+* [Mobile ID](identity-provider-mobile-id.md)

+ Title: Set up sign-up and sign-in with Mobile ID

+description: Provide sign-up and sign-in to customers with Mobile ID in your applications using Azure Active Directory B2C.

+zone_pivot_groups: b2c-policy-type

+# Set up sign-up and sign-in with Mobile ID using Azure Active Directory B2C

+In this article, you learn how to provide sign-up and sign-in to customers with [Mobile ID](https://www.mobileid.ch) in your applications using Azure Active Directory B2C (Azure AD B2C). The Mobile ID solution protects access to your company data and applications with a comprehensive end-to- end solution for a strong multi-factor authentication (MFA). You add the Mobile ID to your user flows or custom policy using OpenID Connect protocol.

+## Prerequisites

+## Create a Mobile ID application

+To enable sign-in for users with Mobile ID in Azure AD B2C, you need to create an application. To create Mobile ID application, follow these steps:

+1. Contact [Mobile ID support](https://www.mobileid.ch/en/contact).

+1. Provide the Mobile ID the information about your Azure AD B2C tenant:

+ |Key |Note |

+ |||

+ |Redirect URI | Provide the `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp` URI. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain. |

+ |Token endpoint authentication method| `client_secret_post`|

+1. After the app is registered, the following information will be provided by the Mobile ID. Use this information to configure your user flow, or custom policy.

+ |Key |Note |

+ |||

+ | Client ID | The Mobile ID client ID. For example, 11111111-2222-3333-4444-555555555555. |

+ | Client Secret| The Mobile ID client secret.|

+## Configure Mobile ID as an identity provider

+1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD B2C tenant.

+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.

+1. Select **Identity providers**, and then select **New OpenID Connect provider**.

+1. Enter a **Name**. For example, enter *Mobile ID*.

+1. For **Metadata url**, enter the URL Mobile ID OpenId well-known configuration endpoint. For example:

+ ```http

+ https://openid.mobileid.ch/.well-known/openid-configuration

+ ```

+1. For **Client ID**, enter the Mobile ID Client ID.

+1. For **Client secret**, enter the Mobile ID client secret.

+1. For the **Scope**, enter the `openid, profile, phone, mid_profile`.

+1. Leave the default values for **Response type** (`code`), and **Response mode** (`form_post`).

+1. (Optional) For the **Domain hint**, enter `mobileid.ch`. For more information, see [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md#redirect-sign-in-to-a-social-provider).

+1. Under **Identity provider claims mapping**, select the following claims:

+ - **User ID**: *sub*

+ - **Display name**: *name*

+1. Select **Save**.

+## Add Mobile ID identity provider to a user flow

+At this point, the Mobile ID identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Mobile ID identity provider to a user flow:

+1. In your Azure AD B2C tenant, select **User flows**.

+1. Select the user flow that you want to add the Mobile ID identity provider.

+1. Under the **Social identity providers**, select **Mobile ID**.

+1. Select **Save**.

+1. To test your policy, select **Run user flow**.

+1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.

+1. Select the **Run user flow** button.

+1. From the sign-up or sign-in page, select **Mobile ID** to sign in with Mobile ID.

+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.

+## Create a policy key

+You need to store the client secret that you received from Mobile ID in your Azure AD B2C tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your tenant.

+3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.

+4. On the Overview page, select **Identity Experience Framework**.

+5. Select **Policy Keys** and then select **Add**.

+6. For **Options**, choose `Manual`.

+7. Enter a **Name** for the policy key. For example, `Mobile IDSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.

+8. In **Secret**, enter your Mobile ID client secret.

+9. For **Key usage**, select `Signature`.

+10. Select **Create**.

+## Configure Mobile ID as an identity provider

+To enable users to sign in using a Mobile ID, you need to define the Mobile ID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

+You can define a Mobile ID as a claims provider by adding it to the **ClaimsProviders** element in the extension file of your policy.

+1. Open the *TrustFrameworkExtensions.xml*.

+2. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.

+3. Add a new **ClaimsProvider** as follows:

+ ```xml

+ <ClaimsProvider>

+ <Domain>mobileid.ch</Domain>

+ <DisplayName>Mobile-ID</DisplayName>

+ <TechnicalProfiles>

+ <TechnicalProfile Id="MobileID-OAuth2">

+ <DisplayName>Mobile-ID</DisplayName>

+ <Protocol Name="OAuth2" />

+ <Metadata>

+ <Item Key="ProviderName">Mobile-ID</Item>

+ <Item Key="authorization_endpoint">https://m.mobileid.ch/oidc/authorize</Item>

+ <Item Key="AccessTokenEndpoint">https://openid.mobileid.ch/token</Item>

+ <Item Key="ClaimsEndpoint">https://openid.mobileid.ch/userinfo</Item>

+ <Item Key="scope">openid, profile, phone, mid_profile</Item>

+ <Item Key="HttpBinding">POST</Item>

+ <Item Key="UsePolicyInRedirectUri">false</Item>

+ <Item Key="token_endpoint_auth_method">client_secret_post</Item>

+ <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>

+ <Item Key="client_id">Your application ID</Item>

+ </Metadata>

+ <CryptographicKeys>

+ <Key Id="client_secret" StorageReferenceId="B2C_1A_MobileIdSecret" />

+ </CryptographicKeys>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>

+ <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>

+ <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="mobileid.ch" />

+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />

+ </OutputClaims>

+ <OutputClaimsTransformations>

+ <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />

+ <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />

+ <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />

+ <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />

+ </OutputClaimsTransformations>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

+ </TechnicalProfile>

+ </TechnicalProfiles>

+ </ClaimsProvider>

+ ```

+4. Set **client_id** to the Mobile ID client ID.

+5. Save the file.

+```xml

+<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">

+ <ClaimsProviderSelections>

+ ...

+ <ClaimsProviderSelection TargetClaimsExchangeId="MobileIDExchange" />

+ </ClaimsProviderSelections>

+ ...

+</OrchestrationStep>

+<OrchestrationStep Order="2" Type="ClaimsExchange">

+ ...

+ <ClaimsExchanges>

+ <ClaimsExchange Id="MobileIDExchange" TechnicalProfileReferenceId="MobileID-OAuth2" />

+ </ClaimsExchanges>

+</OrchestrationStep>

+```

+## Test your custom policy

+1. Select your relying party policy, for example `B2C_1A_signup_signin`.

+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.

+1. Select the **Run now** button.

+1. From the sign-up or sign-in page, select **Mobile ID** to sign in with Mobile ID.

+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.

+## Next steps

+Learn how to [pass Mobile ID token to your application](idp-pass-through-user-flow.md).

+**2.1.9**

+- TOTP multifactor authentication support. Adding links that allows users to download and install the Microsoft authenticator app to complete the enrollment of the TOTP on the authenticator.

+**2.1.7**

+- Accessibility fix - correcting to the tab index

+**2.1.6**

+- Accessibility fix - set the focus on the input field for verification.

+- Updates to the UI elements and CSS classes

+| SamlAssertionSigning| No| Specify the X509 certificate (RSA key set) to use to sign SAML assertion `<saml:Assertion>` element of the SAML token. If not provided, the `SamlMessageSigning` cryptographic key is used instead.|

+Azure Active Directory (Azure AD) B2B direct connect is a feature of External Identities that lets you set up a mutual trust relationship with another Azure AD organization for seamless collaboration. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each otherΓÇÖs organizations as guests. Use B2B direct connect to share resources with external Azure AD organizations. Or use it to share resources across multiple Azure AD tenants within your own organization.

+Currently, B2B direct connect capabilities work with Teams shared channels. When B2B direct connect is established between two organizations, users in one organization can create a shared channel in Teams and invite an external B2B direct connect user to it. Then from within Teams, the B2B direct connect user can seamlessly access the shared channel in their home tenant Teams instance, without having to manually sign in to the organization hosting the shared channel.

+Users with this role can't change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+Users with this role can't change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+Users with this role can't change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+Users with this role can't change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+In this section, a user called Britta Simon is created in Andromeda. Andromeda supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Andromeda, a new one is created after authentication. If you need to create a user manually, contact Andromeda Client support team.

+* An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in Azure](/azure/active-directory/manage-apps/f5-bigip-deployment-guide)

+As our example AD infrastructure is based on a .com domain suffix used both, internally and externally, we donΓÇÖt require any additional attributes to achieve a functional KCD SSO implementation. See the [advanced tutorial](/azure/active-directory/manage-apps/f5-big-ip-kerberos-advanced) for cases where you have multiple domains or userΓÇÖs log-in using an alternate suffix.

+You can refer to our [App Proxy guidance](../app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md) to validate an IIS application is configured appropriately for KCD. F5ΓÇÖs article on [how the APM handles Kerberos SSO](https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/kerberos-single-sign-on-method.html) is also a valuable resource.

+See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+> [GitHub Enterprise Managed Users](https://docs.github.com/enterprise-cloud@latest/admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users) is a feature of GitHub Enterprise Cloud which is different from GitHub Enterprise's standard SAML SSO and user provisioning implementation. If you haven't specifically requested an EMU instance, you have a standard GitHub Enterprise Cloud plan. In that case, please refer to [the documentation](./github-provisioning-tutorial.md) to configure user provisioning in your non-EMU organization. User provisioning is not supported for [GitHub Enterprise Accounts](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-enterprise-accounts)

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+To confirm that DNS is configured as expected, you can make a request to the Orchestrator's status endpoint. From your browser, request `http://sonar.maverics.com:7474/status`.

+- We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for iOS. [More information](whats-new.md?#microsoft-authenticator-did-generation-update)

+- We made updates to Microsoft Authenticator that change the interaction between the Issuer of a verifiable credential and the user presenting the verifiable credential. This update forces all Verifiable Credentials to be reissued in Microsoft Authenticator for Android. [More information](whats-new.md?#microsoft-authenticator-did-generation-update)

+### Microsoft Authenticator DID Generation Update

+We are making protocol updates in Microsoft Authenticator to support Single Long Form DID, thus deprecating the use of pairwise. With this update, your DID in Microsoft Authenticator will be used of every issuer and relaying party exchange. Holders of verifiable credentials using Microsoft Authenticator must get their verifiable credentials reissued as any previous credentials aren't going to continue working.

+* **Operational Excellence**: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. For more information, see [Advisor Operational Excellence recommendations](advisor-operational-excellence-recommendations.md).

+ Title: Customize the node configuration for Azure Kubernetes Service (AKS) node pools

+# Customize node configuration for Azure Kubernetes Service (AKS) node pools

+ Title: Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster

+# Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster

+* Azure CLI version 2.35.0 or greater

+In this article, you'll learn how to troubleshoot the following issues, as described in more detail in Architecture Center: [Preserve the original HTTP host name between a reverse proxy and its backend web application](/azure/architecture/best-practices/host-name-preservation#potential-issues)

+* [Incorrect absolute URLs](/azure/architecture/best-practices/host-name-preservation#incorrect-absolute-urls)

+* [Incorrect redirect URLs](/azure/architecture/best-practices/host-name-preservation#incorrect-redirect-urls)

+* [Broken cookies](/azure/architecture/best-practices/host-name-preservation#broken-cookies)

+ Title: Create an Azure Attestation certificate by using Bicep

+description: Learn how to create an Azure Attestation certificate by using Bicep.

+# Quickstart: Create an Azure Attestation provider with a Bicep file

+[Microsoft Azure Attestation](overview.md) is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of deploying a Bicep file to create a Microsoft Azure Attestation policy.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/attestation-provider-create/).

+Azure resources defined in the Bicep file:

+- [Microsoft.Attestation/attestationProviders](/azure/templates/microsoft.attestation/attestationproviders?tabs=bicep)

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

+ ```

+

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Validate the deployment

+Use the Azure portal, Azure CLI, or Azure PowerShell to verify the resource group and server resource were created.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+Other Azure Attestation build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.

+When no longer needed, delete the resource group, which deletes the Attestation resource. To delete the resource group by using Azure CLI or Azure PowerShell:

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you created an attestation resource using a Bicep file, and validated the deployment. To learn more about Azure Attestation, see [Overview of Azure Attestation](overview.md).

+* SUSE Linux Enterprise Server 12, 15, and 15.1 (SUSE didn't release versions numbered 13 or 14)

+* Ubuntu

+ **Linux OS** | **Name** |

+ | |

+ 20.04 LTS | Focal Fossa

+ 18.04 LTS | Bionic Beaver

+ 16.04 LTS | Xenial Xerus

+ 14.04 LTS | Trusty Tahr

+ * If the next step in the update process is to install a Service Pack, there must be 20 minutes left in the maintenance window, or that update will be skipped.

+ * If the next step in the update process is to install any other kind of update besides Service Pack, there must be 15 minutes left in the maintenance window, or that update will be skipped.

+ * If the next step in the update process is a reboot, there must be 10 minutes left in the maintenance window, or the reboot will be skipped.

+While defining a deployment, you also specify a schedule to approve and set a time period during which updates can be installed. This period is called the maintenance window. A 10-minute span of the maintenance window is reserved for reboots, assuming one is needed and you selected the appropriate reboot option. If patching takes longer than expected and there's less than 10 minutes in the maintenance window, a reboot won't occur.

+|Arc enabled Kubernetes helm chart extension version|1.1.19211001|

+|Arc Data extension for Azure Data Studio|1.1.0|

+Clone the repo [https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/dotnet-core](https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/dotnet-core) on GitHub.

+Make a note of the **HOST NAME** and the **Primary** access key. You'll use these values later to construct the *CacheConnection* secret.

+## Add a local secret for the connection string

+```dos

+## Connect to the cache with RedisConnection

+The connection to your cache is managed by the `RedisConnection` class. The connection is first made in this statement from `Program.cs`:

+ _redisConnection = await RedisConnection.InitializeAsync(connectionString: configuration["CacheConnection"].ToString());

+In `RedisConnection.cs`, you see the `StackExchange.Redis` namespace has been added to the code. This is needed for the `RedisConnection` class.

+<!-- Is this right Philo -->

+The `RedisConnection` code ensures that there is always a healthy connection to the cache by managing the `ConnectionMultiplexer` instance from `StackExchange.Redis`. The `RedisConnection` class recreates the connection when a connection is lost and unable to reconnect automatically.

+For more information, see [StackExchange.Redis](https://stackexchange.github.io/StackExchange.Redis/) and the code in a [GitHub repo](https://github.com/StackExchange/StackExchange.Redis).

+<!-- :::code language="csharp" source="~/samples-cache/quickstart/dotnet-core/RedisConnection.cs"::: -->

+In `program.cs`, you can see the following code for the `RunRedisCommandsAsync` method in the `Program` class for the console application:

+<!-- Replaced this code with lines 57-81 from dotnet-core/Program.cs -->

+private static async Task RunRedisCommandsAsync(string prefix)

+ // Simple PING command

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: PING");

+ RedisResult pingResult = await _redisConnection.BasicRetryAsync(async (db) => await db.ExecuteAsync("PING"));

+ Console.WriteLine($"{prefix}: Cache response: {pingResult}");

+ // Simple get and put of integral data types into the cache

+ string key = "Message";

+ string value = "Hello! The cache is working from a .NET console app!";

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: GET {key} via StringGetAsync()");

+ RedisValue getMessageResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringGetAsync(key));

+ Console.WriteLine($"{prefix}: Cache response: {getMessageResult}");

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: SET {key} \"{value}\" via StringSetAsync()");

+ bool stringSetResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringSetAsync(key, value));

+ Console.WriteLine($"{prefix}: Cache response: {stringSetResult}");

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: GET {key} via StringGetAsync()");

+ getMessageResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringGetAsync(key));

+ Console.WriteLine($"{prefix}: Cache response: {getMessageResult}");

+ // Store serialized object to cache

+ Employee e007 = new Employee("007", "Davide Columbo", 100);

+ stringSetResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringSetAsync("e007", JsonSerializer.Serialize(e007)));

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache response from storing serialized Employee object: {stringSetResult}");

+ // Retrieve serialized object from cache

+ getMessageResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringGetAsync("e007"));

+ Employee e007FromCache = JsonSerializer.Deserialize<Employee>(getMessageResult);

+ Console.WriteLine($"{prefix}: Deserialized Employee .NET object:{Environment.NewLine}");

+ Console.WriteLine($"{prefix}: Employee.Name : {e007FromCache.Name}");

+ Console.WriteLine($"{prefix}: Employee.Id : {e007FromCache.Id}");

+ Console.WriteLine($"{prefix}: Employee.Age : {e007FromCache.Age}{Environment.NewLine}");

+ }

+Cache items can be stored and retrieved by using the `StringSetAsync` and `StringGetAsync` methods.

+In the example, you can see the `Message` key is set to value. The app updated that cached value. The app also executed the `PING` and command.

+### Work with .NET objects in the cache

+The Redis server stores most data as strings, but these strings can contain many types of data, including serialized binary data, which can be used when storing .NET objects in the cache.

+Azure Cache for Redis can cache both .NET objects and primitive data types, but before a .NET object can be cached it must be serialized.

+This .NET object serialization is the responsibility of the application developer, and gives the developer flexibility in the choice of the serializer.

+The following `Employee` class was defined in *Program.cs* so that the sample could also show how to get and set a serialized object :

+ public string Id { get; set; }

+ public string Name { get; set; }

+ public int Age { get; set; }

+ public Employee(string id, string name, int age)

+ {

+ Id = id;

+ Name = name;

+ Age = age;

+ }

+## Run the sample

+If you have opened any files, save them and build the app with the following command:

+```dos

+```dos

+If you continue to use this quickstart, you can keep the resources you created and reuse them.

+Otherwise, if you're finished with the quickstart sample application, you can delete the Azure resources created in this quickstart to avoid charges.

+### To delete a resource group

+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Resource groups**.

+1. In the **Filter by name...** textbox, type the name of your resource group. The instructions for this article used a resource group named *TestResources*. On your resource group in the result list, select **...** then **Delete resource group**.

+ :::image type="content" source="media/cache-dotnet-core-quickstart/cache-delete-resource-group.png" alt-text="Delete":::

+1. You'll be asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and select **Delete**.

+- [Connection resilience](cache-best-practices-connection.md)

+- [Best Practices Development](cache-best-practices-development.md)

+Clone the repo from [(https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/dotnet](https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/dotnet) on GitHub.

+1. Create a file on your computer named *CacheSecrets.config* and place it *C:\AppSecrets\CacheSecrets.config*.

+1. Edit the *CacheSecrets.config* file and add the following contents:

+ ```xml

+ <appSettings>

+ <add key="CacheConnection" value="<host-name>,abortConnect=false,ssl=true,allowAdmin=true,password=<access-key>"/>

+ </appSettings>

+ ```

+1. Replace `<host-name>` with your cache host name.

+1. Replace `<access-key>` with the primary key for your cache.

+1. Save the file.

+<!-- this section was removed from the core sample -->

+In this section, you prepare the console application to use the [StackExchange.Redis](https://github.com/StackExchange/StackExchange.Redis) client for .NET.

+1. In Visual Studio, select **Tools** > **NuGet Package Manager** > **Package Manager Console**, and run the following command from the Package Manager Console window.

+ ```powershell

+ Install-Package StackExchange.Redis

+ ```

+

+1. Once the installation is completed, the *StackExchange.Redis* cache client is available to use with your project.

+## Connect to the Secrets cache

+In Visual Studio, open your *App.config* file to verify it contains an `appSettings` `file` attribute that references the *CacheSecrets.config* file.

+Never store credentials in source code. To keep this sample simple, we use an external secrets config file. A better approach would be to use [Azure Key Vault with certificates](/rest/api/keyvault/certificate-scenarios).

+## Connect to the cache with RedisConnection

+The connection to your cache is managed by the `RedisConnection` class. The connection is first made in this statement from `Program.cs`:

+ _redisConnection = await RedisConnection.InitializeAsync(connectionString: ConfigurationManager.AppSettings["CacheConnection"].ToString());

+In `RedisConnection.cs`, you see the `StackExchange.Redis` namespace with the `using` keyword. This is needed for the `RedisConnection` class.

+using StackExchange.Redis;

+<!-- Is this right Philo -->

+The `RedisConnection` code ensures that there is always a healthy connection to the cache by managing the `ConnectionMultiplexer` instance from `StackExchange.Redis`. The `RedisConnection` class recreates the connection when a connection is lost and unable to reconnect automatically.

+For more information, see [StackExchange.Redis](https://stackexchange.github.io/StackExchange.Redis/) and the code in a [GitHub repo](https://github.com/StackExchange/StackExchange.Redis).

+<!-- :::code language="csharp" source="~/samples-cache/quickstart/dotnet/Redistest/RedisConnection.cs"::: -->

+In `program.cs`, you can see the following code for the `RunRedisCommandsAsync` method in the `Program` class for the console application:

+private static async Task RunRedisCommandsAsync(string prefix)

+ // Simple PING command

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: PING");

+ RedisResult pingResult = await _redisConnection.BasicRetryAsync(async (db) => await db.ExecuteAsync("PING"));

+ Console.WriteLine($"{prefix}: Cache response: {pingResult}");

+ // Simple get and put of integral data types into the cache

+ string key = "Message";

+ string value = "Hello! The cache is working from a .NET console app!";

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: GET {key} via StringGetAsync()");

+ RedisValue getMessageResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringGetAsync(key));

+ Console.WriteLine($"{prefix}: Cache response: {getMessageResult}");

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: SET {key} \"{value}\" via StringSetAsync()");

+ bool stringSetResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringSetAsync(key, value));

+ Console.WriteLine($"{prefix}: Cache response: {stringSetResult}");

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache command: GET {key} via StringGetAsync()");

+ getMessageResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringGetAsync(key));

+ Console.WriteLine($"{prefix}: Cache response: {getMessageResult}");

+ // Store serialized object to cache

+ Employee e007 = new Employee("007", "Davide Columbo", 100);

+ stringSetResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringSetAsync("e007", JsonSerializer.Serialize(e007)));

+ Console.WriteLine($"{Environment.NewLine}{prefix}: Cache response from storing serialized Employee object: {stringSetResult}");

+ // Retrieve serialized object from cache

+ getMessageResult = await _redisConnection.BasicRetryAsync(async (db) => await db.StringGetAsync("e007"));

+ Employee e007FromCache = JsonSerializer.Deserialize<Employee>(getMessageResult);

+ Console.WriteLine($"{prefix}: Deserialized Employee .NET object:{Environment.NewLine}");

+ Console.WriteLine($"{prefix}: Employee.Name : {e007FromCache.Name}");

+ Console.WriteLine($"{prefix}: Employee.Id : {e007FromCache.Id}");

+ Console.WriteLine($"{prefix}: Employee.Age : {e007FromCache.Age}{Environment.NewLine}");

+ }

+```

+Cache items can be stored and retrieved by using the `StringSetAsync` and `StringGetAsync` methods.

+In the example, you can see the `Message` key is set to value. The app updated that cached value. The app also executed the `PING` and command.

+### Work with .NET objects in the cache

+The Redis server stores most data as strings, but these strings can contain many types of data, including serialized binary data, which can be used when storing .NET objects in the cache.

+Azure Cache for Redis can cache both .NET objects and primitive data types, but before a .NET object can be cached it must be serialized.

+This .NET object serialization is the responsibility of the application developer, and gives the developer flexibility in the choice of the serializer.

+One simple way to serialize objects is to use the `JsonConvert` serialization methods in `System.text.Json`.

+Add the `System.text.Json` namespace to Visual Studio:

+1. Select **Tools** > **NuGet Package Manager** > *Package Manager Console**.

+1. Then, run the following command from the Package Manager Console window.

+ ```powershell

+ Install-Package system.text.json

+ ```

+

+<!-- :::image type="content" source="media/cache-dotnet-how-to-use-azure-redis-cache/cache-console-app-partial.png" alt-text="Console app partial"::: -->

+The following `Employee` class was defined in *Program.cs* so that the sample could also show how to get and set a serialized object :

+## Run the sample

+Press **Ctrl+F5** to build and run the console app to test serialization of .NET objects.

+If you continuing to the use this quickstart, you can keep the resources created and reuse them.

+Otherwise, if you are finished with the quickstart sample application, you can delete the Azure resources created in this quickstart to avoid charges.

+You are asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and select **Delete**.

+- [Connection resilience](cache-best-practices-connection.md)

+- [Best Practices Development](cache-best-practices-development.md)

+1. On the **New** page, select **Databases** and then select **Azure Cache for Redis**.

+1. On the **New Redis Cache** page, configure the settings for your new premium cache.

+1. Select the **Networking** tab or select the **Networking** button at the bottom of the page.

+1. In the **Networking** tab, select your connectivity method. For premium cache instances, you can connect either publicly, via Public IP addresses or service endpoints, or privately, using a private endpoint.

+1. Select the **Next: Advanced** tab or select the **Next: Advanced** button on the bottom of the page.

+1. In the **Advanced** tab for a premium cache instance, configure the settings for non-TLS port, clustering, and data persistence. To enable clustering, select **Enable**.

+1. Select the **Next: Tags** tab or select the **Next: Tags** button at the bottom of the page.

+1. Optionally, in the **Tags** tab, enter the name and value if you wish to categorize the resource.

+1. Select **Review + create**. You're taken to the Review + create tab where Azure validates your configuration.

+1. After the green Validation passed message appears, select **Create**.

+> If you're using StackExchange.Redis as your client, ensure you're using the latest version of [StackExchange.Redis](https://www.nuget.org/packages/StackExchange.Redis/) 1.0.481 or later for clustering to work correctly. For more information on any issues with move exceptions, see [move exceptions](#im-getting-move-exceptions-when-using-stackexchangeredis-and-clustering-what-should-i-do).

+If you're using StackExchange.Redis and receive `MOVE` exceptions when using clustering, ensure that you're using [StackExchange.Redis 1.1.603](https://www.nuget.org/packages/StackExchange.Redis/) or later. For instructions on configuring your .NET applications to use StackExchange.Redis, see [Configure the cache clients](cache-dotnet-how-to-use-azure-redis-cache.md#configure-the-cache-client).

+- If you enabled clustering when you created your **Premium** cache, you can [change the cluster size](cache-how-to-premium-clustering.md#set-up-clustering). If your cache was created without clustering enabled, you can configure clustering at a later time.

+description: In this quickstart, you'll create a new Java app that uses Azure Cache for Redis

+In this quickstart, you incorporate Azure Cache for Redis into a Java app using the [Jedis](https://github.com/xetorthio/jedis) Redis client. Your cache is a secure, dedicated cache that is accessible from any application within Azure.

+Clone the repo [Java quickstart](https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/java) on GitHub.

+Depending on your operating system, add environment variables for your **Host name** and **Primary access key** that you noted above. Open a command prompt, or a terminal window, and set up the following values:

+```dos

+## Understanding the Java sample

+In this sample, you use Maven to run the quickstart app.

+1. Change to the new *redistest* project directory.

+1. Open the *pom.xml* file. In the file, you'll see a dependency for [Jedis](https://github.com/xetorthio/jedis):

+ ```xml

+ <groupId>redis.clients</groupId>

+ <artifactId>jedis</artifactId>

+ <version>4.1.0</version>

+ <type>jar</type>

+ <scope>compile</scope>

+ ```

+1. Close the *pom.xml* file.

+1. Open *App.java* and see the code with the following code:

+ ```java

+ package example.demo;

+

+ import redis.clients.jedis.DefaultJedisClientConfig;

+ import redis.clients.jedis.Jedis;

+

+ /**

+ * Redis test

+ *

+ */

+ public class App

+ public static void main( String[] args )

+ {

+

+ boolean useSsl = true;

+ String cacheHostname = System.getenv("REDISCACHEHOSTNAME");

+ String cachekey = System.getenv("REDISCACHEKEY");

+

+ // Connect to the Azure Cache for Redis over the TLS/SSL port using the key.

+ Jedis jedis = new Jedis(cacheHostname, 6380, DefaultJedisClientConfig.builder()

+ .password(cachekey)

+ .ssl(useSsl)

+ .build());

+

+ // Perform cache operations using the cache connection object...

+

+ // Simple PING command

+ System.out.println( "\nCache Command : Ping" );

+ System.out.println( "Cache Response : " + jedis.ping());

+

+ // Simple get and put of integral data types into the cache

+ System.out.println( "\nCache Command : GET Message" );

+ System.out.println( "Cache Response : " + jedis.get("Message"));

+

+ System.out.println( "\nCache Command : SET Message" );

+ System.out.println( "Cache Response : " + jedis.set("Message", "Hello! The cache is working from Java!"));

+

+ // Demonstrate "SET Message" executed as expected...

