-You've successfully used your Azure AD B2C user account to make an authorized call an Azure AD B2C protected web API.

- this.subscription= this.broadcastService.subscribe("msal:acquireTokenFailure", (payload) => {

-"optionalClaims":

- {

- "idToken": [

- {

- "name": "auth_time",

- "essential": true

- }

- ],

-1. Select **Cross cloud settings**.

-### Public Preview - Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding.

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-Updating the Company Branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon. For more information, see: [Add branding to your organizationΓÇÖs Azure Active Directory sign-in page](customize-branding.md).

-### Public Preview - Organizations can replace all references to Microsoft on the AAD auth experience

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-Updating the Company Branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon. For more information, see: [Add branding to your organizationΓÇÖs Azure Active Directory sign-in page](customize-branding.md).

-description: In this tutorial, learn how to integrate Datawiza with Azure AD for secure hybrid access

-Datawiza's [Datawiza Access Broker

-(DAB)](https://www.datawiza.com/access-broker) extends Azure AD to enable Single Sign-on (SSO) and granular access controls to protect on-premise and cloud-hosted applications, such as Oracle E-Business Suite, Microsoft IIS, and SAP.

-Using this solution enterprises can quickly transition from legacy Web Access Managers (WAMs), such as Symantec SiteMinder, NetIQ, Oracle, and IBM to Azure AD without rewriting applications. Enterprises can also use Datawiza as a no-code or low-code solution to integrate new applications to Azure AD. This saves engineering time, reduces cost significantly and delivers the project in a secured manner.

-To get started, you'll need:

-[docker-compose](https://docs.docker.com/compose/install/)

-are required to run DAB. Your applications can run on any platform, such as the virtual machine and bare metal.

-

-|Steps| Description|

-| 1. | The user makes a request to access the on-premises or cloud-hosted application. DAB proxies the request made by the user to the application.|

-| 2. |The DAB checks the user's authentication state. If it doesn't receive a session token, or the supplied session token is invalid, then it sends the user to Azure AD for authentication.|

-| 4. | The DAB evaluates access policies and calculates attribute values to be included in HTTP headers forwarded to the application. During this step, the DAB may call out to the Identity provider to retrieve the information needed to set the header values correctly. The DAB sets the header values and sends the request to the application. |

-| 5. | The user is now authenticated and has access to the application.|

-To integrate your on-premises or cloud-hosted application with Azure AD, login to [Datawiza Cloud Management

-[Create an application](https://docs.datawiza.com/step-by-step/step2.html) and generate a key pair of `PROVISIONING_KEY` and `PROVISIONING_SECRET` for the application on the DCMC.

-For Azure AD, Datawiza offers a convenient [One click integration](https://docs.datawiza.com/tutorial/web-app-azure-one-click.html). This method to integrate Azure AD with DCMC can create an application registration on your behalf in your Azure AD tenant.

-

-Instead, if you want to use an existing web application in your Azure AD tenant, you can disable the option and populate the fields of the form. You'll need the tenant ID, client ID, and client secret. [Create a web application and get these values in your tenant](https://docs.datawiza.com/idp/azure.html).

-

-1. You can use either Docker or Kubernetes to run DAB. The docker image is needed for users to create a sample header-based application. [Configure DAB and SSO

