This step is your opportunity to test and validate your new App Service Environment v3. Your App Service Environment v2 front ends are still running, but the backing compute is an App Service Environment v3. If you're able to access your apps without issues, that means you're ready to complete the migration.

-Once you confirm your apps are working as expected, you can redirect customer traffic to your new App Service Environment v3 front ends by running the following command. This command also deletes your old environment.

-If you find any issues or decide at this point that you no longer want to proceed with the migration, contact support to revert the migration. Don't run the above command if you need to revert the migration. For more information, see [Revert migration](side-by-side-migrate.md#redirect-customer-traffic-and-complete-migration).

-You receive the new inbound IP address once migration is complete but before you make the [DNS change to redirect customer traffic to your new App Service Environment v3](#redirect-customer-traffic-and-complete-migration). You don't get the inbound IP at this point in the process because there are dependencies on App Service Environment v3 resources that get created during the migration step. You have a chance to update any resources that are dependent on the new inbound IP before you redirect traffic to your new App Service Environment v3.

-The new inbound IP address is given so that you can set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md) and update any of your private DNS zones. Don't move on to the next step until you account for these changes. There's downtime if you don't update dependent resources with the new inbound IP. **It's your responsibility to update any and all resources that are impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**

-### Redirect customer traffic and complete migration

-The final step is to redirect traffic to your new App Service Environment v3 and complete the migration. The platform does this change for you, but only when you initiate it. Before you do this step, you should review your new App Service Environment v3 and perform any needed testing to validate that it's functioning as intended. Your App Service Environment v2 front ends are still running, but the backing compute is an App Service Environment v3. If you're able to access your apps without issues, that means you're ready to complete the migration.

-|**3**|**Testing and troubleshooting**|Upgrading using one of the automated migration features requires a 3-6 hour service window. If you use the side-by-side migration feature, you have the opportunity to [test and validate your App Service Environment v3](side-by-side-migrate.md#redirect-customer-traffic-and-complete-migration) before completing the upgrade. Support teams are monitoring upgrades to ensure success. If you have a support plan and you need technical help, create a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).|

-| **Python** | linuxFxVersion="PYTHON&#124;3.7" |

-description: Enable Azure RBAC to authorize access to your Azure App Configuration instance

-Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Microsoft Entra ID to authorize requests to App Configuration instances. Microsoft Entra ID allows you to use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. A security principal may be a user, a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md). To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md).

-1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Microsoft Entra tenant ID to which the service principal belongs.

-The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Azure App Configuration, see [Authenticate access to Azure App Configuration resources with Microsoft Entra ID and managed identities for Azure Resources](howto-integrate-azure-managed-service-identity.md).

-description: Learn how to disable access key authentication for an Azure App Configuration instance

-Disabling access key authentication will delete all access keys. If any running applications are using access keys for authentication they will begin to fail once access key authentication is disabled. Enabling access key authentication again will generate a new set of access keys and any applications attempting to use the old access keys will still fail.

-> Additionally, it is recommended to read the [limitations](#limitations) section below to verify the limitations won't affect the intended usage of the resource.

-2. Locate the **Access keys** setting under **Settings**.

- :::image type="content" border="true" source="./media/access-keys-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::

-To verify that access key authentication is no longer permitted, a request can be made to list the access keys for the Azure App Configuration resource. If access key authentication is disabled there will be no access keys and the list operation will return an empty list.

-2. Locate the **Access keys** setting under **Settings**.

- :::image type="content" border="true" source="./media/access-keys-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::

-If access key authentication is disabled then an empty list will be returned.

-Be careful to restrict assignment of these roles only to those who require the ability to create an App Configuration resource or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md).

-## Limitations

-The capability to disable access key authentication has the following limitation:

-### ARM template access

-When access key authentication is disabled, the capability to read/write key-values in an [ARM template](./quickstart-resource-manager.md) will be disabled as well. This is because access to the Microsoft.AppConfiguration/configurationStores/keyValues resource used in ARM templates requires an Azure Resource Manager role, such as contributor or owner. When access key authentication is disabled, access to the resource requires one of the Azure App Configuration [data plane roles](concept-enable-rbac.md), therefore ARM template access is rejected.

-This quickstart describes how to :

-Accessing key-value data inside an ARM template requires an Azure Resource Manager role, such as contributor or owner. Access via one of the Azure App Configuration [data plane roles](concept-enable-rbac.md) currently is not supported.

-> [!NOTE]

-> Key-value data access inside an ARM template is disabled if access key authentication is disabled. For more information, see [disable access key authentication](./howto-disable-access-key-authentication.md#limitations).

-For issues encountered with Arc resource bridge, collect logs for further investigation using the Azure CLI [`az arcappliance logs`](/cli/azure/arcappliance/logs) command. This command needs to be run from the same management machine that was used to run commands to deploy the Arc resource bridge. If you are using a different machine to collect logs, you need to run the `az arcappliance get-credentials` command first before collecting logs.

-If you are unsure of your appliance VM IP, there is also the option to use the kubeconfig. You can retrieve the kubeconfig by running the [get-credentials command](/cli/azure/arcappliance) then run the logs command.

-If the resource bridge is offline, this is typically due to a networking change in the infrastructure, environment or cluster that stops the appliance VM from being able to communicate with its counterpart Azure resource. If you are unable to determine what changed, you can reboot the appliance VM, collect logs and submit a support ticket for further investigation.

-### Private Link is unsupported

-While trying to deploy Arc Resource Bridge, a "KVA timeout error" might appear. The "KVA timeout error" is a generic error that can be the result of a variety of network misconfigurations that involve the management machine, Appliance VM, or Control Plane IP not having communication with each other, to the internet, or required URLs. This communication failure is often due to issues with DNS resolution, proxy settings, network configuration, or internet access.

-For clarity, "management machine" refers to the machine where deployment CLI commands are being run. "Appliance VM" is the VM that hosts Arc resource bridge. "Control Plane IP" is the IP of the control plane for the Kubernetes management cluster in the Appliance VM.

-1. The management machine must be able to communicate with the Appliance VM IP and Control Plane IP. Ping the Control Plane IP and Appliance VM IP from the management machine and verify there is a response from both IPs.

-### `az arcappliance prepare` failure

-The `arcappliance` extension for Azure CLI enables a [prepare](/cli/azure/arcappliance/prepare) command, which enables you to download an OVA template to your vSphere environment. This OVA file is used to deploy the Azure Arc resource bridge. The `az arcappliance prepare` command uses the vSphere SDK and can result in the following error:

-```azurecli

-$ az arcappliance prepare vmware --config-file <path to config>

-Error: Error in reading OVA file: failed to parse ovf: strconv.ParseInt: parsing "3670409216":

-value out of range.

-```

-This error occurs when you run the Azure CLI commands in a 32-bit context, which is the default behavior. The vSphere SDK only supports running in a 64-bit context. The specific error returned from the vSphere SDK is `Unable to import ova of size 6GB using govc`. To resolve the error, install and use Azure CLI 64-bit.

-When you deploy the resource bridge on VMware vCenter, if you have been using the same template to deploy and delete the appliance multiple times, you might encounter the following error:

-`Appliance cluster deployment failed with error:

-Error: An error occurred during host configuration`

-To resolve this issue, delete the existing template manually. Then run [`az arcappliance prepare`](/cli/azure/arcappliance/prepare) to download a new template for deployment.

-When deploying the resource bridge on VMware vCenter, you specify the folder in which the template and VM will be created. The folder must be VM and template folder type. Other types of folder, such as storage folders, network folders, or host and cluster folders, can't be used by the resource bridge deployment.

-## Next steps

- |**Select an Azure Database Server**| Choose **Core (SQL)** to create a document database that you can query by using a SQL syntax. [Learn more about the Azure Cosmos DB](../cosmos-db/introduction.md). |

-[create an IoT hub]: ../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp#create-an-iot-hub

-[Send telemetry from a device]: ../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp

-| [Render] | Yes, except for Terra maps (`MapTile.GetTerraTile` and `layer=terra`) which are nonbillable.|<ul><li>15 tiles = 1 transaction</li><li>One request for Get Copyright = 1 transaction</li><li>One request for Get Map Attribution = 1 transaction</li><li>One request for Get Static Map = 1 transaction</li><li>One request for Get Map Tileset = 1 transaction</li></ul> <br> For Creator related usage, see the [Creator table]. |<ul><li>Maps Base Map Tiles (Gen2 pricing)</li><li>Maps Imagery Tiles (Gen2 pricing)</li><li>Maps Static Map Images (Gen2 pricing)</li><li>Maps Weather Tiles (Gen2 pricing)</li><li>Standard Hybrid Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard S1 Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Hybrid Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Rendering Transactions (Gen1 S1 pricing)</li><li>Standard S1 Tile Transactions (Gen1 S1 pricing)</li><li>Standard S1 Weather Tile Transactions (Gen1 S1 pricing)</li><li>Standard Tile Transactions (Gen1 S0 pricing)</li><li>Standard Weather Tile Transactions (Gen1 S0 pricing)</li><li>Maps Copyright (Gen2 pricing, Gen1 S0 pricing and Gen1 S1 pricing)</li></ul>|

-description: Learn how the automatic migration process works.

-# Understand the automatic migration process for your classic alert rules

-As [previously announced](monitoring-classic-retirement.md), classic alerts in Azure Monitor are retired for public cloud users, though still in limited use until **31 May 2021**. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **29 February 2024**.

-A migration tool is available in the Azure portal for customers to trigger migration themselves. This article explains the automatic migration process in public cloud, that will start after 31 May 2021. It also details issues and solutions you might run into.

-## Important things to note

-The migration process converts classic alert rules to new, equivalent alert rules, and creates action groups. In preparation, be aware of the following points:

-## What will happen during the automatic migration process in public cloud?

- > [!NOTE]

- > If you don't want to wait for the automatic migration process to start, you can still trigger the migration voluntarily using the migration tool.

-## What if the automatic migration fails?

-When the automatic migration process fails, subscription owners will receive an email notifying them of the issue. You can use the migration tool in Azure Monitor to see the full details of the issue. See the [troubleshooting guide](alerts-understand-migration.md#common-problems-and-remedies) for help with problems you might face during migration.

- > [!NOTE]

- > In case an action is needed from customers, like temporarily disabling a resource lock or changing a policy assignment, customers will need to resolve any such issues. If the issues are not resolved by then, successful migration of your classic alerts cannot be guaranteed.

-## Next steps

-description: Learn how to use Azure portal or PowerShell to create, view and manage classic metric alert rules.

-# Create, view, and manage classic metric alerts using Azure Monitor

-> [!WARNING]

-> This article describes how to create older classic metric alerts. Azure Monitor now supports [newer near-real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **29 February 2024**.

->

-Classic metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a threshold. Classic metric alerts is an older functionality that allows for alerting only on non-dimensional metrics. There's an existing newer functionality called Metric alerts, which has improved functionality over classic metric alerts. You can learn more about the new metric alerts functionality in [metric alerts overview](./alerts-metric-overview.md). In this article, we'll describe how to create, view and manage classic metric alert rules through Azure portal and PowerShell.

-## With Azure portal

-1. In the [portal](https://portal.azure.com/), locate the resource that you want to monitor, and then select it.

-2. In the **MONITORING** section, select **Alerts (Classic)**. The text and icon might vary slightly for different resources. If you don't find **Alerts (Classic)** here, you might find it in **Alerts** or **Alert Rules**.

- :::image type="content" source="media/alerts-classic-portal/AlertRulesButton.png" lightbox="media/alerts-classic-portal/AlertRulesButton.png" alt-text="Monitoring":::

-3. Select the **Add metric alert (classic)** command, and then fill in the fields.

- :::image type="content" source="media/alerts-classic-portal/AddAlertOnlyParamsPage.png" lightbox="media/alerts-classic-portal/AddAlertOnlyParamsPage.png" alt-text="Add Alert":::

-4. **Name** your alert rule. Then choose a **Description**, which also appears in notification emails.

-5. Select the **Metric** that you want to monitor. Then choose a **Condition** and **Threshold** value for the metric. Also choose the **Period** of time that the metric rule must be satisfied before the alert triggers. For example, if you use the period "Over the last 5 minutes" and your alert looks for a CPU above 80%, the alert triggers when the CPU has been consistently above 80% for 5 minutes. After the first trigger occurs, it triggers again when the CPU stays below 80% for 5 minutes. The CPU metric measurement happens every minute.

-6. Select **Email owners...** if you want administrators and co-administrators to receive email notifications when the alert fires.

-7. If you want to send notifications to additional email addresses when the alert fires, add them in the **Additional Administrator email(s)** field. Separate multiple emails with semicolons, in the following format: *email\@contoso.com;email2\@contoso.com*

-8. Put in a valid URI in the **Webhook** field if you want it to be called when the alert fires.

-9. If you use Azure Automation, you can select a runbook to be run when the alert fires.

-10. Select **OK** to create the alert.

-Within a few minutes, the alert is active and triggers as previously described.

-After you create an alert, you can select it and do one of the following tasks:

-* View a graph that shows the metric threshold and the actual values from the previous day.

-* Edit or delete it.

-* **Disable** or **Enable** it if you want to temporarily stop or resume receiving notifications for that alert.

-## With PowerShell

-This section shows how to use PowerShell commands create, view and manage classic metric alerts.The examples in the article illustrate how you can use Azure Monitor cmdlets for classic metric alerts.

-1. If you haven't already, set up PowerShell to run on your computer. For more information, see [How to Install and Configure PowerShell](/powershell/azure/). You can also review the entire list of Azure Monitor PowerShell cmdlets at [Azure Monitor (Insights) Cmdlets](/powershell/module/az.applicationinsights).

-2. First, log in to your Azure subscription.

- ```powershell

- Connect-AzAccount

- ```

-3. You'll see a sign in screen. Once you sign in your Account, TenantID, and default Subscription ID are displayed. All the Azure cmdlets work in the context of your default subscription. To view the list of subscriptions you have access to, use the following command:

- ```powershell

- Get-AzSubscription

- ```

-4. To change your working context to a different subscription, use the following command:

- ```powershell

- Set-AzContext -SubscriptionId <subscriptionid>

- ```

-5. You can retrieve all classic metric alert rules on a resource group:

- ```powershell

- Get-AzAlertRule -ResourceGroup montest

- ```

-6. You can view details of a classic metric alert rule

- ```powershell

- Get-AzAlertRule -Name simpletestCPU -ResourceGroup montest -DetailedOutput

- ```

-7. You can retrieve all alert rules set for a target resource. For example, all alert rules set on a VM.

- ```powershell

- Get-AzAlertRule -ResourceGroup montest -TargetResourceId /subscriptions/s1/resourceGroups/montest/providers/Microsoft.Compute/virtualMachines/testconfig

- ```

-8. Classic alert rules can no longer be created via PowerShell. Use the new ['Add-AzMetricAlertRuleV2'](/powershell/module/az.monitor/add-azmetricalertrulev2) command to create a metric alert rule instead.

-## Next steps

-description: Classic alerts will be deprecated. Alerts enable you to monitor Azure resource metrics, events, or logs, and they notify you when a condition you specify is met.

-# What are classic alerts in Azure?

-> [!NOTE]

-> This article describes how to create older classic metric alerts. Azure Monitor now supports [near real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **February 29, 2024**.

->

-Alerts allow you to configure conditions over data, and they notify you when the conditions match the latest monitoring data.

-## Old and new alerting capabilities

-In the past, Azure Monitor, Application Insights, Log Analytics, and Service Health had separate alerting capabilities. Over time, Azure improved and combined both the user interface and different methods of alerting. The consolidation is still in process.

-You can view classic alerts only on the classic alerts user screen in the Azure portal. To see this screen, select **View classic alerts** on the **Alerts** screen.

- :::image type="content" source="media/alerts-classic.overview/monitor-alert-screen2.png" lightbox="media/alerts-classic.overview/monitor-alert-screen2.png" alt-text="Screenshot that shows alert choices in the Azure portal.":::

-The new alerts user experience has the following benefits over the classic alerts experience:

-The newer metric alerts have the following benefits over the classic metric alerts:

-## Classic alerts on Azure Monitor data

-Two types of classic alerts are available:

-* **Classic metric alerts**: This alert triggers when the value of a specified metric crosses a threshold that you assign. The alert generates a notification when that threshold is crossed and the alert condition is met. At that point, the alert is considered "Activated." It generates another notification when it's "Resolved," that is, when the threshold is crossed again and the condition is no longer met.

-* **Classic activity log alerts**: A streaming log alert that triggers on an activity log event entry that matches your filter criteria. These alerts have only one state: "Activated." The alert engine applies the filter criteria to any new event. It doesn't search to find older entries. These alerts can notify you when a new Service Health incident occurs or when a user or application performs an operation in your subscription. An example of an operation might be "Delete virtual machine."

-For resource log data available through Azure Monitor, route the data into Log Analytics and use a log query alert. Log Analytics now uses the [new alerting method](./alerts-overview.md).

-The following diagram summarizes sources of data in Azure Monitor and, conceptually, how you can alert off of that data.

-## Taxonomy of alerts (classic)

-Azure uses the following terms to describe classic alerts and their functions:

-* **Alert**: A definition of criteria (one or more rules or conditions) that becomes activated when met.

-* **Active**: The state when the criteria defined by a classic alert are met.

-* **Resolved**: The state when the criteria defined by a classic alert are no longer met after they were previously met.

-* **Notification**: The action taken based off of a classic alert becoming active.

-* **Action**: A specific call sent to a receiver of a notification (for example, emailing an address or posting to a webhook URL). Notifications can usually trigger multiple actions.

-## How do I receive a notification from an Azure Monitor classic alert?

-Historically, Azure alerts from different services used their own built-in notification methods.

-Azure Monitor created a reusable notification grouping called *action groups*. Action groups specify a set of receivers for a notification. Any time an alert is activated that references the action group, all receivers receive that notification. With action groups, you can reuse a grouping of receivers (for example, your on-call engineer list) across many alert objects.

-Action groups support notification by posting to a webhook URL and to email addresses, SMS numbers, and several other actions. For more information, see [Action groups](./action-groups.md).

-Older classic activity log alerts use action groups. But the older metric alerts don't use action groups. Instead, you can configure the following actions:

-Webhooks enable automation and remediation, for example, by using:

-## Next steps

-Get information about alert rules and how to configure them:

-* Learn more about [metrics](../data-platform.md).

-* Configure [classic metric alerts via the Azure portal](alerts-classic-portal.md).

-* Configure [classic metric alerts via PowerShell](alerts-classic-portal.md).

-* Configure [classic metric alerts via the command-line interface (CLI)](alerts-classic-portal.md).

-* Configure [classic metric alerts via the Azure Monitor REST API](/rest/api/monitor/alertrules).

-* Learn more about [activity logs](../essentials/platform-logs-overview.md).

-* Configure [activity log alerts via the Azure portal](./activity-log-alerts.md).

-* Configure [activity log alerts via Azure Resource Manager](./alerts-activity-log.md).

-* Review the [activity log alert webhook schema](activity-log-alerts-webhook.md).

-* Learn more about [action groups](./action-groups.md).

-* Configure [newer alerts](alerts-metric.md).

-description: Learn how to use a Resource Manager template to create a classic metric alert to receive notifications by email or webhook.

-# Create a classic metric alert rule with a Resource Manager template

-> [!WARNING]

-> This article describes how to create older classic metric alert rules. Azure Monitor now supports [newer near-real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **29 February 2024**.

->

-This article shows how you can use an [Azure Resource Manager template](../../azure-resource-manager/templates/syntax.md) to configure Azure classic metric alert rules. This enables you to automatically set up alert rules on your resources when they are created to ensure that all resources are monitored correctly.

-The basic steps are as follows:

-1. Create a template as a JSON file that describes how to create the alert rule.

-2. [Deploy the template using any deployment method](../../azure-resource-manager/templates/deploy-powershell.md).

-Below we describe how to create a Resource Manager template first for an alert rule alone, then for an alert rule during the creation of another resource.

-## Resource Manager template for a classic metric alert rule

-To create an alert rule using a Resource Manager template, you create a resource of type `Microsoft.Insights/alertRules` and fill in all related properties. Below is a template that creates an alert rule.

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "alertName": {

- "type": "string",

- "metadata": {

- "description": "Name of alert"

- }

- },

- "alertDescription": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Description of alert"

- }

- },

- "isEnabled": {

- "type": "bool",

- "defaultValue": true,

- "metadata": {

- "description": "Specifies whether alerts are enabled"

- }

- },

- "resourceId": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Resource ID of the resource emitting the metric that will be used for the comparison."

- }

- },

- "metricName": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Name of the metric used in the comparison to activate the alert."

- }

- },

- "operator": {

- "type": "string",

- "defaultValue": "GreaterThan",

- "allowedValues": [

- "GreaterThan",

- "GreaterThanOrEqual",

- "LessThan",

- "LessThanOrEqual"

- ],

- "metadata": {

- "description": "Operator comparing the current value with the threshold value."

- }

- },

- "threshold": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "The threshold value at which the alert is activated."

- }

- },

- "aggregation": {

- "type": "string",

- "defaultValue": "Average",

- "allowedValues": [

- "Average",

- "Last",

- "Maximum",

- "Minimum",

- "Total"

- ],

- "metadata": {

- "description": "How the data that is collected should be combined over time."

- }

- },

- "windowSize": {

- "type": "string",

- "defaultValue": "PT5M",

- "metadata": {

- "description": "Period of time used to monitor alert activity based on the threshold. Must be between five minutes and one day. ISO 8601 duration format."

- }

- },

- "sendToServiceOwners": {

- "type": "bool",

- "defaultValue": true,

- "metadata": {

- "description": "Specifies whether alerts are sent to service owners"

- }

- },

- "customEmailAddresses": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Comma-delimited email addresses where the alerts are also sent"

- }

- },

- "webhookUrl": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "URL of a webhook that will receive an HTTP POST when the alert activates."

- }

- }

- },

- "variables": {

- "customEmails": "[split(parameters('customEmailAddresses'), ',')]"

- },

- "resources": [

- {

- "type": "Microsoft.Insights/alertRules",

- "name": "[parameters('alertName')]",

- "location": "[resourceGroup().location]",

- "apiVersion": "2016-03-01",

- "properties": {

- "name": "[parameters('alertName')]",

- "description": "[parameters('alertDescription')]",

- "isEnabled": "[parameters('isEnabled')]",

- "condition": {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.ThresholdRuleCondition",

- "dataSource": {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.RuleMetricDataSource",

- "resourceUri": "[parameters('resourceId')]",

- "metricName": "[parameters('metricName')]"

- },

- "operator": "[parameters('operator')]",

- "threshold": "[parameters('threshold')]",

- "windowSize": "[parameters('windowSize')]",

- "timeAggregation": "[parameters('aggregation')]"

- },

- "actions": [

- {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.RuleEmailAction",

- "sendToServiceOwners": "[parameters('sendToServiceOwners')]",

- "customEmails": "[variables('customEmails')]"

- },

- {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.RuleWebhookAction",

- "serviceUri": "[parameters('webhookUrl')]",

- "properties": {}

- }

- ]

- }

- }

- ]

-}

-```

-An explanation of the schema and properties for an alert rule [is available here](/rest/api/monitor/alertrules).