+ System.out.println( "\nCache Command : GET Message" );

+ System.out.println( "Cache Response : " + jedis.get("Message"));

+

+ // Get the client list, useful to see if connection list is growing...

+ System.out.println( "\nCache Command : CLIENT LIST" );

+ System.out.println( "Cache Response : " + jedis.clientList());

+

+ jedis.close();

+ }

+ ```

+ This code shows you how to connect to an Azure Cache for Redis instance using the cache host name and key environment variables. The code also stores and retrieves a string value in the cache. The `PING` and `CLIENT LIST` commands are also executed.

+1. Close the *App.java*.

+1. First, if you haven't already, you must set the environment variables as noted above.

+ ```dos

+ set REDISCACHEHOSTNAME=<YOUR_HOST_NAME>.redis.cache.windows.net

+ set REDISCACHEKEY=<YOUR_PRIMARY_ACCESS_KEY>

+ ```

+

+1. Execute the following Maven command to build and run the app:

+ ```dos

+ mvn compile

+ mvn exec:java -D exec.mainClass=example.demo.App

+ ```

+In the example below, you see the `Message` key previously had a cached value. The value was updated to a new value using `jedis.set`. The app also executed the `PING` and `CLIENT LIST` commands.

+If you continue to use the quickstart code, you can keep the resources created in this quickstart and reuse them.

+Otherwise, if you're finished with the quickstart sample application, you can delete the Azure resources created in this quickstart to avoid charges.

+ :::image type="content" source="./media/cache-java-get-started/azure-cache-redis-delete-resource-group.png" alt-text="Azure resource group deleted":::

+1. You'll be asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and select **Delete**.

+- [Development](cache-best-practices-development.md)

+- [Connection resilience](cache-best-practices-connection.md)

+# Quickstart: Use Azure Cache for Redis with an ASP.NET Core web app

+Clone the repo [https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/aspnet-core](https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/aspnet-core) on GitHub.

+Make a note of the **HOST NAME** and the **Primary** access key. You use these values later to construct the *CacheConnection* secret.

+## Add a local secret for the connection string

+In your command window, execute the following command to store a new secret named *CacheConnection*, after replacing the placeholders, including angle brackets, for your cache name and primary access key:

+```dos

+## Connect to the cache with RedisConnection

+The connection to your cache is managed by the `RedisConnection` class. The connection is made in this statement in `HomeController.cs` in the *Controllers* folder:

+```csharp

+_redisConnection = await _redisConnectionFactory;

+In `RedisConnection.cs`, you see the `StackExchange.Redis` namespace has been added to the code. This is needed for the `RedisConnection` class.

+The `RedisConnection` code ensures that there is always a healthy connection to the cache by managing the `ConnectionMultiplexer` instance from `StackExchange.Redis`. The `RedisConnection` class recreates the connection when a connection is lost and unable to reconnect automatically.

+For more information, see [StackExchange.Redis](https://stackexchange.github.io/StackExchange.Redis/) and the code in a [GitHub repo](https://github.com/StackExchange/StackExchange.Redis).

+<!-- :::code language="csharp" source="~/samples-cache/quickstart/aspnet-core/ContosoTeamStats/RedisConnection.cs"::: -->

+## Layout views in the sample

+The home page layout for this sample is stored in the *_Layout.cshtml* file. From this page, you start the actual cache testing by clicking the **Azure Cache for Redis Test** from this page.

+1. Open *Views\Shared\\_Layout.cshtml*.

+1. You should see in `<div class="navbar-header">`:

+ ```html

+ <a class="navbar-brand" asp-area="" asp-controller="Home" asp-action="RedisCache">Azure Cache for Redis Test</a>

+ ```

+### Showing data from the cache

+From the home page, you select **Azure Cache for Redis Test** to see the sample output.

+1. In **Solution Explorer**, expand the **Views** folder, and then right-click the **Home** folder.

+1. You should see this code in the *RedisCache.cshtml* file.

+ ```csharp

+ @{

+ ViewBag.Title = "Azure Cache for Redis Test";

+ }

+ <h2>@ViewBag.Title.</h2>

+ <h3>@ViewBag.Message</h3>

+ <br /><br />

+ <table border="1" cellpadding="10">

+ <tr>

+ <th>Command</th>

+ <th>Result</th>

+ </tr>

+ <tr>

+ <td>@ViewBag.command1</td>

+ <td><pre>@ViewBag.command1Result</pre></td>

+ </tr>

+ <tr>

+ <td>@ViewBag.command2</td>

+ <td><pre>@ViewBag.command2Result</pre></td>

+ </tr>

+ <tr>

+ <td>@ViewBag.command3</td>

+ <td><pre>@ViewBag.command3Result</pre></td>

+ </tr>

+ <tr>

+ <td>@ViewBag.command4</td>

+ <td><pre>@ViewBag.command4Result</pre></td>

+ </tr>

+ <tr>

+ <td>@ViewBag.command5</td>

+ <td><pre>@ViewBag.command5Result</pre></td>

+ </tr>

+ </table>

+ ```

+## Run the app locally

+1. Execute the following command in your command window to build the app:

+ ```dos

+ dotnet build

+ ```

+

+1. Then run the app with the following command:

+ ```dos

+ dotnet run

+ ```

+

+1. Browse to `https://localhost:5001` in your web browser.

+1. Select **Azure Cache for Redis Test** in the navigation bar of the web page to test cache access.

+If you continue to use this quickstart, you can keep the resources you created and reuse them.

+1. In the **Filter by name...** box, type the name of your resource group. The instructions for this article used a resource group named *TestResources*. On your resource group, in the results list, select **...**, and then select **Delete resource group**.

+ :::image type="content" source="media/cache-web-app-howto/cache-delete-resource-group.png" alt-text="Delete":::

+1. You're asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and then select **Delete**.

+- [Connection resilience](cache-best-practices-connection.md)

+- [Best Practices Development](cache-best-practices-development.md)

+Clone the repo [https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/aspnet](https://github.com/Azure-Samples/azure-cache-redis-samples/tree/main/quickstart/aspnet) on GitHub.

+In this section, you can see an MVC application that presents a view that displays a simple test against Azure Cache for Redis.

+### How the web.config file connects to the cache

+When you run the application locally, the information in *CacheSecrets.config* is used to connect to your Azure Cache for Redis instance. Later, you can deploy this application to Azure. At that time, you configure an app setting in Azure that the application uses to retrieve the cache connection information instead of this file.

+1. In **Solution Explorer**, open the *web.config* file.

+ :::image type="content" source="media/cache-web-app-howto/cache-web-config.png" alt-text="Web.config":::

+1. In the *web.config* file, you can how to set the `<appSetting>` element for running the application locally.

+ `<appSettings file="C:\AppSecrets\CacheSecrets.config">`

+## Install StackExchange.Redis

+Your solution needs the `StackExchange.Redis` package to run. Install it, with this procedure:

+1. Run the following command from the `Package Manager Console` window:

+1. The NuGet package downloads and adds the required assembly references for your client application to access Azure Cache for Redis with the `StackExchange.Redis` client.

+<!--

+Philo - Isn't this superfluous now?

+1. If you prefer to use a strong-named version of the `StackExchange.Redis` client library, install the `StackExchange.Redis` package.

+ -->

+## Connect to the cache with RedisConnection

+The connection to your cache is managed by the `RedisConnection` class. The connection is first made in this statement from `ContosoTeamStats/Controllers/HomeController.cs`:

+```csharp

+ private static Task<RedisConnection> _redisConnectionFactory = RedisConnection.InitializeAsync(connectionString: ConfigurationManager.AppSettings["CacheConnection"].ToString()););

+```

+The value of the *CacheConnection* secret is accessed using the Secret Manager configuration provider and is used as the password parameter.

+In `RedisConnection.cs`, you see the `StackExchange.Redis` namespace has been added to the code. This is needed for the `RedisConnection` class.

+```csharp

+using StackExchange.Redis;

+```

+The `RedisConnection` code ensures that there is always a healthy connection to the cache by managing the `ConnectionMultiplexer` instance from `StackExchange.Redis`. The `RedisConnection` class recreates the connection when a connection is lost and unable to reconnect automatically.

+For more information, see [StackExchange.Redis](https://stackexchange.github.io/StackExchange.Redis/) and the code in a [GitHub repo](https://github.com/StackExchange/StackExchange.Redis).

+<!-- :::code language="csharp" source="~/samples-cache/quickstart/aspnet/ContosoTeamStats/RedisConnection.cs "::: -->

+## Layout views in the sample

+The home page layout for this sample is stored in the *_Layout.cshtml* file. From this page, you start the actual cache testing by clicking the **Azure Cache for Redis Test** from this page.

+1. In **Solution Explorer**, expand the **Views** > **Shared** folder. Then open the *_Layout.cshtml* file.

+1. You see the following line in `<div class="navbar-header">`.

+ :::image type="content" source="media/cache-web-app-howto/cache-welcome-page.png" alt-text="screenshot of welcome page":::

+### Showing data from the cache

+From the home page, you select **Azure Cache for Redis Test** to see the sample output.

+1. In **Solution Explorer**, expand the **Views** folder, and then right-click the **Home** folder.

+1. You should see this code in the *RedisCache.cshtml* file.

+1. In the browser, select **Azure Cache for Redis Test** on the navigation bar.

+1. In the following example, the `Message` key previously had a cached value, which was set by using the Azure Cache for Redis console in the portal. The app updated that cached value. The app also executed the `PING` and `CLIENT LIST` commands.

+ :::image type="content" source="media/cache-web-app-howto/cache-simple-test-complete-local.png" alt-text="Screenshot of simple test completed local":::

+ :::image type="content" source="media/cache-web-app-howto/cache-publish-app.png" alt-text="Publish":::

+1. Select **Microsoft Azure App Service**, select **Create New**, and then select **Publish**.

+ :::image type="content" source="media/cache-web-app-howto/cache-publish-to-app-service.png" alt-text="Publish to App Service":::

+1. In the **Create App Service** dialog box, make the following changes:

+ :::image type="content" source="media/cache-web-app-howto/cache-create-app-service-dialog.png" alt-text="App Service dialog box":::

+1. After you configure the App Service hosting settings, select **Create**.

+1. Monitor the **Output** window in Visual Studio to see the publishing status. After the app has been published, the URL for the app is logged:

+ :::image type="content" source="media/cache-web-app-howto/cache-publishing-output.png" alt-text="Publishing output":::

+ :::image type="content" source="media/cache-web-app-howto/cache-find-app-service.png" alt-text="Find app":::

+ :::image type="content" source="media/cache-web-app-howto/cache-add-app-setting.png" alt-text="Add app setting":::

+1. In your browser, go to the URL for the app. The URL appears in the results of the publishing operation in the Visual Studio output window. It's also provided in the Azure portal on the overview page of the app you created.

+1. Select **Azure Cache for Redis Test** on the navigation bar to test cache access as you did with the local version.

+If you continue to use this quickstart, you can keep the resources you created and reuse them.

+1. In the **Filter by name...** box, type the name of your resource group. The instructions for this article used a resource group named *TestResources*. On your resource group, in the results list, select **...**, and then select **Delete resource group**.

+ :::image type="content" source="media/cache-dotnet-core-quickstart/cache-delete-resource-group.png" alt-text="Delete":::

+1. You're asked to confirm the deletion of the resource group. Type the name of your resource group to confirm, and then select **Delete**.

+- [Connection resilience](cache-best-practices-connection.md)

+- [Best Practices Development](cache-best-practices-development.md)

+* If you run into problems during deployment, you encounter an issue when using Start/Stop VMs v2 (preview), or if you have a related question, you can submit an issue on [GitHub](https://github.com/microsoft/startstopv2-deployments/issues). Filing an Azure support incident from the [Azure support site](https://azure.microsoft.com/support/options/) is also available for this preview version.

+|||manage.microsoft.com|manage.microsoft.us|Enterprise enrollment|

+### [Media Services](/azure/media-services/)

+For Azure Media Services v3 feature variations in Azure Government, see [Azure Media Services v3 clouds and regions availability](/azure/media-services/latest/azure-clouds-regions#us-government-cloud).

+| [Media Services](/azure/media-services/) | &#x2705; | &#x2705; |

+| [Media Services](/azure/media-services/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+ Title: Troubleshooting Azure Monitor autoscale

+description: Tracking down problems with Azure Monitor autoscaling used in Service Fabric, Virtual Machines, Web Apps, and cloud services.

+# Troubleshooting Azure Monitor autoscale

+Read information on [autoscale best practices](autoscale-best-practices.md).

+1. Add the **oms_agent** add-on profile to the existing [azurerm_kubernetes_cluster resource](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster)

+2. Add the [azurerm_log_analytics_solution](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) following the steps in the Terraform documentation.

+3. The metrics are not collected by default through Terraform, so once onboarded, there is an additional step to assign the monitoring metrics publisher role, which is required to [enable the metrics](./container-insights-update-metrics.md#update-one-cluster-by-using-the-azure-cli).

+# Tutorial: Ingestion-time transformations in Azure Monitor Logs (preview)

+Ingestion-time transformation is applied to any workflow that doesn't currently use a [data collection rule](../essentials/data-collection-rule-overview.md) to send data to a [supported table](tables-feature-support.md). Any transformation on a workspace will be ignored for these workflows.

+The workflows that currently use data collection rules are as follows:

+## How are the Active Directory Connector credentials stored on the Azure NetApp Files service?

+The AD Connector credentials are stored in the Azure NetApp Files control plane database in an encrypted format. The encryption algorithm used is AES-256 (one-way).

+An alias has been predefined for the [public module registry](./modules.md#path-to-module). To reference a public module, you can use the format:

+```bicep

+br/public:<file>:<tag>

+```

+You can override the public module registry alias definition in the bicepconfig.json file:

+```json

+{

+ "moduleAliases": {

+ "br": {

+ "public": {

+ "registry": "<your_module_registry>",

+ "modulePath": "<optional_module_path>"

+ }

+ }

+ }

+}

+```

+To share modules with other people in your organization, create a [template spec](../templates/template-specs.md), [public registry](https://github.com/Azure/bicep-registry-modules), or [private registry](private-module-registry.md). Template specs and modules in the registry are only available to users with the correct permissions.

+#### Public module registry

+The public module registry is hosted in a Microsoft container registry (MCR). The source code and the modules are stored in [GitHub](https://github.com/azure/bicep-registry-modules). The [README file](https://github.com/azure/bicep-registry-modules#readme) in the GitHub repo lists the available modules and their latest versions:

+

+Select the versions to see the available versions. You can also select **Code** to see the module source code, and open the Readme files.

+There are only a few published modules currently. More modules are coming. If you like to contribute to the registry, see the [contribution guide](https://github.com/Azure/bicep-registry-modules/blob/main/CONTRIBUTING.md).

+To link to a public registry module, specify the module path with the following syntax:

+```bicep

+module <symbolic-name> 'br/public:<file-path>:<tag>' = {}

+```

+- **br/public** is the alias for the public module registry.

+- **file path** can contain segments that can be separated by the `/` character.

+- **tag** is used for specifying a version for the module.

+For example:

+> [!NOTE]

+> **br/public** is the alias for the public registry. It can also be written as

+>

+> ```bicep

+> module <symbolic-name> 'br:mcr.microsoft.com/bicep/<file-path>:<tag>' = {}

+> ```

+>

+> For more information see aliases and configuring aliases later in this section.

+#### Private module registry

+An alias for the public module registry has been predefined:

+You can override the public alias in the bicepconfig.json file.

+To share [modules](modules.md) within your organization, you can create a private module registry. You publish modules to that registry and give read access to users who need to deploy the modules. After the modules are shared in the registries, you can reference them from your Bicep files. To contribute to the public module registry, see the [contribution guide](https://github.com/Azure/bicep-registry-modules/blob/main/CONTRIBUTING.md).

+Learn how to publish Bicep modules to private modules registry, and how to call the modules from your Bicep files. Private module registry allows you to share Bicep modules within your organization. To learn more, see [Create private registry for Bicep modules](./private-module-registry.md). To contribute to the public module registry, see the [contribution guide](https://github.com/Azure/bicep-registry-modules/blob/main/CONTRIBUTING.md).

+ Title: Metrics in Azure SignalR Service

+description: Metrics in Azure SignalR Service.

+# Metrics in Azure SignalR Service

+Azure SignalR Service has some built-in metrics and you and sets up [alerts](../azure-monitor/alerts/alerts-overview.md) and [autoscale](./signalr-howto-scale-autoscale.md) base on metrics.

+## Understand metrics

+Metrics provide the running info of the service. The available metrics are:

+> [!CAUTION]

+> The aggregation type "Count" is meaningless for all the metrics. Please DO NOT use it.

+|Metric|Unit|Recommended Aggregation Type|Description|Dimensions|

+||||||

+|Connection Close Count|Count|Sum|The count of connections closed by various reasons.|Endpoint, ConnectionCloseCategory|

+|Connection Count|Count|Max / Avg|The amount of connection.|Endpoint|

+|Connection Open Count|Count|Sum|The count of new connections opened.|Endpoint|

+|Connection Quota Utilization|Percent|Max / Avg|The percentage of connection connected relative to connection quota.|No Dimensions|

+|Inbound Traffic|Bytes|Sum|The inbound traffic of service|No Dimensions|

+|Message Count|Count|Sum|The total amount of messages.|No Dimensions|

+|Outbound Traffic|Bytes|Sum|The outbound traffic of service|No Dimensions|

+|System Errors|Percent|Avg|The percentage of system errors|No Dimensions|

+|User Errors|Percent|Avg|The percentage of user errors|No Dimensions|

+### Understand Dimensions

+Dimensions of a metric are name/value pairs that carry extra data to describe the metric value.

+The dimensions available in some metrics:

+* Endpoint: Describe the type of connection. Including dimension values: Client, Server, LiveTrace

+* ConnectionCloseCategory: Describe the categories of why connection getting closed. Including dimension values:

+ - Normal: Normal closure.

+ - Throttled: With (Message count/rate or connection) throttling, check Connection Count and Message Count current usage and your resource limits.

+ - PingTimeout: Connection ping timeout.

+ - NoAvailableServerConnection: Client connection cannot be established (won't even pass handshake) as no available server connection.

+ - InvokeUpstreamFailed: Upstream invoke failed.

+ - SlowClient: Too many messages queued up at service side, which needed to be sent.

+ - HandshakeError: Terminate connection in handshake phase, could be caused by the remote party closed the WebSocket connection without completing the close handshake. Mostly, it's caused by network issue. Otherwise, please check if the client is able to create websocket connection due to some browser settings.

+ - ServerConnectionNotFound: Target hub server not available. Nothing need to be done for improvement, this is by-design and reconnection should be done after this drop.

+ - ServerConnectionClosed: Client connection aborted because the corresponding server connection is dropped. When app server uses Azure SignalR Service SDK, in the background, it initiates server connections to the remote Azure SignalR service. Each client connection to the service is associated with one of the server connections to route traffic between client and app server. Once a server connection is closed, all the client connections it serves will be closed with ServerConnectionDropped message.

+ - ServiceTransientError: Internal server error

+ - BadRequest: This caused by invalid hub name, wrong payload, etc.

+ - ClosedByAppServer: App server asks the service to close the client.

+ - ServiceReload: This is triggered when a connection is dropped due to an internal service component reload. This event does not indicate a malfunction and is part of normal service operation.

+ - ServiceModeSwitched: Connection closed after service mode switched like from serverless mode to default mode

+ - Unauthorized: The connection is unauthorized

+Learn more about [multi-dimensional metrics](../azure-monitor/essentials/data-platform-metrics.md#multi-dimensional-metrics)

+### Understand the minimum grain of message count

+The minimum grain of message count showed in metric are 1, which means 2 KB outbound data traffic. If user sending very small amount of messages such as several bytes in a sampling time period, the message count will be 0.

+The way to check out small amount of messages is using metrics *Outbound Traffic*, which is count by bytes.

+### Understand System Errors and User Errors

+The Errors are the percentage of failure operations. Operations are consist of connecting, sending message and so on. The difference between System Error and User Error is that the former is the failure caused by our internal service error and the latter is caused by users. In normal case, the System Errors should be very low and near to zero.

+> [!IMPORTANT]

+> In some cases, the User Error will be always very high, especially in serverless case. In some browser, when user close the web page, the SignalR client doesn't close gracefully. The service will finally close it because of timeout. The timeout closure will be counted into User Error.

+## Related resources

+- [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicesignalr )

+SignalR Service SDK supports multiple endpoints for SignalR Service instances. You can use this feature to scale the concurrent connections, or use it for cross-region messaging.

+## Service Endpoint Metrics

+To enable advanced router, SignalR server SDK provides multiple metrics to help server do smart decision. The properties are under `ServiceEndpoint.EndpointMetrics`.

+| Metric Name | Description |

+| -- | -- |

+| `ClientConnectionCount` | Total concurrent connected client connection count on all hubs for the service endpoint |

+| `ServerConnectionCount` | Total concurrent connected server connection count on all hubs for the service endpoint |

+| `ConnectionCapacity` | Total connection quota for the service endpoint, including client and server connections |

+Below is an example to customize router according to `ClientConnectionCount`.

+```cs

+private class CustomRouter : EndpointRouterDecorator

+{

+ public override ServiceEndpoint GetNegotiateEndpoint(HttpContext context, IEnumerable<ServiceEndpoint> endpoints)

+ {

+ return endpoints.OrderBy(x => x.EndpointMetrics.ClientConnectionCount).FirstOrDefault(x => x.Online) // Get the available endpoint with minimal clients load

+ ?? base.GetNegotiateEndpoint(context, endpoints); // Or fallback to the default behavior to randomly select one from primary endpoints, or fallback to secondary when no primary ones are online

+ }

+}

+```

+## Dynamic Scale ServiceEndpoints

+From SDK version 1.5.0, we're enabling dynamic scale ServiceEndpoints for ASP.NET Core version first. So you don't have to restart app server when you need to add/remove a ServiceEndpoint. As ASP.NET Core is supporting default configuration like `appsettings.json` with `reloadOnChange: true`, you don't need to change a code and it's supported by nature. And if you'd like to add some customized configuration and work with hot-reload, please refer to [this](https://docs.microsoft.com/aspnet/core/fundamentals/configuration/?view=aspnetcore-3.1).

+> [!NOTE]

+>

+> Considering the time of connection set-up between server/service and client/service may be different, to ensure no message loss during the scale process, we have a staging period waiting for server connections be ready before open the new ServiceEndpoint to clients. Usually it takes seconds to complete and you'll be able to see log like `Succeed in adding endpoint: '{endpoint}'` which indicates the process complete. But for some unexpected reasons like cross-region network issue or configuration inconsistent on different app servers, the staging period will not be able to finish correctly. Since limited things can be done in these cases, we choose to promote the scale as it is. It's suggested to restart App Server when you find the scaling process not working correctly.

+>

+> The default timeout period for the scale is 5 minutes, and it can be customized by changing the value in `ServiceOptions.ServiceScaleTimeout`. If you have a lot of app servers, it's suggested to extend the value a little bit more.

+In this article, you'll use Azure SignalR Service, Azure Functions, and Java to build a serverless application to broadcast messages to clients.

+> The code in this article is available on [GitHub](https://github.com/aspnet/AzureSignalR-samples/tree/main/samples/QuickStartServerless/java).

+- An Azure account with an active subscription. If you don't already have an account, [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+

+ - The required SignalR Service bindings in Java are only supported in Azure Function Core Tools version 2.4.419 (host version 2.0.12332) or above.

+ - To install extensions, Azure Functions Core Tools requires the [.NET Core SDK](https://dotnet.microsoft.com/download) installed. However, no knowledge of .NET is required to build Java Azure Function apps.

+- [Apache Maven](https://maven.apache.org), version 3.0 or above.

+This quickstart can be run on macOS, Windows, or Linux.

+## Create an Azure SignalR Service instance

+## Configure and run the Azure Function app

+Make sure you have Azure Function Core Tools, Java (version 11 in the sample), and Maven installed.

+1. Initialize the project using Maven:

+ Maven asks you for values needed to finish generating the project. Provide the following values:

+ | **package** | `com.signalr` | A value that is the Java package for the generated function code. Use the default. |

+1. Go to the folder `src/main/java/com/signalr` and copy the following code to *Function.java*:

+1. Some dependencies need to be added. Open *pom.xml* and add the following dependencies used in the code:

+1. The client interface for this sample is a web page. We read HTML content from *content/https://docsupdatetracker.net/index.html* in the `index` function, and then create a new file *content/https://docsupdatetracker.net/index.html* in the `resources` directory. Your directory tree should look like this:

+ ``` nsProject

+ | - src

+ | | - main

+ | | | - java

+ | | | | - com

+ | | | | | - signalr

+ | | | | | | - Function.java

+ | | | - resources

+ | | | | - content

+ | | | | | - https://docsupdatetracker.net/index.html

+ | - pom.xml

+ | - host.json

+ | - local.settings.json

+1. Open *https://docsupdatetracker.net/index.html* and copy the following content:

+ <h1>Azure SignalR Serverless Sample</h1>

+ <div id="messages"></div>

+ <script src="https://cdnjs.cloudflare.com/ajax/libs/microsoft-signalr/3.1.7/signalr.min.js"></script>

+ <script>

+ connection.on('newMessage', (message) => {

+ });

+ connection.start()

+ </script>

+1. You're almost done now. The last step is to set a connection string of the SignalR Service to Azure Function settings.

+ 1. Search for the Azure SignalR instance you deployed earlier using the **Search** box in Azure portal. Select the instance to open it.

+ 1. Copy the primary connection string, and then run the following command:

+1. Run the Azure Function in local:

+ After Azure Function is running locally, go to `http://localhost:7071/api/index` and you'll see the current star count. If you star or "unstar" in the GitHub, you'll get a star count refreshing every few seconds.

+In this quickstart, you built and ran a real-time serverless application in the local host. Next, learn more about how to bi-directional communicating between clients and Azure Function with SignalR Service.

+ In this article, you'll use Azure SignalR Service, Azure Functions, and JavaScript to build a serverless application to broadcast messages to clients.

+> You can get all code mentioned in the article from [GitHub](https://github.com/aspnet/AzureSignalR-samples/tree/main/samples/QuickStartServerless/javascript).

+- A code editor, such as [Visual Studio Code](https://code.visualstudio.com/).

+- An Azure account with an active subscription. If you don't already have an Azure account, [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+The examples should work with other versions of Node.js, for more information, see [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages).

+This quickstart can be run on macOS, Windows, or Linux.

+## Create an Azure SignalR Service instance

+Make sure you have Azure Functions Core Tools installed.

+1. Using the command line, create an empty directory and then change to it. Initialize a new project:

+2. After you initialize a project, you need to create functions. In this sample, we'll create three functions:

+ 1. Run the following command to create a `index` function, which will host a web page for clients.

+ Open *index/function.json* and copy the following json code:

+ Open *index/index.js* and copy the following code:

+ 2. Create a `negotiate` function for clients to get an access token.

+ Open *negotiate/function.json* and copy the following json code:

+

+ 3. Create a `broadcast` function to broadcast messages to all clients. In the sample, we use a time trigger to broadcast messages periodically.

+

+

+ Open *broadcast/function.json* and copy the following code:

+

+

+ Open *broadcast/index.js* and copy the following code:

+

+3. The client interface of this sample is a web page. We read HTML content from *content/https://docsupdatetracker.net/index.html* in the `index` function, create a new file named *https://docsupdatetracker.net/index.html* in the `content` directory under your project root folder. Copy the following code:

+4. You're almost done now. The last step is to set a connection string of the SignalR Service to Azure Function settings.

+ 1. In the Azure portal, find the SignalR instance you deployed earlier by typing its name in the **Search** box. Select the instance to open it.

+

+

+

+5. Run the Azure function in local host:

+ After Azure Function running locally. Use your browser to visit `http://localhost:7071/api/index` and you can see the current star count. And if you star or "unstar" in GitHub, you'll see the star count refreshing every few seconds.

+ > SignalR binding needs Azure Storage, but you can use local storage emulator when the function is running locally.

+ > If you got an error like `There was an error performing a read operation on the Blob Storage Secret Repository. Please ensure the 'AzureWebJobsStorage' connection string is valid.` You need to download and enable [Storage Emulator](../storage/common/storage-use-emulator.md)

+In this quickstart, you built and ran a real-time serverless application in localhost. Next, learn more about how to bi-directional communicating between clients and Azure Function with SignalR Service.