-integration](https://docs.datawiza.com/step-by-step/step3.html). [Deploy DAB with Kubernetes](https://docs.datawiza.com/tutorial/web-app-AKS.html). A sample docker image `docker-compose.yml` file is provided for you to download and use. [Log in to the container registry](https://docs.datawiza.com/step-by-step/step3.html#important-step) to download the images of DAB and the header-based application.

- ```yaml

-

- ports:

- - "3001:3001"

-2. After executing `docker-compose -f docker-compose.yml up`, the

-header-based application should have SSO enabled with Azure AD. Open a browser and type in `http://localhost:9772/`.

-3. An Azure AD login page will show up.

-## Pass user attributes to the header-based application

-1. DAB gets user attributes from IdP and can pass the user attributes to the application via header or cookie. See the instructions on how to [pass user attributes](https://docs.datawiza.com/step-by-step/step4.html) such as email address, firstname, and lastname to the header-based application.

-2. After successfully configuring the user attributes, you should see the green check sign for each of the user attributes.

- 

-## Test the flow

-1. Navigate to the application URL.

-2. The DAB should redirect to the Azure AD login page.

-3. After successfully authenticating, you should be redirected to DAB.

-4. The DAB evaluates policies, calculates headers, and sends the user to the upstream application.

-5. Your requested application should show up.

-description: Learn how to migrate your Okta federated applications to Azure AD-managed authentication.

-For our example, we'll configure password hash synchronization and seamless SSO.

- 

-1. Select **Change user sign-in** > **Next**.

- 

- 

- 

- 

- 

- 

- Notice that **Seamless single sign-on** is set to **Off**. If you attempt to enable it, you'll get an error because it's already enabled for users in the tenant.

- 

-Follow the instructions to add a group to the password hash sync rollout. In the following example, the security group starts with 10 members.

-

-After you add the group, wait for about 30 minutes while the feature takes effect in your tenant. When the feature has taken effect, your users will no longer be redirected to Okta when they attempt to access Office 365 services.

- 

- 

- :::image type="content" source="media/migrate-okta-federation-to-azure-active-directory/register-application.png" alt-text="Screenshot that shows how to register an application." lightbox="media/migrate-okta-federation-to-azure-active-directory/register-application.png":::

-1. Select **Accounts in any organizational directory (Any Azure AD Directory - Multitenant)** > **Register**.

- 

- 

- 

- :::image type="content" source="media/migrate-okta-federation-to-azure-active-directory/delegated-permissions.png" alt-text="Screenshot that shows delegated permissions." lightbox="media/migrate-okta-federation-to-azure-active-directory/delegated-permissions.png":::

- :::image type="content" source="media/migrate-okta-federation-to-azure-active-directory/add-permissions.png" alt-text="Screenshot that shows how to add permissions." lightbox="media/migrate-okta-federation-to-azure-active-directory/add-permissions.png":::

- 

- 

- 

-1. Select **Show Advanced Settings**. By default, this configuration will tie the user principal name (UPN) in Okta to the UPN in Azure AD for reverse-federation access.

-1. Finish your selections for autoprovisioning. By default, if a user doesn't match in Okta, the system will attempt to provision the user in Azure AD. If you've migrated provisioning away from Okta, select **Redirect to Okta sign-in page**.

- 

- 

- :::image type="content" source="media/migrate-okta-federation-to-azure-active-directory/add-platform.png" alt-text="Screenshot that shows how to add a web platform." lightbox="media/migrate-okta-federation-to-azure-active-directory/add-platform.png":::

- 

- 

-1. Try to sign in to the [Microsoft 356 portal](https://portal.office.com) as the modified user. If your user isn't a part of the managed authentication pilot, you'll notice that your action loops. To exit the loop, add the user to the managed authentication experience.

-After you configure the Okta app in Azure AD and you configure the IDP in the Okta portal, you must assign the application to users.

- 

- 

-## Test-managed authentication on pilot members

-description: In this tutorial, you learn how to migrate your Okta sync provisioning to Azure AD Connect-based synchronization.

-In this tutorial, you'll learn how your organization can currently migrate User provisioning from Okta to Azure Active Directory (Azure AD) and migrate either User sync or Universal sync to Azure AD Connect. This capability will enable further provisioning into Azure AD and Office 365.

-Azure AD cloud provisioning will be the most familiar migration path for Okta customers who use Universal or User sync. The cloud provisioning agents are lightweight. They can be installed on or near domain controllers like the Okta directory sync agents. Don't install them on the same server.