-## Resource Manager template for a resource with a classic metric alert rule

-An alert rule on a Resource Manager template is most often useful when creating an alert rule while creating a resource. For example, you may want to ensure that a ΓÇ£CPU % > 80ΓÇ¥ rule is set up every time you deploy a Virtual Machine. To do this, you add the alert rule as a resource in the resource array for your VM template and add a dependency using the `dependsOn` property to the VM resource ID. HereΓÇÖs a full example that creates a Windows VM and adds an alert rule that notifies subscription admins when the CPU utilization goes above 80%.

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "newStorageAccountName": {

- "type": "string",

- "metadata": {

- "Description": "The name of the storage account where the VM disk is stored."

- }

- },

- "adminUsername": {

- "type": "string",

- "metadata": {

- "Description": "The name of the administrator account on the VM."

- }

- },

- "adminPassword": {

- "type": "securestring",

- "metadata": {

- "Description": "The administrator account password on the VM."

- }

- },

- "dnsNameForPublicIP": {

- "type": "string",

- "metadata": {

- "Description": "The name of the public IP address used to access the VM."

- }

- }

- },

- "variables": {

- "location": "Central US",

- "imagePublisher": "MicrosoftWindowsServer",

- "imageOffer": "WindowsServer",

- "windowsOSVersion": "2012-R2-Datacenter",

- "OSDiskName": "osdisk1",

- "nicName": "nc1",

- "addressPrefix": "10.0.0.0/16",

- "subnetName": "sn1",

- "subnetPrefix": "10.0.0.0/24",

- "storageAccountType": "Standard_LRS",

- "publicIPAddressName": "ip1",

- "publicIPAddressType": "Dynamic",

- "vmStorageAccountContainerName": "vhds",

- "vmName": "vm1",

- "vmSize": "Standard_A0",

- "virtualNetworkName": "vn1",

- "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",

- "subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]",

- "vmID":"[resourceId('Microsoft.Compute/virtualMachines',variables('vmName'))]",

- "alertName": "highCPUOnVM",

- "alertDescription":"CPU is over 80%",

- "alertIsEnabled": true,

- "resourceId": "",

- "metricName": "Percentage CPU",

- "operator": "GreaterThan",

- "threshold": "80",

- "windowSize": "PT5M",

- "aggregation": "Average",

- "customEmails": "",

- "sendToServiceOwners": true,

- "webhookUrl": "http://testwebhook.test"

- },

- "resources": [

- {

- "type": "Microsoft.Storage/storageAccounts",

- "name": "[parameters('newStorageAccountName')]",

- "apiVersion": "2015-06-15",

- "location": "[variables('location')]",

- "properties": {

- "accountType": "[variables('storageAccountType')]"

- }

- },

- {

- "apiVersion": "2016-03-30",

- "type": "Microsoft.Network/publicIPAddresses",

- "name": "[variables('publicIPAddressName')]",

- "location": "[variables('location')]",

- "properties": {

- "publicIPAllocationMethod": "[variables('publicIPAddressType')]",

- "dnsSettings": {

- "domainNameLabel": "[parameters('dnsNameForPublicIP')]"

- }

- }

- },

- {

- "apiVersion": "2016-03-30",

- "type": "Microsoft.Network/virtualNetworks",

- "name": "[variables('virtualNetworkName')]",

- "location": "[variables('location')]",

- "properties": {

- "addressSpace": {

- "addressPrefixes": [

- "[variables('addressPrefix')]"

- ]

- },

- "subnets": [

- {

- "name": "[variables('subnetName')]",

- "properties": {

- "addressPrefix": "[variables('subnetPrefix')]"

- }

- }

- ]

- }

- },

- {

- "apiVersion": "2016-03-30",

- "type": "Microsoft.Network/networkInterfaces",

- "name": "[variables('nicName')]",

- "location": "[variables('location')]",

- "dependsOn": [

- "[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",

- "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"

- ],

- "properties": {

- "ipConfigurations": [

- {

- "name": "ipconfig1",

- "properties": {

- "privateIPAllocationMethod": "Dynamic",

- "publicIPAddress": {

- "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"

- },

- "subnet": {

- "id": "[variables('subnetRef')]"

- }

- }

- }

- ]

- }

- },

- {

- "apiVersion": "2016-03-30",

- "type": "Microsoft.Compute/virtualMachines",

- "name": "[variables('vmName')]",

- "location": "[variables('location')]",

- "dependsOn": [

- "[concat('Microsoft.Storage/storageAccounts/', parameters('newStorageAccountName'))]",

- "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]"

- ],

- "properties": {

- "hardwareProfile": {

- "vmSize": "[variables('vmSize')]"

- },

- "osProfile": {

- "computername": "[variables('vmName')]",

- "adminUsername": "[parameters('adminUsername')]",

- "adminPassword": "[parameters('adminPassword')]"

- },

- "storageProfile": {

- "imageReference": {

- "publisher": "[variables('imagePublisher')]",

- "offer": "[variables('imageOffer')]",

- "sku": "[variables('windowsOSVersion')]",

- "version": "latest"

- },

- "osDisk": {

- "name": "osdisk",

- "vhd": {

- "uri": "[concat('http://',parameters('newStorageAccountName'),'.blob.core.windows.net/',variables('vmStorageAccountContainerName'),'/',variables('OSDiskName'),'.vhd')]"

- },

- "caching": "ReadWrite",

- "createOption": "FromImage"

- }

- },

- "networkProfile": {

- "networkInterfaces": [

- {

- "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"

- }

- ]

- }

- }

- },

- {

- "type": "Microsoft.Insights/alertRules",

- "name": "[variables('alertName')]",

- "dependsOn": [

- "[variables('vmID')]"

- ],

- "location": "[variables('location')]",

- "apiVersion": "2016-03-01",

- "properties": {

- "name": "[variables('alertName')]",

- "description": "variables('alertDescription')",

- "isEnabled": "[variables('alertIsEnabled')]",

- "condition": {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.ThresholdRuleCondition",

- "dataSource": {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.RuleMetricDataSource",

- "resourceUri": "[variables('vmID')]",

- "metricName": "[variables('metricName')]"

- },

- "operator": "[variables('operator')]",

- "threshold": "[variables('threshold')]",

- "windowSize": "[variables('windowSize')]",

- "timeAggregation": "[variables('aggregation')]"

- },

- "actions": [

- {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.RuleEmailAction",

- "sendToServiceOwners": "[variables('sendToServiceOwners')]",

- "customEmails": "[variables('customEmails')]"

- },

- {

- "odata.type": "Microsoft.Azure.Management.Insights.Models.RuleWebhookAction",

- "serviceUri": "[variables('webhookUrl')]",

- "properties": {}

- }

- ]

- }

- }

- ]

-}

-```

-## Next Steps

-* [Read more about Alerts](./alerts-overview.md)

-* [Add Diagnostic Settings](../essentials/resource-manager-diagnostic-settings.md) to your Resource Manager template

-* For the JSON syntax and properties, see [Microsoft.Insights/alertrules](/azure/templates/microsoft.insights/alertrules) template reference.

-description: Learn how to modify your webhooks, logic apps, and runbooks to prepare for voluntary migration.

-# Prepare your logic apps and runbooks for migration of classic alert rules

-> [!NOTE]

-> As [previously announced](monitoring-classic-retirement.md), classic alerts in Azure Monitor are retired for public cloud users, though still in limited use until **31 May 2021**. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **29 February 2024**.

->

-If you choose to voluntarily migrate your classic alert rules to new alert rules, there are some differences between the two systems. This article explains those differences and how you can prepare for the change.

-## API changes

-The APIs that create and manage classic alert rules (`microsoft.insights/alertrules`) are different from the APIs that create and manage new metric alerts (`microsoft.insights/metricalerts`). If you programmatically create and manage classic alert rules today, update your deployment scripts to work with the new APIs.

-The following table is a reference to the programmatic interfaces for both classic and new alerts:

-| Deployment script type | Classic alerts | New metric alerts |

-| - | -- | -- |

-|REST API | [microsoft.insights/alertrules](/rest/api/monitor/alertrules) | [microsoft.insights/metricalerts](/rest/api/monitor/metricalerts) |

-|Azure CLI | `az monitor alert` | [az monitor metrics alert](/cli/azure/monitor/metrics/alert) |

-|PowerShell | [Reference](/powershell/module/az.monitor/add-azmetricalertrule) | [Reference](/powershell/module/az.monitor/add-azmetricalertrulev2) |

-| Azure Resource Manager template | [For classic alerts](./alerts-enable-template.md)|[For new metric alerts](./alerts-metric-create-templates.md)|

-## Notification payload changes

-The notification payload format is slightly different between [classic alert rules](alerts-webhooks.md) and [new metric alerts](alerts-metric-near-real-time.md#payload-schema). If you have classic alert rules with webhook, logic app, or runbook actions, you must update the targets to accept the new payload format.

-Use the following table to map the webhook payload fields from the classic format to the new format:

-| Notification endpoint type | Classic alerts | New metric alerts |

-| -- | -- | -- |

-|Was the alert activated or resolved? | **status** | **data.status** |

-|Contextual information about the alert | **context** | **data.context** |

-|Time stamp at which the alert was activated or resolved | **context.timestamp** | **data.context.timestamp** |

-| Alert rule ID | **context.id** | **data.context.id** |

-| Alert rule name | **context.name** | **data.context.name** |

-| Description of the alert rule | **context.description** | **data.context.description** |

-| Alert rule condition | **context.condition** | **data.context.condition** |

-| Metric name | **context.condition.metricName** | **data.context.condition.allOf[0].metricName** |

-| Time aggregation (how the metric is aggregated over the evaluation window)| **context.condition.timeAggregation** | **context.condition.timeAggregation** |

-| Evaluation period | **context.condition.windowSize** | **data.context.condition.windowSize** |

-| Operator (how the aggregated metric value is compared against the threshold) | **context.condition.operator** | **data.context.condition.operator** |

-| Threshold | **context.condition.threshold** | **data.context.condition.allOf[0].threshold** |

-| Metric value | **context.condition.metricValue** | **data.context.condition.allOf[0].metricValue** |

-| Subscription ID | **context.subscriptionId** | **data.context.subscriptionId** |

-| Resource group of the affected resource | **context.resourceGroup** | **data.context.resourceGroup** |

-| Name of the affected resource | **context.resourceName** | **data.context.resourceName** |

-| Type of the affected resource | **context.resourceType** | **data.context.resourceType** |

-| Resource ID of the affected resource | **context.resourceId** | **data.context.resourceId** |

-| Direct link to the portal resource summary page | **context.portalLink** | **data.context.portalLink** |

-| Custom payload fields to be passed to the webhook or logic app | **properties** | **data.properties** |

-The payloads are similar, as you can see. The following section offers:

-## Modify a logic app to receive a metric alert notification

-If you're using logic apps with classic alerts, you must modify your logic-app code to parse the new metric alerts payload. Follow these steps:

-1. Create a new logic app.

-1. Use the template "Azure Monitor - Metrics Alert Handler". This template has an **HTTP request** trigger with the appropriate schema defined.

- :::image type="content" source="media/alerts-prepare-migration/logic-app-template.png" lightbox="media/alerts-prepare-migration/logic-app-template.png" alt-text="Screenshot shows two buttons, Blank Logic App and Azure Monitor ΓÇô Metrics Alert Handler.":::

-1. Add an action to host your processing logic.

-## Use an automation runbook that receives a metric alert notification

-The following example provides PowerShell code to use in your runbook. This code can parse the payloads for both classic metric alert rules and new metric alert rules.

-```PowerShell

-## Example PowerShell code to use in a runbook to handle parsing of both classic and new metric alerts.

-[OutputType("PSAzureOperationResponse")]

-param

-(

- [Parameter (Mandatory=$false)]

- [object] $WebhookData

-)

-$ErrorActionPreference = "stop"

-if ($WebhookData)

-{

- # Get the data object from WebhookData.

- $WebhookBody = (ConvertFrom-Json -InputObject $WebhookData.RequestBody)

- # Determine whether the alert triggering the runbook is a classic metric alert or a new metric alert (depends on the payload schema).

- $schemaId = $WebhookBody.schemaId

- Write-Verbose "schemaId: $schemaId" -Verbose

- if ($schemaId -eq "AzureMonitorMetricAlert") {

- # This is the new metric alert schema.

- $AlertContext = [object] ($WebhookBody.data).context

- $status = ($WebhookBody.data).status

- # Parse fields related to alert rule condition.

- $metricName = $AlertContext.condition.allOf[0].metricName

- $metricValue = $AlertContext.condition.allOf[0].metricValue

- $threshold = $AlertContext.condition.allOf[0].threshold

- $timeAggregation = $AlertContext.condition.allOf[0].timeAggregation

- }

- elseif ($schemaId -eq $null) {

- # This is the classic metric alert schema.

- $AlertContext = [object] $WebhookBody.context

- $status = $WebhookBody.status

- # Parse fields related to alert rule condition.

- $metricName = $AlertContext.condition.metricName

- $metricValue = $AlertContext.condition.metricValue

- $threshold = $AlertContext.condition.threshold

- $timeAggregation = $AlertContext.condition.timeAggregation

- }

- else {

- # The schema is neither a classic metric alert nor a new metric alert.

- Write-Error "The alert data schema - $schemaId - is not supported."

- }

- # Parse fields related to resource affected.

- $ResourceName = $AlertContext.resourceName

- $ResourceType = $AlertContext.resourceType

- $ResourceGroupName = $AlertContext.resourceGroupName

- $ResourceId = $AlertContext.resourceId

- $SubId = $AlertContext.subscriptionId

- ## Your logic to handle the alert here.

-}

-else {

- # Error

- Write-Error "This runbook is meant to be started from an Azure alert webhook only."

-}

-```

-For a full example of a runbook that stops a virtual machine when an alert is triggered, see the [Azure Automation documentation](../../automation/automation-create-alert-triggered-runbook.md).

-## Partner integration via webhooks

-Most of our partners that integrate with classic alerts already support newer metric alerts through their integrations. Known integrations that already work with new metric alerts include:

-If you're using a partner integration that's not listed here, confirm with the provider that they work with new metric alerts.

-## Next steps

-description: Understand how the alerts migration works and troubleshoot problems.

-# Understand migration options to newer alerts

-Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **29 February 2024**.

-This article explains how the manual migration and voluntary migration tool work, which will be used to migrate remaining alert rules. It also describes solutions for some common problems.

-> [!IMPORTANT]

-> Activity log alerts (including Service health alerts) and log search alerts are not impacted by the migration. The migration only applies to classic alert rules described [here](./monitoring-classic-retirement.md#retirement-of-classic-monitoring-and-alerting-platform).

-> [!NOTE]

-> If your classic alert rules are invalid i.e. they are on [deprecated metrics](#classic-alert-rules-on-deprecated-metrics) or resources that have been deleted, they will not be migrated and will not be available after service is retired.

-## Manually migrating classic alerts to newer alerts

-Customers that are interested in manually migrating their remaining alerts can already do so using the following sections. It also includes metrics that are retired and so cannot be migrated directly.

-### Guest metrics on virtual machines

-Before you can create new metric alerts on guest metrics, the guest metrics must be sent to the Azure Monitor logs store. Follow these instructions to create alerts:

-There are more options to collect guest metrics and alert on them, [learn more](../agents/agents-overview.md).

-### Storage and Classic Storage account metrics

-All classic alerts on storage accounts can be migrated except alerts on these metrics:

-Classic alert rules on Percent metrics must be migrated based on [the mapping between old and new storage metrics](../../storage/common/storage-metrics-migration.md#metrics-mapping-between-old-metrics-and-new-metrics). Thresholds will need to be modified appropriately because the new metric available is an absolute one.

-Classic alert rules on AnonymousThrottlingError, SASThrottlingError, and ThrottlingError must be split into two new alerts because there's no combined metric that provides the same functionality. Thresholds will need to be adapted appropriately.

-### Azure Cosmos DB metrics

-All classic alerts on Azure Cosmos DB metrics can be migrated except alerts on these metrics:

-Average Requests per Second, Consistency Level, Max RUPM Consumed Per Minute, Max RUs Per Second, Observed Read Latency, Observed Write Latency, and Storage Capacity aren't currently available in the [new system](../essentials/metrics-supported.md#microsoftdocumentdbdatabaseaccounts).

-Alerts on request metrics like Http 2xx, Http 3xx, and Service Availability aren't migrated because the way requests are counted is different between classic metrics and new metrics. Alerts on these metrics will need to be manually recreated with thresholds adjusted.

-### Classic alert rules on deprecated metrics

-The following are classic alert rules on metrics that were previously supported but were eventually deprecated. A small percentage of customer might have invalid classic alert rules on such metrics. Since these alert rules are invalid, they won't be migrated.

-| Resource type| Deprecated metric(s) |

-|-|-- |

-| Microsoft.DBforMySQL/servers | compute_consumption_percent, compute_limit |

-| Microsoft.DBforPostgreSQL/servers | compute_consumption_percent, compute_limit |

-| Microsoft.Network/publicIPAddresses | defaultddostriggerrate |

-| Microsoft.SQL/servers/databases | service_level_objective, storage_limit, storage_used, throttling, dtu_consumption_percent, storage_used |

-| Microsoft.Web/hostingEnvironments/multirolepools | averagememoryworkingset |

-| Microsoft.Web/hostingEnvironments/workerpools | bytesreceived, httpqueuelength |

-## How equivalent new alert rules and action groups are created

-The migration tool converts your classic alert rules to equivalent new alert rules and action groups. For most classic alert rules, equivalent new alert rules are on the same metric with the same properties such as `windowSize` and `aggregationType`. However, there are some classic alert rules are on metrics that have a different, equivalent metric in the new system. The following principles apply to the migration of classic alerts unless specified in the section below:

-In the following sections, we detail the metrics that have a different, equivalent metric in the new system. Any metric that remains the same for classic and new alert rules isn't listed. You can find a list of metrics supported in the new system [here](../essentials/metrics-supported.md).

-### Microsoft.Storage/storageAccounts and Microsoft.ClassicStorage/storageAccounts

-For Storage account services like blob, table, file, and queue, the following metrics are mapped to equivalent metrics as shown below:

-| Metric in classic alerts | Equivalent metric in new alerts | Comments|

-|--|||

-| AnonymousAuthorizationError| Transactions metric with dimensions "ResponseType"="AuthorizationError" and "Authentication" = "Anonymous"| |

-| AnonymousClientOtherError | Transactions metric with dimensions "ResponseType"="ClientOtherError" and "Authentication" = "Anonymous" | |

-| AnonymousClientTimeOutError| Transactions metric with dimensions "ResponseType"="ClientTimeOutError" and "Authentication" = "Anonymous" | |

-| AnonymousNetworkError | Transactions metric with dimensions "ResponseType"="NetworkError" and "Authentication" = "Anonymous" | |

-| AnonymousServerOtherError | Transactions metric with dimensions "ResponseType"="ServerOtherError" and "Authentication" = "Anonymous" | |

-| AnonymousServerTimeOutError | Transactions metric with dimensions "ResponseType"="ServerTimeOutError" and "Authentication" = "Anonymous" | |

-| AnonymousSuccess | Transactions metric with dimensions "ResponseType"="Success" and "Authentication" = "Anonymous" | |

-| AuthorizationError | Transactions metric with dimensions "ResponseType"="AuthorizationError" | |

-| AverageE2ELatency | SuccessE2ELatency | |

-| AverageServerLatency | SuccessServerLatency | |

-| Capacity | BlobCapacity | Use `aggregationType` 'average' instead of 'last'. Metric only applies to Blob services |

-| ClientOtherError | Transactions metric with dimensions "ResponseType"="ClientOtherError" | |

-| ClientTimeoutError | Transactions metric with dimensions "ResponseType"="ClientTimeOutError" | |

-| ContainerCount | ContainerCount | Use `aggregationType` 'average' instead of 'last'. Metric only applies to Blob services |

-| NetworkError | Transactions metric with dimensions "ResponseType"="NetworkError" | |

-| ObjectCount | BlobCount| Use `aggregationType` 'average' instead of 'last'. Metric only applies to Blob services |

-| SASAuthorizationError | Transactions metric with dimensions "ResponseType"="AuthorizationError" and "Authentication" = "SAS" | |

-| SASClientOtherError | Transactions metric with dimensions "ResponseType"="ClientOtherError" and "Authentication" = "SAS" | |

-| SASClientTimeOutError | Transactions metric with dimensions "ResponseType"="ClientTimeOutError" and "Authentication" = "SAS" | |

-| SASNetworkError | Transactions metric with dimensions "ResponseType"="NetworkError" and "Authentication" = "SAS" | |

-| SASServerOtherError | Transactions metric with dimensions "ResponseType"="ServerOtherError" and "Authentication" = "SAS" | |

-| SASServerTimeOutError | Transactions metric with dimensions "ResponseType"="ServerTimeOutError" and "Authentication" = "SAS" | |

-| SASSuccess | Transactions metric with dimensions "ResponseType"="Success" and "Authentication" = "SAS" | |

-| ServerOtherError | Transactions metric with dimensions "ResponseType"="ServerOtherError" | |

-| ServerTimeOutError | Transactions metric with dimensions "ResponseType"="ServerTimeOutError" | |

-| Success | Transactions metric with dimensions "ResponseType"="Success" | |

-| TotalBillableRequests| Transactions | |

-| TotalEgress | Egress | |

-| TotalIngress | Ingress | |

-| TotalRequests | Transactions | |

-### Microsoft.DocumentDB/databaseAccounts

-For Azure Cosmos DB, equivalent metrics are as shown below:

-| Metric in classic alerts | Equivalent metric in new alerts | Comments|

-|--|||

-| AvailableStorage | AvailableStorage||

-| Data Size | DataUsage| |

-| Document Count | DocumentCount||

-| Index Size | IndexUsage||

-| Service Unavailable | ServiceAvailability||

-| TotalRequestUnits | TotalRequestUnits||

-| Throttled Requests | TotalRequests with dimension "StatusCode" = "429"| 'Average' aggregation type is corrected to 'Count'|

-| Internal Server Errors | TotalRequests with dimension "StatusCode" = "500"}| 'Average' aggregation type is corrected to 'Count'|

-| Http 401 | TotalRequests with dimension "StatusCode" = "401"| 'Average' aggregation type is corrected to 'Count'|

-| Http 400 | TotalRequests with dimension "StatusCode" = "400"| 'Average' aggregation type is corrected to 'Count'|

-| Total Requests | TotalRequests| 'Max' aggregation type is corrected to 'Count'|

-| Mongo Count Request Charge| MongoRequestCharge with dimension "CommandName" = "count"||

-| Mongo Count Request Rate | MongoRequestsCount with dimension "CommandName" = "count"||

-| Mongo Delete Request Charge | MongoRequestCharge with dimension "CommandName" = "delete"||

-| Mongo Delete Request Rate | MongoRequestsCount with dimension "CommandName" = "delete"||

-| Mongo Insert Request Charge | MongoRequestCharge with dimension "CommandName" = "insert"||

-| Mongo Insert Request Rate | MongoRequestsCount with dimension "CommandName" = "insert"||

-| Mongo Query Request Charge | MongoRequestCharge with dimension "CommandName" = "find"||

-| Mongo Query Request Rate | MongoRequestsCount with dimension "CommandName" = "find"||

-| Mongo Update Request Charge | MongoRequestCharge with dimension "CommandName" = "update"||

-| Mongo Insert Failed Requests | MongoRequestCount with dimensions "CommandName" = "insert" and "Status" = "failed"| 'Average' aggregation type is corrected to 'Count'|

-| Mongo Query Failed Requests | MongoRequestCount with dimensions "CommandName" = "query" and "Status" = "failed"| 'Average' aggregation type is corrected to 'Count'|

-| Mongo Count Failed Requests | MongoRequestCount with dimensions "CommandName" = "count" and "Status" = "failed"| 'Average' aggregation type is corrected to 'Count'|

-| Mongo Update Failed Requests | MongoRequestCount with dimensions "CommandName" = "update" and "Status" = "failed"| 'Average' aggregation type is corrected to 'Count'|

-| Mongo Other Failed Requests | MongoRequestCount with dimensions "CommandName" = "other" and "Status" = "failed"| 'Average' aggregation type is corrected to 'Count'|

-| Mongo Delete Failed Requests | MongoRequestCount with dimensions "CommandName" = "delete" and "Status" = "failed"| 'Average' aggregation type is corrected to 'Count'|

-### How equivalent action groups are created

-Classic alert rules had email, webhook, logic app, and runbook actions tied to the alert rule itself. New alert rules use action groups that can be reused across multiple alert rules. The migration tool creates single action group for same actions no matter of how many alert rules are using the action. Action groups created by the migration tool use the naming format 'Migrated_AG*'.