+For more information about Multi-Factor Authentication support for SQL tools, see [Using multi-factor Azure Active Directory authentication](/azure/azure-sql/database/authentication-mfa-ssms-overview).

+`Active Directory Interactive` authentication supports multi-factor authentication using [Microsoft.Data.SqlClient](/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace) to connect to Azure SQL data sources. In a client C# program, the enum value directs the system to use the Azure Active Directory (Azure AD) interactive mode that supports Multi-Factor Authentication to connect to Azure SQL Database. The user who runs the program sees the following dialog boxes:

+ If the user's domain is federated with Azure AD, the dialog box doesn't appear, because no password is needed.

+ If the Azure AD policy imposes Multi-Factor Authentication on the user, a dialog box to sign in to your account will display.

+## Prerequisite

+For the C# example to run, a [logical SQL server](logical-servers.md) admin needs to assign an Azure AD admin for your server.

+## Microsoft.Data.SqlClient

+The C# example relies on the [Microsoft.Data.SqlClient](/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace) namespace. For more information, see [Using Azure Active Directory authentication with SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication).

+> [System.Data.SqlClient](/dotnet/api/system.data.sqlclient) uses the Azure Active Directory Authentication Library (ADAL), which will be deprecated. If you're using the [System.Data.SqlClient](/dotnet/api/system.data.sqlclient) namespace for Azure Active Directory authentication, migrate applications to [Microsoft.Data.SqlClient](/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace) and the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-migration). For more information about using Azure AD authentication with SqlClient, see [Using Azure Active Directory authentication with SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication).

+Before you run the C# example, it's a good idea to check that your setup and configurations are correct in [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms). Any C# program failure can then be narrowed to source code.

+Run SSMS from the same computer, in the same building, where you plan to run the C# example. For this test, any **Authentication** mode is OK. If there's any indication that the server isn't accepting your IP address, see [server-level and database-level firewall rules](firewall-configure.md) for help.

+> If you are a guest user in the database, you also need to provide the Azure AD domain name for the database: Select **Options** > **AD domain name or tenant ID**. If you are running SSMS 18.x or later, the AD domain name or tenant ID is no longer needed for guest users because 18.x or later automatically recognizes it.

+>

+>To find the domain name in the Azure portal, select **Azure Active Directory** > **Custom domain names**. In the C# example program, providing a domain name is not necessary.

+using Microsoft.Data.SqlClient;

+public class Program

+ public static void Main(string[] args)

+ // Use your own server, database, and user ID.

+ // Connetion string - user ID is not provided and is asked interactively.

+ string ConnectionString = @"Server=<your server>.database.windows.net; Authentication=Active Directory Interactive; Database=<your database>";

+ using (SqlConnection conn = new SqlConnection(ConnectionString))

+ conn.Open();

+ Console.WriteLine("ConnectionString2 succeeded.");

+ using (var cmd = new SqlCommand("SELECT @@Version", conn))

+ Console.WriteLine("select @@version");

+ var result = cmd.ExecuteScalar();

+ Console.WriteLine(result.ToString());

+ Console.ReadKey();

+ }

+}

+ConnectionString2 succeeded.

+select @@version

+Microsoft SQL Azure (RTM) - 12.0.2000.8

+ ...

+- [Azure Active Directory server principals](authentication-azure-ad-logins.md)

+- [Azure AD-only authentication with Azure SQL](authentication-azure-ad-only-authentication.md)

+- [Using multi-factor Azure Active Directory authentication](authentication-mfa-ssms-overview.md)

+description: "Learn how to enable Intel SGX for Always Encrypted with secure enclaves in Azure SQL Database by selecting SGX-enabled hardware."

+[Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database uses [Intel Software Guard Extensions (Intel SGX)](https://itpeernetwork.intel.com/microsoft-azure-confidential-computing/) enclaves. For Intel SGX to be available, the database must use the [vCore model](service-tiers-vcore.md) and [DC-series](service-tiers-sql-database-vcore.md#dc-series) hardware.

+Configuring the DC-series hardware to enable Intel SGX enclaves is the responsibility of the Azure SQL Database administrator. See [Roles and responsibilities when configuring SGX enclaves and attestation](always-encrypted-enclaves-plan.md#roles-and-responsibilities-when-configuring-sgx-enclaves-and-attestation).

+> Intel SGX is not available in hardware configurations other than DC-series. For example, Intel SGX is not available for Gen5 hardware, and it is not available for databases using the [DTU model](service-tiers-dtu.md).

+> Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For more information, see [DC-series](service-tiers-sql-database-vcore.md#dc-series).

+For detailed instructions for how to configure a new or existing database to use a specific hardware configuration, see [Hardware configuration](service-tiers-sql-database-vcore.md#hardware-configuration).

+In this step, you will create a new Azure SQL Database logical server and a new database using DC-series hardware, required for Always Encrypted with secure enclaves. For more information see [DC-series](service-tiers-sql-database-vcore.md#dc-series).

+ > You need to select a location (an Azure region) that supports both the DC-series hardware and Microsoft Azure Attestation. For the list of regions supporting DC-series, see [DC-series availability](service-tiers-sql-database-vcore.md#dc-series). [Here](https://azure.microsoft.com/global-infrastructure/services/?products=azure-attestation) is the regional availability of Microsoft Azure Attestation.

+ > You need to create your resource group in a region (location) that supports both the DC-series hardware and Microsoft Azure Attestation. For the list of regions supporting DC-series, see [DC-series availability](service-tiers-sql-database-vcore.md#dc-series). [Here](https://azure.microsoft.com/global-infrastructure/services/?products=azure-attestation) is the regional availability of Microsoft Azure Attestation.

+1. Assign yourself to the Attestation Contributor role for the attestation provider, to ensure you have permissions to configure an attestation policy.

+Intel SGX is a hardware-based trusted execution environment technology. Intel SGX is available for databases that use the [vCore model](service-tiers-sql-database-vcore.md) and [DC-series](service-tiers-sql-database-vcore.md?#dc-series) hardware. Therefore, to ensure you can use Always Encrypted with secure enclaves in your database, you need to either select the DC-series hardware when you create the database, or you can update your existing database to use the DC-series hardware.

+> Intel SGX is not available in hardware other than DC-series. For example, Intel SGX is not available for Gen5 hardware, and it is not available for databases using the [DTU model](service-tiers-dtu.md).

+> Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For details, see [DC-series](service-tiers-sql-database-vcore.md#dc-series).

+[Microsoft Azure Attestation](../../attestation/overview.md) is a solution for attesting Trusted Execution Environments (TEEs), including Intel SGX enclaves in Azure SQL databases using DC-series hardware.

+- Azure SQL Database administrator - enables SGX enclaves in databases by selecting the DC-series hardware, and provides the attestation administrator with the identity of the Azure SQL logical server that needs to access the attestation provider.

+ Title: Analyze and prevent deadlocks

+description: Learn how to analyze deadlocks and prevent them from reoccurring in Azure SQL Database

+# Analyze and prevent deadlocks in Azure SQL Database

+This article teaches you how to identify deadlocks in Azure SQL Database, use deadlock graphs and Query Store to identify the queries in the deadlock, and plan and test changes to prevent deadlocks from reoccurring.

+This article focuses on identifying and analyzing deadlocks due to lock contention. Learn more about other types of deadlocks in [resources that can deadlock](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#deadlock_resources).

+## How deadlocks occur in Azure SQL Database

+Each new database in Azure SQL Database has the [read committed snapshot](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#read_committed_snapshot--on--off--1) (RCSI) database setting enabled by default. [Blocking](understand-resolve-blocking.md) between sessions reading data and sessions writing data is minimized under RCSI, which uses row versioning to increase concurrency. However, blocking and deadlocks may still occur in databases in Azure SQL Database because:

+- Queries that modify data may block one another.

+- Queries may run under isolation levels that increase blocking. Isolation levels may be specified via client library methods, [query hints](/sql/t-sql/queries/hints-transact-sql-query), or [SET statements](/sql/t-sql/statements/set-transaction-isolation-level-transact-sql) in Transact-SQL.

+- [RCSI may be disabled](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#read_committed_snapshot--on--off--1), causing the database to use shared (S) locks to protect SELECT statements run under the read committed isolation level. This may increase blocking and deadlocks.

+### An example deadlock

+A deadlock occurs when two or more tasks permanently block one another because each task has a lock on a resource the other task is trying to lock. A deadlock is also called a cyclic dependency: in the case of a two-task deadlock, transaction A has a dependency on transaction B, and transaction B closes the circle by having a dependency on transaction A.

+For example:

+1. **Session A** begins an explicit transaction and runs an update statement that acquires an update (U) lock on one row on table `SalesLT.Product` that is [converted to an exclusive (X) lock](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#behavior-when-modifying-data).

+1. **Session B** runs an update statement that modifies the `SalesLT.ProductDescription` table. The update statement joins to the `SalesLT.Product` table to find the correct rows to update.

+ - **Session B** acquires an update (U) lock on 72 rows on the `SalesLT.ProductDescription` table.

+ - **Session B** needs a shared lock on rows on the table `SalesLT.Product`, including the row that is locked by **Session A**. **Session B** is blocked on `SalesLT.Product`.

+1. **Session A** continues its transaction, and now runs an update against the `SalesLT.ProductDescription` table. **Session A** is blocked by Session B on `SalesLT.ProductDescription`.

+All transactions in a deadlock will wait indefinitely unless one of the participating transactions is rolled back, for example, because its session was terminated.

+The database engine deadlock monitor periodically checks for tasks that are in a deadlock. If the deadlock monitor detects a cyclic dependency, it chooses one of the tasks as a victim and terminates its transaction with error 1205, "Transaction (Process ID *N*) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction." Breaking the deadlock in this way allows the other task or tasks in the deadlock to complete their transactions.

+>[!NOTE]

+> Learn more about the criteria for choosing a deadlock victim in the [Deadlock process list](#deadlock-process-list) section of this article.

+The application with the transaction chosen as the deadlock victim should retry the transaction, which usually completes after the other transaction or transactions involved in the deadlock have finished.

+It is a best practice to introduce a short, randomized delay before retry to avoid encountering the same deadlock again. Learn more about how to design [retry logic for transient errors](troubleshoot-common-connectivity-issues.md#retry-logic-for-transient-errors).

+### Default isolation level in Azure SQL Database

+New databases in Azure SQL Database enable read committed snapshot (RCSI) by default. RCSI changes the behavior of the [read committed isolation level](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#database-engine-isolation-levels) to use [row-versioning](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#Row_versioning) to provide statement-level consistency without the use of shared (S) locks for SELECT statements.

+With RCSI enabled:

+- Statements reading data do not block statements modifying data.

+- Statements modifying data do not block statements reading data.

+[Snapshot isolation level](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#b-enable-snapshot-isolation-on-a-database) is also enabled by default for new databases in Azure SQL Database. Snapshot isolation is an additional row-based isolation level that provides transaction-level consistency for data and which uses row versions to select rows to update. To use snapshot isolation, queries or connections must explicitly set their transaction isolation level to `SNAPSHOT`. This may only be done when snapshot isolation is enabled for the database.

+You can identify if RCSI and/or snapshot isolation are enabled with Transact-SQL. Connect to your database in Azure SQL Database and run the following query:

+```sql

+SELECT name, is_read_committed_snapshot_on, snapshot_isolation_state_desc

+FROM sys.databases

+WHERE name = DB_NAME();

+GO

+```

+If RCSI is enabled, the `is_read_committed_snapshot_on` column will return the value **1**. If snapshot isolation is enabled, the `snapshot_isolation_state_desc` column will return the value **ON**.

+If [RCSI has been disabled](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#read_committed_snapshot--on--off--1) for a database in Azure SQL Database, investigate why RCSI was disabled before re-enabling it. Application code may have been written expecting that queries reading data will be blocked by queries writing data, resulting in incorrect results from race conditions when RCSI is enabled.

+### Interpreting deadlock events

+A deadlock event is emitted after the deadlock manager in Azure SQL Database detects a deadlock and selects a transaction as the victim. In other words, if you set up alerts for deadlocks, the notification fires after an individual deadlock has been resolved. There is no user action that needs to be taken for that deadlock. Applications should be written to include [retry logic](troubleshoot-common-connectivity-issues.md#retry-logic-for-transient-errors) so that they automatically continue after receiving error 1205, "Transaction (Process ID *N*) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction."

+It's useful to set up alerts, however, as deadlocks may reoccur. Deadlock alerts enable you to investigate if a pattern of repeat deadlocks is happening in your database, in which case you may choose to take action to prevent deadlocks from reoccurring. Learn more about alerting in the [Monitor and alert on deadlocks](#monitor-and-alert-on-deadlocks) section of this article.

+### Top methods to prevent deadlocks

+The lowest risk approach to preventing deadlocks from reoccurring is generally to [tune nonclustered indexes](#prevent-a-deadlock-from-reoccurring) to optimize queries involved in the deadlock.

+- Risk is low for this approach because tuning nonclustered indexes doesn't require changes to the query code itself, reducing the risk of a user error when rewriting Transact-SQL that causes incorrect data to be returned to the user.

+- Effective nonclustered index tuning helps queries find the data to read and modify more efficiently. By reducing the amount of data that a query needs to access, the likelihood of blocking is reduced and deadlocks can often be prevented.

+

+In some cases, creating or tuning a clustered index can reduce blocking and deadlocks. Because the clustered index is included in all nonclustered index definitions, creating or modifying a clustered index can be an IO intensive and time consuming operation on larger tables with existing nonclustered indexes. Learn more about [Clustered index design guidelines](/sql/relational-databases/sql-server-index-design-guide#Clustered).

+When index tuning isn't successful at preventing deadlocks, other methods are available:

+- If the deadlock occurs only when a particular plan is chosen for one of the queries involved in the deadlock, [forcing a query plan](/sql/relational-databases/system-stored-procedures/sp-query-store-force-plan-transact-sql) with Query Store may prevent deadlocks from reoccurring.

+- Rewriting Transact-SQL for one or more transactions involved in the deadlock can also help prevent deadlocks. Breaking apart explicit transactions into smaller transactions requires careful coding and testing to ensure data validity when concurrent modifications occur.

+Learn more about each of these approaches in the [Prevent a deadlock from reoccurring](#prevent-a-deadlock-from-reoccurring) section of this article.

+## Monitor and alert on deadlocks

+In this article, we will use the `AdventureWorksLT` sample database to set up alerts for deadlocks, cause an example deadlock, analyze the deadlock graph for the example deadlock, and test changes to prevent the deadlock from reoccurring.

+We'll use the [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms) (SSMS) client in this article, as it contains functionality to display deadlock graphs in an interactive visual mode. You can use other clients such as [Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio) to follow along with the examples, but you may only be able to view deadlock graphs as XML.

+### Create the AdventureWorksLT database

+To follow along with the examples, create a new database in Azure SQL Database and select **Sample** data as the **Data source**.

+For detailed instructions on how to create `AdventureWorksLT` with the Azure portal, Azure CLI, or PowerShell, select the approach of your choice in [Quickstart: Create an Azure SQL Database single database](single-database-create-quickstart.md).

+### Set up deadlock alerts in the Azure portal

+To set up alerts for deadlock events, follow the steps in the article [Create alerts for Azure SQL Database and Azure Synapse Analytics using the Azure portal](alerts-insights-configure-portal.md).

+Select **Deadlocks** as the signal name for the alert. Configure the **Action group** to notify you using the method of your choice, such as the **Email/SMS/Push/Voice** action type.

+## Collect deadlock graphs in Azure SQL Database with Extended Events

+Deadlock graphs are a rich source of information regarding the processes and locks involved in a deadlock. To collect deadlock graphs with Extended Events (XEvents) in Azure SQL Database, capture the `sqlserver.database_xml_deadlock_report` event.

+You can collect deadlock graphs with XEvents using either the [ring buffer target](xevent-code-ring-buffer.md) or an [event file target](xevent-code-event-file.md). Considerations for selecting the appropriate target type are summarized in the following table:

+|Approach |Benefits |Considerations |Usage scenarios |

+|||||

+|Ring buffer target | <ul><li>Simple setup with Transact-SQL only.</li></ul> | <ul><li>Event data is cleared when the XEvents session is stopped for any reason, such as taking the database offline or a database failover.</li><li>Database resources are used to maintain data in the ring buffer and to query session data.</li></ul> | <ul><li>Collect sample trace data for testing and learning.</li><li>Create for short term needs if you cannot set up a session using an event file target immediately.</li><li>Use as a "landing pad" for trace data, when you have set up an automated process to persist trace data into a table.</li> </ul> |

+Event file target | <ul><li>Persists event data to a blob in Azure Storage so data is available even after the session is stopped.</li><li>Event files may be downloaded from the Azure portal or [Azure Storage Explorer](#use-azure-storage-explorer) and analyzed locally, which does not require using database resources to query session data.</li></ul> | <ul><li>Setup is more complex and requires configuration of an Azure Storage container and database scoped credential.</ul></li> | <ul><li>General use when you want event data to persist even after the event session stops.</li><li>You want to run a trace that generates larger amounts of event data than you would like to persist in memory.</li></ul> |

+Select the target type you would like to use:

+# [Ring buffer target](#tab/ring-buffer)

+The ring buffer target is convenient and easy to set up, but has a limited capacity, which can cause older events to be lost. The ring buffer does not persist events to storage and the ring buffer target is cleared when the XEvents session is stopped. This means that any XEvents collected will not be available when the database engine restarts for any reason, such as a failover. The ring buffer target is best suited to learning and short-term needs if you do not have the ability to set up an XEvents session to an event file target immediately.

+This sample code creates an XEvents session that captures deadlock graphs in memory using the [ring buffer target](/sql/relational-databases/extended-events/targets-for-extended-events-in-sql-server#ring_buffer-target). The maximum memory allowed for the ring buffer target is 4 MB, and the session will automatically run when the database comes online, such as after a failover.

+To create and then start a XEvents session for the `sqlserver.database_xml_deadlock_report` event that writes to the ring buffer target, connect to your database and run the following Transact-SQL:

+```sql

+CREATE EVENT SESSION [deadlocks] ON DATABASE

+ADD EVENT sqlserver.database_xml_deadlock_report

+ADD TARGET package0.ring_buffer

+WITH (STARTUP_STATE=ON, MAX_MEMORY=4 MB)

+GO

+ALTER EVENT SESSION [deadlocks] ON DATABASE

+ STATE = START;

+GO

+```

+# [Event file target](#tab/event-file)

+The event file target persists deadlock graphs to files so they are available even after the XEvents session is stopped. The event file target also allows you to capture more deadlock graphs without allocating additional memory for a ring buffer. The event file target is suitable for long term use and for collecting larger amounts of trace data.

+To create an XEvents session that writes to an event file target, we will:

+1. Configure an Azure Storage container to hold the trace files using the Azure portal.

+1. Create a database scoped credential with Transact-SQL.

+1. Create the XEvents session with Transact-SQL.

+### Configure an Azure Storage container

+To configure an Azure Storage container, first create or select an existing Azure Storage account, then create the container. Generate a Shared Access Signature (SAS) token for the container. This section describes completing this process in the Azure portal.

+> [!NOTE]

+> If you wish to create and configure the Azure Storage blob container with PowerShell, see [Event File target code for extended events in Azure SQL Database](xevent-code-event-file.md). Alternately, you may find it convenient to [Use Azure Storage Explorer](#use-azure-storage-explorer) to create and configure the Azure Storage blob container instead of using the Azure portal.

+#### Create or select an Azure Storage account

+You can use an existing Azure Storage account or create a new Azure Storage account to host a container for trace files.

+To use an existing Azure Storage account:

+1. Navigate to the resource group you want to work with in the Azure portal.

+1. On the **Overview** pane, Under **Resources**, set the **Type** dropdown to *Storage account*.

+1. Select the storage account you want to use.

+To create a new Azure Storage account, follow the steps in [Create an Azure storage account](/azure/media-services/latest/storage-create-how-to). Complete the process by selecting **Go to resource** in the final step.

+#### Create a container

+From the storage account page in the Azure portal:

+1. Under **Data storage**, select **Containers**.

+1. Select **+ Container** to create a new container. The New container pane will appear.

+1. Enter a name for the container under **Name**.

+1. Select **Create**.

+1. Select the container from the list after it has been created.

+#### Create a shared access token

+From the container page in the Azure portal:

+1. Under **Settings**, select **Shared access tokens**.

+1. Leave the **Signing method** radio button set to the default selection, **Account key**.

+1. Under the **Permissions** dropdown, select the **Read**, **Write**, and **List** permissions.

+1. Set **Start** to the date and time you would like to be able to write trace files. Optionally, configure the time zone in the dropdown below **Start**.

+1. Set **Expiry** to the date and time you would like these permissions to expire. Optionally, configure the time zone in the dropdown below **Expiry**. You are able to set this to a date far in the future, such as ten years, if you wish.

+1. Select **Generate SAS token and URL**. The Blob SAS token and Blob SAS URL will be displayed on the screen.

+1. Copy and preserve the *Blob SAS token* and *Blob SAS URL* values for use in further steps.

+### Create a database scoped credential

+Connect to your database in Azure SQL Database with SSMS to run the following steps.

+To create a database scoped credential, you must first create a [master key](/sql/t-sql/statements/create-master-key-transact-sql) in the database if one does not exist.

+Run the following Transact-SQL to create a master key if one does not exist:

+```sql

+IF 0 = (SELECT COUNT(*)

+ FROM sys.symmetric_keys

+ WHERE symmetric_key_id = 101 and name=N'##MS_DatabaseMasterKey##')

+BEGIN

+ PRINT N'Creating master key';

+ CREATE MASTER KEY;

+END

+ELSE

+BEGIN

+ PRINT N'Master key already exists, no action taken';

+END

+GO

+```

+Next, create a database scoped credential with the following Transact-SQL. Before running the code:

+- Modify the URL to reflect your storage account name and your container name. This URL will be present at the beginning of the *Blob SAS URL* you copied when you created the shared access token. You only need the text prior to the first `?` in the string.

+- Modify the `SECRET` to contain the *Blob SAS token* value you copied when you created the shared access token.

+```sql

+CREATE DATABASE SCOPED CREDENTIAL

+ [https://yourstorageaccountname.blob.core.windows.net/yourcontainername]

+ WITH

+ IDENTITY = 'SHARED ACCESS SIGNATURE',

+ SECRET = 'sp=r&st=2022-04-08T14:34:21Z&se=2032-04-08T22:34:21Z&sv=2020-08-04&sr=c&sig=pUNbbsmDiMzXr1vuNGZh84zyOMBFaBjgWv53IhOzYWQ%3D'

+ ;

+GO

+```

+### Create the XEvents session

+Create and start the XEvents session with the following Transact-SQL. Before running the statement:

+- Replace the `filename` value to reflect your storage account name and your container name. This URL will be present at the beginning of the *Blob SAS URL* you copied when you created the shared access token. You only need the text prior to the first `?` in the string.

+- Optionally change the filename stored. The filename you specify here will be part of the actual filename(s) used for the blob(s) storing event data: additional values will be appended so that all event files have a unique name.

+- Optionally add additional events to the session.

+```sql

+CREATE EVENT SESSION [deadlocks_eventfile] ON DATABASE

+ADD EVENT sqlserver.database_xml_deadlock_report

+ADD TARGET package0.event_file

+ (SET filename =

+ 'https://yourstorageaccountname.blob.core.windows.net/yourcontainername/deadlocks.xel'

+ )

+WITH (STARTUP_STATE=ON, MAX_MEMORY=4 MB)

+GO

+ALTER EVENT SESSION [deadlocks_eventfile] ON DATABASE

+ STATE = START;

+GO

+```

+## Cause a deadlock in AdventureWorksLT

+> [!NOTE]

+> This example works in the AdventureWorksLT database with the default schema and data when RCSI has been enabled. See [Create the AdventureWorksLT database](#create-the-adventureworkslt-database) for instructions to create the database.

+To cause a deadlock, you will need to connect two sessions to the `AdventureWorksLT` database. We'll refer to these sessions as **Session A** and **Session B**.

+In **Session A**, run the following Transact-SQL. This code begins an [explicit transaction](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#starting-transactions) and runs a single statement that updates the `SalesLT.Product` table. To do this, the transaction acquires an [update (U) lock](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#behavior-when-modifying-data) on one row on table `SalesLT.Product` which is converted to an exclusive (X) lock. We leave the transaction open.

+```sql

+BEGIN TRAN

+ UPDATE SalesLT.Product SET SellEndDate = SellEndDate + 1

+ WHERE Color = 'Red';

+```

+Now, in **Session B**, run the following Transact-SQL. This code doesn't explicitly begin a transaction. Instead, it operates in [autocommit transaction mode](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#starting-transactions). This statement updates the `SalesLT.ProductDescription` table. The update will take out an update (U) lock on 72 rows on the `SalesLT.ProductDescription` table. The query joins to other tables, including the `SalesLT.Product` table.

+```sql

+UPDATE SalesLT.ProductDescription SET Description = Description

+ FROM SalesLT.ProductDescription as pd

+ JOIN SalesLT.ProductModelProductDescription as pmpd on

+ pd.ProductDescriptionID = pmpd.ProductDescriptionID

+ JOIN SalesLT.ProductModel as pm on

+ pmpd.ProductModelID = pm.ProductModelID

+ JOIN SalesLT.Product as p on

+ pm.ProductModelID=p.ProductModelID

+ WHERE p.Color = 'Silver';

+```

+To complete this update, **Session B** needs a shared (S) lock on rows on the table `SalesLT.Product`, including the row that is locked by **Session A**. **Session B** will be blocked on `SalesLT.Product`.

+Return to **Session A**. Run the following Transact-SQL statement. This runs a second UPDATE statement as part of the open transaction.

+```sql

+ UPDATE SalesLT.ProductDescription SET Description = Description

+ FROM SalesLT.ProductDescription as pd

+ JOIN SalesLT.ProductModelProductDescription as pmpd on

+ pd.ProductDescriptionID = pmpd.ProductDescriptionID

+ JOIN SalesLT.ProductModel as pm on

+ pmpd.ProductModelID = pm.ProductModelID

+ JOIN SalesLT.Product as p on

+ pm.ProductModelID=p.ProductModelID

+ WHERE p.Color = 'Red';

+```

+The second update statement in **Session A** will be blocked by **Session B** on the `SalesLT.ProductDescription`.

+**Session A** and **Session B** are now mutually blocking one another. Neither transaction can proceed, as they each need a resource that is locked by the other.

+After a few seconds, the deadlock monitor will identify that the transactions in **Session A** and **Session B** are mutually blocking one another, and that neither can make progress. You should see a deadlock occur, with **Session A** chosen as the deadlock victim. An error message will appear in **Session A** with text similar to the following:

+> Msg 1205, Level 13, State 51, Line 7

+> Transaction (Process ID 91) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

+**Session B** will complete successfully.

+If you [set up deadlock alerts in the Azure portal](#set-up-deadlock-alerts-in-the-azure-portal), you should receive a notification shortly after the deadlock occurs.

+## View deadlock graphs from an XEvents session

+If you have [set up an XEvents session to collect deadlocks](#collect-deadlock-graphs-in-azure-sql-database-with-extended-events) and a deadlock has occurred after the session was started, you can view an interactive graphic display of the deadlock graph as well as the XML for the deadlock graph.

+Different methods are available to obtain deadlock information for the ring buffer target and event file targets. Select the target you used for your XEvents session:

+# [Ring buffer target](#tab/ring-buffer)

+If you set up an XEvents session writing to the ring buffer, you can query deadlock information with the following Transact-SQL. Before running the query, replace the value of `@tracename` with the name of your xEvents session.