-> [!NOTE]

-> Classic alerts sent localized emails based on the locale of classic administrator when used to notify classic administrator roles. New alert emails are sent via Action Groups and are only in English.

-## Rollout phases

-The migration tool is rolling out in phases to customers that use classic alert rules. Subscription owners will receive an email when the subscription is ready to be migrated by using the tool.

-> [!NOTE]

-> Because the tool is being rolled out in phases, you might see that some of your subscriptions are not yet ready to be migrated during the early phases.

-Most of the subscriptions are currently marked as ready for migration. Only subscriptions that have classic alerts on following resource types are still not ready for migration.

-## Who can trigger the migration?

-Any user who has the built-in role of Monitoring Contributor at the subscription level can trigger the migration. Users who have a custom role with the following permissions can also trigger the migration:

-> [!NOTE]

-> In addition to having above permissions, your subscription should additionally be registered with Microsoft.AlertsManagement resource provider. This is required to successfully migrate Failure Anomaly alerts on Application Insights.

-## Common problems and remedies

-After you trigger the migration, you'll receive email at the addresses you provided to notify you that migration is complete or if any action is needed from you. This section describes some common problems and how to deal with them.

-### Validation failed

-Because of some recent changes to classic alert rules in your subscription, the subscription cannot be migrated. This problem is temporary. You can restart the migration after the migration status moves back **Ready for migration** in a few days.

-### Scope lock preventing us from migrating your rules

-As part of the migration, new metric alerts and new action groups will be created, and then classic alert rules will be deleted. However, a scope lock can prevent us from creating or deleting resources. Depending on the scope lock, some or all rules couldn't be migrated. You can resolve this problem by removing the scope lock for the subscription, resource group, or resource, which is listed in the [migration tool](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/MigrationBladeViewModel), and triggering the migration again. Scope lock can't be disabled and must be removed during the migration process. [Learn more about managing scope locks](../../azure-resource-manager/management/lock-resources.md#portal).

-### Policy with 'Deny' effect preventing us from migrating your rules

-As part of the migration, new metric alerts and new action groups will be created, and then classic alert rules will be deleted. However, an [Azure Policy](../../governance/policy/index.yml) assignment can prevent us from creating resources. Depending on the policy assignment, some or all rules couldn't be migrated. The policy assignments that are blocking the process are listed in the [migration tool](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/MigrationBladeViewModel). Resolve this problem by either:

-## Next steps

-description: Learn how to reroute Azure metric alerts to other, non-Azure systems.

-# Call a webhook with a classic metric alert in Azure Monitor

-> [!WARNING]

-> This article describes how to use older classic metric alerts. Azure Monitor now supports [newer near-real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Microsoft Azure operated by 21Vianet will retire on **29 February 2024**.

->

-You can use webhooks to route an Azure alert notification to other systems for post-processing or custom actions. You can use a webhook on an alert to route it to services that send SMS messages, to log bugs, to notify a team via chat or messaging services, or for various other actions.

-This article describes how to set a webhook on an Azure metric alert. It also shows you what the payload for the HTTP POST to a webhook looks like. For information about the setup and schema for an Azure activity log alert (alert on events), see [Call a webhook on an Azure activity log alert](../alerts/alerts-log-webhook.md).

-Azure alerts use HTTP POST to send the alert contents in JSON format to a webhook URI that you provide when you create the alert. The schema is defined later in this article. The URI must be a valid HTTP or HTTPS endpoint. Azure posts one entry per request when an alert is activated.

-## Configure webhooks via the Azure portal

-To add or update the webhook URI, in the [Azure portal](https://portal.azure.com/), go to **Create/Update Alerts**.

-You can also configure an alert to post to a webhook URI by using [Azure PowerShell cmdlets](../powershell-samples.md#create-metric-alerts), a [cross-platform CLI](../cli-samples.md#work-with-alerts), or [Azure Monitor REST APIs](/rest/api/monitor/alertrules).

-## Authenticate the webhook

-The webhook can authenticate by using token-based authorization. The webhook URI is saved with a token ID. For example: `https://mysamplealert/webcallback?tokenid=sometokenid&someparameter=somevalue`

-## Payload schema

-The POST operation contains the following JSON payload and schema for all metric-based alerts:

-```JSON

-{

- "status": "Activated",

- "context": {

- "timestamp": "2015-08-14T22:26:41.9975398Z",

- "id": "/subscriptions/s1/resourceGroups/useast/providers/microsoft.insights/alertrules/ruleName1",

- "name": "ruleName1",

- "description": "some description",

- "conditionType": "Metric",

- "condition": {

- "metricName": "Requests",

- "metricUnit": "Count",

- "metricValue": "10",

- "threshold": "10",

- "windowSize": "15",

- "timeAggregation": "Average",

- "operator": "GreaterThanOrEqual"

- },

- "subscriptionId": "s1",

- "resourceGroupName": "useast",

- "resourceName": "mysite1",

- "resourceType": "microsoft.foo/sites",

- "resourceId": "/subscriptions/s1/resourceGroups/useast/providers/microsoft.foo/sites/mysite1",

- "resourceRegion": "centralus",

- "portalLink": "https://portal.azure.com/#resource/subscriptions/s1/resourceGroups/useast/providers/microsoft.foo/sites/mysite1"

- },

- "properties": {

- "key1": "value1",

- "key2": "value2"

- }

-}

-```

-| Field | Mandatory | Fixed set of values | Notes |

-|: |: |: |: |

-| status |Y |Activated, Resolved |The status for the alert based on the conditions you set. |

-| context |Y | |The alert context. |

-| timestamp |Y | |The time at which the alert was triggered. |

-| id |Y | |Every alert rule has a unique ID. |

-| name |Y | |The alert name. |

-| description |Y | |A description of the alert. |

-| conditionType |Y |Metric, Event |Two types of alerts are supported: metric and event. Metric alerts are based on a metric condition. Event alerts are based on an event in the activity log. Use this value to check whether the alert is based on a metric or on an event. |

-| condition |Y | |The specific fields to check based on the **conditionType** value. |

-| metricName |For metric alerts | |The name of the metric that defines what the rule monitors. |

-| metricUnit |For metric alerts |Bytes, BytesPerSecond, Count, CountPerSecond, Percent, Seconds |The unit allowed in the metric. See [allowed values](/previous-versions/azure/reference/dn802430(v=azure.100)). |

-| metricValue |For metric alerts | |The actual value of the metric that caused the alert. |

-| threshold |For metric alerts | |The threshold value at which the alert is activated. |

-| windowSize |For metric alerts | |The period of time that's used to monitor alert activity based on the threshold. The value must be between 5 minutes and 1 day. The value must be in ISO 8601 duration format. |

-| timeAggregation |For metric alerts |Average, Last, Maximum, Minimum, None, Total |How the data that's collected should be combined over time. The default value is Average. See [allowed values](/previous-versions/azure/reference/dn802410(v=azure.100)). |

-| operator |For metric alerts | |The operator that's used to compare the current metric data to the set threshold. |

-| subscriptionId |Y | |The Azure subscription ID. |

-| resourceGroupName |Y | |The name of the resource group for the affected resource. |

-| resourceName |Y | |The resource name of the affected resource. |

-| resourceType |Y | |The resource type of the affected resource. |

-| resourceId |Y | |The resource ID of the affected resource. |

-| resourceRegion |Y | |The region or location of the affected resource. |

-| portalLink |Y | |A direct link to the portal resource summary page. |

-| properties |N |Optional |A set of key/value pairs that has details about the event. For example, `Dictionary<String, String>`. The properties field is optional. In a custom UI or logic app-based workflow, users can enter key/value pairs that can be passed via the payload. An alternate way to pass custom properties back to the webhook is via the webhook URI itself (as query parameters). |

-> [!NOTE]

-> You can set the **properties** field only by using [Azure Monitor REST APIs](/rest/api/monitor/alertrules).

->

->

-## Next steps

-* Learn more about Azure alerts and webhooks in the video [Integrate Azure alerts with PagerDuty](https://go.microsoft.com/fwlink/?LinkId=627080).

-* Learn how to [execute Azure Automation scripts (runbooks) on Azure alerts](https://go.microsoft.com/fwlink/?LinkId=627081).

-* Learn how to [use a logic app to send an SMS message via Twilio from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-text-message-with-logic-app).

-* Learn how to [use a logic app to send a Slack message from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-slack-with-logic-app).

-* Learn how to [use a logic app to send a message to an Azure Queue from an Azure alert](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/alert-to-queue-with-logic-app).

-description: The Log Analytics Alert REST API allows you to create and manage alerts in Log Analytics. This article provides details about the API and examples for performing different operations.

-# Legacy Log Analytics Alert REST API

-This article describes how to manage alert rules using the legacy API.

-> [!IMPORTANT]

-> As [announced](https://azure.microsoft.com/updates/switch-api-preference-log-alerts/), the Log Analytics Alert API will be retired on October 1, 2025. You must transition to using the Scheduled Query Rules API for log search alerts by that date.

-> Log Analytics workspaces created after June 1, 2019 use the [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) to manage alert rules. [Switch to the current API](./alerts-log-api-switch.md) in older workspaces to take advantage of Azure Monitor scheduledQueryRules [benefits](./alerts-log-api-switch.md#benefits).

-The Log Analytics Alert REST API allows you to create and manage alerts in Log Analytics. This article provides details about the API and several examples for performing different operations.

-The Log Analytics Search REST API is RESTful and can be accessed via the Azure Resource Manager REST API. In this article, you'll find examples where the API is accessed from a PowerShell command line by using [ARMClient](https://github.com/projectkudu/ARMClient). This open-source command-line tool simplifies invoking the Azure Resource Manager API.

-The use of ARMClient and PowerShell is one of many options you can use to access the Log Analytics Search API. With these tools, you can utilize the RESTful Azure Resource Manager API to make calls to Log Analytics workspaces and perform search commands within them. The API outputs search results in JSON format so that you can use the search results in many different ways programmatically.

-## Prerequisites

-Currently, alerts can only be created with a saved search in Log Analytics. For more information, see the [Log Search REST API](../logs/log-query-overview.md).

-## Schedules

-A saved search can have one or more schedules. The schedule defines how often the search is run and the time interval over which the criteria are identified. Schedules have the properties described in the following table:

-| Property | Description |

-|: |: |

-| `Interval` |How often the search is run. Measured in minutes. |

-| `QueryTimeSpan` |The time interval over which the criteria are evaluated. Must be equal to or greater than `Interval`. Measured in minutes. |

-| `Version` |The API version being used. Currently, this setting should always be `1`. |

-For example, consider an event query with an `Interval` of 15 minutes and a `Timespan` of 30 minutes. In this case, the query would be run every 15 minutes. An alert would be triggered if the criteria continued to resolve to `true` over a 30-minute span.

-### Retrieve schedules

-Use the Get method to retrieve all schedules for a saved search.

-```powershell

-armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules?api-version=2015-03-20

-```

-Use the Get method with a schedule ID to retrieve a particular schedule for a saved search.

-```powershell

-armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Subscription ID}/schedules/{Schedule ID}?api-version=2015-03-20

-```

-The following sample response is for a schedule:

-```json

-{

- "value": [{

- "id": "subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/sampleRG/providers/Microsoft.OperationalInsights/workspaces/MyWorkspace/savedSearches/0f0f4853-17f8-4ed1-9a03-8e888b0d16ec/schedules/a17b53ef-bd70-4ca4-9ead-83b00f2024a8",

- "etag": "W/\"datetime'2016-02-25T20%3A54%3A49.8074679Z'\"",

- "properties": {

- "Interval": 15,

- "QueryTimeSpan": 15,

- "Enabled": true,

- }

- }]

-}

-```

-### Create a schedule

-Use the Put method with a unique schedule ID to create a new schedule. Two schedules can't have the same ID even if they're associated with different saved searches. When you create a schedule in the Log Analytics console, a GUID is created for the schedule ID.

-> [!NOTE]

-> The name for all saved searches, schedules, and actions created with the Log Analytics API must be in lowercase.

-```powershell

-$scheduleJson = "{'properties': { 'Interval': 15, 'QueryTimeSpan':15, 'Enabled':'true' } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/mynewschedule?api-version=2015-03-20 $scheduleJson

-```

-### Edit a schedule

-Use the Put method with an existing schedule ID for the same saved search to modify that schedule. In the following example, the schedule is disabled. The body of the request must include the *etag* of the schedule.

-```powershell

-$scheduleJson = "{'etag': 'W/\"datetime'2016-02-25T20%3A54%3A49.8074679Z'\""','properties': { 'Interval': 15, 'QueryTimeSpan':15, 'Enabled':'false' } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/mynewschedule?api-version=2015-03-20 $scheduleJson

-```

-### Delete schedules

-Use the Delete method with a schedule ID to delete a schedule.

-```powershell

-armclient delete /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Subscription ID}/schedules/{Schedule ID}?api-version=2015-03-20

-```

-## Actions

-A schedule can have multiple actions. An action might define one or more processes to perform, such as sending an email or starting a runbook. An action also might define a threshold that determines when the results of a search match some criteria. Some actions will define both so that the processes are performed when the threshold is met.

-All actions have the properties described in the following table. Different types of alerts have other different properties, which are described in the following table:

-| Property | Description |

-|: |: |

-| `Type` |Type of the action. Currently, the possible values are `Alert` and `Webhook`. |

-| `Name` |Display name for the alert. |

-| `Version` |The API version being used. Currently, this setting should always be `1`. |

-### Retrieve actions

-Use the Get method to retrieve all actions for a schedule.

-```powershell

-armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions?api-version=2015-03-20

-```

-Use the Get method with the action ID to retrieve a particular action for a schedule.

-```powershell

-armclient get /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Subscription ID}/schedules/{Schedule ID}/actions/{Action ID}?api-version=2015-03-20

-```

-### Create or edit actions

-Use the Put method with an action ID that's unique to the schedule to create a new action. When you create an action in the Log Analytics console, a GUID is for the action ID.

-> [!NOTE]

-> The name for all saved searches, schedules, and actions created with the Log Analytics API must be in lowercase.

-Use the Put method with an existing action ID for the same saved search to modify that schedule. The body of the request must include the etag of the schedule.

-The request format for creating a new action varies by action type, so these examples are provided in the following sections.

-### Delete actions

-Use the Delete method with the action ID to delete an action.

-```powershell

-armclient delete /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Subscription ID}/schedules/{Schedule ID}/Actions/{Action ID}?api-version=2015-03-20

-```

-### Alert actions

-A schedule should have one and only one Alert action. Alert actions have one or more of the sections described in the following table:

-| Section | Description | Usage |

-|: |: |: |

-| Threshold |Criteria for when the action is run.| Required for every alert, before or after they're extended to Azure. |

-| Severity |Label used to classify the alert when triggered.| Required for every alert, before or after they're extended to Azure. |

-| Suppress |Option to stop notifications from alerts. | Optional for every alert, before or after they're extended to Azure. |

-| Action groups |IDs of Azure `ActionGroup` where actions required are specified, like emails, SMSs, voice calls, webhooks, automation runbooks, and ITSM Connectors.| Required after alerts are extended to Azure.|

-| Customize actions|Modify the standard output for select actions from `ActionGroup`.| Optional for every alert and can be used after alerts are extended to Azure. |

-### Thresholds

-An Alert action should have one and only one threshold. When the results of a saved search match the threshold in an action associated with that search, any other processes in that action are run. An action can also contain only a threshold so that it can be used with actions of other types that don't contain thresholds.

-Thresholds have the properties described in the following table:

-| Property | Description |

-|: |: |

-| `Operator` |Operator for the threshold comparison. <br> gt = Greater than <br> lt = Less than |

-| `Value` |Value for the threshold. |

-For example, consider an event query with an `Interval` of 15 minutes, a `Timespan` of 30 minutes, and a `Threshold` of greater than 10. In this case, the query would be run every 15 minutes. An alert would be triggered if it returned 10 events that were created over a 30-minute span.

-The following sample response is for an action with only a `Threshold`:

-```json

-"etag": "W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"",

-"properties": {

- "Type": "Alert",

- "Name": "My threshold action",

- "Threshold": {

- "Operator": "gt",

- "Value": 10

- },

- "Version": 1

-}

-```

-Use the Put method with a unique action ID to create a new threshold action for a schedule.

-```powershell

-$thresholdJson = "{'properties': { 'Name': 'My Threshold', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdJson

-```

-Use the Put method with an existing action ID to modify a threshold action for a schedule. The body of the request must include the etag of the action.

-```powershell

-$thresholdJson = "{'etag': 'W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"','properties': { 'Name': 'My Threshold', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdJson

-```

-#### Severity

-Log Analytics allows you to classify your alerts into categories for easier management and triage. The Alerts severity levels are `informational`, `warning`, and `critical`. These categories are mapped to the normalized severity scale of Azure Alerts as shown in the following table:

-|Log Analytics severity level |Azure Alerts severity level |

-|||

-|`critical` |Sev 0|

-|`warning` |Sev 1|

-|`informational` | Sev 2|

-The following sample response is for an action with only `Threshold` and `Severity`:

-```json

-"etag": "W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"",

-"properties": {

- "Type": "Alert",

- "Name": "My threshold action",

- "Threshold": {

- "Operator": "gt",

- "Value": 10

- },

- "Severity": "critical",

- "Version": 1

-}

-```

-Use the Put method with a unique action ID to create a new action for a schedule with `Severity`.

-```powershell

-$thresholdWithSevJson = "{'properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdWithSevJson

-```

-Use the Put method with an existing action ID to modify a severity action for a schedule. The body of the request must include the etag of the action.

-```powershell

-$thresholdWithSevJson = "{'etag': 'W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"','properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/mythreshold?api-version=2015-03-20 $thresholdWithSevJson

-```

-#### Suppress

-Log Analytics-based query alerts fire every time the threshold is met or exceeded. Based on the logic implied in the query, an alert might get fired for a series of intervals. The result is that notifications are sent constantly. To prevent such a scenario, you can set the `Suppress` option that instructs Log Analytics to wait for a stipulated amount of time before notification is fired the second time for the alert rule.

-For example, if `Suppress` is set for 30 minutes, the alert will fire the first time and send notifications configured. It will then wait for 30 minutes before notification for the alert rule is again used. In the interim period, the alert rule will continue to run. Only notification is suppressed by Log Analytics for a specified time regardless of how many times the alert rule fired in this period.

-The `Suppress` property of a log search alert rule is specified by using the `Throttling` value. The suppression period is specified by using the `DurationInMinutes` value.

-The following sample response is for an action with only `Threshold`, `Severity`, and `Suppress` properties.

-```json

-"etag": "W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"",

-"properties": {

- "Type": "Alert",

- "Name": "My threshold action",

- "Threshold": {

- "Operator": "gt",

- "Value": 10

- },

- "Throttling": {

- "DurationInMinutes": 30

- },

- "Severity": "critical",

- "Version": 1

-}

-```

-Use the Put method with a unique action ID to create a new action for a schedule with `Severity`.

-```powershell

-$AlertSuppressJson = "{'properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Throttling': { 'DurationInMinutes': 30 },'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myalert?api-version=2015-03-20 $AlertSuppressJson

-```

-Use the Put method with an existing action ID to modify a severity action for a schedule. The body of the request must include the etag of the action.

-```powershell

-$AlertSuppressJson = "{'etag': 'W/\"datetime'2016-02-25T20%3A54%3A20.1302566Z'\"','properties': { 'Name': 'My Threshold', 'Version':'1','Severity': 'critical', 'Type':'Alert', 'Throttling': { 'DurationInMinutes': 30 },'Threshold': { 'Operator': 'gt', 'Value': 10 } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{ResourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myalert?api-version=2015-03-20 $AlertSuppressJson

-```

-#### Action groups

-All alerts in Azure use action group as the default mechanism for handling actions. With an action group, you can specify your actions once and then associate the action group to multiple alerts across Azure without the need to declare the same actions repeatedly. Action groups support multiple actions like email, SMS, voice call, ITSM connection, automation runbook, and webhook URI.

-For users who have extended their alerts into Azure, a schedule should now have action group details passed along with `Threshold` to be able to create an alert. E-mail details, webhook URLs, runbook automation details, and other actions need to be defined inside an action group first before you create an alert. You can create an [action group from Azure Monitor](./action-groups.md) in the Azure portal or use the [Action Group API](/rest/api/monitor/actiongroups).

-To associate an action group to an alert, specify the unique Azure Resource Manager ID of the action group in the alert definition. The following sample illustrates the use:

-```json

-"etag": "W/\"datetime'2017-12-13T10%3A52%3A21.1697364Z'\"",

-"properties": {

- "Type": "Alert",

- "Name": "test-alert",

- "Description": "I need to put a description here",

- "Threshold": {

- "Operator": "gt",

- "Value": 12

- },

- "AzNsNotification": {

- "GroupIds": [

- "/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup"

- ]

- },

- "Severity": "critical",

- "Version": 1

-}

-```

-Use the Put method with a unique action ID to associate an already existing action group for a schedule. The following sample illustrates the use:

-```powershell

-$AzNsJson = "{'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup']} } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

-```

-Use the Put method with an existing action ID to modify an action group associated for a schedule. The body of the request must include the etag of the action.

-```powershell

-$AzNsJson = "{'etag': 'datetime'2017-12-13T10%3A52%3A21.1697364Z'\"', 'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': { 'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'] } } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

-```

-#### Customize actions

-By default, actions follow standard templates and format for notifications. But you can customize some actions, even if they're controlled by action groups. Currently, customization is possible for `EmailSubject` and `WebhookPayload`.

-##### Customize EmailSubject for an action group

-By default, the email subject for alerts is Alert Notification `<AlertName>` for `<WorkspaceName>`. But the subject can be customized so that you can specify words or tags to allow you to easily employ filter rules in your Inbox. The customized email header details need to be sent along with `ActionGroup` details, as in the following sample:

-```json

-"etag": "W/\"datetime'2017-12-13T10%3A52%3A21.1697364Z'\"",

-"properties": {

- "Type": "Alert",

- "Name": "test-alert",

- "Description": "I need to put a description here",

- "Threshold": {

- "Operator": "gt",

- "Value": 12

- },

- "AzNsNotification": {

- "GroupIds": [

- "/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup"

- ],

- "CustomEmailSubject": "Azure Alert fired"

- },

- "Severity": "critical",

- "Version": 1

-}

-```

-Use the Put method with a unique action ID to associate an existing action group with customization for a schedule. The following sample illustrates the use:

-```powershell

-$AzNsJson = "{'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'], 'CustomEmailSubject': 'Azure Alert fired'} } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

-```

-Use the Put method with an existing action ID to modify an action group associated for a schedule. The body of the request must include the etag of the action.

-```powershell

-$AzNsJson = "{'etag': 'datetime'2017-12-13T10%3A52%3A21.1697364Z'\"', 'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup']}, 'CustomEmailSubject': 'Azure Alert fired' } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

-```

-##### Customize WebhookPayload for an action group

-By default, the webhook sent via an action group for Log Analytics has a fixed structure. But you can customize the JSON payload by using specific variables supported to meet requirements of the webhook endpoint. For more information, see [Webhook action for log search alert rules](./alerts-log-webhook.md).

-The customized webhook details must be sent along with `ActionGroup` details. They'll be applied to all webhook URIs specified inside the action group. The following sample illustrates the use:

-```json

-"etag": "W/\"datetime'2017-12-13T10%3A52%3A21.1697364Z'\"",

-"properties": {

- "Type": "Alert",

- "Name": "test-alert",

- "Description": "I need to put a description here",

- "Threshold": {

- "Operator": "gt",

- "Value": 12

- },

- "AzNsNotification": {

- "GroupIds": [

- "/subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup"

- ],

- "CustomWebhookPayload": "{\"field1\":\"value1\",\"field2\":\"value2\"}",

- "CustomEmailSubject": "Azure Alert fired"

- },

- "Severity": "critical",

- "Version": 1

-},

-```

-Use the Put method with a unique action ID to associate an existing action group with customization for a schedule. The following sample illustrates the use:

-```powershell

-$AzNsJson = "{'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup'], 'CustomEmailSubject': 'Azure Alert fired','CustomWebhookPayload': '{\"field1\":\"value1\",\"field2\":\"value2\"}'} } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

-```

-Use the Put method with an existing action ID to modify an action group associated for a schedule. The body of the request must include the etag of the action.

-```powershell

-$AzNsJson = "{'etag': 'datetime'2017-12-13T10%3A52%3A21.1697364Z'\"', 'properties': { 'Name': 'test-alert', 'Version':'1', 'Type':'Alert', 'Threshold': { 'Operator': 'gt', 'Value': 12 },'Severity': 'critical', 'AzNsNotification': {'GroupIds': ['subscriptions/1234a45-123d-4321-12aa-123b12a5678/resourcegroups/my-resource-group/providers/microsoft.insights/actiongroups/test-actiongroup']}, 'CustomEmailSubject': 'Azure Alert fired','CustomWebhookPayload': '{\"field1\":\"value1\",\"field2\":\"value2\"}' } }"

-armclient put /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}/Microsoft.OperationalInsights/workspaces/{Workspace Name}/savedSearches/{Search ID}/schedules/{Schedule ID}/actions/myAzNsaction?api-version=2015-03-20 $AzNsJson

-```

-## Next steps

-* Use the [REST API to perform log searches](../logs/log-query-overview.md) in Log Analytics.

-* Learn about [log search alerts in Azure Monitor](./alerts-types.md#log-alerts).

-* Learn how to [create, edit, or manage log search alert rules in Azure Monitor](./alerts-log.md).

-To instrument your Node.js application, use the [SDK](./nodejs.md).

-To monitor Python apps, use the [SDK](/previous-versions/azure/azure-monitor/app/opencensus-python).

-description: Important reference material needed when you monitor parts of Azure Monitor

-# Monitoring Azure Monitor data reference

-> [!NOTE]

-> This article may seem confusing because it lists the parts of the Azure Monitor service that are monitored by itself.

-See [Monitoring Azure Monitor](monitor-azure-monitor.md) for an explanation of how Azure Monitor monitors itself.

-## Metrics

-This section lists all the platform metrics collected automatically for Azure Monitor into Azure Monitor.

-|Metric Type | Resource Provider / Type Namespace<br/> and link to individual metrics |

-|-|--|

-| [Autoscale behaviors for VMs and AppService](./autoscale/autoscale-overview.md) | [microsoft.insights/autoscalesettings](/azure/azure-monitor/platform/metrics-supported#microsoftinsightsautoscalesettings) |

-While technically not about Azure Monitor operations, the following metrics are collected into Azure Monitor namespaces.

-|Metric Type | Resource Provider / Type Namespace<br/> and link to individual metrics |

-|-|--|

-| Log Analytics agent gathered data for the [Metric alerts on logs](./alerts/alerts-metric-logs.md#metrics-and-dimensions-supported-for-logs) feature | [Microsoft.OperationalInsights/workspaces](/azure/azure-monitor/platform/metrics-supported##microsoftoperationalinsightsworkspaces)

-| [Application Insights availability tests](./app/availability-overview.md) | [Microsoft.Insights/Components](./essentials/metrics-supported.md#microsoftinsightscomponents)

-See a complete list of [platform metrics for other resources types](/azure/azure-monitor/platform/metrics-supported).

-## Metric Dimensions

-For more information on what metric dimensions are, see [Multi-dimensional metrics](/azure/azure-monitor/platform/data-platform-metrics#multi-dimensional-metrics).

-The following dimensions are relevant for the following areas of Azure Monitor.

-### Autoscale

-| Dimension Name | Description |

-| - | -- |

-|MetricTriggerRule | The autoscale rule that triggered the scale action |

-|MetricTriggerSource | The metric value that triggered the scale action |

-|ScaleDirection | The direction of the scale action (up or down)

-## Resource logs

-This section lists all the Azure Monitor resource log category types collected.

-|Resource Log Type | Resource Provider / Type Namespace<br/> and link |

-|-|--|

-| [Autoscale for VMs and AppService](./autoscale/autoscale-overview.md) | [Microsoft.insights/autoscalesettings](./essentials/resource-logs-categories.md#microsoftinsightsautoscalesettings)|

-| [Application Insights availability tests](./app/availability-overview.md) | [Microsoft.insights/Components](./essentials/resource-logs-categories.md#microsoftinsightscomponents) |

-For additional reference, see a list of [all resource logs category types supported in Azure Monitor](/azure/azure-monitor/platform/resource-logs-schema).

-## Azure Monitor Logs tables

-This section refers to all of the Azure Monitor Logs Kusto tables relevant to Azure Monitor resource types and available for query by Log Analytics.

-|Resource Type | Notes |

-|--|-|

-| [Autoscale for VMs and AppService](./autoscale/autoscale-overview.md) | [Autoscale Tables](/azure/azure-monitor/reference/tables/tables-resourcetype#azure-monitor-autoscale-settings) |

-## Activity log

-For a partial list of entires that the Azure Monitor services writes to the activity log, see [Azure resource provider operations](../role-based-access-control/resource-provider-operations.md#monitor). There may be other entires not listed here.

-For more information on the schema of Activity Log entries, see [Activity Log schema](./essentials/activity-log-schema.md).

-## Schemas

-The following schemas are in use by Azure Monitor.

-### Action Groups

-The following schemas are relevant to action groups, which are part of the notification infrastructure for Azure Monitor. Following are example calls and responses for action groups.

-#### Create Action Group

-```json

-{

- "authorization": {

- "action": "microsoft.insights/actionGroups/write",

- "scope": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc"

- },

- "caller": "test.cam@ieee.org",

- "channels": "Operation",

- "claims": {

- "aud": "https://management.core.windows.net/",

- "iss": "https://sts.windows.net/04ebb17f-c9d2-bbbb-881f-8fd503332aac/",

- "iat": "1627074914",

- "nbf": "1627074914",

- "exp": "1627078814",

- "http://schemas.microsoft.com/claims/authnclassreference": "1",

- "aio": "AUQAu/8TbbbbyZJhgackCVdLETN5UafFt95J8/bC1SP+tBFMusYZ3Z4PBQRZUZ4SmEkWlDevT4p7Wtr4e/R+uksbfixGGQumxw==",

- "altsecid": "1:live.com:00037FFE809E290F",

- "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",

- "appid": "c44b4083-3bb0-49c1-bbbb-974e53cbdf3c",

- "appidacr": "2",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "test.cam@ieee.org",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "cam",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "test",

- "groups": "d734c6d5-bbbb-4b39-8992-88fd979076eb",

- "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",

- "ipaddr": "73.254.xxx.xx",

- "name": "test cam",

- "http://schemas.microsoft.com/identity/claims/objectidentifier": "f19e58c4-5bfa-4ac6-8e75-9823bbb1ea0a",

- "puid": "1003000086500F96",

- "rh": "0.AVgAf7HrBNLJbkKIH4_VAzMqrINAS8SwO8FJtH2XTlPL3zxYAFQ.",

- "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "SzEgbtESOKM8YsOx9t49Ds-L2yCyUR-hpIDinBsS-hk",

- "http://schemas.microsoft.com/identity/claims/tenantid": "04ebb17f-c9d2-bbbb-881f-8fd503332aac",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#test.cam@ieee.org",

- "uti": "KuRF5PX4qkyvxJQOXwZ2AA",

- "ver": "1.0",

- "wids": "62e90394-bbbb-4237-9190-012177145e10",

- "xms_tcdt": "1373393473"

- },

- "correlationId": "74d253d8-bd5a-4e8d-a38e-5a52b173b7bd",

- "description": "",

- "eventDataId": "0e9bc114-dcdb-4d2d-b1ea-d3f45a4d32ea",

- "eventName": {

- "value": "EndRequest",

- "localizedValue": "End request"

- },

- "category": {

- "value": "Administrative",

- "localizedValue": "Administrative"

- },

- "eventTimestamp": "2021-07-23T21:21:22.9871449Z",

- "id": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc/events/0e9bc114-dcdb-4d2d-b1ea-d3f45a4d32ea/ticks/637626720829871449",

- "level": "Informational",

- "operationId": "74d253d8-bd5a-4e8d-a38e-5a52b173b7bd",

- "operationName": {

- "value": "microsoft.insights/actionGroups/write",

- "localizedValue": "Create or update action group"

- },

- "resourceGroupName": "testK-TEST",

- "resourceProviderName": {

- "value": "microsoft.insights",

- "localizedValue": "Microsoft Insights"

- },

- "resourceType": {

- "value": "microsoft.insights/actionGroups",

- "localizedValue": "microsoft.insights/actionGroups"

- },

- "resourceId": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc",

- "status": {

- "value": "Succeeded",

- "localizedValue": "Succeeded"

- },

- "subStatus": {

- "value": "Created",

- "localizedValue": "Created (HTTP Status Code: 201)"

- },

- "submissionTimestamp": "2021-07-23T21:22:22.1634251Z",

- "subscriptionId": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a",

- "tenantId": "04ebb17f-c9d2-bbbb-881f-8fd503332aac",

- "properties": {

- "statusCode": "Created",

- "serviceRequestId": "33658bb5-fc62-4e40-92e8-8b1f16f649bb",

- "eventCategory": "Administrative",

- "entity": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc",

- "message": "microsoft.insights/actionGroups/write",

- "hierarchy": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a"

- },

- "relatedEvents": []

-}

-```

-#### Delete Action Group

-```json

-{

- "authorization": {

- "action": "microsoft.insights/actionGroups/delete",

- "scope": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testk-test/providers/microsoft.insights/actionGroups/TestingLogginc"

- },

- "caller": "test.cam@ieee.org",

- "channels": "Operation",

- "claims": {

- "aud": "https://management.core.windows.net/",

- "iss": "https://sts.windows.net/04ebb17f-c9d2-bbbb-881f-8fd503332aac/",

- "iat": "1627076795",

- "nbf": "1627076795",

- "exp": "1627080695",

- "http://schemas.microsoft.com/claims/authnclassreference": "1",

- "aio": "AUQAu/8TbbbbTkWb9O23RavxIzqfHvA2fJUU/OjdhtHPNAjv0W4pyNnoZ3ShUOEzDut700WhNXth6ZYpd7al4XyJPACEfmtr9g==",

- "altsecid": "1:live.com:00037FFE809E290F",

- "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",

- "appid": "c44b4083-3bb0-49c1-bbbb-974e53cbdf3c",

- "appidacr": "2",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "test.cam@ieee.org",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "cam",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "test",

- "groups": "d734c6d5-bbbb-4b39-8992-88fd979076eb",

- "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",

- "ipaddr": "73.254.xxx.xx",

- "name": "test cam",

- "http://schemas.microsoft.com/identity/claims/objectidentifier": "f19e58c4-5bfa-4ac6-8e75-9823bbb1ea0a",

- "puid": "1003000086500F96",

- "rh": "0.AVgAf7HrBNLJbkKIH4_VAzMqrINAS8SwO8FJtH2XTlPL3zxYAFQ.",

- "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "SzEgbtESOKM8YsOx9t49Ds-L2yCyUR-hpIDinBsS-hk",

- "http://schemas.microsoft.com/identity/claims/tenantid": "04ebb17f-c9d2-bbbb-881f-8fd503332aac",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#test.cam@ieee.org",

- "uti": "E1BRdcfDzk64rg0eFx8vAA",

- "ver": "1.0",

- "wids": "62e90394-bbbb-4237-9190-012177145e10",

- "xms_tcdt": "1373393473"

- },

- "correlationId": "a0bd5f9f-d87f-4073-8650-83f03cf11733",

- "description": "",

- "eventDataId": "8c7c920e-6a50-47fe-b264-d762e60cc788",

- "eventName": {

- "value": "EndRequest",

- "localizedValue": "End request"

- },

- "category": {

- "value": "Administrative",

- "localizedValue": "Administrative"

- },

- "eventTimestamp": "2021-07-23T21:52:07.2708782Z",

- "id": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testk-test/providers/microsoft.insights/actionGroups/TestingLogginc/events/8c7c920e-6a50-47fe-b264-d762e60cc788/ticks/637626739272708782",

- "level": "Informational",

- "operationId": "f7cb83ba-36fa-47dd-8ec4-bcac40879241",

- "operationName": {

- "value": "microsoft.insights/actionGroups/delete",

- "localizedValue": "Delete action group"

- },

- "resourceGroupName": "testk-test",

- "resourceProviderName": {

- "value": "microsoft.insights",

- "localizedValue": "Microsoft Insights"

- },

- "resourceType": {

- "value": "microsoft.insights/actionGroups",

- "localizedValue": "microsoft.insights/actionGroups"

- },

- "resourceId": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testk-test/providers/microsoft.insights/actionGroups/TestingLogginc",

- "status": {

- "value": "Succeeded",

- "localizedValue": "Succeeded"

- },

- "subStatus": {

- "value": "OK",

- "localizedValue": "OK (HTTP Status Code: 200)"

- },

- "submissionTimestamp": "2021-07-23T21:54:00.1811815Z",

- "subscriptionId": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a",

- "tenantId": "04ebb17f-c9d2-bbbb-881f-8fd503332aac",

- "properties": {

- "statusCode": "OK",

- "serviceRequestId": "88fe5ac8-ee1a-4b97-9d5b-8a3754e256ad",

- "eventCategory": "Administrative",

- "entity": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testk-test/providers/microsoft.insights/actionGroups/TestingLogginc",

- "message": "microsoft.insights/actionGroups/delete",

- "hierarchy": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a"

- },

- "relatedEvents": []

-}

-```

-#### Unsubscribe using Email

-```json

-{

- "caller": "test.cam@ieee.org",

- "channels": "Operation",

- "claims": {

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "person@contoso.com",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "",

- "http://schemas.microsoft.com/identity/claims/objectidentifier": ""

- },

- "correlationId": "8f936022-18d0-475f-9704-5151c75e81e4",

- "description": "User with email address:person@contoso.com has unsubscribed from action group:TestingLogginc, Action:testEmail_-EmailAction-",

- "eventDataId": "9b4b7b3f-79a2-4a6a-b1ed-30a1b8907765",

- "eventName": {

- "value": "",

- "localizedValue": ""

- },

- "category": {

- "value": "Administrative",

- "localizedValue": "Administrative"

- },

- "eventTimestamp": "2021-07-23T21:38:35.1687458Z",

- "id": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc/events/9b4b7b3f-79a2-4a6a-b1ed-30a1b8907765/ticks/637626731151687458",

- "level": "Informational",

- "operationId": "",

- "operationName": {

- "value": "microsoft.insights/actiongroups/write",

- "localizedValue": "Create or update action group"

- },

- "resourceGroupName": "testK-TEST",

- "resourceProviderName": {

- "value": "microsoft.insights",

- "localizedValue": "Microsoft Insights"

- },

- "resourceType": {

- "value": "microsoft.insights/actiongroups",

- "localizedValue": "microsoft.insights/actiongroups"

- },

- "resourceId": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc",

- "status": {

- "value": "Succeeded",

- "localizedValue": "Succeeded"

- },

- "subStatus": {

- "value": "Updated",

- "localizedValue": "Updated"

- },

- "submissionTimestamp": "2021-07-23T21:38:35.1687458Z",

- "subscriptionId": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a",

- "tenantId": "",

- "properties": {},

- "relatedEvents": []

-}

-```

-#### Unsubscribe using SMS

-```json

-{

- "caller": "",

- "channels": "Operation",

- "claims": {

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "4252137109",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "",

- "http://schemas.microsoft.com/identity/claims/objectidentifier": ""

- },

- "correlationId": "e039f06d-c0d1-47ac-b594-89239101c4d0",

- "description": "User with phone number:4255557109 has unsubscribed from action group:TestingLogginc, Action:testPhone_-SMSAction-",

- "eventDataId": "789d0b03-2a2f-40cf-b223-d228abb5d2ed",

- "eventName": {

- "value": "",

- "localizedValue": ""

- },

- "category": {

- "value": "Administrative",

- "localizedValue": "Administrative"

- },

- "eventTimestamp": "2021-07-23T21:31:47.1537759Z",

- "id": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc/events/789d0b03-2a2f-40cf-b223-d228abb5d2ed/ticks/637626727071537759",

- "level": "Informational",

- "operationId": "",

- "operationName": {

- "value": "microsoft.insights/actiongroups/write",

- "localizedValue": "Create or update action group"

- },

- "resourceGroupName": "testK-TEST",

- "resourceProviderName": {

- "value": "microsoft.insights",

- "localizedValue": "Microsoft Insights"

- },

- "resourceType": {

- "value": "microsoft.insights/actiongroups",

- "localizedValue": "microsoft.insights/actiongroups"

- },

- "resourceId": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc",

- "status": {

- "value": "Succeeded",

- "localizedValue": "Succeeded"

- },

- "subStatus": {

- "value": "Updated",

- "localizedValue": "Updated"

- },

- "submissionTimestamp": "2021-07-23T21:31:47.1537759Z",

- "subscriptionId": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a",

- "tenantId": "",

- "properties": {},

- "relatedEvents": []

-}

-```

-#### Update Action Group

-```json

-{

- "authorization": {

- "action": "microsoft.insights/actionGroups/write",

- "scope": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc"

- },

- "caller": "test.cam@ieee.org",

- "channels": "Operation",

- "claims": {

- "aud": "https://management.core.windows.net/",

- "iss": "https://sts.windows.net/04ebb17f-c9d2-bbbb-881f-8fd503332aac/",

- "iat": "1627074914",

- "nbf": "1627074914",

- "exp": "1627078814",

- "http://schemas.microsoft.com/claims/authnclassreference": "1",

- "aio": "AUQAu/8TbbbbyZJhgackCVdLETN5UafFt95J8/bC1SP+tBFMusYZ3Z4PBQRZUZ4SmEkWlDevT4p7Wtr4e/R+uksbfixGGQumxw==",

- "altsecid": "1:live.com:00037FFE809E290F",

- "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",

- "appid": "c44b4083-3bb0-49c1-bbbb-974e53cbdf3c",

- "appidacr": "2",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "test.cam@ieee.org",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "cam",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "test",

- "groups": "d734c6d5-bbbb-4b39-8992-88fd979076eb",

- "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",

- "ipaddr": "73.254.xxx.xx",

- "name": "test cam",

- "http://schemas.microsoft.com/identity/claims/objectidentifier": "f19e58c4-5bfa-4ac6-8e75-9823bbb1ea0a",

- "puid": "1003000086500F96",

- "rh": "0.AVgAf7HrBNLJbkKIH4_VAzMqrINAS8SwO8FJtH2XTlPL3zxYAFQ.",

- "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "SzEgbtESOKM8YsOx9t49Ds-L2yCyUR-hpIDinBsS-hk",

- "http://schemas.microsoft.com/identity/claims/tenantid": "04ebb17f-c9d2-bbbb-881f-8fd503332aac",

- "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#test.cam@ieee.org",

- "uti": "KuRF5PX4qkyvxJQOXwZ2AA",

- "ver": "1.0",

- "wids": "62e90394-bbbb-4237-9190-012177145e10",

- "xms_tcdt": "1373393473"

- },

- "correlationId": "5a239734-3fbb-4ff7-b029-b0ebf22d3a19",

- "description": "",

- "eventDataId": "62c3ebd8-cfc9-435f-956f-86c45eecbeae",

- "eventName": {

- "value": "BeginRequest",

- "localizedValue": "Begin request"

- },

- "category": {

- "value": "Administrative",

- "localizedValue": "Administrative"

- },

- "eventTimestamp": "2021-07-23T21:24:34.9424246Z",

- "id": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc/events/62c3ebd8-cfc9-435f-956f-86c45eecbeae/ticks/637626722749424246",

- "level": "Informational",

- "operationId": "5a239734-3fbb-4ff7-b029-b0ebf22d3a19",

- "operationName": {

- "value": "microsoft.insights/actionGroups/write",

- "localizedValue": "Create or update action group"

- },

- "resourceGroupName": "testK-TEST",

- "resourceProviderName": {

- "value": "microsoft.insights",

- "localizedValue": "Microsoft Insights"

- },

- "resourceType": {

- "value": "microsoft.insights/actionGroups",

- "localizedValue": "microsoft.insights/actionGroups"

- },

- "resourceId": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc",

- "status": {

- "value": "Started",

- "localizedValue": "Started"

- },

- "subStatus": {

- "value": "",

- "localizedValue": ""

- },

- "submissionTimestamp": "2021-07-23T21:25:22.1522025Z",

- "subscriptionId": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a",

- "tenantId": "04ebb17f-c9d2-bbbb-881f-8fd503332aac",

- "properties": {

- "eventCategory": "Administrative",

- "entity": "/subscriptions/52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a/resourceGroups/testK-TEST/providers/microsoft.insights/actionGroups/TestingLogginc",

- "message": "microsoft.insights/actionGroups/write",

- "hierarchy": "52c65f65-bbbb-bbbb-bbbb-7dbbfc68c57a"

- },

- "relatedEvents": []

-}

-```

-## See Also

-Azure Monitor uses a consumption-based pricing (pay-as-you-go) billing model where you only pay for what you use. Features of Azure Monitor that are enabled by default do not incur any charge, including collection and alerting on the [Activity log](essentials/activity-log.md) and collection and analysis of [platform metrics](essentials/metrics-supported.md).