+```sql

+DECLARE @tracename sysname = N'deadlocks';

+WITH ring_buffer AS (

+ SELECT CAST(target_data AS XML) as rb

+ FROM sys.dm_xe_database_sessions AS s

+ JOIN sys.dm_xe_database_session_targets AS t

+ ON CAST(t.event_session_address AS BINARY(8)) = CAST(s.address AS BINARY(8))

+ WHERE s.name = @tracename and

+ t.target_name = N'ring_buffer'

+), dx AS (

+ SELECT

+ dxdr.evtdata.query('.') as deadlock_xml_deadlock_report

+ FROM ring_buffer

+ CROSS APPLY rb.nodes('/RingBufferTarget/event[@name=''database_xml_deadlock_report'']') AS dxdr(evtdata)

+)

+SELECT

+ d.query('/event/data[@name=''deadlock_cycle_id'']/value').value('(/value)[1]', 'int') AS [deadlock_cycle_id],

+ d.value('(/event/@timestamp)[1]', 'DateTime2') AS [deadlock_timestamp],

+ d.query('/event/data[@name=''database_name'']/value').value('(/value)[1]', 'nvarchar(256)') AS [database_name],

+ d.query('/event/data[@name=''xml_report'']/value/deadlock') AS deadlock_xml,

+ LTRIM(RTRIM(REPLACE(REPLACE(d.value('.', 'nvarchar(2000)'),CHAR(10),' '),CHAR(13),' '))) as query_text

+FROM dx

+CROSS APPLY deadlock_xml_deadlock_report.nodes('(/event/data/value/deadlock/process-list/process/inputbuf)') AS ib(d)

+ORDER BY [deadlock_timestamp] DESC;

+GO

+```

+# [Event file target](#tab/event-file)

+If you set up an XEvents session writing to an event file, you can download files from the Azure portal and view them locally, or you can query event files with Transact-SQL.

+Downloading files from the Azure portal is recommended because this method does not require using database resources to query session data.

+### Optionally restart the XEvents session

+If an Extended Events session is currently running and writing to an event file target, the blob container being written to will have a **Lease state** of *Leased* in the Azure portal. The size will be the maximum size of the file. To download a smaller file, you may wish to stop and restart the Extended Events session before downloading files. This will cause the file to change its **Lease state** to *Available*, and the file size will be the space used by events in the file.

+To stop and restart an XEvents session, connect to your database and run the following Transact-SQL. Before running the code, replace the name of the xEvents session with the appropriate value.

+```sql

+ALTER EVENT SESSION [deadlocks_eventfile] ON DATABASE

+ STATE = STOP;

+GO

+ALTER EVENT SESSION [deadlocks_eventfile] ON DATABASE

+ STATE = START;

+GO

+```

+### Download trace files from the Azure portal

+To view deadlock events that have been collected across multiple files, download the event session files to your local computer and view the files in SSMS.

+> [!NOTE]

+> You can also use [Use Azure Storage Explorer](#use-azure-storage-explorer) to quickly and conveniently download event session files from a blob container in Azure Storage.

+To download the files from the Azure portal:

+1. Navigate to the storage account hosting your container in the Azure portal.

+1. Under **Data storage**, select **Containers**.

+1. Select the container holding your XEvent trace files.

+1. For each file you wish to download, select **...**, then **Download**.

+### View XEvents trace files in SSMS

+If you have download multiple files, you can open events from all of the files together in the XEvents viewer in SSMS. To do so:

+1. Open SSMS.

+1. Select **File**, then **Open**, then **Merge Extended Events files...**.

+1. Select **Add**.

+1. Navigated to the directory where you downloaded the files. Use the **Shift** key to select multiple files.

+1. Select **Open**.

+1. Select **OK** in the **Merge Extended Events Files** dialog.

+If you have downloaded a single file, right-click the file and select **Open with**, then **SSMS**. This will open the XEvents viewer in SSMS.

+Navigate between events collected by selecting the relevant timestamp. To view the XML for a deadlock, double-click the `xml_report` row in the lower pane.

+### Query trace files with Transact-SQL

+> [!Important]

+> Querying large (1 GB and larger) XEvents trace files using this method is not recommended because it may consume large amounts of memory in your database or elastic pool.

+To query XEvents trace files from an Azure Storage container with Transact-SQL, you must provide the exact file name for the trace file. You must also run the query in the context of the database with the credential to access the storage, in other words, the same database that has created the XEvents files.

+Run the following Transact-SQL to query the currently active XEvents trace file. Before running the query, replace `@tracename` with the name of your XEvents session.

+```sql

+DECLARE @tracename sysname = N'deadlocks_eventfile',

+ @filename nvarchar(2000);

+WITH eft as (SELECT CAST(target_data AS XML) as rb

+ FROM sys.dm_xe_database_sessions AS s

+ JOIN sys.dm_xe_database_session_targets AS t

+ ON CAST(t.event_session_address AS BINARY(8)) = CAST(s.address AS BINARY(8))

+ WHERE s.name = @tracename and

+ t.target_name = N'event_file'

+)

+SELECT @filename = ft.evtdata.value('(@name)[1]','nvarchar(2000)')

+FROM eft

+CROSS APPLY rb.nodes('EventFileTarget/File') as ft(evtdata);

+WITH xevents AS (

+ SELECT cast(event_data as XML) as ed

+ FROM sys.fn_xe_file_target_read_file(@filename, null, null, null )

+), dx AS (

+ SELECT

+ dxdr.evtdata.query('.') as deadlock_xml_deadlock_report

+ FROM xevents

+ CROSS APPLY ed.nodes('/event[@name=''database_xml_deadlock_report'']') AS dxdr(evtdata)

+)

+SELECT

+ d.query('/event/data[@name=''deadlock_cycle_id'']/value').value('(/value)[1]', 'int') AS [deadlock_cycle_id],

+ d.value('(/event/@timestamp)[1]', 'DateTime2') AS [deadlock_timestamp],

+ d.query('/event/data[@name=''database_name'']/value').value('(/value)[1]', 'nvarchar(256)') AS [database_name],

+ d.query('/event/data[@name=''xml_report'']/value/deadlock') AS deadlock_xml,

+ LTRIM(RTRIM(REPLACE(REPLACE(d.value('.', 'nvarchar(2000)'),CHAR(10),' '),CHAR(13),' '))) as query_text

+FROM dx

+CROSS APPLY deadlock_xml_deadlock_report.nodes('(/event/data/value/deadlock/process-list/process/inputbuf)') AS ib(d)

+ORDER BY [deadlock_timestamp] DESC;

+GO

+```

+To query non-active files, navigate to the Storage Account and container in the Azure portal to identify the filenames.

+Run the following Transact-SQL query against your database to query a specific XEvents file. Before running the query, substitute the storage account name, container name, and filename in the URL for `@filename`:

+```sql

+declare @filename nvarchar(2000) = N'https://yourstorageaccountname.blob.core.windows.net/yourcontainername/yourfilename.xel';

+with xevents AS (

+ SELECT cast(event_data as XML) as ed

+ FROM sys.fn_xe_file_target_read_file(@filename, null, null, null )

+), dx AS (

+ SELECT

+ dxdr.evtdata.query('.') as deadlock_xml_deadlock_report

+ FROM xevents

+ CROSS APPLY ed.nodes('/event[@name=''database_xml_deadlock_report'']') AS dxdr(evtdata)

+)

+SELECT

+ d.query('/event/data[@name=''deadlock_cycle_id'']/value').value('(/value)[1]', 'int') AS [deadlock_cycle_id],

+ d.value('(/event/@timestamp)[1]', 'DateTime2') AS [deadlock_timestamp],

+ d.query('/event/data[@name=''database_name'']/value').value('(/value)[1]', 'nvarchar(256)') AS [database_name],

+ d.query('/event/data[@name=''xml_report'']/value/deadlock') AS deadlock_xml,

+ LTRIM(RTRIM(REPLACE(REPLACE(d.value('.', 'nvarchar(2000)'),CHAR(10),' '),CHAR(13),' '))) as query_text

+FROM dx

+CROSS APPLY deadlock_xml_deadlock_report.nodes('(/event/data/value/deadlock/process-list/process/inputbuf)') AS ib(d)

+ORDER BY [deadlock_timestamp] DESC;

+GO

+```

+### View and save a deadlock graph in XML

+Viewing a deadlock graph in XML format allows you to copy the `inputbuffer` of Transact-SQL statements involved in the deadlock. You may also prefer to analyze deadlocks in a text-based format.

+If you have used a Transact-SQL query to return deadlock graph information, to view the deadlock graph XML, select the value in the `deadlock_xml` column from any row to open the deadlock graph's XML in a new window in SSMS.

+The XML for this example deadlock graph is:

+```xml

+<deadlock>

+ <victim-list>

+ <victimProcess id="process24756e75088" />

+ </victim-list>

+ <process-list>

+ <process id="process24756e75088" taskpriority="0" logused="6528" waitresource="KEY: 8:72057594045202432 (98ec012aa510)" waittime="192" ownerId="1011123" transactionname="user_transaction" lasttranstarted="2022-03-08T15:44:43.490" XDES="0x2475c980428" lockMode="U" schedulerid="3" kpid="30192" status="suspended" spid="89" sbid="0" ecid="0" priority="0" trancount="2" lastbatchstarted="2022-03-08T15:44:49.250" lastbatchcompleted="2022-03-08T15:44:49.210" lastattention="1900-01-01T00:00:00.210" clientapp="Microsoft SQL Server Management Studio - Query" hostname="LAPTOP-CHRISQ" hostpid="16716" loginname="chrisqpublic" isolationlevel="read committed (2)" xactid="1011123" currentdb="8" currentdbname="AdventureWorksLT" lockTimeout="4294967295" clientoption1="671096864" clientoption2="128056">

+ <executionStack>

+ <frame procname="unknown" queryhash="0xef52b103e8b9b8ca" queryplanhash="0x02b0f58d7730f798" line="1" stmtstart="2" stmtend="792" sqlhandle="0x02000000c58b8f1e24e8f104a930776e21254b1771f92a520000000000000000000000000000000000000000">

+unknown </frame>

+ </executionStack>

+ <inputbuf>

+ UPDATE SalesLT.ProductDescription SET Description = Description

+ FROM SalesLT.ProductDescription as pd

+ JOIN SalesLT.ProductModelProductDescription as pmpd on

+ pd.ProductDescriptionID = pmpd.ProductDescriptionID

+ JOIN SalesLT.ProductModel as pm on

+ pmpd.ProductModelID = pm.ProductModelID

+ JOIN SalesLT.Product as p on

+ pm.ProductModelID=p.ProductModelID

+ WHERE p.Color = 'Red' </inputbuf>

+ </process>

+ <process id="process2476d07d088" taskpriority="0" logused="11360" waitresource="KEY: 8:72057594045267968 (39e18040972e)" waittime="2641" ownerId="1013536" transactionname="UPDATE" lasttranstarted="2022-03-08T15:44:46.807" XDES="0x2475ca80428" lockMode="S" schedulerid="2" kpid="94040" status="suspended" spid="95" sbid="0" ecid="0" priority="0" trancount="2" lastbatchstarted="2022-03-08T15:44:46.807" lastbatchcompleted="2022-03-08T15:44:46.760" lastattention="1900-01-01T00:00:00.760" clientapp="Microsoft SQL Server Management Studio - Query" hostname="LAPTOP-CHRISQ" hostpid="16716" loginname="chrisqpublic" isolationlevel="read committed (2)" xactid="1013536" currentdb="8" currentdbname="AdventureWorksLT" lockTimeout="4294967295" clientoption1="671088672" clientoption2="128056">

+ <executionStack>

+ <frame procname="unknown" queryhash="0xef52b103e8b9b8ca" queryplanhash="0x02b0f58d7730f798" line="1" stmtstart="2" stmtend="798" sqlhandle="0x020000002c85bb06327c0852c0be840fc1e30efce2b7c8090000000000000000000000000000000000000000">

+unknown </frame>

+ </executionStack>

+ <inputbuf>

+ UPDATE SalesLT.ProductDescription SET Description = Description

+ FROM SalesLT.ProductDescription as pd

+ JOIN SalesLT.ProductModelProductDescription as pmpd on

+ pd.ProductDescriptionID = pmpd.ProductDescriptionID

+ JOIN SalesLT.ProductModel as pm on

+ pmpd.ProductModelID = pm.ProductModelID

+ JOIN SalesLT.Product as p on

+ pm.ProductModelID=p.ProductModelID

+ WHERE p.Color = 'Silver'; </inputbuf>

+ </process>

+ </process-list>

+ <resource-list>

+ <keylock hobtid="72057594045202432" dbid="8" objectname="9e011567-2446-4213-9617-bad2624ccc30.SalesLT.ProductDescription" indexname="PK_ProductDescription_ProductDescriptionID" id="lock2474df12080" mode="U" associatedObjectId="72057594045202432">

+ <owner-list>

+ <owner id="process2476d07d088" mode="U" />

+ </owner-list>

+ <waiter-list>

+ <waiter id="process24756e75088" mode="U" requestType="wait" />

+ </waiter-list>

+ </keylock>

+ <keylock hobtid="72057594045267968" dbid="8" objectname="9e011567-2446-4213-9617-bad2624ccc30.SalesLT.Product" indexname="PK_Product_ProductID" id="lock2474b588580" mode="X" associatedObjectId="72057594045267968">

+ <owner-list>

+ <owner id="process24756e75088" mode="X" />

+ </owner-list>

+ <waiter-list>

+ <waiter id="process2476d07d088" mode="S" requestType="wait" />

+ </waiter-list>

+ </keylock>

+ </resource-list>

+</deadlock>

+```

+To save the deadlock graph as an XML file:

+1. Select **File** and **Save As...**.

+1. Leave the **Save as type** value as the default **XML Files (*.xml)**

+1. Set the **File name** to the name of your choice.

+1. Select **Save**.

+### Save a deadlock graph as an XDL file that can be displayed interactively in SSMS

+Viewing an interactive representation of a deadlock graph can be useful to get a quick overview of the processes and resources involved in a deadlock, and quickly identifying the deadlock victim.

+To save a deadlock graph as a file that can be graphically displayed by SSMS:

+1. Select the value in the `deadlock_xml` column from any row to open the deadlock graph's XML in a new window in SSMS.

+1. Select **File** and **Save As...**.

+1. Set **Save as type** to **All Files**.

+1. Set the **File name** to the name of your choice, with the extension set to **.xdl**.

+1. Select **Save**.

+ :::image type="content" source="media/analyze-prevent-deadlocks/ssms-save-deadlock-file-xdl.png" alt-text="A screenshot in SSMS of saving a deadlock graph XML file to a file with the xsd extension." lightbox="media/analyze-prevent-deadlocks/ssms-save-deadlock-file-xdl.png":::

+1. Close the file by selecting the **X** on the tab at the top of the window, or by selecting **File**, then **Close**.

+1. Reopen the file in SSMS by selecting **File**, then **Open**, then **File**. Select the file you saved with the `.xdl` extension.

+ The deadlock graph will now display in SSMS with a visual representation of the processes and resources involved in the deadlock.

+ :::image type="content" source="media/analyze-prevent-deadlocks/ssms-deadlock-graph-xdl-file-graphic-display.png" alt-text="Screenshot of an xdl file opened in SSMS. The deadlock graph is displayed graphically, with processes indicated by ovals and lock resources as rectangles." lightbox="media/analyze-prevent-deadlocks/ssms-deadlock-graph-xdl-file-graphic-display.png":::

+## Analyze a deadlock for Azure SQL Database

+A deadlock graph typically has three nodes:

+- **Victim-list**. The deadlock victim process identifier.

+- **Process-list**. Information on all the processes involved in the deadlock. Deadlock graphs use the term 'process' to represent a session running a transaction.

+- **Resource-list**. Information about the resources involved in the deadlock.

+When analyzing a deadlock, it is useful to step through these nodes.

+### Deadlock victim list

+The deadlock victim list shows the process that was chosen as the deadlock victim. In the visual representation of a deadlock graph, processes are represented by ovals. The deadlock victim process has an "X" drawn over the oval.

+In the [XML view of a deadlock graph](#view-and-save-a-deadlock-graph-in-xml), the `victim-list` node gives an ID for the process that was the victim of the deadlock.

+In our example deadlock, the victim process ID is **process24756e75088**. We can use this ID when examining the process-list and resource-list nodes to learn more about the victim process and the resources it was locking or requesting to lock.

+### Deadlock process list

+The deadlock process list is a rich source of information about the transactions involved in the deadlock.

+The graphic representation of the deadlock graph shows only a subset of information contained in the deadlock graph XML. The ovals in the deadlock graph represent the process, and show information including the:

+- Server process ID, also known as the session ID or SPID.

+- [Deadlock priority](/sql/t-sql/statements/set-deadlock-priority-transact-sql) of the session. If two sessions have different deadlock priorities, the session with the lower priority is chosen as the deadlock victim. In this example, both sessions have the same deadlock priority.

+- The amount of transaction log used by the session in bytes. If both sessions have the same deadlock priority, the deadlock monitor chooses the session that is less expensive to roll back as the deadlock victim. The cost is determined by comparing the number of log bytes written to that point in each transaction.

+

+ In our example deadlock, session_id 89 had used a lower amount of transaction log, and was selected as the deadlock victim.

+Additionally, you can view the [input buffer](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-input-buffer-transact-sql) for the last statement run in each session prior to the deadlock by hovering the mouse over each process. The input buffer will appear in a tooltip.

+Additional information is available for processes in the [XML view of the deadlock graph](#view-and-save-a-deadlock-graph-in-xml), including:

+- Identifying information for the session, such as the client name, host name, and login name.

+- The query plan hash for the last statement run by each session prior to the deadlock. The query plan hash is useful for retrieving more information about the query from [Query Store](/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store).

+In our example deadlock:

+- We can see that both sessions were run using the SSMS client under the **chrisqpublic** login.

+- The query plan hash of the last statement run prior to the deadlock by our deadlock victim is **0x02b0f58d7730f798**. We can see the text of this statement in the input buffer.

+- The query plan hash of the last statement run by the other session in our deadlock is also **0x02b0f58d7730f798**. We can see the text of this statement in the input buffer. In this case, both queries have the same query plan hash because the queries are identical, except for a literal value used as an equality predicate.

+We'll use these values later in this article to [find additional information in Query Store](#find-query-execution-plans-in-query-store).

+#### Limitations of the input buffer in the deadlock process list

+There are some limitations to be aware of regarding input buffer information in the deadlock process list.

+Query text may be truncated in the input buffer. The input buffer is limited to the first 4,000 characters of the statement being executed.

+Additionally, some statements involved in the deadlock may not be included in the deadlock graph. In our example, **Session A** ran two update statements within a single transaction. Only the second update statement, the update that caused the deadlock, is included in the deadlock graph. The first update statement run by **Session A** played a part in the deadlock by blocking **Session B**. The input buffer, `query_hash`, and related information for the first statement run by **Session A** is not included in the deadlock graph.

+To identify the full Transact-SQL run in a multi-statement transaction involved in a deadlock, you will need to either find the relevant information in the stored procedure or application code that ran the query, or run a trace using [Extended Events](/sql/relational-databases/extended-events/extended-events) to capture full statements run by sessions involved in a deadlock while it occurs. If a statement involved in the deadlock has been truncated and only partial Transact-SQL appears in the input buffer, you can find the [Transact-SQL for the statement in Query Store with the Execution Plan](#find-query-execution-plans-in-query-store).

+### Deadlock resource list

+The deadlock resource list shows which lock resources are owned and waited on by the processes in the deadlock.

+Resources are represented by rectangles in the visual representation of the deadlock:

+> [!NOTE]

+> You may notice that database names are represented as uniquedientifers in deadlock graphs for databases in Azure SQL Database. This is the `physical_database_name` for the database listed in the [sys.databases](/sql/relational-databases/system-catalog-views/sys-databases-transact-sql) and [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database) dynamic management views.

+In this example deadlock:

+- The deadlock victim, which we have referred to as **Session A**:

+ - Owns an exclusive (X) lock on a key on the `PK_Product_ProductID` index on the `SalesLT.Product` table.

+ - Requests an update (U) lock on a key on the `PK_ProductDescription_ProductDescriptionID` index on the `SalesLT.ProductDescription` table.

+- The other process, which we have referred to as **Session B**:

+ - Owns an update (U) lock on a key on the `PK_ProductDescription_ProductDescriptionID` index on the `SalesLT.ProductDescription` table.

+ - Requests a shared (S) lock on a key on the `PK_ProductDescription_ProductDescriptionID` index on the `SalesLT.ProductDescription` table.

+We can see the same information in the [XML of the deadlock graph](#view-and-save-a-deadlock-graph-in-xml) in the **resource-list** node.

+### Find query execution plans in Query Store

+It is often useful to examine the query execution plans for statements involved in the deadlock. These execution plans can often be found in Query Store using the query plan hash from the XML view of the deadlock graph's [process list](#deadlock-process-list).

+This Transact-SQL query looks for query plans matching the query plan hash we found for our example deadlock. Connect to the user database in Azure SQL Database to run the query.

+```sql

+DECLARE @query_plan_hash binary(8) = 0x02b0f58d7730f798

+SELECT

+ qrsi.end_time as interval_end_time,

+ qs.query_id,

+ qp.plan_id,

+ qt.query_sql_text,

+ TRY_CAST(qp.query_plan as XML) as query_plan,

+ qrs.count_executions

+FROM sys.query_store_query as qs

+JOIN sys.query_store_query_text as qt on qs.query_text_id=qt.query_text_id

+JOIN sys.query_store_plan as qp on qs.query_id=qp.query_id

+JOIN sys.query_store_runtime_stats qrs on qp.plan_id = qrs.plan_id

+JOIN sys.query_store_runtime_stats_interval qrsi on qrs.runtime_stats_interval_id=qrsi.runtime_stats_interval_id

+WHERE query_plan_hash = @query_plan_hash

+ORDER BY interval_end_time, query_id;

+GO

+```

+You may not be able to obtain a query execution plan from Query Store, depending on your Query Store [CLEANUP_POLICY or QUERY_CAPTURE_MODE settings](/sql/t-sql/statements/alter-database-transact-sql-set-options#query-store). In this case, you can often get needed information by [displaying the estimated execution plan](/sql/relational-databases/performance/display-the-estimated-execution-plan) for the query.

+### Look for patterns that increase blocking

+When examining query execution plans involved in deadlocks, look out for patterns that may contribute to blocking and deadlocks.

+- **Table or index scans**. When queries modifying data are run under RCSI, the selection of rows to update is done using a blocking scan where an update (U) lock is taken on the data row as data values are read. If the data row does not meet the update criteria, the update lock is released and the next row is locked and scanned.

+ Tuning indexes to help modification queries find rows more efficiently reduces the number of update locks issued. This reduces the chances of blocking and deadlocks.

+- **Indexed views referencing more than one table**. When you modify a table that is referenced in an indexed view, the database engine must also maintain the indexed view. This requires taking out more locks and can lead to increased blocking and deadlocks. Indexed views may also cause update operations to internally execute under the read committed isolation level.

+- **Modifications to columns referenced in foreign key constraints**. When you modify columns in a table that are referenced in a FOREIGN KEY constraint, the database engine must look for related rows in the referencing table. Row versions cannot be used for these reads. In cases where cascading updates or deletes are enabled, the isolation level may be escalated to serializable for the duration of the statement to protect against phantom inserts.

+- **Lock hints**. Look for [table hints](/sql/t-sql/queries/hints-transact-sql-table) that specify isolation levels requiring more locks. These hints include `HOLDLOCK` (which is equivalent to serializable), `SERIALIZABLE`, `READCOMMITTEDLOCK` (which disables RCSI), and `REPEATABLEREAD`. Additionally, hints such as `PAGLOCK`, `TABLOCK`, `UPDLOCK`, and `XLOCK` can increase the risks of blocking and deadlocks.

+ If these hints are in place, research why the hints were implemented. These hints may prevent race conditions and ensure data validity. It may be possible to leave these hints in place and prevent future deadlocks using an alternate method in the [Prevent a deadlock from reoccurring](#prevent-a-deadlock-from-reoccurring) section of this article if necessary.

+ > [!NOTE]

+ > Learn more about behavior when modifying data using row versioning in the [Transaction locking and row versioning guide](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#behavior-when-modifying-data).

+When examining the full code for a transaction, either in an execution plan or in application query code, look for additional problematic patterns:

+- **User interaction in transactions**. User interaction inside an explicit multi-statement transaction significantly increases the duration of transactions. This makes it more likely for these transactions to overlap and for blocking and deadlocks to occur.

+ Similarly, holding an open transaction and querying an unrelated database or system mid-transaction significantly increases the chances of blocking and deadlocks.

+- **Transactions accessing objects in different orders**. Deadlocks are less likely to occur when concurrent explicit multi-statement transactions follow the same patterns and access objects in the same order.

+## Prevent a deadlock from reoccurring

+There are multiple techniques available to prevent deadlocks from reoccurring, including index tuning, forcing plans with Query Store, and modifying Transact-SQL queries.

+- **Review the table's clustered index**. Most tables benefit from clustered indexes, but often, tables are implemented as [heaps](/sql/relational-databases/indexes/heaps-tables-without-clustered-indexes) by accident.

+ One way to check for a clustered index is by using the [sp_helpindex](/sql/relational-databases/system-stored-procedures/sp-helpindex-transact-sql) system stored procedure. For example, we can view a summary of the indexes on the `SalesLT.Product` table by executing the following statement:

+ ```sql

+ exec sp_helpindex 'SalesLT.Product';

+ GO

+ ```

+ Review the index_description column. A table can have only one clustered index. If a clustered index has been implemented for the table, the index_description will contain the word 'clustered'.

+ If no clustered index is present, the table is a heap. In this case, review if the table was intentionally created as a heap to solve a specific performance problem. Consider implementing a clustered index based on the [clustered index design guidelines](/sql/relational-databases/sql-server-index-design-guide#Clustered).

+ In some cases, creating or tuning a clustered index may reduce or eliminate blocking in deadlocks. In other cases, you may need to employ an additional technique such as the others in this list.

+- **Create or modify nonclustered indexes.** Tuning nonclustered indexes can help your modification queries find the data to update more quickly, which reduces the number of update locks required.

+ In our example deadlock, the query execution plan [found in Query Store](#find-query-execution-plans-in-query-store) contains a clustered index scan against the `PK_Product_ProductID` index. The deadlock graph indicates that a shared (S) lock wait on this index is a component in the deadlock.

+ :::image type="content" source="media/analyze-prevent-deadlocks/deadlock-execution-plan-clustered-index-scan.png" alt-text="Screenshot of a query execution plan. A clustered index scan is being performed against the PK_Product_ProductID index on the Product table.":::

+ This index scan is being performed because our update query needs to modify an indexed view named `vProductAndDescription`. As mentioned in the [Look for patterns that increase blocking](#look-for-patterns-that-increase-blocking) section of this article, indexed views referencing multiple tables may increase blocking and the likelihood of deadlocks.

+ If we create the following nonclustered index in the `AdventureWorksLT` database that "covers" the columns from `SalesLT.Product` referenced by the indexed view, this helps the query find rows much more efficiently:

+ ```sql

+ CREATE INDEX ix_Product_ProductID_Name_ProductModelID on SalesLT.Product (ProductID, Name, ProductModelID);

+ GO

+ ```

+ After creating this index, the deadlock no longer reoccurs.

+ When deadlocks involve modifications to columns referenced in foreign key constraints, ensure that indexes on the referencing table of the FOREIGN KEY support efficiently finding related rows.

+ While indexes can dramatically improve query performance in some cases, indexes also have overhead and management costs. Review [general index design guidelines](/sql/relational-databases/sql-server-index-design-guide#General_Design) to help assess the benefit of indexes before creating indexes, especially wide indexes and indexes on large tables.

+- **Assess the value of indexed views**. Another option to prevent our example deadlock from reoccurring is to drop the `SalesLT.vProductAndDescription` indexed view. If that indexed view is not being used, this will reduce the overhead of maintaining the indexed view over time.

+- **Use Snapshot isolation**. In some cases, [setting the transaction isolation level](/sql/t-sql/statements/set-transaction-isolation-level-transact-sql) to snapshot for one or more of the transactions involved in a deadlock may prevent blocking and deadlocks from reoccurring.

+ This technique is most likely to be successful when used on SELECT statements when [read committed snapshot is disabled in a database](#how-deadlocks-occur-in-azure-sql-database). When read committed snapshot is disabled, SELECT queries using the read committed isolation level require shared (S) locks. Using snapshot isolation on these transactions removes the need for shared locks, which can prevent blocking and deadlocks.

+ In databases where read committed snapshot isolation has been enabled, SELECT queries do not require shared (S) locks, so deadlocks are more likely to occur between transactions that are modifying data. In cases where deadlocks occur between multiple transactions modifying data, snapshot isolation may result in an [update conflict](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#behavior-in-summary) instead of a deadlock. This similarly requires one of the transactions to retry its operation.