-| Logs | Ingestion, retention, and export of data in [Log Analytics workspaces](logs/log-analytics-workspace-overview.md) and [legacy Application insights resources](app/convert-classic-resource.md). This will typically be the bulk of Azure Monitor charges for most customers. There is no charge for querying this data except in the case of [Basic Logs](logs/basic-logs-configure.md) or [Archived Logs](logs/data-retention-archive.md).<br><br>Charges for Logs can vary significantly on the configuration that you choose. See [Azure Monitor Logs pricing details](logs/cost-logs.md) for details on how charges for Logs data are calculated and the different pricing tiers available. |

-| Platform Logs | Processing of [diagnostic and auditing information](essentials/resource-logs.md) is charged for [certain services](essentials/resource-logs-categories.md#costs) when sent to destinations other than a Log Analytics workspace. There's no direct charge when this data is sent to a Log Analytics workspace, but there is a charge for the workspace data ingestion and collection. |

-| Metrics | There is no charge for [standard metrics](essentials/metrics-supported.md) collected from Azure resources. There is a cost for collecting [custom metrics](essentials/metrics-custom-overview.md) and for retrieving metrics from the [REST API](essentials/rest-api-walkthrough.md#retrieve-metric-values). |

-| Alerts | Alerts are charged based on the type and number of [signals](alerts/alerts-overview.md) used by the alert rule, its frequency, and the type of [notification](alerts/action-groups.md) used in response. For [log search alerts](alerts/alerts-types.md#log-alerts) configured for [at scale monitoring](alerts/alerts-types.md#monitor-the-same-condition-on-multiple-resources-using-splitting-by-dimensions-1), the cost will also depend on the number of time series created by the dimensions resulting from your query. |

-| Web tests | There is a cost for [standard web tests](app/availability-standard-tests.md) and [multi-step web tests](app/availability-multistep.md) in Application Insights. Multi-step web tests have been deprecated.

-There are two primary tools to view, analyze and optimize your Azure Monitor costs. Each is described in detail in the following sections.

-To get started analyzing your Azure Monitor charges, open [Cost Management + Billing](../cost-management-billing/costs/quick-acm-cost-analysis.md?toc=/azure/billing/TOC.json) in the Azure portal. This tool includes several built-in dashboards for deep cost analysis like cost by resource and invoice details. Select **Cost Management** and then **Cost analysis**. Select your subscription or another [scope](../cost-management-billing/costs/understand-work-scopes.md).

-Other services such as Microsoft Defender for Cloud and Microsoft Sentinel also bill their usage against Log Analytics workspace resources, so you might want to add them to your filter. See [Common cost analysis uses](../cost-management-billing/costs/cost-analysis-common-uses.md) for details on using this view.

- - **Budget alerts.** To be notified if there are significant increases in your spending, create a [budget alerts](../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md) for a single workspace or group of workspaces.

-These exports are in CSV format and will contain a list of daily usage (billed quantity and cost) by resource, [billing meter](cost-meters.md), and several other fields such as [AdditionalInfo](../cost-management-billing/automate/understand-usage-details-fields.md#list-of-fields-and-descriptions). You can use Microsoft Excel to do rich analyses of your usage not possible in the **Cost Analytics** experiences in the portal.

-For example, usage from Log Analytics can be found by first filtering on the **Meter Category** column to show

-There are several approaches to view the benefits a workspace receives from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/).

-Since a usage export has both the number of units of usage and their cost, you can use this export to see the amount of benefits you are receiving. In the usage export, to see the benefits, filter the *Instance ID* column to your workspace. (To select all of your workspaces in the spreadsheet, filter the *Instance ID* column to "contains /workspaces/".) Then filter on the Meter to either of the following two meters:

-You can also see these data benefits in the Log Analytics Usage and estimated costs page. If the workspace is receiving these benefits, there will be a sentence below the cost estimate table that gives the data volume of the benefits used over the last 31 days.

-The [Operation](/azure/azure-monitor/reference/tables/operation) table contains daily events which given the amount of benefit used from the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/). The `Detail` column for these events are all of the format `Benefit amount used 1.234 GB`, and the type of benefit is in the `OperationKey` column. Here is a query that charts the benefits used in the last 31-days:

-You can get additional usage details about Log Analytics workspaces and Application Insights resources from the **Usage and Estimated Costs** option for each.

-This view includes the following:

-Depending on the number of nodes of the suite that your organization purchased, moving some subscriptions into a Per GB (pay-as-you-go) pricing tier might be advantageous, but this requires careful consideration.

-Also, if you move a subscription to the new Azure monitoring pricing model in April 2018, the Per GB tier is the only tier available. Moving a subscription to the new Azure monitoring pricing model isn't advisable if you have an Operations Management Suite subscription.

-description: Learn about how Azure Monitor monitors itself

-<!-- VERSION 2.2-->

-# Monitoring Azure Monitor

-When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation.

-This article describes the monitoring data generated by Azure Monitor. Azure Monitor uses [itself](./overview.md) to monitor certain parts of its own functionality. You can monitor:

- If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](./essentials/monitor-azure-resource.md).

-For an overview showing where autoscale and the audit log fit into Azure Monitor, see [Introduction to Azure Monitor](overview.md).

-## Monitoring overview page in Azure portal

-The **Overview** page in the Azure portal for Azure Monitor shows links and tutorials on how to use Azure Monitor in general. It doesn't mention any of the specific resources discussed later in this article.

-## Monitoring data

-Azure Monitor collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](./essentials/monitor-azure-resource.md#monitoring-data-from-azure-resources).

-See [Monitoring *Azure Monitor* data reference](azure-monitor-monitoring-reference.md) for detailed information on the metrics and logs metrics created by Azure Monitor.

-## Collection and routing

-Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.

-Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.

-See [Create diagnostic setting to collect platform logs and metrics in Azure](/azure/azure-monitor/platform/diagnostic-settings) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for *Azure Monitor* are listed in [Azure Monitor monitoring data reference](azure-monitor-monitoring-reference.md#resource-logs).

-The metrics and logs you can collect are discussed in the following sections.

-## Analyzing metrics

-You can analyze metrics for *Azure Monitor* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Analyze metrics with Azure Monitor metrics explorer](./essentials/analyze-metrics.md) for details on using this tool.

-For a list of the platform metrics collected for Azure Monitor into itself, see [Azure Monitor monitoring data reference](azure-monitor-monitoring-reference.md#metrics).

-For reference, you can see a list of [all resource metrics supported in Azure Monitor](./essentials/metrics-supported.md).

-<!-- Optional: Call out additional information to help your customers. For example, you can include additional information here about how to use metrics explorer specifically for your service. Remember that the UI is subject to change quite often so you will need to maintain these screenshots yourself if you add them in. -->

-## Analyzing logs

-Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties.

-All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](./essentials/resource-logs-schema.md) The schemas for autoscale resource logs are found in the [Azure Monitor Data Reference](azure-monitor-monitoring-reference.md#resource-logs)

-The [Activity log](./essentials/activity-log.md) is a type of platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

-For a list of the types of resource logs collected for Azure Monitor, see [Monitoring Azure Monitor data reference](azure-monitor-monitoring-reference.md#resource-logs).

-For a list of the tables used by Azure Monitor Logs and queryable by Log Analytics, see [Monitoring Azure Monitor data reference](azure-monitor-monitoring-reference.md#azure-monitor-logs-tables)

-### Sample Kusto queries

-These are now listed in the [Log Analytics user interface](./logs/queries.md).

-## Alerts

-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](./alerts/alerts-metric-overview.md), [logs](./alerts/alerts-types.md#log-alerts), and the [activity log](./alerts/activity-log-alerts.md). Different types of alerts have benefits and drawbacks.

-For an in-depth discussion of using alerts with autoscale, see [Troubleshoot Azure autoscale](./autoscale/autoscale-troubleshoot.md).

-## Next steps

-Next, add a `SnapshotCollector` section to *appsettings.json* where you can override the defaults. The following example shows a configuration equivalent to the default configuration:

-If you need to customize the Snapshot Collector's behavior manually, without using *appsettings.json*, use the overload of `AddSnapshotCollector` that takes a delegate. For example:

-TelemetryClient _telemetryClient = new TelemetryClient();

-void ExampleRequest()

- // TODO: Handle the request.

- // Report the exception to Application Insights.

- _telemetryClient.TrackException(ex);

- // TODO: Rethrow the exception if desired.

-The combination of the quota assigned to the volume and the selected service level determines the [throughput limit](azure-netapp-files-service-levels.md) for a volume with automatic QoS . For volumes with manual QoS, the throughput limit can be defined individually. When you make performance plans about Azure NetApp Files, you need to understand several considerations.

-The maximum empirical throughput that has been observed in testing is 4,500 MiB/s. At the Premium storage tier, an automatic QoS volume quota of 70.31 TiB will provision a throughput limit that is high enough to achieve this level of performance.

-For automatic QoS volumes, if you are considering assigning volume quota amounts beyond 70.31 TiB, additional quota may be assigned to a volume for storing more data. However, the added quota doesn't result in a further increase in actual throughput.

-This section describes quota management and throughput for volumes with the automatic QoS type.

-If a workloadΓÇÖs performance is throughput-limit bound, it is possible to overprovision the automatic QoS volume quota to set a higher throughput level and achieve higher performance.

-For example, if an automatic QoS volume in the Premium storage tier has only 500 GiB of data but requires 128 MiB/s of throughput, you can set the quota to 2 TiB so that the throughput level is set accordingly (64 MiB/s per TB * 2 TiB = 128 MiB/s).

-If you consistently overprovision a volume for achieving a higher throughput, consider using the manual QoS volumes or using a higher service level instead. In this example, you can achieve the same throughput limit with half the automatic QoS volume quota by using the Ultra storage tier instead (128 MiB/s per TiB * 1 TiB = 128 MiB/s).

-NIC Teaming is not supported in Azure. Although multiple network interfaces are supported on Azure virtual machines, they represent a logical rather than a physical construct. As such, they provide no fault tolerance. Also, the bandwidth available to an Azure virtual machine is calculated for the machine itself and not any individual network interface.

-Jumbo frames are not supported with Azure virtual machines.

-> Your account must have the appropriate permissions in order to perform these tasks. For example, to invite a user to your tenant, you must have a role that includes this permission, such as [Guest Inviter](/entra/identity/role-based-access-control/permissions-reference) role or [User Administrator](/entra/identity/role-based-access-control/permissions-reference).

-1. Search or scroll to find users you want to add to the group, then select the user(s) by tapping the circle next to their name.

-1. Select **Add** in the top right corner to add the selected users(s) to the group.

-1. Search or scroll to find groups to which this user should be added, then select the group(s) by tapping the circle next to the group name.

-1. Select **Add** in the top right corner to add the user to the selected group(s).

-To [manage authentication methods](/entra/identity/authentication/concept-authentication-methods-manage) or [reset a user's password](/entra/fundamentals/users-reset-password-azure-portal), you need to do the following steps:

-1. Select **Reset password** to assign a temporary password to the user, or **Authentication methods** to manage to Tap on the desired user, then tap on ΓÇ£Reset passwordΓÇ¥ or ΓÇ£Authentication methodsΓÇ¥ based on your permissions.

-| Standard | Supported |

-* Ensure that the file share is present in one of the [supported storage account types](azure-file-share-support-matrix.md).

-For more information about availability zones, see [Availability Zones](https://learn.microsoft.com/azure/reliability/availability-zones-overview?tabs=azure-cli).

-For browsers that support the advanced Clipboard API access, you can copy and paste text between your local device and the remote session in the same way you copy and paste between applications on your local device. For other browsers, you can use the Bastion clipboard access tool palette.

- * **Availability zone**: Select the zone(s) from the dropdown, if desired. Only certain regions are supported. For more information, see the [What are availability zones?](https://learn.microsoft.com/azure/reliability/availability-zones-overview?tabs=azure-cli) article.

-All processing and resources are associated with a Batch account. When your application makes a request against the Batch service, it authenticates the request using the Azure Batch account name, the URL of the account, and either an access key or a Microsoft Entra token.

-When a storage account is linked to a Batch account, it's considered to be the *autostorage account*. An autostorage account is required if you plan to use the [application packages](batch-application-packages.md) capability, as it's used to store the application package .zip files. It can also be used for [task resource files](resource-files.md#storage-container-name-autostorage). Linking Batch accounts to autostorage can avoid the need for shared access signature (SAS) URLs to access the resource files.

-This article provides the Email delivery best practices and how to use the Azure Communication Services Email suppression list feature that allows customers to manage opt-out capabilities for email communications. It also provides information on the features that are important for emails opt out management that helps you improve email complaint management, promote better email practices, and increase your email delivery success, boosting the likelihood of getting to recipients' inboxes efficiently.

-It's important to know how interested your customers are in your email communication and to respect their opt-out or unsubscribe requests when they decide not to get emails from you. This helps you keep a good sender reputation. Whether you have a manual or automated process in place for handling unsubscribes, it's important to provide an "unsubscribe" link in the email payload you send. When recipients decide not to receive further emails, they can click on the 'unsubscribe' link and remove their email address from your mailing list.

-The functionality of the links and instructions in the email is vital; they must be working correctly and promptly notify the application mailing list to remove the contact from the appropriate list or lists. A proper unsubscribe mechanism should be explicit and transparent from the subscriber's perspective, ensuring they know precisely which messages they're unsubscribing from. Ideally, they should be offered a preferences center that gives them the option to unsubscribe in cases where they're subscribed to multiple lists within your organization. This process prevents accidental unsubscribes and allows users to manage their opt-in and opt-out preferences effectively through the unsubscribe management process.

-Azure Communication Service Email offers a powerful platform with a centralized managed unsubscribe list with opt out preferences saved to our data store. This feature helps the developers to meet guidelines of email providers, requiring one-click list-unsubscribe implementation in the emails sent from our platform. To proactively identify and avoid significant delivery problems, suppression list features, including but not limited to:

-* Compliance and Legal Considerations: This feature is crucial for adhering to legal responsibilities defined in local government legislation like the CAN-SPAM Act in the United States. It ensures that customers can easily manage opt-outs and maintain compliance with these regulations.

-* Better Sender Reputation: When emails aren't sent to users who have chosen to opt out, it helps protect the senderΓÇÖs reputation and lowers the chance of being blocked by email providers.

-* Improved User Experience: It respects the preferences of users who don't wish to receive communications, leading to a better user experience and potentially higher engagement rates with recipients who choose to receive emails.

-* Operational Efficiency: Suppression lists can be managed programmatically, allowing for efficient handling of large numbers of opt-out requests without manual intervention.

-* Cost-Effectiveness: By not sending emails to recipients who opted out, it reduces the volume of sent emails, which can lower operational costs associated with email delivery.

-* Data-Driven Decisions: The suppression list feature provides insights into the number of opt-outs, which can be valuable data for making informed decisions about email campaign strategies.

-These benefits contribute to a more efficient, compliant, and user-friendly email communication system when using Azure Communication Services. To enable email logs and monitor your email delivery, follow the steps outlined in [Azure Communication Services email logs Communication Service in Azure Communication Service](../../concepts/analytics/logs/email-logs.md).

-In this article, you learn how to use Azure Communication Services Calling SDK to retrieve Microsoft Teams Meeting audio conferencing details. This functionality allows users who are already connected to a Microsoft Teams Meeting to be able to get the conference ID and dial in phone number associated with the meeting. At present, Teams audio conferencing feature returns a conference ID and only one dial-in toll or toll-free phone number depending on the priority assigned. In the future, Teams audio conferencing feature will return a collection of all toll and toll-free numbers, giving users control on what Teams meeting dial-in details to use

- Or clone the repo using any method described in [Clone an existing Git repo](https://learn.microsoft.com/azure/devops/repos/git/clone).

-description: Learn how to migrate a calling product from Twilio to Azure Communication Services.

-# Migrating from Twilio Video to Azure Communication Services

- --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

- --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

-| A job that processes a single message or a small batch of messages from an Azure queue and exits | Job | Use the *Event* job type and [configure a custom scale rule](tutorial-event-driven-jobs.md) to trigger job executions. |

-Manual jobs are triggered on-demand using the Azure CLI or a request to the Azure Resource Manager API.

- --replica-timeout 1800 --replica-retry-limit 0 --replica-completion-count 1 --parallelism 1 \

-Cron expressions in scheduled jobs are evaluated in Universal Time Coordinated (UTC).

- --replica-timeout 1800 --replica-retry-limit 0 --replica-completion-count 1 --parallelism 1 \

-In an app, each replica continuously processes events and a scaling rule determines the number of replicas to run to meet demand. In event-driven jobs, each job typically processes a single event, and a scaling rule determines the number of jobs to run.

- --replica-timeout 1800 --replica-retry-limit 0 --replica-completion-count 1 --parallelism 1 \

-POST https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/my-resource-group/providers/Microsoft.App/jobs/my-job/start?api-version=2022-11-01-preview

-To authenticate the request, replace `<TOKEN>` in the `Authorization` header with a valid bearer token. For more information, see [Azure REST API reference](/rest/api/azure).

-POST https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/my-resource-group/providers/Microsoft.App/jobs/my-job/start?api-version=2022-11-01-preview

-Replace `<SUBSCRIPTION_ID>` with your subscription ID and `<TOKEN>` in the `Authorization` header with a valid bearer token. For more information, see [Azure REST API reference](/rest/api/azure).

-GET https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/my-resource-group/providers/Microsoft.App/jobs/my-job/executions?api-version=2022-11-01-preview

-Container settings define the containers to run in each replica of a job execution. They include environment variables, secrets, and resource limits. For more information, see [Containers](containers.md).

-| Parallelism | `parallelism` | `--parallelism` | The number of replicas to run per execution. For most jobs, set the value to `1`. |

-| Replica completion count | `replicaCompletionCount` | `--replica-completion-count` | The number of replicas to complete successfully for the execution to succeed. For most jobs, set the value to `1`. |

-To request an increase in quota amounts for your container app, learn [how to request a limit increase](faq.yml#how-can-i-request-a-quota-increase-) and [submit a support ticket](https://azure.microsoft.com/support/create-ticket/).

-| Feature | Scope | Default | Is Configurable | Remarks |

-| Environments | Region | Up to 15 | Yes | Limit up to 15 environments per subscription, per region. |

-| Environments | Global | Up to 20 | Yes | Limit up to 20 environments per subscription across all regions |

-| Revisions | Container app | 100 | No | |

-| Replicas | Revision | 300 | Yes | |

- | Minimum number of replicas per revision | 0 | 0 | 300 |

- | Maximum number of replicas per revision | 10 | 1 | 300 |

- To request an increase in maximum replica amounts for your container app, [submit a support ticket](https://azure.microsoft.com/support/create-ticket/).

-> [Set up a Spring Cloud Config Server](spring-cloud-config-server.md)

-> [Use Spring Cloud Eureka Server](spring-cloud-eureka-server.md)

-The job you create starts an execution for each message that is sent to an Azure Storage Queue. Each job execution runs a container that performs the following steps:

-1. Dequeues one message from the queue.

- --replica-retry-limit "1" \

- --replica-completion-count "1" \

- --parallelism "1" \

- | `--replica-retry-limit` | The number of times to retry a replica. |

- | `--replica-completion-count` | The number of replicas to complete successfully before a job execution is considered successful. |

- | `--parallelism` | The number of replicas to start per job execution. |

-Free tier lasts indefinitely for the lifetime of the account and it comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account. These benefits include unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more.

- ΓÇ» ΓÇ» --restore-timestamp <timestamp>

- --name <container-name> \

- ΓÇ» ΓÇ» --restore-timestamp <timestamp>

- ΓÇ» ΓÇ» --restore-timestamp <timestamp>

- --restore-timestamp <timestamp>

- --restore-timestamp <timestamp>

- ΓÇ» ΓÇ» --restore-timestamp <timestamp>

- "restoreTimestampInUtc": "<timestamp>"

- "restoreTimestampInUtc": "<timestamp>"

- "restoreTimestampInUtc": "<timestamp>"

- "restoreTimestampInUtc": "<timestamp>"

-# Configure customer-managed keys for your existing Azure Cosmos DB account with Azure Key Vault (Preview)

-> [!NOTE]

-> Currently, enabling customer-managed keys on existing Azure Cosmos DB accounts is in preview. This preview is provided without a service-level agreement. Certain features of this preview may not be supported or may have constrained capabilities. For more information, see [supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-Yes. Since the capability is currently in preview, we recommend testing all scenarios first on nonproduction accounts and once you're comfortable you can consider production accounts.

-> Currently, customer-managed keys are available only for new Azure Cosmos DB accounts. You should configure them during account creation. Enabling customer-managed keys on your existing accounts is available for preview. You can refer to the link [here](how-to-setup-customer-managed-keys-existing-accounts.md) for more details

-## An AI database providing industry-leading capabilities... for free

-If you're an existing Azure AI or GitHub Copilot customer, you may try Azure Cosmos DB for free with 40,000 [RU/s](request-units.md) of throughput for 90 days under the Azure AI Advantage offer.

-> [!div class="nextstepaction"]

-> [90-day Free Trial with Azure AI Advantage](ai-advantage.md)

-If you aren't an Azure customer, you may use the [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/). No commitment follows the end of your trial period.

-Alternatively, you may use the [Azure Cosmos DB lifetime free tier](free-tier.md) with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free.

-## An AI database for more than just AI apps

-## An AI database with unmatched reliability and flexibility

-Free tier lasts indefinitely for the lifetime of the account and comes with all the [benefits and features](introduction.md#an-ai-database-with-unmatched-reliability-and-flexibility) of a regular Azure Cosmos DB account, including unlimited storage and throughput (RU/s), SLAs, high availability, turnkey global distribution in all Azure regions, and more. You can create a free tier account using Azure portal, CLI, PowerShell, and a Resource Manager template. To learn more, see how to [create a free tier account](free-tier.md) article and the [pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/).

-The following cmdlet is an example to trigger a restore operation with the restore command by using the target account, source account, location, resource group, PublicNetworkAccess and timestamp:

- -PublicNetworkAccess Disabled

-If `PublicNetworkAccess` is not set, restored account is accessible from public network, please ensure to pass `Disabled` to the `PublicNetworkAccess` option to disable public network access for restored account.

- --public-network-access Disabled

-If `--public-network-access` is not set, restored account is accessible from public network. Please ensure to pass `Disabled` to the `--public-network-access` option to prevent public network access for restored account.

- ..

- "name": "40e93dbd-2abe-4356-a31a-35567b777220",

- ..

- ..

- ..

- ...

-

-...

- ...

-[ {

-```

-"graphNames": [

- "graph1",

- "graph3",

- "graph2"

-]

-```

-```

-},

-"type": "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restorableTables"

-```

-```

-```

-```

-```

- "restoreTimestampInUtc": "6/24/2020 4:01:48 AM"

-# Resource model for restore in same account for Azure Cosmos DB (preview)

-In 2023, a notable trend in software was the integration of AI enhancements, often achieved by incorporating specialized standalone vector databases into existing tech stacks. This article explains what vector databases are, as well as presents an alternative architecture that you might want to consider: using an integrated vector database in the NoSQL or relational database you already use, especially when working with multi-modal data. This approach not only allows you to reduce cost but also achieve greater data consistency, scale, and performance.

-> Data consistency, scale, and performance guarantees are why OpenAI built its ChatGPT service on top of Azure Cosmos DB. You, too, can take advantage of its integrated vector database, as well as its single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Please consult the [implementation samples](#how-to-implement-integrated-vector-database-functionalities) section of this article and [try](#next-step) the lifetime free tier or one of the free trial options.

-[90-day Free Trial with Azure AI Advantage](ai-advantage.md)

-This playbook (guide) helps customers who buy Microsoft software and services through a Microsoft account manager set up an MCA. The guide was created to recommend best practices to onboard you to an MCA.

-Simplified purchasing with **fast and fully automated** access to Azure and per-seat licenses

-> The following steps apply only to **new MCA customers** that have never signed an MCA or EA but who may have bought Azure or per seat products through another method, such as a licensing vehicle or contracting type. If you're a **customer migrating to MCA from an existing Microsoft EA**, see [Migrate from an EA to transition to an MCA](#migrate-from-an-ea-to-an-mca).

-**The name and email address of the Billing Account Owner** who is the person in your organization that has authorization. They make the initial purchases and sign the MCA. They may or may not be the same person as the signer mentioned previously, depending on your organization's requirements.

-The MCA allows you to create multi-tenant billing relationships. They let you securely share your billing account with other tenants, while maintaining control over your billing data. If your organization needs multiple tenants, see [Manage billing across multiple tenants](../manage/manage-billing-across-tenants.md).

-**The name and email address of the Billing Account Owner** who is the person in your organization that has authorization and signs the MCA and who makes the initial purchases. They may or may not be the same person as the signer mentioned previously, depending on your organization's requirements.

-The MCA allows you to create multi-tenant billing relationships. They let you securely share your billing account with other tenants, while maintaining control over your billing data. If your organization needs multiple tenants, see [Manage billing across multiple tenants](../manage/manage-billing-across-tenants.md).

-The MCA provides more features for automation, reporting, and billing optimization for multiple tenants. These features may not be applicable to all customers; however, for those customers who need more reporting and automation, these features offer significant benefits. Review the following steps if necessary:

-Savings plan purchase recommendations are calculated by analyzing your hourly usage data over the last 7, 30, and 60 days. Azure simulates what your costs would have been if you had a savings plan and compares it with your actual pay-as-you-go costs incurred over the time duration. The commitment amount that maximizes your savings is recommended. To learn more about how recommendations are generated, see [How hourly commitment recommendations are generated](purchase-recommendations.md#how-hourly-commitment-recommendations-are-generated).

-## How hourly commitment recommendations are generated

-The goal of our savings plan recommendation is to help you make the most cost-effective commitment. Calculations are based on your actual on-demand costs, and don't include usage covered by existing reservations or savings plans.

-We start by looking at your hourly and total on-demand usage costs incurred from savings plan-eligible resources in the last 7, 30, and 60 days. These costs are inclusive of any negotiated discounts that you have. We then run hundreds of simulations of what your total cost would have been if you had purchased either a one or three-year savings plan with an hourly commitment equivalent to your hourly costs.

-As we simulate each candidate recommendation, some hours will result in savings. For example, when savings plan-discounted usage plus the hourly commitment less than that hourΓÇÖs historic on-demand charge. In other hours, no savings would be realized. For example, when discounted usage plus the hourly commitment is greater than or greater than on-demand charges. We sum up the simulated hourly charges for each candidate and compare it to your actual total on-demand charge. Only candidates that result in savings are eligible for consideration as recommendations. We also calculate the percentage of your compute usage costs that would be covered by the recommendation, plus any other previously purchased reservations or savings plan.

-Finally, we present a differentiated set of one-year and three-year recommendations (currently up to 10 each). The recommendations provide the greatest savings across different compute coverage levels. The recommendations with the greatest savings for one year and three years are the highlighted options.

-To account for scenarios where there were significant reductions in your usage, including recently decommissioned services, we run more simulations using only the last three days of usage. The lower of the three day and 30-day recommendations are highlighted, even in situations where the 30-day recommendation may appear to provide greater savings. The lower recommendation is to ensure that we don't encourage overcommitment based on stale data.

-By default, the recommendations are for the entire billing scope (billing account or billing profile for MCA and billing account for EA). You can also view separate subscription and resource group-level recommendations by changing benefit application to one of those levels.

-Recommendations are term-specific, so you'll see the one-year or three-year recommendations at each level by toggling the term options. We don't currently support management group-level recommendations.

-The highlighted recommendation is projected to result in the greatest savings. The other values allow you to see how increasing or decreasing your commitment could affect both your savings. They also show how much of your total compute usage cost would be covered by savings plans or reservation commitments. When the commitment amount is increased, your savings could be reduced because you may end up with lower utilization each hour. If you lower the commitment, your savings could also be reduced. In this case, although you'll likely have greater utilization each hour, there will likely be other hours where your savings plan won't fully cover your usage. Usage beyond your hourly commitment is charged at the more expensive pay-as-you-go rates.

-When you trade one or more reservations for a savings plan, you're shifting the balance of your previous commitments to a new savings plan commitment. For example, if you have a one-year reservation with a value of $500, and halfway through the term you look to trade it for a savings plan, you would still have an outstanding commitment of about $250.

-The minimum hourly commitment must be at least equal to the outstanding amount divided by (24 times the term length in days).

-As part of the trade in, the outstanding commitment is automatically included in your new savings plan. We do it by dividing the outstanding commitment by the number of hours in the term of the new savings plan. For example, 24 times the term length in days. And by making the value the minimum hourly commitment you can make during as part of the trade-in. Using the previous example, the $250 amount would be converted into an hourly commitment of about $0.029 for a new one-year savings plan.

-If you're trading multiple reservations, the aggregate outstanding commitment is used. You may choose to increase the value, but you can't decrease it. The new savings plan is used to cover usage of eligible resources.

-The minimum value doesn't necessarily represent the hourly commitment necessary to cover the resources that were covered by the exchanged reservation. If you want to cover those resources, you'll most likely have to increase the hourly commitment. To determine the appropriate hourly commitment:

-1. Download your price list.

-2. For each reservation order you're returning, find the product in the price sheet and determine its unit price under either a one-year or three-year savings plan (filter by term and price type).

-3. Multiply unit price by the number of instances that are being returned. The result gives you the total hourly commitment required to cover the product with your savings plan.

-4. Repeat for each reservation order to be returned.

-5. Sum the values and enter the total as the hourly commitment.

-Although compute reservation exchanges become unavailable at the end of the grace period, noncompute reservation exchanges are unchanged. You're able to continue to trade-in reservations for saving plans.ΓÇï

-| [div](control-flow-expression-language-functions.md#div) | Return the result from dividing two numbers. |

-| [mod](control-flow-expression-language-functions.md#mod) | Return the remainder from dividing two numbers. |

-| [sub](control-flow-expression-language-functions.md#sub) | Return the result from subtracting the second number from the first number. |

-Return the integer result from dividing two numbers.

-To get the remainder result, see [mod()](#mod).

-| <*divisor*> | Yes | Integer or Float | The number that divides the *dividend*, but cannot be 0 |

-| <*quotient-result*> | Integer | The integer result from dividing the first number by the second number |

-*Example*

-Both examples divide the first number by the second number:

-div(10, 5)

-div(11, 5)

-And return this result: `2`

-Return the remainder from dividing two numbers.

-To get the integer result, see [div()](#div).

-| <*divisor*> | Yes | Integer or Float | The number that divides the *dividend*, but cannot be 0. |

-This example divides the first number by the second number:

-And return this result: `1`

-| <*multiplicand2*> | Yes | Integer or Float | The number that multiples *multiplicand1* |

-These examples multiple the first number by the second number:

-Return the result from subtracting the second number from the first number.

-This article describes the steps required to install update on your Azure Stack Edge Pro with GPU via the local web UI and via the Azure portal. You apply the software updates or hotfixes to keep your Azure Stack Edge Pro device and the associated Kubernetes cluster on the device up-to-date.

-The current update is Update 2312. This update installs two updates, the device update followed by Kubernetes updates.

-For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2312-release-notes.md).

-**To apply the 2312 update, your device must be running version 2203 or later.**

- *Update package cannot be installed as its dependencies are not met.*

-| Current version of Azure Stack Edge software and Kubernetes | Upgrade to Azure Stack Edge software and Kubernetes | Desired update to 2312 |

-| 2207 | 2303 | 2312 |

-| 2209 | 2303 | 2312 |

-| 2210 | 2303 | 2312 |

-| 2301 | 2303 | 2312 |

-| 2303 | Directly to | 2312 |

-If you have Azure Kubernetes service deployed and your Azure Stack Edge device and Kubernetes versions are either 2207 or 2209, you must update in multiple steps to apply 2312.

-Use the following steps to update your Azure Stack Edge version and Kubernetes version to 2312:

-1. Update both device software and Kubernetes to 2312.

-If you are running 2210 or 2301, you can update both your device version and Kubernetes version directly to 2303 and then to 2312.

-If you are running 2303, you can update both your device version and Kubernetes version directly to 2312.

-In Azure portal, the process will require two clicks, the first update gets your device version to 2303 and your Kubernetes version to 2210, and the second update gets your Kubernetes version upgraded to 2312.

-From the local UI, you will have to run each update separately: update the device version to 2303, update Kubernetes version to 2210, update Kubernetes version to 2303, and then the third update gets both the device version and Kubernetes version to 2312.

-Each time you change the Kubernetes profile, you are prompted for the Kubernetes update. Go ahead and apply the update.

-The procedure to update an Azure Stack Edge is the same whether it is a single-node device or a two-node cluster. This applies both to the Azure portal or the local UI procedure.

- The Kubernetes worker VMs will go down when a node goes down. The Kubernetes master VM will fail over to the other node. Workloads will continue to run. For more information, see [Kubernetes failover scenarios for Azure Stack Edge](azure-stack-edge-gpu-kubernetes-failover-scenarios.md).

-Provisioning actions such as creating shares or virtual machines are not supported during update. The update takes about 60 to 75 minutes per node to complete.

- If updating from the Windows Server Update Services, specify the server URI. The server at that URI will deploy the updates on all the devices connected to this server.

-We recommend that you install updates through the Azure portal. The device automatically scans for updates once a day. Once the updates are available, you see a notification in the portal. You can then download and install the updates.

-Depending on the software version that you are running, install process might differ slightly.

-1. When the updates are available for your device, you see a notification in the **Overview** page of your Azure Stack Edge resource. Select the notification or from the top command bar, **Update device**. This will allow you to apply device software updates.

-4. After the download is complete, the notification banner updates to indicate the completion. If you chose to download and install the updates, the installation will begin automatically.

-7. After the restart, the device software will finish updating. After the update is complete, you can verify from the local web UI that the device software is updated. The Kubernetes software version has not been updated.

-8. You will see a notification banner indicating that device updates are available. Select this banner to start updating the Kubernetes software on your device.

-1. In the search box of the Microsoft Update Catalog, enter the Knowledge Base (KB) number of the hotfix or terms for the update you want to download. For example, enter **Azure Stack Edge**, and then click **Search**.

- The update listing appears as **Azure Stack Edge Update 2312**.

- | Azure Kubernetes Service | Azure Private MEC Solution in your environment<br><br>SAP Digital Manufacturing for Edge Computing or another Microsoft Partner Solution in your Environment | Azure Stack Edge Update 2312 Kubernetes Package for Private MEC/SAP Workloads | release~ase-2307d.3.2.2380.1632-42623-79365624-release_host_MsKubernetes_Package |

- | Kubernetes for Azure Stack Edge |Other workloads in your environment | Azure Stack Edge Update 2312 Kubernetes Package for Non Private MEC/Non SAP Workloads | \release~ase-2307d.3.2.2380.1632-42623-79365624-release_host_AseKubernetes_Package |

-1. Select **Download**. There are two packages to download for the update. The first package will have two files for the device software updates (*SoftwareUpdatePackage.0.exe*, *SoftwareUpdatePackage.1.exe*) and the second package has two files for the Kubernetes updates (*Kubernetes_Package.0.exe* and *Kubernetes_Package.1.exe*), respectively. Download the packages to a folder on the local system. You can also copy the folder to a network share that is reachable from the device.

-1. In the local web UI, go to **Maintenance** > **Software update**. Make a note of the software version that you are running.

-4. When prompted for confirmation, select **Yes** to proceed. Given the device is a single node device, after the update is applied, the device restarts and there is downtime.

-5. The update starts. After the device is successfully updated, it restarts. The local UI is not accessible in this duration.

-6. After the restart is complete, you are taken to the **Sign in** page. To verify that the device software has been updated, in the local web UI, go to **Maintenance** > **Software update**. For the current release, the displayed software version should be **Azure Stack Edge 2312**.

-7. You will now update the Kubernetes software version. Select the remaining two Kubernetes files together (file with the *Kubernetes_Package.0.exe* and *Kubernetes_Package.1.exe* suffix) and repeat the above steps to apply update.

-10. After the Kubernetes update is successfully installed, there is no change to the displayed software in **Maintenance** > **Software update**.

-Learn more about [administering your Azure Stack Edge Pro](azure-stack-edge-manage-access-power-connectivity-mode.md).

-### Kubernetes and IoT Edge

-This feature has been deprecated. Support will end soon.

-All new deployments of IoT Edge on Azure Stack Edge must be on a Linux VM. For detailed steps, see [Deploy IoT runtime on Ubuntu VM on Azure Stack Edge](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md).

-Follow these steps to configure compute IPs for your Kubernetes workloads.

-1. From the dropdown select a virtual switch that you will use for Kubernetes compute traffic. <!--By default, all switches are configured for management. You can't configure storage intent as storage traffic was already configured based on the network topology that you selected earlier.-->

-1. Assign **Kubernetes node IPs**. These static IP addresses are for the Kubernetes VMs.

- - For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. For a 1-node device, provide a minimum of two, free, contiguous IPv4 addresses.

- > [!IMPORTANT]

- > - Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the ```Set-HcsKubeClusterNetworkInfo``` cmdlet from the PowerShell interface of the device. For more information, see Change Kubernetes pod and service subnets. <!--Target URL not available.-->

- > - DHCP mode is not supported for Kubernetes node IPs. If you plan to deploy IoT Edge/Kubernetes, you must assign static Kubernetes IPs and then enable IoT role. This will ensure that static IPs are assigned to Kubernetes node VMs.

- > - If your datacenter firewall is restricting or filtering traffic based on source IPs or MAC addresses, make sure that the compute IPs (Kubernetes node IPs) and MAC addresses are on the allowed list. The MAC addresses can be specified by running the ```Set-HcsMacAddressPool``` cmdlet on the PowerShell interface of the device.

-1. Assign **Kubernetes external service IPs**. These are also the load-balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.

- > [!IMPORTANT]

- > We strongly recommend that you specify a minimum of one IP address for Azure Stack Edge Hub service to access compute modules. You can then optionally specify additional IP addresses for other services/IoT Edge modules (1 per service/module) that need to be accessed from outside the cluster. The service IP addresses can be updated later.

- 

-1. The configuration takes a couple minutes to apply and you may need to refresh the browser.

- > The artifactName 'CodeAnalysisLogs' is required for integration with Defender for Cloud. For additional tool configuration options, see [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)

-| Supported use cases:| :::image type="icon" source="./medi) **Only available with Defender for Servers plan 2**|

-| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Microsoft Azure operated by 21Vianet<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Microsoft Azure operated by 21Vianet<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Microsoft Azure operated by 21Vianet<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected GCP projects |

-| Operating systems: | :::image type="icon" source="./media/icons/yes-icon.png"::: Windows<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Windows<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Linux |

-the recommendation ### [Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d57a4221-a804-52ca-3dea-768284f06bb7) is set to be deprecated.

-3. To cancel a running project, use the following command:

- ```azurecli

- az dms project task cancel -n runnowtask --project-name PGMigration -g PostgresDemo --service-name PostgresCLI

- ```

-4. To delete a running project, use the following command:

- az dms project task delete -n runnowtask --project-name PGMigration -g PostgresDemo --service-name PostgresCLI

-5. To delete DMS service, use the following command:

-> If a rule is present in the ruleset that has as its destination a private resolver inbound endpoint, do not link the ruleset to the VNet where the inbound endpoint is provisioned. This configuration can cause DNS resolution loops. For example: In the previous scenario, no ruleset link should be added to `myeastvnet` because the inbound endpoint at `10.10.0.4` is provisioned in `myeastvnet` and a rule is present that resolves `azure.contoso.com` using the inbound endpoint.

-description: Configure Azure and on-premises DNS to resolve private DNS zones and on-premises domains

-This article provides guidance on how to configure hybrid DNS resolution by using an [Azure DNS Private Resolver](#azure-dns-private-resolver) with a [DNS forwarding ruleset](#dns-forwarding-ruleset).

-In this article, the private zone **azure.contoso.com** and the resource record **test** are used. Autoregistration isn't required for the current demonstration.

-**Requirement**: You must create a virtual network link in the zone to the virtual network where you deploy your Azure DNS Private Resolver. In the following example, the private zone is linked to two VNets: **myeastvnet** and **mywestvnet**. At least one link is required.

-The following quickstarts are available to help you create a private resolver. These quickstarts walk you through creating a resource group, a virtual network, and Azure DNS Private Resolver. The steps to configure an inbound endpoint, outbound endpoint, and DNS forwarding ruleset are provided:

- When you're finished, write down the IP address of the inbound endpoint for the Azure DNS Private Resolver. In this example, the IP address is **10.10.0.4**. This IP address is used later to configure on-premises DNS conditional forwarders.

-**Requirement**: You must create a virtual network link to the vnet where your private resolver is deployed. In the following example, two virtual network links are present. The link **myeastvnet-link** is created to a hub vnet where the private resolver is provisioned. There's also a virtual network link **myeastspoke-link** that provides hybrid DNS resolution in a spoke vnet that doesn't have its own private resolver. The spoke network is able to use the private resolver because it peers with the hub network. The spoke vnet link isn't required for the current demonstration.

-Next, create a rule in your ruleset for your on-premises domain. In this example, we use **contoso.com**. Set the destination IP address for your rule to be the IP address of your on-premises DNS server. In this example, the on-premises DNS server is at **10.100.0.2**. Verify that the rule is **Enabled**.

-Using a VM located in the virtual network where the Azure DNS Private Resolver is provisioned, issue a DNS query for a resource record in your on-premises domain. In this example, a query is performed for the record **testdns.contoso.com**:

-The path for the query is: Azure DNS > inbound endpoint > outbound endpoint > ruleset rule for contoso.com > on-premises DNS (10.100.0.2). The DNS server at 10.100.0.2 is an on-premises DNS resolver, but it could also be an authoritative DNS server.

-* Learn how to [Set up DNS failover using private resolvers](tutorial-dns-private-resolver-failover.md)

-> Quickstarts are for you to quickly ramp up on the service. If you are already familiar with the service, you may want to see .NET samples for Event Hubs in our .NET SDK repository on GitHub: [Event Hubs samples on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs/samples), [Event processor samples on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs.Processor/samples).

-4. On the **Event Hubs Namespace** page in the Azure portal, you see three incoming messages in the **Messages** chart. Refresh the page to update the chart if needed. It may take a few seconds for it to show that the messages have been received.

-Note down the connection string and the container name. You use them in the receive code.

- Console.ReadLine();

- Console.ReadLine();

-4. You should see a message that the events have been received.

-5. In the Azure portal, you can verify that there are three outgoing messages, which Event Hubs sent to the receiving application. Refresh the page to update the chart. It may take a few seconds for it to show that the messages have been received.

-## Clean up resources

-Delete the resource group that has the Event Hubs namespace or delete only the namespace if you want to keep the resource group.

-## Next steps

-# Send events to or receive events from event hubs by using JavaScript

-This quickstart shows how to send events to and receive events from an event hub using the **@azure/event-hubs** npm package.

-1. Run `node send.js` to execute this file. This command sends a batch of three events to your event hub.

-1. In the Azure portal, verify that the event hub has received the messages. Refresh the page to update the chart. It might take a few seconds for it to show that the messages have been received.

- You have now sent events to an event hub.

-Note the connection string and the container name. You'll use them in the receive code.