+- **Force a plan with Query Store**. You may find that one of the queries in the deadlock has multiple execution plans, and the deadlock only occurs when a specific plan is used. You can prevent the deadlock from reoccurring by [forcing a plan](/sql/relational-databases/system-stored-procedures/sp-query-store-force-plan-transact-sql) in Query Store.

+- **Modify the Transact-SQL**. You may need to modify Transact-SQL to prevent the deadlock from reoccurring. Modifying Transact-SQL should be done carefully and changes should be rigorously tested to ensure that data is correct when modifications run concurrently. When rewriting Transact-SQL, consider:

+ - Ordering statements in transactions so that they access objects in the same order.

+ - Breaking apart transactions into smaller transactions when possible.

+ - Using query hints, if necessary, to optimize performance. You can apply hints without changing application code [using Query Store](/sql/relational-databases/performance/query-store-hints?view=azuresqldb-current&preserve-view=true).

+Find more ways to [minimize deadlocks in the Transaction locking and row versioning guide](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#deadlock_minimizing).

+> [!NOTE]

+> In some cases, you may wish to [adjust the deadlock priority](/sql/t-sql/statements/set-deadlock-priority-transact-sql) of one or more sessions involved in a deadlock if it is important for one of the sessions to complete successfully without retrying, or when one of the queries involved in the deadlock is not critical and should be always chosen as the victim. While this does not prevent the deadlock from reoccurring, it may reduce the impact of future deadlocks.

+## Drop an XEvents session

+You may wish to leave an XEvents session collecting deadlock information running on critical databases for long periods. Be aware that if you use an event file target, this may result in large files if multiple deadlocks occur. You may delete blob files from Azure Storage for an active trace, except for the file that is currently being written to.

+When you wish to remove an XEvents session, the Transact-SQL drop the session is the same, regardless of the target type selected.

+To remove an XEvents session, run the following Transact-SQL. Before running the code, replace the name of the session with the appropriate value.

+```sql

+ALTER EVENT SESSION [deadlocks] ON DATABASE

+ STATE = STOP;

+GO

+DROP EVENT SESSION [deadlocks] ON DATABASE;

+GO

+```

+## Use Azure Storage Explorer

+[Azure Storage Explorer](/azure/vs-azure-tools-storage-manage-with-storage-explorer) is a standalone application that simplifies working with event file targets stored in blobs in Azure Storage. You can use Storage Explorer to:

+- [Create a blob container](/azure/vs-azure-tools-storage-explorer-blobs#create-a-blob-container) to hold XEvent session data.

+- [Get the shared access signature (SAS)](/azure/vs-azure-tools-storage-explorer-blobs#get-the-sas-for-a-blob-container) for a blob container.

+ - As mentioned in [Collect deadlock graphs in Azure SQL Database with Extended Events](#collect-deadlock-graphs-in-azure-sql-database-with-extended-events), the read, write, and list permissions are required.

+ - Remove any leading `?` character from the `Query string` to use the value as the secret when [creating a database scoped credential](?tabs=event-file#create-a-database-scoped-credential).

+- [View and download](/azure/vs-azure-tools-storage-explorer-blobs#view-a-blob-containers-contents) extended event files from a blob container.

+

+[Download Azure Storage Explorer.](https://azure.microsoft.com/features/storage-explorer/).

+## Next steps

+Learn more about performance in Azure SQL Database:

+- [Understand and resolve Azure SQL Database blocking problems](understand-resolve-blocking.md)

+- [Transaction Locking and Row Versioning Guide](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide)

+- [SET TRANSACTION ISOLATION LEVEL](/sql/t-sql/statements/set-transaction-isolation-level-transact-sql)

+- [Azure SQL Database: Improving Performance Tuning with Automatic Tuning](/Shows/Data-Exposed/Azure-SQL-Database-Improving-Performance-Tuning-with-Automatic-Tuning)

+- [Deliver consistent performance with Azure SQL](/learn/modules/azure-sql-performance/)

+- [Retry logic for transient errors](troubleshoot-common-connectivity-issues.md#retry-logic-for-transient-errors).

+ 

+ For Azure AD users and groups, the **Object ID** is displayed next to the admin name. For applications (service principals), the **Application ID** is displayed.

+ For Azure AD users and groups, the **Object ID** is displayed next to the admin name. For applications (service principals), the **Application ID** is displayed.

+> [!NOTE]

+> [System.Data.SqlClient](/dotnet/api/system.data.sqlclient) uses the Azure Active Directory Authentication Library (ADAL), which will be deprecated. If you're using the [System.Data.SqlClient](/dotnet/api/system.data.sqlclient) namespace for Azure Active Directory authentication, migrate applications to [Microsoft.Data.SqlClient](/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace) and the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-migration). For more information about using Azure AD authentication with SqlClient, see [Using Azure Active Directory authentication with SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication).

+>

+> SSMS and SSDT still uses the Azure Active Directory Authentication Library (ADAL). If you want to continue using *ADAL.DLL* in your applications, you can use the links in this section to install the latest SSMS, ODBC, and OLE DB driver that contains the latest *ADAL.DLL* library.

+- [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-migration) or Azure Active Directory Authentication Library for SQL Server (*ADAL.DLL*). Below are the download links to install the latest SSMS, ODBC, and OLE DB driver that contains the *ADAL.DLL* library.

+Register your application if you have not already done so. To register an app, you need to either be an Azure AD admin or a user assigned the Azure AD *Application Developer* role. For more information about assigning roles, see [Assign administrator and non-administrator roles to users with Azure Active Directory](../../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).

+Completing an app registration generates and displays an **Application ID**.

+To register your application:

+1. In the Azure portal, select **Azure Active Directory** > **App registrations** > **New registration**.

+ 

+ After the app registration is created, the **Application ID** value is generated and displayed.

+ 

+1. You'll also need to create a client secret for signing in. Follow the guide here to [upload a certificate or create a secret for signing in](../../active-directory/develop/howto-create-service-principal-portal.md#authentication-two-options).

+1. Record the following from your application registration. It should be available from your **Overview** pane:

+To provision a logical server or managed instance, you'll need to have the appropriate permissions to create these resources. Azure users with higher permissions, such as subscription [Owners](../../role-based-access-control/built-in-roles.md#owner), [Contributors](../../role-based-access-control/built-in-roles.md#contributor), [Service Administrators](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles), and [Co-Administrators](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles) have the privilege to create a SQL server or managed instance. To create these resources with the least privileged Azure RBAC role, use the [SQL Server Contributor](../../role-based-access-control/built-in-roles.md#sql-server-contributor) role for SQL Database and [SQL Managed Instance Contributor](../../role-based-access-control/built-in-roles.md#sql-managed-instance-contributor) role for SQL Managed Instance.

+- `<objectId>`: Can be found by going to the [Azure portal](https://portal.azure.com), and going to your **Azure Active Directory** resource. In the **User** pane, search for the Azure AD user and find their **Object ID**. If you're using an application (service principal) as the Azure AD admin, replace this value with the **Application ID**. You will need to update the `principalType` as well.

+# The sid is the Azure AD Object ID for the user or group, and Application ID for applications. Update the principalType as well

+ "description": "The Object ID of the Azure AD admin if the admin is a user or group. For Applications, use the Application ID."

+ :::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-managed-instance-create-basic.png" alt-text="Azure portal screenshot of the create SQL Managed Instance basic tab ":::

+ :::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-managed-instance-create-basic-choose-authentication.png" alt-text="Azure portal screenshot of the create SQL Managed Instance basic tab and choosing Azure AD only authentication":::

+- `<objectId>`: Can be found by going to the [Azure portal](https://portal.azure.com), and going to your **Azure Active Directory** resource. In the **User** pane, search for the Azure AD user and find their **Object ID**. If you're using an application (service principal) as the Azure AD admin, replace this value with the **Application ID**. You'll need to update the `principalType` as well.

+ "description": "The Object ID of the Azure AD admin. The Object ID of the Azure AD admin if the admin is a user or group. For Applications, use the Application ID."

+ "description": "Allow inbound redirect traffic to SQL Managed Instance inside the virtual network",

+Once the deployment is complete for your managed instance, you may notice that the SQL Managed Instance needs **Read** permissions to access Azure Active Directory. Read permissions can be granted by clicking on the displayed message in the Azure portal by a person with enough privileges. For more information, see [Directory Readers role in Azure Active Directory for Azure SQL](authentication-aad-directory-readers-role.md).

+ Excessive parallelism becomes most problematic when there are more concurrent requests than can be supported by the CPU and worker thread resources provided by the service objective. Avoid MAXDOP 0 to reduce the risk of potential future problems due to excessive parallelism if a database is scaled up, or if future hardware configurations in Azure SQL Database provide more cores for the same database service objective.

+Microsoft periodically refreshes hardware to optimize the customer experience. During these refreshes, Azure adds gateways built on newer hardware, migrates traffic to them, and eventually decommissions gateways built on older hardware in some regions.

+You can add more CPU resources to your Azure SQL Database by configuring the vCore count or the [hardware configuration](service-tiers-sql-database-vcore.md#hardware-configuration) for databases using the [vCore purchasing model](service-tiers-sql-database-vcore.md).

+* [Detectable types of query performance bottlenecks in Azure SQL Database](../identify-query-performance-issues.md)

+* [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md)

+|[sys.event_log (Azure SQL Database)](/sql/relational-databases/system-catalog-views/sys-event-log-azure-sql-database)|Returns successful database connections and connection failures for Azure SQL Database. You can use this information to track or troubleshoot your database activity.|

+> This rule is approximate because it does not consider the specific type of hardware used for the DTU database or elastic pool.

+In the DTU model, the system may select any available [hardware configuration](service-tiers-dtu.md#hardware-configuration) for your database or elastic pool. Further, in the DTU model you have only indirect control over the number of vCores (logical CPUs) by choosing higher or lower DTU or eDTU values.

+In the vCore model, customers must make an explicit choice of both the hardware configuration and the number of vCores (logical CPUs). While DTU model does not offer these choices, hardware type and the number of logical CPUs used for every database and elastic pool are exposed via dynamic management views. This makes it possible to determine the matching vCore service objective more precisely.

+A T-SQL query below, when executed in the context of a DTU database to be migrated, returns a matching (possibly fractional) number of vCores in each hardware configuration in the vCore model. By rounding this number to the closest number of vCores available for [databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md) in each hardware configuration in the vCore model, customers can choose the vCore service objective that is the closest match for their DTU database or elastic pool.

+Besides the number of vCores (logical CPUs) and the type of hardware, several other factors may influence the choice of vCore service objective:

+- For the same hardware type and the same number of vCores, IOPS and transaction log throughput resource limits for vCore databases are often higher than for DTU databases. For IO-bound workloads, it may be possible to lower the number of vCores in the vCore model to achieve the same level of performance. Actual resource limits for DTU and vCore databases are exposed in the [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database) view. Comparing these values between the DTU database or pool to be migrated, and a vCore database or pool with an approximately matching service objective will help you select the vCore service objective more precisely.

+- The mapping query also returns the amount of memory per core for the DTU database or elastic pool to be migrated, and for each hardware configuration in the vCore model. Ensuring similar or higher total memory after migration to vCore is important for workloads that require a large memory data cache to achieve sufficient performance, or workloads that require large memory grants for query processing. For such workloads, depending on actual performance, it may be necessary to increase the number of vCores to get sufficient total memory.

+- In the vCore model, the supported maximum database size may differ depending on hardware. For large databases, check supported maximum sizes in the vCore model for [single databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md).

+- Some hardware configurations may not be available in every region. Check availability under [Hardware configuration for SQL Database](./service-tiers-sql-database-vcore.md#hardware-configuration).

+> The optimal configuration of the target database is workload-dependent. Thus, to achieve the optimal price/performance ratio after migration, you may need to leverage the flexibility of the vCore model to adjust the number of vCores, hardware configuration, and service and compute tiers. You may also need to adjust database configuration parameters, such as [maximum degree of parallelism](configure-max-degree-of-parallelism.md), and/or change the database [compatibility level](/sql/t-sql/statements/alter-database-transact-sql-compatibility-level) to enable recent improvements in the database engine.

+We see that the DTU database has the equivalent of 0.25 logical CPUs (vCores), with 0.42 GB of memory per vCore, and is using Gen4 hardware. The smallest vCore service objectives in the Gen4 and Gen5 hardware configurations, **GP_Gen4_1** and **GP_Gen5_2**, provide more compute resources than the Standard S0 database, so a direct match is not possible. Since Gen4 hardware is being [decommissioned](https://azure.microsoft.com/updates/gen-4-hardware-on-azure-sql-database-approaching-end-of-life-in-2020/), the **GP_Gen5_2** option is preferred. Additionally, if the workload is well-suited for the [Serverless](serverless-tier-overview.md) compute tier, then **GP_S_Gen5_1** would be a closer match.

+[Azure Monitor SQL insights](../../azure-monitor/insights/sql-insights-overview.md) is a tool for monitoring managed instances, databases in Azure SQL Database, and SQL Server instances in Azure SQL VMs. This service uses a remote agent to capture data from dynamic management views (DMVs) and routes the data to Azure Log Analytics, where it can be monitored and analyzed. You can view this data from [Azure Monitor](../../azure-monitor/overview.md) in provided views, or access the Log data directly to run queries and analyze trends. To start using Azure Monitor SQL insights, see [Enable SQL insights](../../azure-monitor/insights/sql-insights-enable.md).

+### Monitoring deadlocks

+In some cases, two or more queries may mutually block one another, resulting in a deadlock.

+You can create an Extended Events trace a database in Azure SQL Database to capture deadlock events, then find related queries and their execution plans in Query Store. Learn more in [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md).

+For Azure SQL Managed Instance, refer to the [Deadlocks](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#deadlock_tools) of the [Transaction locking and row versioning guide](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide).

+- [Tune applications and databases for performance in Azure SQL Database and Azure SQL Managed Instance](performance-guidance.md)

+- [Understand and resolve Azure SQL Database blocking problems](understand-resolve-blocking.md)

+- [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md)

+ To prevent deadlocks from reoccurring in Azure SQL Database, see [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md). For Azure SQL Managed Instance, refer to the [Deadlocks](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#deadlock_tools) of the [Transaction locking and row versioning guide](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide).

+In the vCore-based purchasing model, your costs depend on the choice and usage of:

+- Service tier

+- Hardware configuration

+- Compute resources (the number of vCores and the amount of memory)

+- Reserved database storage

+- Actual backup storage

+If the hardware you want to use is not available in your region, you may request it using the following steps. For more information on hardware regional availability, see [Hardware configurations for SQL Database](./service-tiers-sql-database-vcore.md#hardware-configuration) or [Hardware configurations for SQL Managed Instance](../managed-instance/service-tiers-managed-instance-vcore.md#hardware-configurations).

+1. In the **Description** field, state your request, including the name of the hardware and the name of the region you need it in.

+The size of reservation should be based on the total amount of compute used by the existing or soon-to-be-deployed database or managed instance within a specific region and using the same performance tier and hardware configuration.

+1. Specify the service objective. The service objective prescribes the service tier, hardware configuration, and max vCores. For service objective options, see [serverless resource limits](resource-limits-vcore-single-databases.md#general-purposeserverless-computegen5)

+## Hardware configuration

+In the DTU-based purchasing model, customers cannot choose the hardware configuration used for their databases. While a given database usually stays on a specific type of hardware for a long time (commonly for multiple months), there are certain events that can cause a database to be moved to different hardware.

+For example, a database can be moved to different hardware if it's scaled up or down to a different service objective, or if the current infrastructure in a datacenter is approaching its capacity limits, or if the currently used hardware is being decommissioned due to its end of life.

+If a database is moved to different hardware, workload performance can change. The DTU model guarantees that the throughput and response time of the [DTU benchmark](dtu-benchmark.md) workload will remain substantially identical as the database moves to a different hardware type, as long as its service objective (the number of DTUs) stays the same.

+However, across the wide spectrum of customer workloads running in Azure SQL Database, the impact of using different hardware for the same service objective can be more pronounced. Different workloads may benefit from different hardware configurations and features. Therefore, for workloads other than the [DTU benchmark](dtu-benchmark.md), it's possible to see performance differences if the database moves from one type of hardware to another.

+Customers can use the [vCore](service-tiers-vcore.md) model to choose their preferred hardware configuration during database creation and scaling. In the vCore model, detailed resource limits of each service objective in each hardware configuration are documented for [single databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md). For more information about hardware in the vCore model, see [Hardware configuration for SQL Database](./service-tiers-sql-database-vcore.md#hardware-configuration) or [Hardware configuration for SQL Managed Instance](../managed-instance/service-tiers-managed-instance-vcore.md#hardware-configurations).

+- Choice of hardware configuration to better match compute and memory requirements of the workload.

+## Hardware configuration

+Hardware configurations in the vCore model include Gen4, Gen5, M-series, Fsv2-series, and DC-series. Hardware configuration defines compute and memory limits and other characteristics that impact workload performance.

+- Fsv2-series is a compute optimized hardware configuration delivering low CPU latency and high clock speed for the most CPU demanding workloads.

+- Depending on the workload, Fsv2-series can deliver more CPU performance per vCore than other types of hardware. For example, the 72 vCore Fsv2 compute size can provide more CPU performance than 80 vCores on Gen5, at lower cost.

+- Fsv2 provides less memory and tempdb per vCore than other hardware, so workloads sensitive to those limits may perform better on Gen5 or M-series.

+- M-series is a memory optimized hardware configuration for workloads demanding more memory and higher compute limits than provided by other types of hardware.

+M-series is only supported in the Business Critical tier and does not support zone redundancy. For regions where M-series is available, see [M-series availability](#m-series-1).

+To create databases or elastic pools on M-series hardware, the subscription must be a paid offer type including Pay-As-You-Go or Enterprise Agreement (EA). For a complete list of Azure offer types supported by M-series, see [current offers without spending limits](https://azure.microsoft.com/support/legal/offer-details).

+DC-series is only supported for Provisioned compute (Serverless is not supported) and does not support zone redundancy. For regions where DC-series is available, see [DC-series availability](#dc-series-1).

+To create databases or elastic pools on DC-series hardware, the subscription must be a paid offer type including Pay-As-You-Go or Enterprise Agreement (EA). For a complete list of Azure offer types supported by DC-series, see [current offers without spending limits](https://azure.microsoft.com/support/legal/offer-details).

+### Selecting hardware configuration

+You can select hardware configuration for a database or elastic pool in SQL Database at the time of creation. You can also change hardware configuration of an existing database or elastic pool.

+**To select a hardware configuration when creating a SQL Database or pool**

+Select the desired hardware configuration:

+**To change hardware configuration of an existing SQL Database or pool**

+Follow the steps to change configuration, and select hardware configuration as described in the previous steps.

+Gen4 hardware is [being retired](https://azure.microsoft.com/updates/gen-4-hardware-on-azure-sql-database-approaching-end-of-life-in-2020/) and is no longer available for new deployments. All new databases must be deployed on other hardware configurations.

+Gen5 hardware is available in all public regions worldwide.

+Australia Central, Australia Central 2, Australia East, Australia Southeast, Brazil South, Canada Central, East Asia, East US, France Central, India Central, Korea Central, Korea South, North Europe, South Africa North, Southeast Asia, UK South, UK West, West Europe, West US 2.

+DC-series is available in the following regions:

+Canada Central, Canada East, East US, North Europe, UK South, West Europe, West US.

+## Compute resources (CPU and memory)

+The following table compares compute resources in different hardware configurations and compute tiers:

+|Hardware configuration |Compute |Memory |

+|DC-series | - Intel&reg; XEON E-2288G processors<br>- Featuring Intel Software Guard Extension (Intel SGX))<br>- Provision up to 8 vCores (1 vCore = 1 physical core) | 4.5 GB per vCore |

+\* In the [sys.dm_user_db_resource_governance](/sql/relational-databases/system-dynamic-management-views/sys-dm-user-db-resource-governor-azure-sql-database) dynamic management view, hardware generation for databases using Intel&reg; SP-8160 (Skylake) processors appears as Gen6, hardware generation for databases using Intel&reg; 8272CL (Cascade Lake) appears as Gen7 and hardware generation for databases using Intel Xeon&reg; Platinum 8307C (Ice Lake) appear as Gen8. For a given compute size and hardware configuration, resource limits are the same regardless of processor type (Broadwell, Skylake, or Cascade Lake).

+For more information see resource limits for [single databases](resource-limits-vcore-single-databases.md) and [elastic pools](resource-limits-vcore-elastic-pools.md).

+> In Azure SQL Database, compute resources (CPU and memory), I/O, and data and log storage are charged per database or elastic pool. Backup storage is charged per each database.

+The vCore purchasing model provides transparency in database CPU, memory, and storage resource allocation, hardware configuration, higher scaling granularity, and pricing discounts with the [Azure Hybrid Benefit (AHB)](../azure-hybrid-benefit.md) and [Reserved Instance (RI)](../database/reserved-capacity-overview.md).

+|[sys.event_log](/sql/relational-databases/system-catalog-views/sys-event-log-azure-sql-database)|Returns successful Azure SQL Database connections and connection failures. You can use this information to track or troubleshoot your database activity with SQL Database.|

+- [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md)

+For information on troubleshooting deadlocks, see [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md).

+Blocking is an unavoidable and by-design characteristic of any relational database management system (RDBMS) with lock-based concurrency. Blocking in a database in Azure SQL Database occurs when one session holds a lock on a specific resource and a second SPID attempts to acquire a conflicting lock type on the same resource. Typically, the time frame for which the first SPID locks the resource is small. When the owning session releases the lock, the second connection is then free to acquire its own lock on the resource and continue processing. This is normal behavior and may happen many times throughout the course of a day with no noticeable effect on system performance.

+Each new database in Azure SQL Database has the [read committed snapshot](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#read_committed_snapshot--on--off--1) (RCSI) database setting enabled by default. Blocking between sessions reading data and sessions writing data is minimized under RCSI, which uses row versioning to increase concurrency. However, blocking and deadlocks may still occur in databases in Azure SQL Database because:

+- Queries that modify data may block one another.

+- Queries may run under isolation levels that increase blocking. Isolation levels may be specified in application connection strings, [query hints](/sql/t-sql/queries/hints-transact-sql-query), or [SET statements](/sql/t-sql/statements/set-transaction-isolation-level-transact-sql) in Transact-SQL.

+- [RCSI may be disabled](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#read_committed_snapshot--on--off--1), causing the database to use shared (S) locks to protect SELECT statements run under the read committed isolation level. This may increase blocking and deadlocks.

+[Snapshot isolation level](/sql/t-sql/statements/alter-database-transact-sql-set-options?view=azuresqldb-current&preserve-view=true#b-enable-snapshot-isolation-on-a-database) is also enabled by default for new databases in Azure SQL Database. Snapshot isolation is an additional row-based isolation level that provides transaction-level consistency for data and which uses row versions to select rows to update. To use snapshot isolation, queries or connections must explicitly set their transaction isolation level to `SNAPSHOT`. This may only be done when snapshot isolation is enabled for the database.

+You can identify if RCSI and/or snapshot isolation are enabled with Transact-SQL. Connect to your database in Azure SQL Database and run the following query:

+```sql

+SELECT name, is_read_committed_snapshot_on, snapshot_isolation_state_desc

+FROM sys.databases

+WHERE name = DB_NAME();

+GO

+```

+If RCSI is enabled, the `is_read_committed_snapshot_on` column will return the value **1**. If snapshot isolation is enabled, the `snapshot_isolation_state_desc` column will return the value **ON**.

+The duration and transaction context of a query determine how long its locks are held and, thereby, their effect on other queries. SELECT statements run under RCSI [do not acquire shared (S) locks on the data being read](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#behavior-when-reading-data), and therefore do not block transactions that are modifying data. For INSERT, UPDATE, and DELETE statements, the locks are held during the query, both for data consistency and to allow the query to be rolled back if necessary.

+For queries executed within an [explicit transaction](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#starting-transactions), the type of locks and duration for which the locks are held are determined by the type of query, the transaction isolation level, and whether lock hints are used in the query. For a description of locking, lock hints, and transaction isolation levels, see the following articles:

+To counteract the difficulty of troubleshooting blocking problems, a database administrator can use SQL scripts that constantly monitor the state of locking and blocking in the database in Azure SQL Database. To gather this data, there are essentially two methods.

+Remember to run each of these scripts in the target database in Azure SQL Database.

+* Use the [sys.dm_tran_locks](/sql/relational-databases/system-dynamic-management-views/sys-dm-tran-locks-transact-sql) DMV for more granular information on what locks have been placed by queries. This DMV can return large amounts of data on a production database, and is useful for diagnosing what locks are currently held.

+## Gather information from Extended Events

+- Category deadlock_monitor

+ - database_xml_deadlock_report

+- Category session

+> [!NOTE]

+> For detailed information on deadlocks, see [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md).

+ If the query performs only SELECT operations, consider [running the statement under snapshot isolation](/sql/t-sql/statements/set-transaction-isolation-level-transact-sql) if it is enabled in your database, especially if RCSI has been disabled. As when RCSI is enabled, queries reading data do not require shared (S) locks under snapshot isolation level. Additionally, snapshot isolation provides transaction level consistency for all statements in an explicit multi-statement transaction. Snapshot isolation may [already be enabled in your database](#understand-blocking). Snapshot isolation may also be used with queries performing modifications, but you must handle [update conflicts](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide#behavior-in-summary).

+ The impact of this scenario is reduced when read committed snapshot is enabled on the database, which is the default configuration in Azure SQL Database. Learn more in the [Understand blocking](#understand-blocking) section of this article.

+* [Analyze and prevent deadlocks in Azure SQL Database](analyze-prevent-deadlocks.md)

+||Serverless compute| The [serverless compute tier](database/serverless-tier-overview.md) autoscales compute resources based on workload activity and bills for the amount of compute used per second. Azure SQL Database serverless is currently available in the vCore purchasing model's general purpose service tier with Gen5 hardware or newer.|

+|Hardware configuration| Available hardware configurations | The vCore-based purchasing model allows you to select the appropriate hardware configuration for your workload. [Hardware configuration options](database/service-tiers-sql-database-vcore.md#hardware-configuration) include Gen5, M-series, Fsv2-series, and DC-series.|

+||vCore-based sizing options| Configure the compute size for your database or elastic pool by selecting the appropriate service tier, compute tier, and hardware for your workload. When using an elastic pool, configure the reserved vCores for the pool, and optionally configure per-database settings. For sizing options and resource limits in the vCore-based purchasing model, see [vCore single databases](database/resource-limits-vcore-single-databases.md), and [vCore elastic pools](database/resource-limits-vcore-elastic-pools.md).|

+|Hardware configuration|Available hardware configurations| SQL Managed Instance [hardware configurations](managed-instance/service-tiers-managed-instance-vcore.md#hardware-configurations) include standard-series (Gen5), premium-series, and memory optimized premium-series hardware. |

+|Compute size | vCore-based sizing options | Compute size (service objective) is the maximum amount of CPU, memory, and storage resources available for a single managed instance or instance pool. Configure the compute size for your managed instance by selecting the appropriate service tier and hardware for your workload. Learn about [resource limits for managed instances](managed-instance/resource-limits.md). |

+ The managed instance that hosts the secondary databases in the failover group. The secondary cannot be in the same Azure region as the primary.

+Azure RBAC write access is necessary to create and manage failover groups. The [SQL Managed Instance Contributor](../../role-based-access-control/built-in-roles.md#sql-managed-instance-contributor) has all the necessary permissions to manage failover groups.

+- System databases are not replicated to the secondary instance in a failover group. Therefore, scenarios that depend on objects from the system databases such as Server Logins and Agent jobs, require objects to be manually created on the secondary instances and also manually kept in sync after any changes made on primary instance. The only exception is Service master Key (SMK) for SQL Managed Instance, that is replicated automatically to secondary instance during creation of failover group. Any subsequent changes of SMK on the primary instance however will not be replicated to secondary instance. To learn more, see how to [Enable scenarios dependent on objects from the system databases](#enable-scenarios-dependent-on-objects-from-the-system-databases).