-For the receiving side, you need to install two more packages. In this quickstart, you use Azure Blob storage to persist checkpoints so that the program doesn't read the events that it has already read. It performs metadata checkpoints on received messages at regular intervals in a blob. This approach makes it easy to continue receiving messages later from where you left off.

- ```

-You have now received events from your event hub. The receiver program will receive events from all the partitions of the default consumer group in the event hub.

-## Next steps

-If you use **Azure Event Hubs** to store the diagnostic logging information, the information is stored in Event Hubs instances named **insights-logs-operationlogs** and **insights-metrics-pt1m**. You can also select an existing event hub except for the event hub for which you are configuring diagnostic settings.

-

-You can enable either runtime audit logs or application metrics logs by selecting *Diagnostic settings* from the *Monitoring* section on the Event Hubs namespace page in Azure portal. Click on *Add diagnostic setting* as shown below.

-

-

-Once runtime logs are enabled, Event Hubs will start collecting and storing them according to the diagnostic setting configuration.

-To collect sample runtime audit logs in your Event Hubs namespace, you can publish and consume sample data using client applications which are based on [Event Hubs SDK](../event-hubs/event-hubs-dotnet-standard-getstarted-send.md) (AMQP) or using any [Apache Kafka client application](../event-hubs/event-hubs-quickstart-kafka-enabled-event-hubs.md).

-By analyzing these logs you should be able to audit how each client application interacts with Event Hubs. Each field associated with runtime audit logs are defined in [runtime audit logs reference](../event-hubs/monitor-event-hubs-reference.md#runtime-audit-logs).

-Application metrics includes the following runtime metrics.

-Therefore you can use application metrics to monitor runtime metrics such as consumer lag or active connection from a given client application. Each field associated with runtime audit logs are defined in [application metrics logs reference](../event-hubs/monitor-event-hubs-reference.md#runtime-audit-logs).

-| **Seattle** | [Equinix SE2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/seattle-data-centers/se2/) | 1 | West US 2 | Supported | Aryaka Networks<br/>CenturyLink Cloud Connect<br/>DE-CIX<br/>Equinix<br/>Level 3 Communications<br/>Megaport<br/>PacketFabric<br/>Telus<br/>Zayo |

-For a guided walkthrough of these steps, see [Configure HTTPS on an Azure Front Door custom domain using the Azure portal](standard-premium/how-to-configure-https-custom-domain.md#using-your-own-certificate).

-description: Learn how to onboard a root or apex domain to an existing Azure Front Door using the Azure portal.

-Azure Front Door uses CNAME records to validate domain ownership for the onboarding of custom domains. Azure Front Door doesn't expose the frontend IP address associated with your Front Door profile. So you can't map your apex domain to an IP address if your intent is to onboard it to Azure Front Door.

-The Domain Name System (DNS) protocol prevents the assignment of CNAME records at the zone apex. For example, if your domain is `contoso.com`; you can create CNAME records for `somelabel.contoso.com`; but you can't create CNAME for `contoso.com` itself. This restriction presents a problem for application owners who load balances applications behind Azure Front Door. Since using an Azure Front Door profile requires creation of a CNAME record, it isn't possible to point at the Azure Front Door profile from the zone apex.

-This problem can be resolved by using alias records in Azure DNS. Unlike CNAME records, alias records are created at the zone apex. Application owners can use it to point their zone apex record to an Azure Front Door profile that has public endpoints. Application owners can point to the same Azure Front Door profile used for any other domain within their DNS zone. For example, `contoso.com` and `www.contoso.com` can point to the same Azure Front Door profile.

-> There are other DNS providers as well that support CNAME flattening or DNS chasing. However, Azure Front Door recommends using Azure DNS for its customers for hosting their domains.

-You can use the Azure portal to onboard an apex domain on your Azure Front Door and enable HTTPS on it by associating it with a Transport Layer Security (TLS) certificate. Apex domains are also referred as *root* or *naked* domains.

-1. Select **Domains** from under *Settings* on the left side pane for your Azure Front Door profile and then select **+ Add** to add a new custom domain.

- :::image type="content" source="./media/front-door-apex-domain/add-domain.png" alt-text="Screenshot of adding a new domain to an Azure Front Door profile.":::

-1. On **Add a domain** page, you enter information about the custom domain. You can choose Azure-managed DNS (recommended) or you can choose to use your DNS provider.

- - **Azure-managed DNS** - select an existing DNS zone and for *Custom domain*, select **Add new**. Select **APEX domain** from the pop-up and then select **OK** to save.

- :::image type="content" source="./media/front-door-apex-domain/add-custom-domain.png" alt-text="Screenshot of adding a new custom domain to an Azure Front Door profile.":::

- - **Another DNS provider** - make sure the DNS provider supports CNAME flattening and follow the steps for [adding a custom domain](standard-premium/how-to-add-custom-domain.md#add-a-new-custom-domain).

-1. Select the **Pending** validation state. A new page appears with DNS TXT record information needed to validate the custom domain. The TXT record is in the form of `_dnsauth.<your_subdomain>`.

- :::image type="content" source="./media/front-door-apex-domain/pending-validation.png" alt-text="Screenshot of custom domain pending validation.":::

- - **Azure DNS-based zone** - select the **Add** button to create a new TXT record with the displayed value in the Azure DNS zone.

- :::image type="content" source="./media/front-door-apex-domain/validate-custom-domain.png" alt-text="Screenshot of validate a new custom domain.":::

- - If you're using another DNS provider, manually create a new TXT record of name `_dnsauth.<your_subdomain>` with the record value as shown on the page.

-1. Close the *Validate the custom domain* page and return to the *Domains* page for the Azure Front Door profile. You should see the *Validation state* change from **Pending** to **Approved**. If not, wait up to 10 minutes for changes to reflect. If your validation doesn't get approved, make sure your TXT record is correct and name servers are configured correctly if you're using Azure DNS.

- :::image type="content" source="./media/front-door-apex-domain/validation-approved.png" alt-text="Screenshot of new custom domain passing validation.":::

-1. Select **Unassociated** from the *Endpoint association* column, to add the new custom domain to an endpoint.

- :::image type="content" source="./media/front-door-apex-domain/unassociated-endpoint.png" alt-text="Screenshot of unassociated custom domain to an endpoint.":::

-1. On the *Associate endpoint and route* page, select the **Endpoint** and **Route** you would like to associate the domain to. Then select **Associate** to complete this step.

- :::image type="content" source="./media/front-door-apex-domain/associate-endpoint.png" alt-text="Screenshot of associated endpoint and route page for a domain.":::

-1. Under the *DNS state* column, select the **CNAME record is currently not detected** to add the alias record to DNS provider.

- - **Azure DNS** - select the **Add** button on the page.

- :::image type="content" source="./media/front-door-apex-domain/cname-record.png" alt-text="Screenshot of add or update CNAME record page.":::

- - **A DNS provider that supports CNAME flattening** - you must manually enter the alias record name.

-1. Once the alias record gets created and the custom domain is associated to the Azure Front Door endpoint, traffic starts flowing.

- :::image type="content" source="./media/front-door-apex-domain/cname-record-added.png" alt-text="Screenshot of completed APEX domain configuration.":::

-> * The **DNS state** column is used for CNAME mapping check. Since an apex domain doesnΓÇÖt support a CNAME record, the DNS state will show 'CNAME record is currently not detected' even after you add the alias record to the DNS provider.

-> * When placing service like an Azure Web App behind Azure Front Door, you need to configure with the web app with the same domain name as the root domain in Azure Front Door. You also need to configure the backend host header with that domain name to prevent a redirect loop.

-> * Apex domains don't have CNAME records pointing to the Azure Front Door profile, therefore managed certificate autorotation will always fail unless domain validation is completed between rotations.

-1. Select the record **type** as *A* record and then select *Yes* for **Alias record set**. **Alias type** should be set to *Azure resource*.

-1. Select the Azure subscription that contains your Azure Front Door profile. Then select the Azure Front Door resource from the **Azure resource** dropdown.

- :::image type="content" source="./media/front-door-apex-domain/front-door-apex-alias-record.png" alt-text="Alias record for zone apex":::

-1. The above step creates a zone apex record pointing to your Azure Front Door resource and also a CNAME record mapping *afdverify* (example - `afdverify.contosonews.com`) that is used for onboarding the domain on your Azure Front Door profile.

-1. On the Azure Front Door designer tab, select on '+' icon on the Frontend hosts section to add a new custom domain.

-1. Enter the root or apex domain name in the custom host name field, example `contosonews.com`.

-1. Once the CNAME mapping from the domain to your Azure Front Door is validated, select on **Add** to add the custom domain.

- :::image type="content" source="./media/front-door-apex-domain/front-door-onboard-apex-domain.png" alt-text="Custom domain menu":::

-1. Select the custom domain that was added and under the section **Custom domain HTTPS**, change the status to **Enabled**.

-1. Select the **Certificate management type** to *'Use my own certificate'*.

- :::image type="content" source="./media/front-door-apex-domain/front-door-onboard-apex-custom-domain.png" alt-text="Custom domain HTTPS settings":::

- > Azure Front Door managed certificate management type is not currently supported for apex or root domains. The only option available for enabling HTTPS on an apex or root domain for Azure Front Door is using your own custom TLS/SSL certificate hosted on Azure Key Vault.

-1. Ensure that you have setup the right permissions for Azure Front Door to access your key Vault as noted in the UI, before proceeding to the next step.

-1. Choose a **Key Vault account** from your current subscription and then select the appropriate **Secret** and **Secret version** to map to the right certificate.

-1. Select **Update** to save the selection and then Select **Save**.

-1. Select **Refresh** after a couple of minutes and then select the custom domain again to see the progress of certificate provisioning.

-> Ensure that you have created appropriate routing rules for your apex domain or added the domain to existing routing rules.

-description: In this article, you learn how to onboard a custom domain to Azure Front Door profile using the Azure portal.

-#Customer intent: As a website owner, I want to add a custom domain to my Front Door configuration so that my users can use my custom domain to access my content.

-# Configure a custom domain on Azure Front Door using the Azure portal

-When you use Azure Front Door for application delivery, a custom domain is necessary if you would like your own domain name to be visible in your end-user requests. Having a visible domain name can be convenient for your customers and useful for branding purposes.

-After you create an Azure Front Door Standard/Premium profile, the default frontend host will have a subdomain of `azurefd.net`. This subdomain gets included in the URL when Azure Front Door Standard/Premium delivers content from your backend by default. For example, `https://contoso-frontend.azurefd.net/activeusers.htm`. For your convenience, Azure Front Door provides the option of associating a custom domain with the default host. With this option, you deliver your content with a custom domain in your URL instead of an Azure Front Door owned domain name. For example, `https://www.contoso.com/photo.png`.

-## Prerequisites

-* Before you can complete the steps in this tutorial, you must first create an Azure Front Door profile. For more information, see [Quickstart: Create a Front Door Standard/Premium](create-front-door-portal.md).

-A custom domain is configured on the **Domains** page of the Azure Front Door profile. A custom domain can be set up and validated prior to endpoint association. A custom domain and its subdomains can only be associated with a single endpoint at a time. However, you can use different subdomains from the same custom domain for different Azure Front Door profiles. You may also map custom domains with different subdomains to the same Azure Front Door endpoint.

-1. Select **Domains** under settings for your Azure Front Door profile and then select **+ Add** button.

- :::image type="content" source="../media/how-to-add-custom-domain/add-domain-button.png" alt-text="Screenshot of add domain button on domain landing page.":::

-1. On the *Add a domain* page, select the **Domain type**. You can select between a **Non-Azure validated domain** or an **Azure pre-validated domain**.

- * **Non-Azure validated domain** is a domain that requires ownership validation. When you select Non-Azure validated domain, the recommended DNS management option is to use Azure-managed DNS. You may also use your own DNS provider. If you choose Azure-managed DNS, select an existing DNS zone. Then select an existing custom subdomain or create a new one. If you're using another DNS provider, manually enter the custom domain name. Then select **Add** to add your custom domain.

- :::image type="content" source="../media/how-to-add-custom-domain/add-domain-page.png" alt-text="Screenshot of add a domain page.":::

- * **Azure pre-validated domain** is a domain already validated by another Azure service. When you select this option, domain ownership validation isn't required from Azure Front Door. A dropdown list of validated domains by different Azure services appear.

- :::image type="content" source="../media/how-to-add-custom-domain/pre-validated-custom-domain.png" alt-text="Screenshot of prevalidated custom domain in add a domain page.":::

- > * Azure Front Door supports both Azure managed certificate and Bring Your Own Certificates. For Non-Azure validated domain, the Azure managed certificate is issued and managed by the Azure Front Door. For Azure pre-validated domain, the Azure managed certificate gets issued and is managed by the Azure service that validates the domain. To use own certificate, see [Configure HTTPS on a custom domain](how-to-configure-https-custom-domain.md).

- > * Azure Front Door supports Azure pre-validated domains and Azure DNS zones in different subscriptions.

- > * Currently Azure pre-validated domains only supports domains validated by Static Web App.

- :::image type="content" source="../media/how-to-add-custom-domain/validation-state-submitting.png" alt-text="Screenshot of domain validation state submitting.":::

- > * Starting September 2023, Azure Front Door supports Bring Your Own Certificates (BYOC) based domain ownership validation. Front Door will automatically approve the domain ownership so long as the Certificate Name (CN) or Subject Alternative Name (SAN) of provided certificate matches the custom domain. When you select Azure managed certificate, the domain ownership will continue to be valdiated via the DNS TXT record.

- > * For custom domains created before BYOC based validation is supported and the domain validation status is anything but **Approved**, you need to trigger the auto approval of the domain ownership validation by selecting the **Validation State** and then click on the **Revalidate** button in the portal. If you're using the command line tool, you can trigger domain validation by sending an empty PATCH request to the domain API.

- > * An Azure pre-validated domain will have a validation state of **Pending** and will automatically change to **Approved** after a few minutes. Once validation gets approved, skip to [**Associate the custom domain to your Front Door endpoint**](#associate-the-custom-domain-with-your-azure-front-door-endpoint) and complete the remaining steps.

- The validation state will change to **Pending** after a few minutes.

- :::image type="content" source="../media/how-to-add-custom-domain/validation-state-pending.png" alt-text="Screenshot of domain validation state pending.":::

-1. Select the **Pending** validation state. A new page appears with DNS TXT record information needed to validate the custom domain. The TXT record is in the form of `_dnsauth.<your_subdomain>`. If you're using Azure DNS-based zone, select the **Add** button, and a new TXT record with the displayed record value gets created in the Azure DNS zone. If you're using another DNS provider, manually create a new TXT record of name `_dnsauth.<your_subdomain>` with the record value as shown on the page.

- :::image type="content" source="../media/how-to-add-custom-domain/validate-custom-domain.png" alt-text="Screenshot of validate custom domain page.":::

-1. Close the page to return to custom domains list landing page. The provisioning state of custom domain should change to **Provisioned** and validation state should change to **Approved**.

- :::image type="content" source="../media/how-to-add-custom-domain/provisioned-approved-status.png" alt-text="Screenshot of provisioned and approved status.":::

-After you validate your custom domain, you can associate it to your Azure Front Door Standard/Premium endpoint.

-1. Select the **Unassociated** link to open the **Associate endpoint and routes** page. Select an endpoint and routes you want to associate the domain with. Then select **Associate** to update your configuration.

- :::image type="content" source="../media/how-to-add-custom-domain/associate-endpoint-routes.png" alt-text="Screenshot of associate endpoint and routes page.":::

- The Endpoint association status should change to reflect the endpoint to which the custom domain is currently associated.

- :::image type="content" source="../media/how-to-add-custom-domain/endpoint-association-status.png" alt-text="Screenshot of endpoint association link.":::

-1. Select the DNS state link.

- :::image type="content" source="../media/how-to-add-custom-domain/dns-state-link.png" alt-text="Screenshot of DNS state link.":::

- > For an Azure pre-validated domain, go to the DNS hosting service and manually update the CNAME record for this domain from the other Azure service endpoint to Azure Front Door endpoint. This step is required, regardless of whether the domain is hosted with Azure DNS or with another DNS service. The link to update the CNAME from the DNS State column isn't available for this type of domain.

-1. The **Add or update the CNAME record** page appears and displays the CNAME record information that must be provided before traffic can start flowing. If you're using Azure DNS hosted zones, the CNAME records can be created by selecting the **Add** button on the page. If you're using another DNS provider, you must manually enter the CNAME record name and value as shown on the page.

- :::image type="content" source="../media/how-to-add-custom-domain/add-update-cname-record.png" alt-text="Screenshot of add or update CNAME record.":::

-1. Once the CNAME record gets created and the custom domain is associated to the Azure Front Door endpoint, traffic starts flowing.

- > * If HTTPS is enabled, certificate provisioning and propagation may take a few minutes because propagation is being done to all edge locations.

- > * If your domain CNAME is indirectly pointed to a Front Door endpoint, for example, using Azure Traffic Manager for multi-CDN failover, the **DNS state** column shows as **CNAME/Alias record currently not detected**. Azure Front Door can't guarantee 100% detection of the CNAME record in this case. If you've configured an Azure Front Door endpoint to Azure Traffic Manager and still see this message, it doesnΓÇÖt mean you didn't set up correctly, therefore further no action is necessary from your side.

-After you've validated and associated the custom domain, verify that the custom domain is correctly referenced to your endpoint.

-Lastly, validate that your application content is getting served using a browser.

-* Learn about [End-to-end TLS with Azure Front Door](../end-to-end-tls.md).

-description: In this article, you'll learn how to configure HTTPS on an Azure Front Door custom domain.

-#Customer intent: As a website owner, I want to add a custom domain to my Front Door configuration so that my users can use my custom domain to access my content.

-# Configure HTTPS on an Azure Front Door custom domain using the Azure portal

-Azure Front Door enables secure TLS delivery to your applications by default when you use your own custom domains. To learn more about custom domains, including how custom domains work with HTTPS, see [Domains in Azure Front Door](../domain.md).

-Azure Front Door supports Azure-managed certificates and customer-managed certificates. In this article, you'll learn how to configure both types of certificates for your Azure Front Door custom domains.

-## Azure Front Door-managed certificates for non-Azure pre-validated domains

-Follow the steps below if you have your own domain, and the domain is not already associated with [another Azure service that pre-validates domains for Azure Front Door](../domain.md#domain-validation).

-1. Select **Domains** under settings for your Azure Front Door profile and then select **+ Add** to add a new domain.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-new-custom-domain.png" alt-text="Screenshot of domain configuration landing page.":::

-1. On the **Add a domain** page, enter or select the following information, then select **Add** to onboard the custom domain.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-domain-azure-managed.png" alt-text="Screenshot of add a domain page with Azure managed DNS selected.":::

- | Domain type | Select **Non-Azure pre-validated domain** |

- | DNS management | Select **Azure managed DNS (Recommended)** |

- | DNS zone | Select the **Azure DNS zone** that host the custom domain. |

- | HTTPS | Select **AFD Managed (Recommended)** |

-1. Validate and associate the custom domain to an endpoint by following the steps in enabling [custom domain](how-to-add-custom-domain.md).

-1. After the custom domain is associated with an endpoint successfully, Azure Front Door generates a certificate and deploys it. This process may take from several minutes to an hour to complete.

-## Azure-managed certificates for Azure pre-validated domains

-Follow the steps below if you have your own domain, and the domain is associated with [another Azure service that pre-validates domains for Azure Front Door](../domain.md#domain-validation).

-1. Select **Domains** under settings for your Azure Front Door profile and then select **+ Add** to add a new domain.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-new-custom-domain.png" alt-text="Screenshot of domain configuration landing page.":::

-1. On the **Add a domain** page, enter or select the following information, then select **Add** to onboard the custom domain.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-pre-validated-domain.png" alt-text="Screenshot of add a domain page with pre-validated domain.":::

- | Domain type | Select **Azure pre-validated domain** |

- | Pre-validated custom domain | Select a custom domain name from the drop-down list of Azure services. |

- | HTTPS | Select **Azure managed (Recommended)** |

-1. Validate and associate the custom domain to an endpoint by following the steps in enabling [custom domain](how-to-add-custom-domain.md).

-1. Once the custom domain gets associated to endpoint successfully, an AFD managed certificate gets deployed to Front Door. This process may take from several minutes to an hour to complete.

-## Using your own certificate

-We recommend you create a separate Azure Key Vault to store your Azure Front Door TLS certificates. For more information, see [create an Azure Key Vault](../../key-vault/general/quick-create-portal.md). If you already a certificate, you can upload it to your new Azure Key Vault. Otherwise, you can create a new certificate through Azure Key Vault from one of the certificate authorities (CAs) partners.

-> Azure Front Door currently only supports Azure Key Vault in the same subscription. Selecting an Azure Key Vault under a different subscription will result in a failure.

-> [!NOTE]

-> * Azure Front Door doesn't support certificates with elliptic curve (EC) cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates, and also the root certification authority (CA) must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).

-> * We recommend using [**managed identity**](../managed-identity.md) to allow access to your Azure Key Vault certificates because App registration will be retired in the future.

-> * This action requires you to have *Global Administrator* permissions in Microsoft Entra ID. The registration only needs to be performed **once per Microsoft Entra tenant**.

-> * The application ID of **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8** and **d4631ece-daab-479b-be77-ccb713491fc0** is predefined by Azure for Front Door Standard and Premium across all Azure tenants and subscriptions. Azure Front Door (Classic) has a different application ID.

-1. Use PowerShell, run the following command:

- **Azure public cloud:**

- **Azure government cloud:**

-1. If needed, install [Azure CLI](/cli/azure/install-azure-cli) on your local machine.

- **Azure public cloud:**

- **Azure government cloud:**

-#### Grant Azure Front Door access to your Key Vault

-Grant Azure Front Door permission to access the certificates in your Azure Key Vault account. You only need to give **GET** permission to the certificate and secret in order for Azure Front Door to retrieve the certificate.

-1. In your key vault account, select **Access policies**.

-1. In **Secret permissions**, select **Get** to allow Front Door to retrieve the certificate.

-1. In **Certificate permissions**, select **Get** to allow Front Door to retrieve the certificate.

-1. In **Select principal**, search for **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8**, and select **Microsoft.AzureFrontDoor-Cdn**. Select **Next**.

-1. Navigate to **Secrets** under *Settings* and select **+ Add certificate**.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-certificate.png" alt-text="Screenshot of Azure Front Door secret landing page.":::

-1. On the **Add certificate** page, select the checkbox for the certificate you want to add to Azure Front Door Standard/Premium.

-1. When you select a certificate, you must [select the certificate version](../domain.md#rotate-own-certificate). If you select **Latest**, Azure Front Door will automatically update whenever the certificate is rotated (renewed). Alternatively, you can select a specific certificate version if you prefer to manage certificate rotation yourself.

- Leave the version selection as "Latest" and select **Add**.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-certificate-page.png" alt-text="Screenshot of add certificate page.":::

-1. Once the certificate gets provisioned successfully, you can use it when you add a new custom domain.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/successful-certificate-provisioned.png" alt-text="Screenshot of certificate successfully added to secrets.":::

-1. Navigate to **Domains** under *Setting* and select **+ Add** to add a new custom domain. On the **Add a domain** page, choose

-"Bring Your Own Certificate (BYOC)" for *HTTPS*. For *Secret*, select the certificate you want to use from the drop-down.

- > The common name (CN) of the selected certificate must match the custom domain being added.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/add-custom-domain-https.png" alt-text="Screenshot of add a custom domain page with HTTPS.":::

-1. Follow the on-screen steps to validate the certificate. Then associate the newly created custom domain to an endpoint as outlined in [creating a custom domain](how-to-add-custom-domain.md) guide.

-1. Select the certificate state to open the **Certificate details** page.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/domain-certificate.png" alt-text="Screenshot of certificate state on domains landing page.":::

-1. On the **Certificate details** page, you can change between *Azure managed* and *Bring Your Own Certificate (BYOC)*.

- If you select *Bring Your Own Certificate (BYOC)*, follow the steps described above to select a certificate.

- :::image type="content" source="../media/how-to-configure-https-custom-domain/certificate-details-page.png" alt-text="Screenshot of certificate details page.":::

-* Learn about [End-to-end TLS with Azure Front Door](../end-to-end-tls.md).

-### Logical operators

-description: How to integrate Azure IoT Hub and Apache Flink®

-## Prerequisites

-1. [Create an Azure IoTHub](/azure/iot-hub/iot-hub-create-through-portal/)

-2. [Create Flink cluster on HDInsight on AKS](./flink-create-cluster-portal.md)

-## Configure Flink cluster

-Add ABFS storage account keys in your Flink cluster's configuration.

-Add the following configurations:

-`fs.azure.account.key.<your storage account's dfs endpoint> = <your storage account's shared access key>`

-## Writing the Flink job

-### Set up configuration for ABFS

-```java

-Properties props = new Properties();

-props.put(

- "fs.azure.account.key.<your storage account's dfs endpoint>",

- "<your storage account's shared access key>"

-);

-Configuration conf = ConfigurationUtils.createConfiguration(props);

-StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment(conf);

-```

-This set up is required for Flink to authenticate with your ABFS storage account to write data to it.

-### Defining the IoT Hub source

-IoTHub is build on top of event hub and hence supports a kafka-like API. So in our Flink job, we can define a `KafkaSource` with appropriate parameters to consume messages from IoTHub.

-```java

-String connectionString = "<your iot hub connection string>";

-KafkaSource<String> source = KafkaSource.<String>builder()

- .setBootstrapServers("<your iot hub's service bus url>:9093")

- .setTopics("<name of your iot hub>")

- .setGroupId("$Default")

- .setProperty("partition.discovery.interval.ms", "10000")

- .setProperty("security.protocol", "SASL_SSL")

- .setProperty("sasl.mechanism", "PLAIN")

- .setProperty("sasl.jaas.config", String.format("org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$ConnectionString\" password=\"%s\";", connectionString))

- .setStartingOffsets(OffsetsInitializer.committedOffsets(OffsetResetStrategy.EARLIEST))

- .setValueOnlyDeserializer(new SimpleStringSchema())

- .build();

-DataStream<String> kafka = env.fromSource(source, WatermarkStrategy.noWatermarks(), "Kafka Source");

-kafka.print();

-```

-The connection string for IoT Hub can be found here -

-Within the connection string, you can find a service bus URL (URL of the underlying event hub namespace), which you need to add as a bootstrap server in your kafka source. In this case, it is: `iothub-ns-sagiri-iot-25146639-20dff4e426.servicebus.windows.net:9093`

-### Defining the ABFS sink

-```java

-String outputPath = "abfs://<container name>@<your storage account's dfs endpoint>";

-final FileSink<String> sink = FileSink

- .forRowFormat(new Path(outputPath), new SimpleStringEncoder<String>("UTF-8"))

- .withRollingPolicy(

- DefaultRollingPolicy.builder()

- .withRolloverInterval(Duration.ofMinutes(2))

- .withInactivityInterval(Duration.ofMinutes(3))

- .withMaxPartSize(MemorySize.ofMebiBytes(5))

- .build())

- .build();

-kafka.sinkTo(sink);

-### Flink job code

-```java

-package org.example;

-import java.time.Duration;

-import java.util.Properties;

-import org.apache.flink.configuration.Configuration;

-import org.apache.flink.configuration.ConfigurationUtils;

-import org.apache.flink.core.fs.Path;

-import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;

-import org.apache.flink.streaming.api.datastream.DataStream;

-import org.apache.flink.api.common.serialization.SimpleStringSchema;

-import org.apache.flink.api.common.eventtime.WatermarkStrategy;

-public class StreamingJob {

- public static void main(String[] args) throws Throwable {

- Properties props = new Properties();

- props.put(

- "fs.azure.account.key.<your storage account's dfs endpoint>",

- "<your storage account's shared access key>"

- );

- Configuration conf = ConfigurationUtils.createConfiguration(props);

- StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment(conf);

- String connectionString = "<your iot hub connection string>";

-

- KafkaSource<String> source = KafkaSource.<String>builder()

- .setBootstrapServers("<your iot hub's service bus url>:9093")

- .setTopics("<name of your iot hub>")

- .setGroupId("$Default")

- .setProperty("partition.discovery.interval.ms", "10000")

- .setProperty("security.protocol", "SASL_SSL")

- .setProperty("sasl.mechanism", "PLAIN")

- .setProperty("sasl.jaas.config", String.format("org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$ConnectionString\" password=\"%s\";", connectionString))

- .setStartingOffsets(OffsetsInitializer.committedOffsets(OffsetResetStrategy.EARLIEST))

- .setValueOnlyDeserializer(new SimpleStringSchema())

- .build();

- DataStream<String> kafka = env.fromSource(source, WatermarkStrategy.noWatermarks(), "Kafka Source");

- kafka.print();

- String outputPath = "abfs://<container name>@<your storage account's dfs endpoint>";

- final FileSink<String> sink = FileSink

- .forRowFormat(new Path(outputPath), new SimpleStringEncoder<String>("UTF-8"))

- .withRollingPolicy(

- DefaultRollingPolicy.builder()

- .withRolloverInterval(Duration.ofMinutes(2))

- .withInactivityInterval(Duration.ofMinutes(3))

- .withMaxPartSize(MemorySize.ofMebiBytes(5))

- .build())

- .build();

- kafka.sinkTo(sink);

- env.execute("Azure-IoTHub-Flink-ABFS");

- }

-#### Maven dependencies

-<dependency>

- <groupId>org.apache.flink</groupId>

- <artifactId>flink-java</artifactId>

- <version>${flink.version}</version>

-</dependency>

-<dependency>

- <groupId>org.apache.flink</groupId>

- <artifactId>flink-streaming-java</artifactId>

- <version>${flink.version}</version>

-</dependency>

-<dependency>

- <groupId>org.apache.flink</groupId>

- <artifactId>flink-streaming-scala_2.12</artifactId>

- <version>${flink.version}</version>

-</dependency>

-<dependency>

- <groupId>org.apache.flink</groupId>

- <artifactId>flink-clients</artifactId>

- <version>${flink.version}</version>

-</dependency>

-<dependency>

- <groupId>org.apache.flink</groupId>

- <artifactId>flink-connector-kafka</artifactId>

- <version>${flink.version}</version>

-</dependency>

-<dependency>

- <groupId>org.apache.flink</groupId>

- <artifactId>flink-connector-files</artifactId>

- <version>${flink.version}</version>

-</dependency>

-### Submit job

-Submit job using HDInsight on AKS's [Flink job submission API](./flink-job-management.md)

-To learn more about implementing automatic reconnections, see [Manage device reconnections to create resilient applications](../../iot-develop/concepts-manage-device-reconnections.md).

-|[Send telemetry from a device to Azure IoT Hub (C)](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-ansi-c)|[Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c)|

-|[Send telemetry from a device to Azure IoT Hub (C#)](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp)|[Azure IoT SDK for .NET](https://github.com/Azure/azure-iot-sdk-csharp)|

-|[Send telemetry from a device to Azure IoT Hub (Node.js)](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-nodejs)|[Azure IoT Node.js SDK](https://github.com/Azure/azure-iot-sdk-node)|

-|[Send telemetry from a device to Azure IoT Hub (Python)](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-python)|[Azure IoT Python SDK](https://github.com/Azure/azure-iot-sdk-python)|

-|[Send telemetry from a device to Azure IoT Hub (Java)](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java)|[Azure IoT SDK for Java](https://github.com/Azure/azure-iot-sdk-java)|

-|[Quickstart: Connect an ESPRESSIF ESP32-Azure IoT Kit to IoT Hub](quickstart-devkit-espressif-esp32-freertos-iot-hub.md)|ESPRESSIF ESP32|FreeRTOS middleware|

-For more information on the difference between devices types covered in this article, see [About IoT Device Types](concepts-iot-device-types.md).

-> For more information on different device categories so you can choose the best SDK for your device, see [Azure IoT Device Types](concepts-iot-device-types.md).

-> [Connect a general simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Learn more about connecting embedded devices using C SDK and Embedded C SDK](concepts-using-c-sdk-and-embedded-c-sdk.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a general simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Learn more about connecting embedded devices using C SDK and Embedded C SDK](concepts-using-c-sdk-and-embedded-c-sdk.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Learn more about connecting embedded devices using C SDK and Embedded C SDK](concepts-using-c-sdk-and-embedded-c-sdk.md)

-> [Connect a device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a general simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Learn more about connecting embedded devices using C SDK and Embedded C SDK](concepts-using-c-sdk-and-embedded-c-sdk.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a general device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Learn more about connecting embedded devices using C SDK and Embedded C SDK](concepts-using-c-sdk-and-embedded-c-sdk.md)

-> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Connect a general simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)

-> [Learn more about connecting embedded devices using C SDK and Embedded C SDK](concepts-using-c-sdk-and-embedded-c-sdk.md)

-* Send telemetry from devices, see [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json).

-* Send telemetry from devices, see [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-csharp).

-* Send telemetry from devices, see [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-java)

-* Send telemetry from devices, see [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-nodejs)

-* Send telemetry from devices, see [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-python) article.

-The [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-csharp) quickstart and [Send cloud-to-device messages with IoT Hub](c2d-messaging-dotnet.md) article show the basic device-to-cloud and cloud-to-device messaging functionality of IoT Hub. The [Configure Message Routing with IoT Hub](tutorial-routing.md) article shows a way to reliably store device-to-cloud messages in Microsoft Azure blob storage. However, in some scenarios, you can't easily map the data your devices send into the relatively small device-to-cloud messages that IoT Hub accepts. For example:

-The [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-java) quickstart and [Send cloud-to-device messages with IoT Hub](c2d-messaging-java.md) articles show the basic device-to-cloud and cloud-to-device messaging functionality of IoT Hub. The [Configure message routing with IoT Hub](tutorial-routing.md) tutorial shows a way to reliably store device-to-cloud messages in Azure blob storage. However, in some scenarios, you can't easily map the data your devices send into the relatively small device-to-cloud messages that IoT Hub accepts. For example:

-The [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-nodejs) quickstart and [Send cloud-to-device messages with IoT Hub](c2d-messaging-node.md) articles show the basic device-to-cloud and cloud-to-device messaging functionality of IoT Hub. The [Configure Message Routing with IoT Hub](tutorial-routing.md) tutorial shows a way to reliably store device-to-cloud messages in Microsoft Azure blob storage. However, in some scenarios, you can't easily map the data your devices send into the relatively small device-to-cloud messages that IoT Hub accepts. For example:

-The [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-python) quickstart and [Send cloud-to-device messages with IoT Hub](c2d-messaging-python.md) articles show the basic device-to-cloud and cloud-to-device messaging functionality of IoT Hub. The [Configure Message Routing with IoT Hub](tutorial-routing.md) tutorial shows a way to reliably store device-to-cloud messages in Microsoft Azure blob storage. However, in some scenarios, you can't easily map the data your devices send into the relatively small device-to-cloud messages that IoT Hub accepts. For example:

-* To learn how to create and read IoT Hub messages in various programming languages, see the [Quickstarts](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json).

-* Read from a [built-in endpoint](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json)

-It's a good practice to throttle your calls so that you don't hit/exceed the throttling limits. If you do hit the limit, IoT Hub responds with error code 429 and the client should back-off and retry. These limits are per hub (or in some cases per hub/unit). For more information, see [Retry patterns](../iot-develop/concepts-manage-device-reconnections.md#retry-patterns).

-Learn how to [manage connectivity and reliable messaging](../iot-develop/concepts-manage-device-reconnections.md) using the IoT Hub device SDKs.

- Replace the value of the `connectionString` constant with the device connection string that you saved in the [Register a device](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json#register-a-device) section of the quickstart for sending telemetry.

-The IoT Hub service provides intra-region HA by implementing redundancies in almost all layers of the service. The [SLA published by the IoT Hub service](https://azure.microsoft.com/support/legal/sl#retry-patterns) must be built in to the components interacting with a cloud application to deal with transient failures.

-* [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json)

-* Complete one of the [Send telemetry](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json) quickstarts in the development language of your choice. Alternatively, you can use any device app that sends temperature telemetry; for example, the [Raspberry Pi online simulator](raspberry-pi-get-started.md) or one of the [Embedded device](../iot-develop/quickstart-devkit-mxchip-az3166.md) quickstarts. These articles cover the following requirements:

-* To learn more about the Azure IoT device SDKs and managing retries, see [Retry patterns](../iot-develop/concepts-manage-device-reconnections.md#retry-patterns).

-* [Connection and retry patterns with device SDKs](../iot-develop/concepts-manage-device-reconnections.md#connection-and-retry).

-We recommend using Azure IoT device SDKs to manage connections reliably. To learn more, see [Manage connectivity and reliable messaging by using Azure IoT Hub device SDKs](../iot-develop/concepts-manage-device-reconnections.md)

-To mitigate 500xxx errors, issue a retry from the device. To [automatically manage retries](../iot-develop/concepts-manage-device-reconnections.md#connection-and-retry), make sure you use the latest version of the [Azure IoT SDKs](iot-hub-devguide-sdks.md). For best practice on transient fault handling and retries, see [Transient fault handling](/azure/architecture/best-practices/transient-faults).

-This tutorial uses the Azure sample from the [.NET send telemetry quickstart](../iot-develop/quickstart-send-telemetry-iot-hub.md?toc=/azure/iot-hub/toc.json&bc=/azure/iot-hub/breadcrumb/toc.json&pivots=programming-language-csharp) to send messages to the IoT hub. You can always use a device or another sample to send messages, but you may have to modify a few steps accordingly.

-description: Use the Azure portal, Azure CLI, or GitHub Actions to deploy Azure IoT Operations extensions with the Azure IoT Orchestrator

-Deploy Azure IoT Operations Preview to a Kubernetes cluster using the Azure portal, Azure CLI, or GitHub actions. Once you have Azure IoT Operations deployed, then you can use the Azure IoT Orchestrator Preview service to manage and deploy additional workloads to your cluster.

-Cloud resources:

-* An Azure subscription. If you don't have an Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-* Azure access permissions. At a minimum, have **Contributor** permissions in your Azure subscription. Depending on the deployment method and feature flag status you select, you may also need **Microsoft/Authorization/roleAssignments/write** permissions. If you *don't* have role assignment write permissions, take the following additional steps when deploying:

- * If deploying with an Azure Resource Manager template, set the `deployResourceSyncRules` parameter to `false`.

- * If deploying with the Azure CLI, include the `--disable-rsync-rules`.

-* An [Azure Key Vault](../../key-vault/general/overview.md) that has the **Permission model** set to **Vault access policy**. You can check this setting in the **Access configuration** section of an existing key vault.

- ```bash

-* An Azure Arc-enabled Kubernetes cluster. If you don't have one, follow the steps in [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md?tabs=wsl-ubuntu).

-### Azure CLI

-Sign in to Azure CLI. To prevent potential permission issues later, sign in interactively with a browser here even if you already logged in before.

-```azurecli-interactive

-az login

-```

-> [!NOTE]

-> If you're using GitHub Codespaces in a browser, `az login` returns a localhost error in the browser window after logging in. To fix, either:

->

-> * Open the codespace in VS Code desktop, and then run `az login` in the terminal. This opens a browser window where you can log in to Azure.

-> * After you get the localhost error on the browser, copy the URL from the browser and use `curl <URL>` in a new terminal tab. You should see a JSON response with the message "You have logged into Microsoft Azure!".

-Deploy Azure IoT Operations to your cluster. The [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init) command does the following steps:

-* Creates a key vault in your resource group.

-* Sets up a service principal to give your cluster access to the key vault.

-* Configures TLS certificates.

-* Configures a secrets store on your cluster that connects to the key vault.

-* Deploys the Azure IoT Operations resources.

-```azurecli-interactive

-az iot ops init --cluster <CLUSTER_NAME> -g <RESOURCE_GROUP> --kv-id $(az keyvault create -n <NEW_KEYVAULT_NAME> -g <RESOURCE_GROUP> -o tsv --query id)

-```

->[!TIP]

->If you get an error that says *Your device is required to be managed to access your resource*, go back to the previous step and make sure that you signed in interactively.

-If you don't have **Microsoft.Authorization/roleAssignment/write** permissions in your Azure subscription, include the `--disable-rsync-rules` feature flag.

-If you encounter an issue with the KeyVault access policy and the Service Principal (SP) permissions, [pass service principal and KeyVault arguments](howto-manage-secrets.md#pass-service-principal-and-key-vault-arguments-to-azure-iot-operations-deployment).

-Use optional flags to customize the `az iot ops init` command. To learn more, see [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init).

-> [!TIP]

-> You can check the configurations of topic maps, QoS, message routes with the [CLI extension](/cli/azure/iot/ops#az-iot-ops-check-examples) `az iot ops check --detail-level 2`.

-It can take several minutes for the deployment to complete. Continue running the `get pods` command to refresh your view.

-Currently, there is no support for updating an existing Azure IoT Operations deployment. Instead, start with a clean cluster for a new deployment.

- az keyvault create --enable-rbac-authorization false --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>"

-There's a wide variety of devices available from different manufacturers to build your solution. For prototyping a microprocessor device, you can use a device such as a [Raspberry Pi](https://www.raspberrypi.org/). The Raspberry Pi lets you attach many different types of sensor. For prototyping a microcontroller device, use devices such as the [ESPRESSIF ESP32](../iot-develop/quickstart-devkit-espressif-esp32-freertos-iot-hub.md), [STMicroelectronics B-U585I-IOT02A Discovery kit](../iot-develop/quickstart-devkit-stm-b-u585i-iot-hub.md), [STMicroelectronics B-L4S5I-IOT01A Discovery kit](../iot-develop/quickstart-devkit-stm-b-l4s5i-iot-hub.md), or [NXP MIMXRT1060-EVK Evaluation kit](../iot-develop/quickstart-devkit-nxp-mimxrt1060-evk-iot-hub.md). These boards typically have built-in sensors, such as temperature and accelerometer sensors.

-For a tutorial on using MQTT directly, see [Use MQTT to develop an IoT device client without using a device SDK](../iot-develop/tutorial-use-mqtt.md).

-To learn more, see [Tutorial - Use MQTT to develop an IoT device client](../iot-develop/tutorial-use-mqtt.md).

-* [Use MQTT to develop an IoT device client without using a device SDK](../iot-develop/tutorial-use-mqtt.md)

-To learn more about implementing automatic reconnections to endpoints, see [Manage device reconnections to create resilient applications](../iot-develop/concepts-manage-device-reconnections.md).

-To learn more about implementing automatic reconnections to endpoints, see [Manage device reconnections to create resilient applications](../iot-develop/concepts-manage-device-reconnections.md).

-For devices that connect to an IoT hub directly or to an IoT hub in an IoT Central application, make sure that the devices continue to connect as your solution scales. To learn more, see [Manage device reconnections after autoscale](../iot-develop/concepts-manage-device-reconnections.md) and [Handle connection failures](../iot-central/core/concepts-device-implementation.md#best-practices).

-To learn more about when to use the embedded device SDKs, see [C SDK and Embedded C SDK usage scenarios](../iot-develop/concepts-using-c-sdk-and-embedded-c-sdk.md).

-Create an access policy for your key vault that grants certificate permissions to your user account.

-```azurecli

-az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --certificate-permissions delete get list create purge

-```

-#### Grant access to your key vault

-Create an access policy for your key vault that grants certificate permissions to your user account

-```azurecli

-az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --certificate-permissions delete get list create purge

-```

-Create a vault access policy for your key vault that grants key permissions to your user account.

-```azurecli

-az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --certificate-permissions delete get list create purge update

-```

-In this quickstart, you create a key vault in Azure Key Vault with Azure PowerShell. Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault you may review the [Overview](../general/overview.md). Azure PowerShell is used to create and manage Azure resources using commands or scripts. Once that you have completed that, you will store a certificate.

-To add a certificate to the vault, you just need to take a couple of additional steps. This certificate could be used by an application.

-Type the commands below to create a self-signed certificate with policy called **ExampleCertificate** :

-Now, you have created a Key Vault, stored a certificate, and retrieved it.

-In this quickstart you created a Key Vault and stored a certificate in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below.

-Create an access policy for your key vault that grants certificate permission to your user account

-### [Azure CLI](#tab/azure-cli)

-```azurecli

-az keyvault set-policy --name <your-unique-keyvault-name> --upn user@domain.com --certificate-permissions delete get list create

-```

-### [Azure PowerShell](#tab/azure-powershell)

-```azurepowershell

-Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "user@domain.com" -PermissionsToCertificates delete,get,list,create

-```

-1. Enable Azure RBAC permissions on new key vault:

-2. Enable Azure RBAC permissions on existing key vault:

-Run the following command to create a role assignment:

-### Creating custom roles

-## Frequently Asked Questions:

-Create an access policy for your key vault that grants key permissions to your user account.

-```azurecli

-az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --key-permissions delete get list create purge

-```

-Create an access policy for your key vault that grants key permissions to your user account

-```azurecli

-az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --key-permissions delete get list create purge

-```

-Create an access policy for your key vault that grants key permissions to your user account

-```azurecli

-az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --key-permissions delete get list create update purge

-```

-Create an access policy for your key vault that grants key permission to your user account.

-### [Azure CLI](#tab/azure-cli)

-```azurecli

-az keyvault set-policy --name <your-unique-keyvault-name> --upn user@domain.com --key-permissions get list create delete

-```

-### [Azure PowerShell](#tab/azure-powershell)

-```azurepowershell

-Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "user@domain.com" -PermissionsToKeys get,list,create,delete

-```

-Create an access policy for your key vault that grants secret permissions to your user account.

-```azurecli

-az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --secret-permissions delete get list set purge

-```

-Create an access policy for your key vault that grants secret permissions to your user account

-```azurecli

-az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --secret-permissions delete get list set purge

-```

-Create an access policy for your key vault that grants secret permissions to your user account

-```azurepowershell

-Set-AzKeyVaultAccessPolicy -VaultName "<YourKeyVaultName>" -UserPrincipalName "user@domain.com" -PermissionsToSecrets delete,get,list,set,purge

-```

-Create a vault access policy for your key vault that grants secret permissions to your user account with the [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy) command.

-```azurecli

-az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --secret-permissions delete get list set purge update

-```

-1. Navigate to your new key vault in the Azure portal

-1. On the Key Vault settings pages, select **Secrets**.

-1. Select on **Generate/Import**.

- - **Value**: Type a value for the secret. Key Vault APIs accept and return secret values as strings.

-Once that you receive the message that the secret has been successfully created, you may select on it on the list.

-By clicking "Show Secret Value" button in the right pane, you can see the hidden value.

-Use the Azure PowerShell [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) cmdlet to update the Key Vault access policy and grant secret permissions to your user account.

-```azurepowershell-interactive

-Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "user@domain.com" -PermissionsToSecrets get,set,delete

-```

-Create an access policy for your key vault that grants secret permission to your user account.

-### [Azure CLI](#tab/azure-cli)

-```azurecli

-az keyvault set-policy --name <your-unique-keyvault-name> --upn user@domain.com --secret-permissions delete get list set

-```

-### [Azure PowerShell](#tab/azure-powershell)

-```azurepowershell

-Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "user@domain.com" -PermissionsToSecrets delete,get,list,set

-```

-# Kubernetes resource propagation from hub cluster to member clusters (preview)

-Platform admins often need to deploy Kubernetes resources into multiple clusters, for example:

-* Roles and role bindings to manage who can access what.

-* An infrastructure application that needs to be on all clusters, for example, Prometheus, Flux.

-Application developers often need to deploy Kubernetes resources into multiple clusters, for example:

-* Deploy a video serving application into multiple clusters, one per region, for low latency watching experience.

-* Deploy a shopping cart application into two paired regions for customers to continue to shop during a single region outage.

-* Deploy a batch compute application into clusters with inexpensive spot node pools available.

-It's tedious to create and update these Kubernetes resources across tens or even hundreds of clusters, and track their current status in each cluster.

-Azure Kubernetes Fleet Manager (Fleet) provides Kubernetes resource propagation to enable at-scale management of Kubernetes resources.

-You can create Kubernetes resources in the hub cluster and propagate them to selected member clusters via Kubernetes Customer Resources: `MemberCluster` and `ClusterResourcePlacement`.

-Fleet supports these custom resources based on an [open-source cloud-native multi-cluster solution][fleet-github].

-## What is `MemberCluster`?