+| [16 TB support in Business Critical](resource-limits.md#service-tier-characteristics) | Support for allocation up to 16 TB of space on SQL Managed Instance in the Business Critical service tier using the new memory optimized premium-series hardware. |

+| [Memory optimized premium-series hardware](resource-limits.md#service-tier-characteristics) | Deploy your SQL Managed Instance to the new memory optimized premium-series hardware to take advantage of the latest Intel Ice Lake CPUs. Memory optimized hardware offers higher memory to vCore ratio. |

+| [Premium-series hardware](resource-limits.md#service-tier-characteristics) | Deploy your SQL Managed Instance to the new premium-series hardware to take advantage of the latest Intel Ice Lake CPUs. |

+| **16 TB support for Business Critical preview** | The Business Critical service tier of SQL Managed Instance now provides increased maximum instance storage capacity of up to 16 TB with the new premium-series and memory optimized premium-series hardware, which are currently in preview. See [resource limits](resource-limits.md#service-tier-characteristics) to learn more. |

+|**New hardware preview** | There are now two new hardware configurations for SQL Managed Instance: premium-series, and a memory optimized premium-series. Both offerings take advantage of a new hardware powered by the latest Intel Ice Lake CPUs, and offer a higher memory to vCore ratio to support your most resource demanding database applications. As part of this announcement, the Gen5 hardware has been renamed to standard-series. The two new premium hardware offerings are currently in preview. See [resource limits](resource-limits.md#service-tier-characteristics) to learn more. |

+| **Hardware Configuration** | Select one of the options. | Hardware configuration generally defines the compute and memory limits and other characteristics that impact the performance of the workload. **Gen5** is the default.|

+|First instance of another hardware or maintenance window in a non-empty subnet (for example, first Premium-series instance in a subnet with Standard-series instances)|Virtual cluster creation¹|90% of operations finish in 4 hours.|

+¹ A separate virtual cluster is created for each hardware configuration and for each maintenance window configuration.

+|Instance hardware or maintenance window change (General Purpose)|- Virtual cluster creation or resizing¹|90% of operations finish in 4 hours (creation) or 2.5 hours (resizing) .|

+|Instance hardware or maintenance window change (Business Critical)|- Virtual cluster creation or resizing¹<br>- Always On availability group seeding|90% of operations finish in 4 hours (creation) or 2.5 hours (resizing) + time to seed all databases (220 GB/hour).|

+¹ Managed instance must be placed in a virtual cluster with the corresponding hardware and maintenance window. If there is no such virtual cluster in the subnet, a new one must be created first to accommodate the instance.

+## Hardware configuration characteristics

+SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. SQL Managed Instance can be deployed on multiple hardware configurations.

+> The Gen5 hardware has been renamed to the **standard-series (Gen5)**. We are introducing two new hardware configurations in limited preview: **premium-series** and **memory optimized premium-series**.

+For information on previously available hardware, see [Previously available hardware](#previously-available-hardware) later in this article.

+Hardware configurations have different characteristics, as described in the following table:

+> If your workload requires storage sizes greater than the available resource limits for Azure SQL Managed Instance, consider the Azure SQL Database [Hyperscale service tier](../database/service-tier-hyperscale.md).

+### Regional support for premium-series hardware (preview)

+Support for the premium-series hardware (public preview) is currently available only in these specific regions: <br>

+### In-memory OLTP available space

+The amount of In-memory OLTP space in [Business Critical](../database/service-tier-business-critical.md) service tier depends on the number of vCores and hardware configuration. The following table lists the limits of memory that can be used for In-memory OLTP objects.

+## Previously available hardware

+This section includes details on previously available hardware. Consider [moving your instance of SQL Managed Instance to the standard-series (Gen5)](../database/service-tiers-vcore.md) hardware to experience a wider range of vCore and storage scalability, accelerated networking, best IO performance, and minimal latency.

+> [!IMPORTANT]

+> Gen4 hardware is being retired and is not available for new deployments.

+### Hardware characteristics

+### In-memory OLTP available space

+The amount of In-memory OLTP space in [Business Critical](../database/service-tier-business-critical.md) service tier depends on the number of vCores and hardware configuration. The following table lists limits of memory that can be used for In-memory OLTP objects.

+- Control over hardware configuration to better match the compute and memory requirements of the workload.

+## Hardware configurations

+Hardware configuration options in the vCore model include standard-series (Gen5), premium-series, and memory optimized premium-series. Hardware configuration generally defines the compute and memory limits and other characteristics that impact workload performance.

+For more information on the hardware configuration specifics and limitations, see [Hardware configuration characteristics](resource-limits.md#hardware-configuration-characteristics).

+### Selecting a hardware configuration

+You can select hardware configuration at the time of instance creation, or you can change hardware of an existing instance.

+**To select hardware configuration when creating a SQL Managed Instance**

+On the **Basics** tab, select the **Configure database** link in the **Compute + storage** section, and then select desired hardware:

+**To change hardware of an existing SQL Managed Instance**

+On the Pricing tier page, you will be able to change hardware as described in the previous steps.

+Gen4 hardware is [being retired](https://azure.microsoft.com/updates/gen-4-hardware-on-azure-sql-database-approaching-end-of-life-in-2020/) and is no longer available for new deployments. All new instances must be deployed on other hardware configurations.

+Premium-series and memory optimized premium-series hardware is in preview, and has limited regional availability. For more details, see [Azure SQL Managed Instance resource limits](../managed-instance/resource-limits.md#hardware-configuration-characteristics).

+In the vCore model, you can choose hardware configurations as follows:

+Find more information about the difference between hardware configurations in [SQL Managed Instance resource limits](resource-limits.md#hardware-configuration-characteristics).

+ - [Hardware configuration](resource-limits.md#hardware-configuration-characteristics)

+- Plans to scale up/down or change the service tier, hardware configuration, or maintenance window

+- Each managed instance uses a number of addresses that depend on pricing tier and hardware configuration.

+The same scenario as for the maintenance window applies for changing the [hardware configuration](resource-limits.md#hardware-configuration-characteristics) as a virtual cluster always uses the same hardware. In case of new instance creation or changing the hardware of the existing instance, if there is no such virtual cluster in the subnet, a new one must be created first to accommodate the instance.

+We recommend the following formula for calculating the total number of IP addresses. This formula takes into account the potential creation of a new virtual cluster during a later create request or instance update. It also takes into account the maintenance window and hardware requirements of virtual clusters.

+- c = number of different maintenance window configurations and hardware configurations

+### Destination subnet limitations

+Consider the following limitations when choosing a destination subnet for an existing instance:

+- The destination subnet must be in the same virtual network as the source subnet.

+- The DNS zone of the destination subnet must match the DNS zone of the source subnet as changing the DNS zone of a managed instance is not currently supported.

+- Instances running on Gen4 hardware must be upgraded to newer hardware since Gen4 is being retired. Upgrading hardware and moving to another subnet can be performed in one operation.

+- Based on the baseline CPU usage, you can provision a managed instance that matches the number of cores that you are using on SQL Server, having in mind that CPU characteristics might need to be scaled to match [VM characteristics where the managed instance is installed](../../managed-instance/resource-limits.md#hardware-configuration-characteristics).

+- Based on the baseline memory usage, choose [the service tier that has matching memory](../../managed-instance/resource-limits.md#hardware-configuration-characteristics). The amount of memory cannot be directly chosen, so you would need to select the managed instance with the amount of vCores that has matching memory (for example, 5.1 GB/vCore in Gen5).

+- Use the CPU usage baseline to provision a managed instance that matches the number of cores that your instance of SQL Server uses. It might be necessary to scale resources to match the [hardware characteristics](../../managed-instance/resource-limits.md#hardware-configuration-characteristics).

+More information: [Hardware characteristics of Azure SQL Managed Instance ](../../managed-instance/resource-limits.md#hardware-configuration-characteristics)

+More information: [Hardware characteristics of Azure SQL Managed Instance ](../../managed-instance/resource-limits.md#hardware-configuration-characteristics)

+The fixes documented in the VMware security advisory [VMSA-2021-0028.6](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) to address CVE-2021-44228 and CVE-2021-45046 have been applied to these AVS managed VMware products: vCenter Server, NSX-T Data Center, SRM and HCX.

+Per VMware security advisory [VMSA-2021-0027](https://www.vmware.com/security/advisories/VMSA-2021-0027.html), multiple vulnerabilities in VMware vCenter Server have been reported to VMware.

+To address the vulnerabilities (CVE-2021-21980 and CVE-2021-22049) reported in VMware security advisory, vCenter Server has been updated to 6.7 Update 3p release in all Azure VMware Solution private clouds.

+Per VMware security advisory [VMSA-2021-0020](https://www.vmware.com/security/advisories/VMSA-2021-0020.html), multiple vulnerabilities in the VMware vCenter Server have been reported to VMware.

+To address the vulnerabilities (CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012,CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020) reported in VMware security advisory [VMSA-2021-0020](https://www.vmware.com/security/advisories/VMSA-2021-0020.html), vCenter Server has been updated to 6.7 Update 3o in all Azure VMware Solution private clouds. All new Azure VMware Solution private clouds are deployed with vCenter Server version 6.7 Update 3o.

+All new Azure VMware Solution private clouds are now deployed with NSX-T Data Center version [!INCLUDE [nsxt-version](includes/nsxt-version.md)]. NSX-T Data Center version in existing private clouds will be upgraded through September, 2021 to NSX-T Data Center [!INCLUDE [nsxt-version](includes/nsxt-version.md)] release.

+For more information on this NSX-T Data Center version, see [VMware NSX-T Data Center [!INCLUDE [nsxt-version](includes/nsxt-version.md)] Release Notes](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/rn/VMware-NSX-T-Data-Center-312-Release-Notes.html).

+Azure VMware Solution service will do maintenance work through May 23, 2021, to apply important updates to the vCenter Server in your private cloud. You'll receive a notification through Azure Service Health that includes the timeline of the maintenance for your private cloud.

+During this time, VMware vCenter Server will be unavailable and you won't be able to manage VMs (stop, start, create, or delete). It's recommended that, during this time, you don't plan any other activities like scaling up private cloud, creating new networks, and so on, in your private cloud.

+All new Azure VMware Solution private clouds are now deployed with VMware vCenter Server version 6.7U3l and NSX-T Data Center version 2.5.2. We're not using NSX-T Data Center 3.1.1 for new private clouds because of an identified issue in NSX-T Data Center 3.1.1 that impacts customer VM connectivity.

+The VMware recommended mitigation was applied to all existing private clouds currently running NSX-T Data Center 3.1.1 on Azure VMware Solution. The workaround has been confirmed that there's no impact to customer VM connectivity.

+All new Azure VMware Solution private clouds are deployed with VMware vCenter Server version 6.7U3l and NSX-T Data Center version 3.1.1. Any existing private clouds will be updated and upgraded **through June 2021** to the releases mentioned above.

+- Azure VMware Solution service will do maintenance work **through March 19, 2021,** to update the vCenter Server in your private cloud to vCenter Server 6.7 Update 3l version.

+- VMware vCenter Server will be unavailable during this time, so you can't manage your VMs (stop, start, create, delete) or private cloud scaling (adding/removing servers and clusters). However, VMware High Availability (HA) will continue to operate to protect existing VMs.

+>This is non-disruptive and should not impact Azure VMware Services or workloads. During maintenance, various VMware alerts, such as _Lost network connectivity on DVPorts_ and _Lost uplink redundancy on DVPorts_, appear in vCenter Server and clear automatically as the maintenance progresses.

+- [Use NSX-T Data Center to host your DHCP server](#use-nsx-t-data-center-to-host-your-dhcp-server)

+>If you want to configure DHCP using a simplified view of NSX-T Data Center operations, see [Configure DHCP for Azure VMware Solution](configure-dhcp-azure-vmware-solution.md).

+>For clouds created on or after July 1, 2021, the simplified view of NSX-T Data Center operations must be used to configure DHCP on the default Tier-1 Gateway in your environment.

+>DHCP does not work for virtual machines (VMs) on the VMware HCX L2 stretch network when the DHCP server is in the on-premises datacenter. NSX-T Data Center, by default, blocks all DHCP requests from traversing the L2 stretch. For the solution, see the [Configure DHCP on L2 stretched VMware HCX networks](configure-l2-stretched-vmware-hcx-networks.md) procedure.

+## Use NSX-T Data Center to host your DHCP server

+If you want to use NSX-T Data Center to host your DHCP server, you'll create a DHCP server and a relay service. Then you'll add a network segment and specify the DHCP IP address range.

+ :::image type="content" source="./media/manage-dhcp/edit-tier-1-gateway.png" alt-text="Screenshot showing how to edit the NSX-T Data Center Tier-1 Gateway for using a DHCP server." border="true":::

+ :::image type="content" source="./media/manage-dhcp/add-subnet.png" alt-text="Screenshot showing how to add a subnet to the NSX-T Data Center Tier-1 Gateway for using a DHCP server." border="true":::

+>For clouds created on or after July 1, 2021, the simplified view of NSX-T Data Center operations must be used to configure DHCP on the default Tier-1 Gateway in your environment.

+ :::image type="content" source="./media/manage-dhcp/edit-tier-1-gateway.png" alt-text="Screenshot showing how to edit the NSX-T Data Center Tier-1 Gateway." border="true":::

+ :::image type="content" source="./media/manage-dhcp/add-subnet.png" alt-text="Screenshot showing how to add a subnet to the NSX-T Data Center Tier-1 Gateway." border="true":::

+- [How to join the beta program](https://docs.github.com/en/get-started/signing-up-for-github/signing-up-for-a-new-github-account)

+ Title: Configure external identity source for vCenter Server

+description: Learn how to configure Active Directory over LDAP or LDAPS for vCenter Server as an external identity source.

+> * List all existing external identity sources integrated with vCenter Server SSO

+You'll run the `Get-ExternalIdentitySources` cmdlet to list all external identity sources already integrated with vCenter Server SSO.

+You'll run the `New-LDAPSIdentitySource` cmdlet to add an AD over LDAP with SSL as an external identity source to use with SSO into vCenter Server.

+You'll run the `New-LDAPIdentitySource` cmdlet to add AD over LDAP as an external identity source to use with SSO into vCenter Server.

+You'll run the `Add-GroupToCloudAdmins` cmdlet to add an existing AD group to cloudadmin group. The users in this group have privileges equal to the cloudadmin (cloudadmin@vsphere.local) role defined in vCenter Server SSO.

+- [Azure VMware Solution identity concepts](concepts-identity.md) - Use vCenter Server to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. Access and identity management use the CloudAdmin role for vCenter Server and restricted administrator rights for NSX-T Manager.

+ Title: Metrics in Azure Web PubSub Service

+description: Metrics in Azure Web PubSub Service.

+# Metrics in Azure Web PubSub Service

+Azure Web PubSub Service has some built-in metrics and you and sets up [alerts](../azure-monitor/alerts/alerts-overview.md) base on metrics.

+## Understand metrics

+Metrics provide the running info of the service. The available metrics are:

+|Metric|Unit|Recommended Aggregation Type|Description|Dimensions|

+||||||

+|Connection Close Count|Count|Sum|The count of connections closed by various reasons.|ConnectionCloseCategory|

+|Connection Count|Count|Max / Avg|The amount of connection.|No Dimensions|

+|Connection Open Count|Count|Sum|The count of new connections opened.|No Dimensions|

+|Connection Quota Utilization|Percent|Max / Avg|The percentage of connection connected relative to connection quota.|No Dimensions|

+|Inbound Traffic|Bytes|Sum|The inbound traffic of service|No Dimensions|

+|Outbound Traffic|Bytes|Sum|The outbound traffic of service|No Dimensions|

+### Understand Dimensions

+Dimensions of a metric are name/value pairs that carry extra data to describe the metric value.

+The dimension available in some metrics:

+* ConnectionCloseCategory: Describe the categories of why connection getting closed. Including dimension values:

+ - Normal: Normal closure.

+ - Throttled: With traffic or connection throttling, check Connection Count and Outbound Traffic usage and your resource limits.

+ - SendEventFailed: Event handler invokes failed.

+ - EventHandlerNotFound: Event handler not found.

+ - SlowClient: Too many messages queued up at service side, which needed to be sent.

+ - ServiceTransientError: Internal server error

+ - BadRequest: This caused by invalid hub name, wrong payload, etc.

+ - ServiceReload: This is triggered when a connection is dropped due to an internal service component reload. This event doesn't indicate a malfunction and is part of normal service operation.

+ - Unauthorized: The connection is unauthorized

+Learn more about [multi-dimensional metrics](../azure-monitor/essentials/data-platform-metrics.md#multi-dimensional-metrics)

+## Related resources

+- [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicewebpubsub )

+| Europe | Vienna, Austria<br />Copenhagen, Denmark<br />Helsinki, Finland<br />Marseille, France<br />Paris, France<br />Frankfurt, Germany<br />Milan, Italy<br />Riga, Latvia<br />Amsterdam, Netherlands<br />Warsaw, Poland<br />Madrid, Spain<br />Stockholm, Sweden<br />London, UK <br /> Manchester, UK | Austria<br />Bulgaria<br />Denmark<br />Finland<br />France<br />Germany<br />Greece<br />Ireland<br />Italy<br />Netherlands<br />Norway<br />Poland<br />Russia<br />Spain<br />Sweden<br />Switzerland<br />United Kingdom |

+ Title: Available States for Azure Cloud Services (extended support)

+description: Available Power and Provisioning States for Azure Cloud Services (extended support)

+# Available Provisioning and Power States for Azure Cloud Services (extended support)

+## Available Provisioning States for Azure Cloud Services (extended support)

+This table lists the different Provisioning states for Cloud Services (extended support) resource.

+| Status | Description |

+|||

+|Creating|The CSES resource is in the process of creating|

+|Updating|The CSES resource is in the state of being updated|

+|Failed|The CSES resource is unable to achieve the status requested in the deployment|

+|Succeeded|The CSES resource is successfully deployed with the latest deployment request|

+|Deleting|The CSES resource is in the process of deleting|

+## Available Role Instance/Power States for Azure Cloud Services (extended support)

+This table lists the different power states for Cloud Services (extended support) instances.

+|State|Details|

+|||

+|Started|The Role Instance is healthy and is currently running|

+|Stopping|The Role Instance is in the process of getting stopped|

+|Stopped|The Role Instance is in the Stopped State|

+|Unknown|The Role Instance is either in the process of creating or is not ready to service the traffic|

+|Starting|The Role Instance is in the process of moving to healthy/running state|

+|Busy|The Role Instance is not responding|

+|Destroyed|The Role instance is destroyed|

+## Next steps

+- Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support).

+- Review [frequently asked questions](faq.yml) for Cloud Services (extended support).

+- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).

+Our Speech SDK will automatically use a compressed format for transmission when a `pcm` output format is set.

+For Linux and Windows, `GStreamer` is required to enable this feature.

+For Android, iOS and macOS, no extra configuration is needed starting version 1.20.

+We keep improving the Speech SDK's performance, so try to use the latest Speech SDK in your application.

+|[CMU Arctic corpus](https://pyroomacoustics.readthedocs.io/en/pypi-release/pyroomacoustics.datasets.cmu_arctic.html)|About 1100 sentences selected from out-of-copyright works specifically for use in speech synthesis projects. An excellent starting point.|

+- [Saving Snow Leopards with Deep Learning and Computer Vision on Spark](/archive/blogs/machinelearning/saving-snow-leopards-with-deep-learning-and-computer-vision-on-spark)

+- [Simple Scala Examples](samples-scala.md)

+Since the Credential object can be passed to multiple Chat or Calling client instances, the SDK will make no assumptions about its lifetime and leaves the responsibility of its disposal to the developer. It's up to the Communication Services applications to dispose the Credential instance when it's no longer needed. Disposing the credential is also the recommended way of canceling scheduled refresh actions when the proactive refreshing is enabled.

+- **Best Worker**: The workers that are best able to handle the job are picked first. The logic to rank Workers can be customized, with an expression or Azure function to compare two workers. [See example][worker-scoring]

+[offer_accepted_event]: ../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerofferaccepted

+[worker-scoring]: ../../how-tos/router-sdk/customize-worker-scoring.md

+- [Azure Function Rule How To](../../how-tos/router-sdk/azure-function.md)

+

+ Title: Azure function rule example

+description: Learn how to wire up Azure Functions to Job Router decision points.

+

+# Azure function rule engine

+As part of the customer extensibility model, Azure Communication Services Job Router supports an Azure Function based rule engine. It gives you the ability to bring your own Azure function. With Azure Functions, you can incorporate custom and complex logic into the process of routing.

+## Creating an Azure function

+If you're new to Azure Functions, refer to [Getting started with Azure Functions](../../../azure-functions/functions-get-started.md) to learn how to create your first function with your favorite tool and language.

+> [!NOTE]

+> Your Azure Function will need to be configured to use an [Http trigger](../../../azure-functions/functions-triggers-bindings.md)

+The Http request body that is sent to your function will include the labels of each of the entities involved. For example, if you're writing a function to determine job priority, the payload will include the all the job labels under the `job` key.

+```json

+{

+ "job": {

+ "label1": "foo",

+ "label2": "bar",

+ "urgent": true,

+ }

+}

+```

+The following example will inspect the value of the `urgent` label and return a priority of 10 if it's true.

+```csharp

+public static class GetPriority

+{

+ [FunctionName("GetPriority")]

+ public static async Task<IActionResult> Run(

+ [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,

+ ILogger log)

+ {

+ var priority = 5;

+ string requestBody = await new StreamReader(req.Body).ReadToEndAsync();

+ var data = JsonConvert.DeserializeObject<JObject>(requestBody);

+ var isUrgent = data["job"]["urgent"].Value<bool>();

+ if (isUrgent)

+ priority = 10;

+ return new OkObjectResult(JsonConvert.SerializeObject(priority));

+ }

+}

+```

+## Configure a policy to use the Azure function

+Inspect your deployed function in the Azure portal and locate the function Uri and authentication key. Then use the SDK to configure a policy that uses a rule engine to point to that function.

+```csharp

+await client.SetClassificationPolicyAsync(

+ "policy-1",

+ prioritizationRule: new AzureFunctionRule("<insert function uri>", new AzureFunctionRuleCredential("<insert function key>")));

+```

+When a new job is submitted or updated, this function will be called to determine the priority of the job.

+## Errors

+If the Azure Function fails or returns a non-200 code, the job will move to the `ClassificationFailed` state and you'll receive a `JobClassificationFailedEvent` from Event Grid containing details of the error.

+

+ Title: Azure Function Rule concepts for Azure Communication Services

+description: Learn how to customize how workers are ranked for the best worker mode

+

+# How to customize how workers are ranked for the best worker distribution mode

+The `best-worker` distribution mode selects the workers that are best able to handle the job first. The logic to rank Workers can be customized, with an expression or Azure function to compare two workers. The following example shows how to customize this logic with your own Azure Function.

+## Scenario: Custom scoring rule in best worker distribution mode

+We want to distribute offers among their workers associated with a queue. The workers will be given a score based on their labels and skill set. The worker with the highest score should get the first offer (_BestWorker Distribution Mode_).

+### Situation

+- A job has been created and classified.

+ - Job has the following **labels** associated with it

+ - ["CommunicationType"] = "Chat"

+ - ["IssueType"] = "XboxSupport"

+ - ["Language"] = "en"

+ - ["HighPriority"] = true

+ - ["SubIssueType"] = "ConsoleMalfunction"

+ - ["ConsoleType"] = "XBOX_SERIES_X"

+ - ["Model"] = "XBOX_SERIES_X_1TB"

+ - Job has the following **WorkerSelectors** associated with it

+ - ["English"] >= 7

+ - ["ChatSupport"] = true

+ - ["XboxSupport"] = true

+- Job currently is in a state of '**Queued**'; enqueued in *Xbox Hardware Support Queue* waiting to be matched to a worker.

+- Multiple workers become available simultaneously.

+ - **Worker 1** has been created with the following **labels**

+ - ["HighPrioritySupport"] = true

+ - ["HardwareSupport"] = true

+ - ["Support_XBOX_SERIES_X"] = true

+ - ["English"] = 10

+ - ["ChatSupport"] = true

+ - ["XboxSupport"] = true

+ - **Worker 2** has been created with the following **labels**

+ - ["HighPrioritySupport"] = true

+ - ["HardwareSupport"] = true

+ - ["Support_XBOX_SERIES_X"] = true

+ - ["Support_XBOX_SERIES_S"] = true

+ - ["English"] = 8

+ - ["ChatSupport"] = true

+ - ["XboxSupport"] = true

+ - **Worker 3** has been created with the following **labels**

+ - ["HighPrioritySupport"] = false

+ - ["HardwareSupport"] = true

+ - ["Support_XBOX"] = true

+ - ["English"] = 7

+ - ["ChatSupport"] = true

+ - ["XboxSupport"] = true

+### Expectation

+We would like the following behavior when scoring workers to select which worker gets the first offer.

+The decision flow (as shown above) is as follows:

+- If a job is **NOT HighPriority**:

+ - Workers with label: **["Support_XBOX"] = true**; get a score of *100*

+ - Otherwise, get a score of *1*

+- If a job is **HighPriority**:

+ - Workers with label: **["HighPrioritySupport"] = false**; get a score of *1*

+ - Otherwise, if **["HighPrioritySupport"] = true**:

+ - Does Worker specialize in console type -> Does worker have label: **["Support_<**jobLabels.ConsoleType**>"] = true**? If true, worker gets score of *200*

+ - Otherwise, get a score of *100*

+## Creating an Azure function

+Before moving on any further in the process, let us first define an Azure function that scores worker.

+> [!NOTE]

+> The following Azure function is using JavaScript. For more information, please refer to [Quickstart: Create a JavaScript function in Azure using Visual Studio Code](../../../azure-functions/create-first-function-vs-code-node.md)

+Sample input for **Worker 1**

+```json

+{

+ "job": {

+ "CommunicationType": "Chat",

+ "IssueType": "XboxSupport",

+ "Language": "en",

+ "HighPriority": true,

+ "SubIssueType": "ConsoleMalfunction",

+ "ConsoleType": "XBOX_SERIES_X",

+ "Model": "XBOX_SERIES_X_1TB"

+ },

+ "selectors": [

+ {

+ "key": "English",

+ "operator": "GreaterThanEqual",

+ "value": 7,

+ "ttl": null

+ },

+ {

+ "key": "ChatSupport",

+ "operator": "Equal",

+ "value": true,

+ "ttl": null

+ },

+ {

+ "key": "XboxSupport",

+ "operator": "Equal",

+ "value": true,

+ "ttl": null

+ }

+ ],

+ "worker": {

+ "Id": "e3a3f2f9-3582-4bfe-9c5a-aa57831a0f88",

+ "HighPrioritySupport": true,

+ "HardwareSupport": true,

+ "Support_XBOX_SERIES_X": true,

+ "English": 10,

+ "ChatSupport": true,

+ "XboxSupport": true

+ }

+}

+```

+Sample implementation:

+```javascript

+module.exports = async function (context, req) {

+ context.log('Best Worker Distribution Mode using Azure Function');

+ let score = 0;

+ const jobLabels = req.body.job;

+ const workerLabels = req.body.worker;

+ const isHighPriority = !!jobLabels["HighPriority"];

+ context.log('Job is high priority? Status: ' + isHighPriority);

+ if(!isHighPriority) {

+ const isGenericXboxSupportWorker = !!workerLabels["Support_XBOX"];

+ context.log('Worker provides general xbox support? Status: ' + isGenericXboxSupportWorker);

+ score = isGenericXboxSupportWorker ? 100 : 1;

+ } else {

+ const workerSupportsHighPriorityJob = !!workerLabels["HighPrioritySupport"];

+ context.log('Worker provides high priority support? Status: ' + workerSupportsHighPriorityJob);

+ if(!workerSupportsHighPriorityJob) {

+ score = 1;

+ } else {

+ const key = `Support_${jobLabels["ConsoleType"]}`;

+

+ const workerSpecializeInConsoleType = !!workerLabels[key];

+ context.log(`Worker specializes in consoleType: ${jobLabels["ConsoleType"]} ? Status: ${workerSpecializeInConsoleType}`);

+ score = workerSpecializeInConsoleType ? 200 : 100;

+ }

+ }

+ context.log('Final score of worker: ' + score);

+ context.res = {

+ // status: 200, /* Defaults to 200 */

+ body: score

+ };

+}

+```

+Output for **Worker 1**

+```markdown

+200

+```

+With the aforementioned implementation, for the given job we'll get the following scores for workers:

+| Worker | Score |

+|--|-|

+| Worker 1 | 200 |

+| Worker 2 | 200 |

+| Worker 3 | 1 |

+## Distribute offers based on best worker mode

+Now that the Azure function app is ready, let us create an instance of **BestWorkerDistribution** mode using Router SDK.

+```csharp

+ // -- initialize router client

+ // Setup Distribution Policy

+ var bestWorkerDistributionMode = new BestWorkerMode(

+ scoringRule: new AzureFunctionRule(

+ functionAppUrl: "<insert function url>");

+ var distributionPolicy = await client.SetDistributionPolicyAsync(

+ id: "BestWorkerDistributionMode",

+ mode: bestWorkerDistributionMode,

+ name: "XBox hardware support distribution",

+ offerTTL: TimeSpan.FromMinutes(5));

+ // Setup Queue

+ var queue = await client.SetQueueAsync(

+ id: "XBox_Hardware_Support_Q",

+ distributionPolicyId: distributionPolicy.Value.Id,

+ name: "XBox Hardware Support Queue");

+ // Setup Channel

+ var channel = await client.SetChannelAsync("Xbox_Chat_Channel");

+ // Create workers

+ var worker1Labels = new LabelCollection()

+ {

+ ["HighPrioritySupport"] = true,

+ ["HardwareSupport"] = true,

+ ["Support_XBOX_SERIES_X"] = true,

+ ["English"] = 10,

+ ["ChatSupport"] = true,

+ ["XboxSupport"] = true

+ };

+ var worker1 = await client.RegisterWorkerAsync(

+ id: "Worker_1",

+ totalCapacity: 100,

+ queueIds: new[] {queue.Value.Id},

+ labels: worker1Labels,

+ channelConfigurations: new[] {new ChannelConfiguration(channel.Value.Id, 10)});

+ var worker2Labels = new LabelCollection()

+ {

+ ["HighPrioritySupport"] = true,

+ ["HardwareSupport"] = true,

+ ["Support_XBOX_SERIES_X"] = true,

+ ["Support_XBOX_SERIES_S"] = true,

+ ["English"] = 8,

+ ["ChatSupport"] = true,

+ ["XboxSupport"] = true

+ };

+ var worker2 = await client.RegisterWorkerAsync(

+ id: "Worker_2",

+ totalCapacity: 100,

+ queueIds: new[] { queue.Value.Id },

+ labels: worker2Labels,

+ channelConfigurations: new[] { new ChannelConfiguration(channel.Value.Id, 10) });

+ var worker3Labels = new LabelCollection()

+ {

+ ["HighPrioritySupport"] = false,

+ ["HardwareSupport"] = true,

+ ["Support_XBOX"] = true,

+ ["English"] = 7,

+ ["ChatSupport"] = true,

+ ["XboxSupport"] = true

+ };

+ var worker3 = await client.RegisterWorkerAsync(

+ id: "Worker_3",

+ totalCapacity: 100,

+ queueIds: new[] { queue.Value.Id },

+ labels: worker3Labels,

+ channelConfigurations: new[] { new ChannelConfiguration(channel.Value.Id, 10) });

+ // Create Job

+ var jobLabels = new LabelCollection()

+ {

+ ["CommunicationType"] = "Chat",

+ ["IssueType"] = "XboxSupport",

+ ["Language"] = "en",

+ ["HighPriority"] = true,

+ ["SubIssueType"] = "ConsoleMalfunction",

+ ["ConsoleType"] = "XBOX_SERIES_X",

+ ["Model"] = "XBOX_SERIES_X_1TB"

+ };

+ var workerSelectors = new List<LabelSelector>()

+ {

+ new LabelSelector("English", LabelOperator.GreaterThanEqual, 7),

+ new LabelSelector("ChatSupport", LabelOperator.Equal, true),

+ new LabelSelector("XboxSupport", LabelOperator.Equal, true)

+ };

+ var job = await client.CreateJobAsync(

+ channelId: channel.Value.Id,

+ queueId: queue.Value.Id,

+ priority: 100,

+ channelReference: "ChatChannel",

+ labels: jobLabels,

+ workerSelectors: workerSelectors);

+ var getJob = await client.GetJobAsync(job.Value.Id);

+ Console.WriteLine(getJob.Value.Assignments.Select(assignment => assignment.Value.WorkerId).First());

+```

+Output

+```markdown

+Worker_1 // or Worker_2

+Since both workers, Worker_1 and Worker_2, get the same score of 200,

+the worker who has been idle the longest will get the first offer.

+```

+Analytical store can be disabled in SQL API containers using `Update-AzCosmosDBSqlContainer` PowerShell command, by updating `-AnalyticalStorageTtl` (analytical Time-To-Live) to `0`. Please note that currently this action can't be undone. If analytical store is disabled in a container, it can never be re-enabled.

+1. Sign into the [Azure portal](https://portal.azure.com/) and navigate to your subscription.

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | CosmosRestoreOperator |

+ | Assign access to | User, group, or service principal |

+ | Members | &lt;User of your choice&gt; |

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot that shows Add role assignment page in Azure portal.":::

+1. Repeat step 4 with the **Cosmos DB Operator** role to grant the write permission. When assigning this role from the Azure portal, it grants the restore permission to the whole subscription.

+This article describes how to get the [latest restorable timestamp](latest-restore-timestamp-continuous-backup.md) for accounts with continuous backup mode. It explains how to get the latest restorable time using Azure PowerShell and Azure CLI, and provides the request and response format for the PowerShell and CLI commands.

+This feature is supported for Cosmos DB SQL API containers and Cosmos DB MongoDB API collections. This feature is in preview for Table API tables and Gremlin API graphs.

+**Sample response (in UTC format):**

+**Sample response (in UTC format):**

+**Sample response (in UTC format):**

+**Sample response (in UTC format):**

+**Sample response (in UTC format):**

+**Sample response (in UTC format):**

+**Sample response (in UTC format):**

+## Gremlin graph backup information

+**Sample response (in UTC format):**

+## Table backup information

+**Sample response (in UTC format):**

+* [Introduction to continuous backup mode with point-in-time restore](continuous-backup-restore-introduction.md)

+* [Continuous backup mode resource model](continuous-backup-restore-resource-model.md)

+- [In Python](/python/api/overview/azure/identity-readme?view=azure-python#credential-classes)

+### In Python

+The Azure Cosmos DB RBAC is supported in the [Python SDK versions 4.3.0b4](sql-api-sdk-python.md) and higher.

+```python

+aad_credentials = ClientSecretCredential(

+ tenant_id="<azure-ad-tenant-id>",

+ client_id="<client-application-id>",

+ client_secret="<client-application-secret>")

+client = CosmosClient("<account-endpoint>", aad_credentials)

+```

+By default, the API only works at the container level, but it can be easily extended to work at the database or account level. This article helps you understand the semantics of latest restorable timestamp api, how it gets calculated and use cases for it. To learn more, see [how to get the latest restore timestamp](get-latest-restore-timestamp.md) for SQL API, MongoDB API, Table API (preview), Gremlin API (preview) accounts.

+1. Sign in to the Azure portal and go to your Azure Cosmos DB account.

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

+1. On the **Roles** tab, select **DocumentDB Account Contributor**.

+1. On the **Members** tab, select **Managed identity**, and then select **Select members**.

+1. Select your Azure subscription.

+1. Under **System-assigned managed identity**, select **Function App**, and then select **FishTankTemperatureService**.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+> * If the account is of type Table API or Gremlin API. These two APIs are in preview.

+Currently, SQL API and API for MongoDB accounts with single write region, that have shared, provisioned, or autoscale provisioned throughput support migration. Table API and Gremlin API are in preview.

+This console app uses the [MongoDB Java driver](https://www.mongodb.com/docs/drivers/java-drivers/).

+It's critical to carry out certain up-front planning and decision-making about your migration before you actually move any data. This initial decision-making process is the "pre-migration".

+Your goal in pre-migration is to:

+1. Ensure that you set up Azure Cosmos DB to fulfill your application's requirements, and

+2. Plan out how you will execute the migration.

+1. [Discover your existing MongoDB resources and create a data estate spreadsheet to track them](#pre-migration-discovery)

+2. [Assess the readiness of your existing MongoDB resources for data migration](#pre-migration-assessment)

+3. [Map your existing MongoDB resources to new Azure Cosmos DB resources](#pre-migration-mapping)

+4. [Plan the logistics of migration process end-to-end, before you kick off the full-scale data migration](#execution-logistics)

+The [Database Migration Assistant](https://aka.ms/mongodma)(DMA) assists you with the [Discovery](#programmatic-discovery-using-the-database-migration-assistant) and [Assessment](#programmatic-assessment-using-the-database-migration-assistant) stages of the planning.

+The first pre-migration step is resource discovery.

+In this step, you need to create a **data estate migration spreadsheet**.

+* This sheet contains a comprehensive list of the existing resources (databases or collections) in your MongoDB data estate.

+* The purpose of this spreadsheet is to enhance your productivity and help you to plan migration from end-to-end.

+* You're recommended to extend this document and use it as a tracking document throughout the migration process.

+### Programmatic discovery using the Database Migration Assistant

+You may use the [Database Migration Assistant](https://aka.ms/mongodma) (DMA) to assist you with the discovery stage and create the data estate migration sheet programmatically.

+It's easy to [setup and run DMA](https://aka.ms/mongodma#how-to-run-the-dma) through an Azure Data Studio client. It can be run from any machine connected to your source MongoDB environment.

+You can use either one of the following DMA output files as the data estate migration spreadsheet:

+* `workload_database_details.csv` - Gives a database-level view of the source workload. Columns in file are: Database Name, Collection count, Document Count, Average Document Size, Data Size, Index Count and Index Size.

+* `workload_collection_details.csv` - Gives a collection-level view of the source workload. Columns in file are: Database Name, Collection Name, Doc Count, Average Document Size, Data size, Index Count, Index Size and Index definitions.

+Here's a sample database-level migration spreadsheet created by DMA:

+

+### Manual discovery

+Alternately, you may refer to the sample spreadsheet above and create a similar document yourself.

+* The spreadsheet should be structured as a record of your data estate resources, in list form.

+* Each row corresponds to a resource (database or collection).

+* Each column corresponds to a property of the resource; start with at least *name* and *data size (GB)* as columns.

+* As you progress through this guide, you'll build this spreadsheet into a tracking document for your end-to-end migration planning, adding columns as needed.

+* [MongoDB Shell](https://www.mongodb.com/try/download/shell)

+* [MongoDB Compass](https://www.mongodb.com/try/download/compass)

+Second, as a prelude to planning your migration, assess the readiness of resources in your data estate for migration.

+Assessment involves finding out whether you're using the [features and syntax that are supported](./feature-support-42.md). It also includes making sure you're adhering to the [limits and quotas](../concepts-limits.md#per-account-limits). The aim of this stage is to create a list of incompatibilities and warnings, if any. After you have the assessment results, you can try to address the findings during rest of the migration planning.

+### Programmatic assessment using the Database Migration Assistant

+[Database Migration Assistant](https://aka.ms/mongodma) (DMA) also assists you with the assessment stage of pre-migration planning.

+Refer to the section [Programmatic discovery using the Database Migration Assistant](#programmatic-discovery-using-the-database-migration-assistant) to know how to setup and run DMA.

+The DMA notebook runs a few assessment rules against the resource list it gathers from source MongoDB. The assessment result lists the required and recommended changes needed to proceed with the migration.

+The results are printed as an output in the DMA notebook and saved to a CSV file - `assessment_result.csv`.

+> [!NOTE]

+> Database Migration Assistant is a preliminary utility meant to assist you with the pre-migration steps. It does not perform an end-to-end assessment.

+> In addition to running the DMA, we also recommend you to go through [the supported features and syntax](./feature-support-42.md), [Cosmos DB limits and quotas](../concepts-limits.md#per-account-limits) in detail, as well as perform a proof-of-concept prior to the actual migration.

+Figure out what Azure Cosmos DB resources you'll create. This means stepping through your data estate migration spreadsheet and mapping each existing MongoDB resource to a new Azure Cosmos DB resource.

+* Anticipate that each MongoDB database will become an Azure Cosmos DB database.

+* Anticipate that each MongoDB collection will become an Azure Cosmos DB collection.

+* Determine whether you'll be using sharded or unsharded collections in Cosmos DB. The unsharded collection limit is 20 GB. Sharding, on the other hand, helps achieve horizontal scale that is critical to the performance of many workloads.

+* If using sharded collections, *do not assume that your MongoDB collection shard key becomes your Azure Cosmos DB collection shard key. Do not assume that your existing MongoDB data model/document structure is what you'll employ on Azure Cosmos DB.*

+* Refer to [Partitioning and horizontal scaling in Azure Cosmos DB](../partitioning-overview.md) to choose the best shard key. Partitioning, also known as Sharding, is a key point of consideration before migrating data. Azure Cosmos DB uses fully-managed partitioning to increase the capacity in a database to meet the storage and throughput requirements. This feature doesn't need the hosting or configuration of routing servers.

+* Follow the guide for [Data modeling in Azure Cosmos DB](../modeling-data.md) to choose a data model.

+* Follow [Optimize provisioned throughput cost in Azure Cosmos DB](../optimize-cost-throughput.md#optimize-by-provisioning-throughput-at-different-levels) to choose between dedicated and shared throughput for each resource that you will migrate

+* [How to model and partition data on Azure Cosmos DB using a real-world example](../how-to-model-partition-example.md) is a real-world example of sharding and data modeling to aid you in your decision-making process

+* In Azure Cosmos DB, the throughput is provisioned in advance and is measured in Request Units (RUs) per second. Unlike VMs or on-premises servers, RUs are easy to scale up and down at any time. You can change the number of provisioned RUs instantly. For more information, see [Request units in Azure Cosmos DB](../request-units.md).

+* Plan how you will monitor the progress of migration once it has started. If you are coordinating your data migration effort among a team, plan a regular cadence of team syncs too, so that you have a comprehensive view of how the high-priority migrations are going.

+* For a post-migration guide, see [Post-migration optimization steps when using Azure Cosmos DB's API for MongoDB](post-migration-optimization.md).

+ * If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+Use the same tool to manage your different Azure entities in one place. You can manage Azure Cosmos DB entities, manipulate data, update stored procedures and triggers along with other Azure entities like storage blobs and queues. Azure Storage Explorer supports Cosmos accounts configured for SQL, MongoDB, Gremlin, and Table APIs.

+> The Azure Cosmos DB integration with Storage Explorer has been deprecated. Any existing functionality will not be removed for a minimum of one year from this release. You should use the [Azure Portal](https://portal.azure.com/), [Azure Portal desktop app](https://portal.azure.com/App/Download) or the standalone [Azure Cosmos DB Explorer](data-explorer.md) instead. The alternative options contain many new features that aren't currently supported in Storage Explorer.

+Cost Management shows organizational cost and usage patterns with advanced analytics. Reports in Cost Management show the usage-based costs consumed by Azure services and third-party Marketplace offerings. Costs are based on negotiated prices and factor in reservation and Azure Hybrid Benefit discounts. Collectively, the reports show your internal and external costs for usage and Azure Marketplace charges. **Other charges, such as reservation purchases, support, and taxes aren't yet shown in reports**. The reports help you understand your spending and resource use and can help find spending anomalies. Predictive analytics are also available. Cost Management uses Azure management groups, budgets, and recommendations to show clearly how your expenses are organized and how you might reduce costs.

+Cost allocation data exposed by the [Usage Details](/rest/api/consumption/usagedetails/list) API is supported by the 2021-10-01 version or later. However, cost allocation data results might be empty if you're using an unsupported API or if you don't have any cost allocation rules.

+## Troubleshoot spending limit banner

+If the spending limit banner doesn't appear, you can manually navigate to your subscription's URL.

+1. Ensure that you've navigated to the correct tenant/directory in the Azure portal.

+1. Navigate to `https://portal.azure.com/#blade/Microsoft_Azure_Billing/RemoveSpendingLimitBlade/subscriptionId/11111111-1111-1111-1111-111111111111` and replace the example subscription ID with your subscription ID.

+The spending limit banner should appear.

+This article will explain managed virtual network and Managed Private endpoints in Azure Data Factory.

+When you create an Azure Integration Runtime (IR) within Azure Data Factory managed virtual network (VNET), the integration runtime will be provisioned with the managed virtual network and will leverage private endpoints to securely connect to supported data stores.

+Creating an Azure IR within managed virtual network ensures that data integration process is isolated and secure.

+Benefits of using managed virtual network:

+- With a managed virtual network, you can offload the burden of managing the virtual network to Azure Data Factory. You don't need to create a subnet for Azure Integration Runtime that could eventually use many private IPs from your virtual network and would require prior network infrastructure planning.

+- Managed virtual network along with Managed private endpoints protects against data exfiltration.

+>Currently, the managed virtual network is only supported in the same region as Azure Data Factory region.

+Managed private endpoints are private endpoints created in the Azure Data Factory managed virtual network establishing a private link to Azure resources. Azure Data Factory manages these private endpoints on your behalf.

+When you use a private link, traffic between your data stores and managed virtual network traverses entirely over the Microsoft backbone network. Private Link protects against data exfiltration risks. You establish a private link to a resource by creating a private endpoint.

+Private endpoint uses a private IP address in the managed virtual network to effectively bring the service into it. Private endpoints are mapped to a specific resource in Azure and not the entire service. Customers can limit connectivity to a specific resource approved by their organization. Learn more about [private links and private endpoints](../private-link/index.yml).

+The following data sources have native Private Endpoint support and can be connected through private link from ADF managed virtual network.

+> Because Azure SQL Managed Instance native Private Endpoint in public preview, you can access it from managed virtual network using Private Linked Service and Load Balancer. Please see [How to access SQL Managed Instance from Data Factory Managed VNET using Private Endpoint](tutorial-managed-virtual-network-sql-managed-instance.md).

+To access on-premises data sources from managed virtual network using Private Endpoint, please see this tutorial [How to access on-premises SQL Server from Data Factory Managed VNET using Private Endpoint](tutorial-managed-virtual-network-on-premise-sql-server.md).

+### Azure Data Factory managed virtual network is available in the following Azure regions

+Generally, managed virtual network is available to all Azure Data Factory regions, except:

+### Outbound communications through public endpoint from ADF managed virtual network

+- When you create a Linked Service for Azure Key Vault, there is no Azure Integration Runtime reference. So you can't create Private Endpoint during Linked Service creation of Azure Key Vault. But when you create Linked Service for data stores which references Azure Key Vault Linked Service and this Linked Service references Azure Integration Runtime with managed virtual network enabled, then you are able to create a Private Endpoint for the Azure Key Vault Linked Service during the creation.

+- Tutorial: [Build a copy pipeline using managed virtual network and private endpoints](tutorial-copy-data-portal-private.md)

+- Tutorial: [Build mapping dataflow pipeline using managed virtual network and private endpoints](tutorial-data-flow-private.md)

+ ],

+ ...

+ Title: Move Azure Data Share Accounts to another Azure region using the Azure portal

+description: Use Azure Resource Manager template to move Azure Data Share account from one Azure region to another using the Azure portal.

+#Customer intent: As an Azure Data Share User, I want to move my Data Share account to a new region.

+# Move an Azure Data Share Account to another region using the Azure portal

+There are various scenarios in which you'd want to move your existing Azure Data Share accounts from one region to another. For example, you may want to create a Data Share Account for testing in a new region. You may also want to move a Data Share Account to another region as part of disaster recovery planning.

+Azure Data Share accounts canΓÇÖt be moved from one region to another. You can however, use an Azure Resource Manager template to export the existing Data Share account, modify the parameters to match the destination region, and then deploy the template to the new region. For more information on Resource Manager and templates, see [Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md).

+## Prerequisites

+- Make sure that the Azure Data Share account is in the Azure region from which you want to move.

+- Azure Data Share accounts canΓÇÖt be moved between regions. YouΓÇÖll have to re-add datasets to sent shares and resend invitations to Data Share recipients. For any received shares, you will need to request that the data provider sends you a new invitation.

+## Prepare and move

+The following steps show how to deploy a new Data Share account using a Resource Manager template via the portal.

+### Export the template and deploy from the portal

+1. Login to the [Azure portal](https://portal.azure.com).

+1. Select **All resources** and then select your Data Share account

+1. Select **Automation** > **Export template**

+1. Choose **Deploy** in the **Export template** blade.

+1. Select **Edit parameters** to open the **parameters.json** file in the online editor.

+1. To edit the parameter of the Data Share account name, change the property under **parameters** > **value** from the source Data Share Account's name to the name of the Data Share Account you want to create in a new region, ensure the name is in quotes:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "accounts_my_datashare_account_name": {

+ "value": "<target-datashare-account-name>"

+ }

+ }

+ }

+ ```

+1. Select **Save** in the editor.

+1. Select **Edit template** to open the **template.json** file in the online editor.

+1. To edit the target region where the Data Share account will be moved, change the **location** property under **resources** in the online editor:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.DataShare/accounts",

+ "apiVersion": "2021-08-01",

+ "name": "[parameters('accounts_my_datashare_account_name')]",

+ "location": "<target-region>",

+ "identity": {

+ "type": "SystemAssigned"

+ }

+ "properties": {}

+ }

+ ]

+ ```

+1. To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces, **Central US** = **centralus**.

+1. You can also change other parameters in the template if you choose. This is optional depending on your requirements:

+ * **Sent Shares** - You can edit which Sent Shares are deployed into the target Data Share Account by adding or removing Shares from the **resources** section in the **template.json** file.:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.DataShare/accounts/shares",

+ "apiVersion": "2021-08-01",

+ "name": "[concat(parameters('accounts_my_datashare_account_name'), '/test_sent_share')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.DataShare/accounts', parameters('accounts_my_datashare_account_name'))]"

+ ],

+ "properties": {

+ "shareKind": "CopyBased"

+ }

+ },

+ ]

+ ```

+ * **Sent Share Invitations** - You can edit which Invitations are deployed into the target Data Share account by adding or removing Invitations from the resources section in the **template.json** file.

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.DataShare/accounts/shares/invitations",

+ "apiVersion": "2021-08-01",

+ "name": "[concat(parameters('accounts_my_datashare_account_name'), '/test_sent_share/blob_snapshot_jsmith_microsoft_com')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.DataShare/accounts/shares', parameters('accounts_my_datashare_account_name'), 'test_sent_share')]",

+ "[resourceId('Microsoft.DataShare/accounts', parameters('accounts_my_datashare_account_name'))]"

+ ],

+ "properties": {

+ "targetEmail": "jsmith@microsoft.com"

+ }

+ }

+ ]

+ ```

+

+ * **Datasets** - You can edit which datasets are deployed into the target Data Share account by adding or removing datasets from the resources section in the **template.json** file. Below is an example of a BlobFolder dataset.

+

+ * If you are also moving the resources contained in the datasets to a new region, you will have to remove the datasets from the **template.json** file and manually re-add them once the Data Share account and resources referenced in the datasets are moved to the new region.

+

+ >[!IMPORTANT]

+ >* Datasets will fail to deploy if the new Data Share account you are deploying will not automatically inherit required permissions to access the datasets. The required permissions depend on the dataset type. See here for required permissions for [Azure Synapse Analytics and Azure SQL Database datasets](how-to-share-from-sql.md#prerequisites-for-sharing-from-azure-sql-database-or-azure-synapse-analytics-formerly-azure-sql-dw). See here for required permissions for [Azure Storage and Azure Data Lake Gen 1 and Gen2 datasets](how-to-share-from-storage.md#prerequisites-for-the-source-storage-account).

+

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.DataShare/accounts/shares/dataSets",

+ "apiVersion": "2021-08-01",

+ "name": "[concat(parameters('accounts_my_datashare_account_name'), '/blobpath/directory')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.DataShare/accounts/shares', parameters('accounts_my_datashare_account_name'), 'blobpath')]",

+ "[resourceId('Microsoft.DataShare/accounts', parameters('accounts_my_datashare_account_name'))]"

+ ],

+ "kind": "BlobFolder",

+ "properties": {

+ "containerName": "<container-name>",

+ "prefix": "<prefix>"

+ "subscriptionId": "<subscription-id>",

+ "resourceGroup": "<resource-group-name>",

+ "storageAccountName": "<storage-account-name>"

+ }

+ }

+ ]

+ ```

+

+1. Select **Save** in the online editor.

+1. Under the **Project details** section, select the **Subscription** dropdown to choose the subscription where the target Data Share account will be deployed.

+1. Select the **Resource group** dropdown to choose the resource group where the target Data Share account will be deployed. You can select **Create new** to create a new resource group for the target Data Share account.

+1. Verify that the **Location** field is set to the target location you want the Data Share account to be deployed to.

+1. Verify under **Instance details** that the name matches the name that you entered in the parameters editor above.

+1. Select **Review + Create** to advance to the next page.

+1. Review the terms and select **Create** to begin the deployment.

+1. Once the deployment finishes, go to the newly created Data Share account.

+1. If you were unable to transfer datasets using the template, you will need to re-add datasets to all of your Sent Shares.

+1. Resend invitations to all recipients of your sent shares and alert the consumers of your shares that they will need to reaccept and remap the data you are sharing with them.

+## Verify

+### Sent shares

+- Confirm that all sent shares in your source Data Share account are now present in the target Data Share account.

+- For each sent share, confirm that all data sets from the source share are now present in the target share. If they are not, you will need to manually re-add them.

+- For all share subscriptions in each sent share in your source account, confirm that you have sent invitations to all recipients of the shares so that they will be able to access the data again.

+### Received shares

+- Confirm that you have requested new invitations from data providers for all received shares from your source data share account.

+- Once you receive these invitations, you will need to remap the data sets and run snapshots to access the data again.

+## Clean up source resources

+To complete the move of the Data Share account, delete the source Data Share account. To do so, select the resource group from your dashboard in the Azure portal, navigate to the Data Share account you wish to delete and select **Delete** at the top of the page.

+## Next steps

+In this tutorial, you moved an Azure Data Share account from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+For in-depth troubleshooting, see [Configure Azure Storage firewalls and virtual networks](/azure/storage/common/storage-network-security).

+- To add users to a lab, you must have [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles#owner) role in the subscription the lab is in.

+To add users to a lab, you must be a [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles#owner) of the subscription the lab is in. For more information, see [Add lab owners, contributors, and users in Azure DevTest Labs](devtest-lab-add-devtest-user.md).

+Once you connect to the VM, you can use it to do your work. You have [Owner](/azure/role-based-access-control/built-in-roles#owner) role on all lab VMs you claim or create, unless you unclaim them.

+* For connecting Excel to Hadoop using Power Query, see [Connect Excel to Apache Hadoop by using Power Query](../hadoop/apache-hadoop-connect-excel-power-query.md)

+* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

+| [Get device](/rest/api/iothub/service/devices/get-identity) | Yes | Yes |

+| [Delete module](/rest/api/iothub/service/modules/delete-identity) | Yes | Yes |

+| [Get module twin](/rest/api/iothub/service/modules/get-twin) | | Yes |

+| [Update module twin](/rest/api/iothub/service/modules/update-twin) | | Yes |

+* To change your IoT Hub tier, follow the steps in [Upgrade your IoT hub](iot-hub-upgrade.md).

+| Workflows per region per subscription | - Consumption: 1,000 workflows where each logic app is limited to 1 workflow <br><br>- Standard: Unlimited, based on the selected hosting plan, app activity, size of machine instances, and resource usage, where each logic app can have multiple workflows ||

+- Review the [regulatory compliance details for Azure Security Benchmark](../governance/policy/samples/gov-azure-security-benchmark.md).

+The git information is stored in the properties for a training run. You can view this information using the Azure portal or Python SDK.

+> Different parsers are used to read labels for these formats. If you are using the plain text format, only use alphabetical, numerical and `'_'` in your labels. All other characters are recognized as the separator of labels.

+ Title: Move Azure regions - Azure portal - Azure Database for MySQL Flexible server

+description: Move an Azure Database for MySQL Flexible server from one Azure region to another using the Azure portal.

+#Customer intent: As an Azure service administrator, I want to move my service resources to another Azure region.

+# Move an Azure Database for MySQL flexible server to another region by using the Azure portal

+There are various scenarios for moving an existing Azure Database for MySQL flexible server from one region to another. For example, you might want to move a production server to another region as part of your disaster recovery planning.

+You can use Azure Database for MySQL flexible server's [geo-restore](concepts-backup-restore.md#geo-restore) feature to complete the move to another region. To do so, first ensure geo-redundancy is enabled for your flexible server. Next, trigger geo-restore for your geo-redundant server and move your server to the geo-paired region.

+> [!NOTE]

+> This article focuses on moving your server to a different region. If you want to move your server to a different resource group or subscription, refer to the [move](../../azure-resource-manager/management/move-resource-group-and-subscription.md) article.

+## Prerequisites

+- Ensure the source server has geo-redundancy enabled. You can enable geo-redundancy post server-create for locally redundant or same-zone redundant servers. Currently, for a Zone-redundant High Availability server geo-redundancy can only be enabled/disabled at server create time.

+- Make sure that your Azure Database for MySQL source flexible server is deployed in the Azure region that you want to move from.

+## Move

+To move the Azure Database for MySQL flexible server to the geo-paired region using the Azure portal, use the following steps:

+1. In the [Azure portal](https://portal.azure.com/), choose your flexible server that you want to restore the backup from.

+2. Click **Overview** from the left panel.

+3. From the overview page, click **Restore**.

+4. Restore page will be shown with an option to choose **Geo-redundant restore**. If you have configured your server for geographically redundant backups, the server can be restored to the corresponding Azure paired region and the geo-redundant restore option can be enabled. Geo-redundant restore option restores the server to Latest UTC Now timestamp and hence after selection of Geo-redundant restore, the point-in-time restore options cannot be selected simultaneously.

+ :::image type="content" source="./media/how-to-restore-server-portal/georestore-flex.png" alt-text="Geo-restore option":::

+ :::image type="content" source="./media/how-to-restore-server-portal/georestore-enabled-flex.png" alt-text="Enabling Geo-Restore":::

+5. Provide a new server name in the **Name** field in the Server details section.

+6. When primary region is down, one cannot create geo-redundant servers in the respective geo-paired region as storage cannot be provisioned in the primary region. One must wait for the primary region to be up to provision geo-redundant servers in the geo-paired region. With the primary region down one can still geo-restore the source server to the geo-paired region by disabling the geo-redundancy option in the Compute + Storage Configure Server settings in the restore portal experience and restore as a locally redundant server to ensure business continuity.

+ :::image type="content" source="./media/how-to-restore-server-portal/georestore-region-down-1.png" alt-text="Compute + Storage window":::

+ :::image type="content" source="./media/how-to-restore-server-portal/georestore-region-down-2.png" alt-text="Disabling Geo-Redundancy":::

+ :::image type="content" source="./media/how-to-restore-server-portal/georestore-region-down-3.png" alt-text="Restoring as Locally redundant server":::

+7. Select **Review + Create** to review your selections.

+8. A notification will be shown that the restore operation has been initiated. This operation may take a few minutes.

+The new server created by geo-restore has the same server admin login name and password that was valid for the existing server at the time the restore was initiated. The password can be changed from the new server's Overview page. Additionally during a geo-restore, **Networking** settings such as virtual network settings and firewall rules can be configured as described in the below section.

+## Clean up source server

+You may want to delete the source Azure Database for MySQL flexible server. To do so, use the following steps:

+1. Once the replica has been created, locate and select your Azure Database for MySQL source flexible server.

+1. In the **Overview** window, select **Delete**.

+1. Type in the name of the source server to confirm you want to delete.

+1. Select **Delete**.

+## Next steps

+In this tutorial, you moved an Azure Database for MySQL flexible server from one region to another by using the Azure portal and then cleaned up the unneeded source resources.

+- Learn more about [geo-restore](concepts-backup-restore.md#geo-restore)

+- Learn more about [Azure paired regions](overview.md#azure-regions) supported for Azure Database for MySQL flexible server

+- Learn more about [business continuity](concepts-business-continuity.md) options

+|| [Azure Data Factory](how-to-link-azure-data-factory.md) | [Yes](how-to-link-azure-data-factory.md) | No | [Yes](how-to-link-azure-data-factory.md) | No |

+|| [Azure Data Share](how-to-link-azure-data-share.md) | [Yes](how-to-link-azure-data-share.md) | No | [Yes](how-to-link-azure-data-share.md) | No |

+|| [Azure SQL Managed Instance](register-scan-azure-sql-database-managed-instance.md)| [Yes](register-scan-azure-sql-database-managed-instance.md#scan) | [Yes](register-scan-azure-sql-database-managed-instance.md#scan) | No* | No |

+|| [SAP Business Warehouse](register-scan-sap-bw.md) | [Yes](register-scan-sap-bw.md#register) | No | No | No |

+[Elastic data map in Azure Purview](concept-elastic-data-map.md)

+1. Select **Test connection**.

+- If delegated auth is used:

+ - Make sure proper [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to Power BI admin user that is used for the scan.

+ - Exclude the user from Azure multi-factor authentication.

+You can use the fully managed Azure integration runtime for scan - make sure to provide the security token to authenticate to Salesforce, learn more from the credential configuration in [Scan](#scan) section. Otherwise, if you want the scan to be initiated from a Salesforce trusted IP range for your organization, you can configure a self-hosted integration runtime to connect to it:

+* Set up the latest [self-hosted integration runtime](https://www.microsoft.com/download/details.aspx?id=39717). For more information, see [the create and configure a self-hosted integration runtime guide](manage-integration-runtimes.md). The minimal supported Self-hosted Integration Runtime version is 5.11.7953.1.

+In this section you'll give your Azure Cognitive Search service permission to read data from your SQL Server. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. In the Azure portal, navigate to your Azure SQL Server page.

+1. Select **Access control (IAM)**.

+1. Select **Add > Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

+1. On the **Roles** tab, select the appropriate **Reader** role.

+1. On the **Members** tab, select **Managed identity**, and then select **Select members**.

+1. Select your Azure subscription.

+1. If you're using a system-assigned managed identity, select **System-assigned managed identity**, search for your search service, and then select it.

+1. Otherwise, if you're using a user-assigned managed identity, select **User-assigned managed identity**, search for the name of the user-assigned managed identity, and then select it.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | (Generally available) This role is equivalent to Contributor at the service-level. </br></br>(Preview) Provides full access to all actions on indexes, synonym maps, indexers, data sources, and skillsets through [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch). This role is for search service administrators who need to fully manage the service. This role has been extended to include data plane operations. Data plane support is in preview. </br></br>Like Contributor, members of this role cannot make or manage role assignments or change authorization options. Your service must be enabled for the preview for data requests. |

+> When the service endpoint is private, some portal features are disabled. You can view and manage service level information, but index, indexer, and skillset information is hidden for security reasons. As an alternative to the portal, you can use the [VS Code Extension](https://aka.ms/vscode-search) to interact with the various components in the service. Additionally, ARM templates don't currently have support for updating existing Private Endpoints that are connected to a search service.

+In this article, you created a VM on a virtual network and a search service with a Private Endpoint. You connected to the VM from the internet and securely communicated to the search service using Private Link. To learn more about Private Endpoint, seeΓÇ»[What is Azure Private Endpoint?](../private-link/private-endpoint-overview.md).

+**Data destruction**: When customers delete data or leave Azure, Microsoft follows strict standards for deleting data, as well as the physical destruction of decommissioned hardware. Microsoft executes a complete deletion of data on customer request and on contract termination. For more information, see [Data management at Microsoft](https://www.microsoft.com/trust-center/privacy/data-management).

+The IP firewall rules are applied at the Service Bus namespace level. Therefore, the rules apply to all connections from clients using any **supported protocol** (AMQP (5671) and HTTPS (443)). Any connection attempt from an IP address that doesn't match an allowed IP rule on the Service Bus namespace is rejected as unauthorized. The response doesn't mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

+[express-route]: ../expressroute/expressroute-faqs.md#supported-services

+ - Assumptions related to the separation of attributions between owner and platform, in the context of managing certificates

+ - The long pipeline of certificates from issuance to consumption

+ - Certificate rotation - why, how and when

+ - What could possibly go wrong?

+Aspects such as securing/managing domain names, enrolling into certificates, or setting up authorization controls to enforce certificate issuance are beyond the scope of this article. Refer to the Registration Authority (RA) of your favorite Public Key Infrastructure (PKI) service. Microsoft-internal consumers: please reach out to Azure Security.

+ - Certificates declared in the NodeType section of the cluster manifest can be found on each node of that type, according to the [presentation rules](cluster-security-certificates.md#presentation-rules)

+ - Certificates declared above are installed with their corresponding private keys included.

+ - Certificates declared in the presentation rules should pass the [validation rules](cluster-security-certificates.md#validation-rules)

+Service Fabric, for its part, assumes the following responsibilities:

+ - Locating certificates that match the declarations in the cluster definition

+ - Granting access to the corresponding private keys to Service Fabric-controlled entities on a 'need' basis

+ - Validating certificates in strict accordance with established security best-practices and the cluster definition

+ - Raising alerts on impending expiration of certificates, or failures to perform the basic steps of certificate validation

+ - Validating (to some degree) that the certificate-related aspects of the cluster definition are met by the underlying configuration of the hosts

+ 1. A domain owner registers with the RA of a PKI a domain or subject that they'd like to associate with ensuing certificates; the certificates will, in turn, constitute proofs of ownership of said domain or subject.

+ 3. An authorized requester then enrolls into a certificate via a Secret Management Service; in Microsoft Azure, the SMS of choice is Azure Key Vault (AKV), which securely stores and allows the retrieval of secrets and certificates by authorized entities. AKV also renews/re-keys the certificate as configured in the associated certificate policy (AKV uses AAD as the identity provider).

+ 4. An authorized retriever - which we'll refer to as a 'provisioning agent' - retrieves the certificate, inclusive of its private key, from the vault, and installs it on the machines hosting the cluster.

+This topic is covered in detail in the [Key Vault documentation](../key-vault/certificates/create-certificate.md); we're including a synopsis here for continuity and easier reference. Continuing with Azure as the context, and using Azure Key Vault as the secret management service, an authorized certificate requester must have at least certificate management permissions on the vault, granted by the vault owner; the requester would then enroll into a certificate as follows:

+ - By creating a certificate policy in Azure Key Vault (AKV), which specifies the domain/subject of the certificate, the desired issuer, key type and length, intended key usage and more; see [Certificates in Azure Key Vault](../key-vault/certificates/certificate-scenarios.md) for details.

+ - Creates a certificate in the same vault with the policy specified above; this, in turn, generates a key pair as vault objects, a certificate signing request signed with the private key, and which is then forwarded to the designated issuer for signing

+ - Once the issuer (Certificate Authority) replies with the signed certificate, the result is merged into the vault, and the certificate data is available:

+ - Under `{vaultUri}/certificates/{name}`: The certificate including the public key and metadata.

+ - Under `{vaultUri}/keys/{name}`: The certificate's private key, available for cryptographic operations (wrap/unwrap, sign/verify).

+ - Under `{vaultUri}/secrets/{name}`: The certificate inclusive of its private key, available for downloading as an unprotected pfx or pem file.

+

+Recall that a certificate in the vault contains a chronological list of certificate instances that share a policy. Certificate versions will be created according to the lifetime and renewal attributes of this policy. It is highly recommended that vault certificates not share subjects or domains/DNS names, as it can be disruptive in a cluster to provision certificate instances from different vault certificates, with identical subjects but substantially different other attributes, such as issuer, key usages etc.

+ - Ad-hoc: an operator retrieves the certificate from the vault (as pfx/PKCS #12 or pem) and installs it on each node

+ - As a virtual machine scale set 'secret' during deployment: Using its first party identity on behalf of the operator, the Compute service retrieves the certificate from a template-deployment-enabled vault and installs it on each node of the virtual machine scale set ([like so](../virtual-machine-scale-sets/virtual-machine-scale-sets-faq.yml)); note this allows the provisioning of versioned secrets only

+ - Using the [Key Vault VM extension](../virtual-machines/extensions/key-vault-windows.md); this allows the provisioning of certificates using version-less declarations, with periodic refreshing of observed certificates. In this case, the VM/VMSS is expected to have a [managed identity](../virtual-machines/security-policy.md#managed-identities-for-azure-resources), an identity that has been granted access to the vault(s) containing the observed certificates.

+> Currently (7.2 CU4+), Service Fabric selects the cert with the largest 'NotBefore' property value (most recently issued). Prior to 7.2CU4 Service Fabric picked the valid cert with the largest NotAfter (furthest expiring).

+ - **Friendly name of appliance**: Provide a friendly name with which you want to track this appliance in the Azure portal under recovery services vault infrastructure.

+ - **Azure Site Recovery replication appliance key**: Copy the key from the portal by navigating to **Recovery Services vault** > **Getting started** > **Site Recovery** > **VMware to Azure: Prepare Infrastructure**.

+ - After pasting the key, click **Login.** You will be redirected to a new authentication tab.

+ By default, an authentication code will be generated as highlighted below, in the **Appliance configuration manager** page. Use this code in the authentication tab.

+ After successful registration, you can close the tab and move to appliance configuration manager to continue the set up.

+6. After successful login, Subscription, Resource Group and Recovery Services vault details are displayed. You can log out in case you want to change the vault. Else, select **Continue** to proceed.

+7. Select **Add vCenter Server** to add vCenter information. Enter the server name or IP address of the vCenter and port information. Post that, provide username, password and friendly name. This is used to fetch details of [virtual machine managed through the vCenter](vmware-azure-tutorial-prepare-on-premises.md#prepare-an-account-for-automatic-discovery). The user account details will be encrypted and stored locally in the machine.

+> If you're trying to add the same vCenter Server to multiple appliances, then ensure that the same friendly name is used in all the appliances.

+8. After successfully saving the vCenter information, select **Add virtual machine credentials** to provide user details of the VMs discovered through the vCenter.

+ > - For Linux OS, ensure to provide root credentials and for Windows OS, a user account with admin privileges should be added, these credentials will be used to push install mobility agent on to the source VM during enable replication operation. The credentials can be chosen per VM in the Azure portal during enable replication workflow.

+9. After successfully adding the details, select **Continue** to install all Azure Site Recovery replication appliance components and register with Azure services. This activity can take up to 30 minutes.

+Before you begin to protect any VMware vSphere virtual machines (VMs) by using Azure Site Recovery, allocate sufficient bandwidth, based on your daily data-change rate, to meet your desired recovery point objective (RPO). Be sure to deploy the right number of configuration servers and process servers on-premises.

+Supported version | vCenter Server 7.0, 6.7, 6.5, 6.0 or 5.5| Windows Server 2016, Windows Server 2012 R2 | NA |Windows Server 2016, Windows Server 2012 R2|NA

+Supported configuration|vCenter Server, ESXi| Hyper-V cluster, Hyper-V host|NA|Hyper-V cluster, Hyper-V host|NA|

+You can run the tool from Windows Server 2012 R2 if the server has network access to connect to the vCenter Server/vSphere ESXi host that holds the VMs to be profiled. However, we recommend that you run the tool on a server whose hardware configuration meets the [configuration server sizing guidelines](site-recovery-plan-capacity-vmware.md#size-recommendations-for-the-configuration-server-and-inbuilt-process-server). If you already deployed Site Recovery components on-premises, run the tool from the configuration server.

+This is the second tutorial in a series that shows you how to set up disaster recovery to Azure for on-premises VMware VMs. In the previous tutorial, we [prepared the on-premises Azure Site Recovery replication appliance](deploy-vmware-azure-replication-appliance-preview.md) for disaster recovery to Azure.

+ Title: Move an Azure Spatial Anchors account between regions

+description: Move an Azure Spatial Anchors account between regions

+#Customer intent: As an Azure service administrator, I want to move my service resources to another Azure region.

+# Move a Spatial Anchors account between regions

+This article describes how to move a Spatial Anchors account to a different Azure region. You might move your resources to another region for many reasons. For example, to take advantage of a new Azure region, to deploy features or services available in specific regions only, to meet internal policy and governance requirements, or in response to capacity planning requirements.

+## Prerequisites

+* Make sure that the Spatial Anchors account is in the Azure region from which you want to move.

+* Spatial Anchors accounts can't be moved between regions. You'll have to associate a new Spatial Anchors account in your source code to point to the target region. You'll also have to recreate all the anchors that you had previously created.

+## Prepare and move

+### Create a new Spatial Anchors account in the target region

+### Update your source code

+The next step is to associate your new Spatial Anchors account in your source code. You already took note of the **Account Key**, **Account ID**, and **Account Domain** values. You can use them to update your apps or web services source code.

+## Verify

+Run your app or web service and verify it's still functional after the move. You'll need to recreate all the anchors that you had previously created.

+## Clean up

+To complete the move of the Spatial Anchors account, delete the source Spatial Anchors account or resource group. To do so, select the Spatial Anchors account or resource group from your dashboard in the portal and select Delete at the top of each page.

+## Next steps

+In this tutorial, you moved a Spatial Anchors account from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+> [!div class="nextstepaction"]

+> [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md)

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+## Create a Spatial Anchors resource

+- [Azure CLI version 2.30.0 or higher](/cli/azure/install-azure-cli).

+- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]

+- [Azure CLI version 2.30.0 or higher](/cli/azure/install-azure-cli).

+- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]

+| User-assigned managed identities | per app instance | 20 | 20 |

+| Throughput (ingress + egress) for a single file share (MiB/sec) | <ul><li>Up to 300 MiB/sec, with large file share feature enabled²</li><li>Up to 60 MiB/sec, default</li></ul> | 100 + CEILING(0.04 * ProvisionedGiB) + CEILING(0.06 * ProvisionedGiB) |

+| Throughput rate (ingress + egress) (MiB/sec) | `100 + CEILING(0.04 * ProvisionedGiB) + CEILING(0.06 * ProvisionedGiB)` |

+Other common reasons that result in input deserialization errors are:

+1. Integer column having a value greater than 9223372036854775807.

+2. Strings instead of array of objects or line separated objects. Valid example : *[{'a':1}]*. Invalid example : *"'a' :1"*.

+3. Using Event Hub capture blob in Avro format as input in your job.

+4. Having two columns in a single input event that differ only in case. Example: *column1* and *COLUMN1*.

+* [Azure Stream Analytics Management REST API Reference](/rest/api/streamanalytics/)

+When creating the virtual machine, be sure to place it on either the same virtual network as the host pool virtual machines or on a virtual network that has connectivity to the host pool virtual machines. It must also be joined to your Active Directory domain. You can create a virtual machine in multiple ways. Here are a few options:

+To configure FSLogix profile container, do the following on each session host registered to the host pool:

+2. Launch an internet browser and [download the FSLogix agent](https://aka.ms/fslogix_download).

+3. Open the downloaded .zip file, navigate to either **Win32\\Release** or **x64\\Release** (depending on your operating system) and run **FSLogixAppsSetup** to install the FSLogix agent. To learn more about how to install FSLogix, see [Download and install FSLogix](/fslogix/install-ht/).

+4. Navigate to **Program Files** > **FSLogix** > **Apps** to confirm the agent installed successfully.

+5. From the start menu, run **regedit** as an administrator. Navigate to **Computer\\HKEY_LOCAL_MACHINE\\Software\\FSLogix**.

+7. Create the following values for the **Profiles** key (replacing **\\\\hostname\\share** with your real path):

+ | Name | Type | Data/Value |

+ ||--|--|

+ | Enabled | DWORD | 1 |

+ | VHDLocations | Multi-String Value | \\\\hostname\\share |

+ - **Windows Virtual Desktop** (App ID 5a0aa725-4958-4b0c-80a9-34562e23f3b7)

+ - **Windows Virtual Desktop Client** (App ID fa4345a4-a730-4230-84a8-7d9651b86739), which will let you set policies on the web client

+10. Once you've selected your app, choose **Select**, and then select **Done**.

+ > [!div class="mx-imgBorder"]

+ > 

+ >[!NOTE]

+ >To find the App ID of the app you want to select, go to **Enterprise Applications** and select **Microsoft Applications** from the application type drop-down menu.

+

+11. Go to **Conditions** > **Client apps**. In **Configure**, select **Yes**, and then select where to apply the policy:

+>- Windows Desktop and client on Windows 10/11 machines. Windows Desktop client version 1.2.1026.0 or later.

+- Connect to a Windows 10/11 Multi-session or Windows 10/11 Enterprise virtual machine (VM).

+This section will show you how to install the Teams desktop app on your Windows 10/11 Multi-session or Windows 10/11 Enterprise VM image. To learn more, check out [Install or update the Teams desktop app on VDI](/microsoftteams/teams-for-vdi#install-or-update-the-teams-desktop-app-on-vdi).

+- East US 2

+- Korea Central

+- Sweden Central

+- Central India

+An [Azure Compute Gallery](../shared-image-galleries.md) simplifies custom image sharing across your organization. Custom images are like marketplace images, but you create them yourself. Custom images can be used to bootstrap configurations such as preloading applications, application configurations, and other OS configurations.

+Create an image version from the VM using [az sig image-version create](/cli/azure/sig/image-version#az-sig-image-version-create).

+ --name myVM2 \

+> [Create highly available VMs](tutorial-availability-sets.md)

+Standard_NC6 <br> Standard_NC6_Promo | Standard_NC4as_T4_v3 <br>or<br>Standard_NC8as_T4 | CPU: Intel Haswell vs AMD Rome<br>GPU count: 1 (same)<br>GPU generation: NVIDIA Keppler vs. Turing (+2 generations, ~2x FP32 FLOPs)<br>GPU memory (GiB per GPU): 16 (+4)<br>vCPU: 4 (-2) or 8 (+2)<br>Memory GiB: 16 (-40) or 56 (same)<br>Temp Storage (SSD) GiB: 180 (-160) or 360 (+20)<br>Max data disks: 8 (-4) or 16 (+4)<br>Accelerated Networking: Yes (+)<br>Premium Storage: Yes (+)|

+* **RHEL**: 3.10.0-693, 2.6.32-573*

+> [!NOTE]

+> Other kernel versions may be supported. For the most up to date list, reference the compatibility tables for each distrubution at [Supported Linux and FreeBSD virtual machines for Hyper-V](/windows-server/virtualization/hyper-v/supported-linux-and-freebsd-virtual-machines-for-hyper-v-on-windows) and confirm that SR-IOV is supported. Additional details can be found in the release notes for the [Linux Integration Services for Hyper-V and Azure](https://www.microsoft.com/download/details.aspx?id=55106). * RHEL 6.7-6.10 are supported if the Mellanox VF version 4.5+ is installed before Linux Integration Services 4.3+.

+ Title: 'Scenario: Connect to Microsoft 365 using ExpressRoute private peering'

+description: Learn about how to connect to Microsoft 365 through Virtual WAN using ExpressRoute private peering.

+# Scenario: Connect to Microsoft 365 via Virtual WAN using ExpressRoute private peering

+This article walks you through a solution using Virtual WAN to create a connection to Microsoft 365 using Azure Virtual WAN and ExpressRoute private peering. A few examples of when you might want to use this type of connection are:

+* The customer is in an area where internet isn't available.

+* The customer is in a highly regulated environment.

+In many cases, Microsoft doesn't recommend using Azure ExpressRoute with Microsoft peering to connect to Microsoft 365. When you aren't using Azure Virtual WAN, the most common concerns are:

+* Implementing Azure ExpressRoute can be complex when it comes to routing.

+* The use of Public IP addresses for the peering.

+* ExpressRoute is normally against Microsoft Edge distribution policy.

+* Egress costs can have a high-cost implication.

+* Cost and scalability are normally not comparable to premium internet connections and higher.

+While it's possible for you to request that the subscription allowlists use Microsoft 365 via Azure ExpressRoute, this still doesn't remove the limitations and implications listed above.

+When you use Virtual WAN and ExpressRoute with private peering for your solution, you can keep down costs and enable redundancy. The solution in this article uses default behavior from the Microsoft global network in combination with Microsoft services. Microsoft service traffic is always transported on the Microsoft global network. For more information, see [Microsoft global network](../networking/microsoft-global-network.md).

+The technologies engaged in this solution are:

+* Azure ExpressRoute local.

+* Azure Virtual WAN secured virtual hub.

+* Firewall Appliance that is capable of service-based routing.

+## <a name="architecture"></a>Architecture

+The architecture is simple. However, when using this Virtual WAN solution, the ExpressRoute circuit isn't geo-redundant because it's only deployed in one edge co-location. To establish the necessary geo-redundancy, you must build additional ExpressRoute circuits.

+**Figure 1**

+## <a name="workflow"></a>Workflow

+### 1. Deploy a virtual hub with Azure Firewall

+First, deploy an Azure Virtual WAN hub with Azure Firewall. Azure Firewall is used not only to make the solution secure, but also as an Internet access point. For steps, see [Install Azure Firewall in a Virtual WAN hub](howto-firewall.md).

+**Figure 2**

+### 2. Deploy ExpressRoute gateway and connections

+Next, deploy an Azure Virtual WAN ExpressRoute gateway into the Virtual WAN connection. Then, connect your ExpressRoute local to the gateway and secure Internet for that ExpressRoute. That will announce a default route (0.0.0.0/0) to your on-premises environment. For steps, see [Create ExpressRoute connections using Azure Virtual WAN](virtual-wan-expressroute-portal.md).

+**Figure 3**

+### 3. Set static route

+From on-premises, you can now set a static route to point to the gateway. Or, you can use newer SDWAN or firewall devices to use service-based routing and only send traffic for Microsoft 365 Services to the secured Virtual WAN hub. For steps, see [Install Azure Firewall in a Virtual WAN hub](howto-firewall.md#configure-additional-settings).

+### 4. Build ExpressRoute circuit for geo-redundancy

+To implement a highly available architecture and improve latency for your user, you should distribute additional hubs. We suggest putting ExpressRoute circuits in different locations. For example, in Germany Frankfurt and West Europe Amsterdam. For a list of ExpressRoute locations and providers, see the [ExpressRoute locations and connectivity providers](../expressroute/expressroute-locations-providers.md#global-commercial-azure) article.

+You have two design options for this configuration:

+* Option 1: Create two separate circuits connected to two separate hubs (Figure 4).

+* Option 2: Interconnect both Virtual WAN hubs (Figure 5), then disable branch-to-branch connectivity within the virtual hub properties (Figure 6). With this option, the result is a private, redundant, high performant connection to Microsoft 365 services.

+**Option 1: Figure 4**

+**Option 2: Figure 5**

+**Option 2: Figure 6**

+## Next steps

+* [Azure Peering Service overview](../peering-service/about.md).

+|**[CROSS-SITE-SCRIPTING](#drs941-10)**|XSS - Cross-site Scripting|

+|**[MS-ThreatIntel-WebShells](#drs9905-10)**|Protect against Web shell attacks|

+|**[MS-ThreatIntel-CVEs](#drs99001-10)**|Protect against CVE attacks|

+|99005006|Spring4Shell Interaction Attempt|

+|99001014|Attempted Spring Cloud routing-expression injection [CVE-2022-22963](https://www.cve.org/CVERecord?id=CVE-2022-22963)|

+|99001015|Attempted Spring Framework unsafe class object exploitation [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|

+|99001016|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)

+|99005006|Spring4Shell Interaction Attempt|

+|99001014|Attempted Spring Cloud routing-expression injection [CVE-2022-22963](https://www.cve.org/CVERecord?id=CVE-2022-22963)|

+|99001015|Attempted Spring Framework unsafe class object exploitation [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|

+|99001016|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|

+### <a name="drs9905-10"></a> MS-ThreatIntel-WebShells

+|RuleId|Description|

+|||

+|99005006|Spring4Shell Interaction Attempt|

+### <a name="drs99001-10"></a> MS-ThreatIntel-CVEs

+|RuleId|Description|

+|||

+|99001014|Attempted Spring Cloud routing-expression injection [CVE-2022-22963](https://www.cve.org/CVERecord?id=CVE-2022-22963)|

+|99001015|Attempted Spring Framework unsafe class object exploitation [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|

+|99001016|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|

+|800110|Spring4Shell Interaction Attempt|

+|800111|Attempted Spring Cloud routing-expression injection - [CVE-2022-22963](https://www.cve.org/CVERecord?id=CVE-2022-22963)|

+|800112|Attempted Spring Framework unsafe class object exploitation - [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|

+|800113|Attempted Spring Cloud Gateway Actuator injection - [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|

+|800110|Spring4Shell Interaction Attempt|

+|800111|Attempted Spring Cloud routing-expression injection - [CVE-2022-22963](https://www.cve.org/CVERecord?id=CVE-2022-22963)|

+|800112|Attempted Spring Framework unsafe class object exploitation - [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|

+|800113|Attempted Spring Cloud Gateway Actuator injection - [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|

+|800110|Spring4Shell Interaction Attempt|

+|800111|Attempted Spring Cloud routing-expression injection - [CVE-2022-22963](https://www.cve.org/CVERecord?id=CVE-2022-22963)|

+|800112|Attempted Spring Framework unsafe class object exploitation - [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|

+|800113|Attempted Spring Cloud Gateway Actuator injection - [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|