->All prerequisites should be taken into consideration when you install Azure AD Connect or Azure AD cloud provisioning. To learn more before you continue with installation, see [Prerequisites for Azure AD Connect](../hybrid/how-to-connect-install-prerequisites.md).

-ImmutableID is the core attribute used to tie synchronized objects to their on-premises counterparts. Okta takes the Active Directory objectGUID of an on-premises object and converts it to a Base64 encoded string. Then, by default it stamps that string to the ImmutableID field in Azure AD.

-1. Enter your global administrator credentials in the modern authentication window.

- 

-1. After you connect to the tenant, verify the settings for your ImmutableID values. The example shown uses Okta defaults of objectGUID to ImmutableID.

- 

-1. There are several ways to manually confirm the objectGUID to Base64 conversion on-premises. For individual validation, use this example:

- 

-Before you cut over to Azure AD Connect, it's critical to validate that the ImmutableID values in Azure AD are going to exactly match their on-premises values.

-The example will grab *all* on-premises Azure AD users and export a list of their objectGUID values and ImmutableID values already calculated to a CSV file.

-1. Run these commands in PowerShell on a domain controller on-premises:

- Get-ADUser -Filter * -Properties objectGUID | Select -Object

- 

-1. Run these commands in an Azure AD PowerShell session to gather the already synchronized values:

- 

- After you have both exports, confirm that the ImmutableID for each user matches.

-1. Continue with [downloading and installing Azure AD Connect](../hybrid/how-to-connect-install-custom.md) to your chosen server.

-1. On the **Identifying users** page, under **Select how users should be identified with Azure AD**, select the **Choose a specific attribute** option. Then, select **mS-DS-ConsistencyGUID** if you haven't modified the Okta defaults.

- >This is the most critical step on this page. Before you select **Next**, ensure that the attribute you're selecting for a source anchor is what *currently* populates your existing Azure AD users. If you select the wrong attribute, you must uninstall and reinstall Azure AD Connect to reselect this option.

- 

-1. On the **Configure** page, make sure to select the **Enable staging mode** checkbox. Then select **Install**.

- 

- 

-1. Check that **Full Synchronization** to the domain.onmicrosoft.com connector space has users displaying under the **Connectors with Flow Updates** tab.

- 

- 

-1. In the **Search Connector Space** dialog, select the **Scope** dropdown and select **Pending Export**.

- 

- 

-1. Clear **Delete**, and select **Add** and **Modify**, followed by a search. You should see update functions for all users currently being synchronized to Azure AD via Okta. Add any new objects that Okta isn't currently syncing, but that exist in the organizational unit (OU) structure that was selected during the Azure AD Connect installation.

- 

-1. Double-clicking on updates shows what Azure AD Connect will communicate with Azure AD.

- 

- >Before you continue to the next step, ensure all user attributes are syncing properly and show on the **Pending Export** tab as expected. If they're deleted, make sure their ImmutableID values match and the user is in one of the selected OUs for synchronization.

-After you've prepared your list of source and destination targets, it's time to [install and configure Azure AD cloud sync agents](../cloud-sync/tutorial-single-forest.md). If you've opted to use an Azure AD Connect server, skip this section.

- 

-1. Select **Edit**, clear the **Enable API integration** option and select **Save**.

- 

- >If you have multiple Office 365 apps handling provisioning to Azure AD, ensure they're all switched off.

- 

- 

-1. Clear the **Enable staging mode** option and select **Next**.

- 

- 

-1. After the configuration completes, open the **Synchronization Service** as an administrator. View the **Export** on the domain.onmicrosoft.com connector. Verify that all additions, updates, and deletions are done as expected.

- 

-You've now successfully migrated to Azure AD Connect server-based provisioning. Updates and expansions to the feature set of Azure AD Connect can be done by rerunning the installation wizard.

-After you disable Okta provisioning, the Azure AD cloud sync agent is ready to begin synchronizing objects. Return to the [Azure AD portal](https://aad.portal.azure.com/).

-1. Modify the **Configuration** profile to **Enabled**.

-1. Evaluate that the provisioning connector has properly updated in-place objects. The cloud sync agents are nondestructive. They'll fail their updates if a match didn't occur properly.

-For more information about migrating from Okta to Azure AD, see:

-POST https://graph.microsoft.com/beta/groups

-## Microsoft Graph API

-Follow these instructions to assign a role using the Microsoft Graph API in [Graph Explorer](https://aka.ms/ge).

-In this example, a security principal with objectID `f8ca5a85-489a-49a0-b555-0a6d81e56f0d` is assigned the Billing Administrator role (role definition ID `b0f54661-2d74-4c50-afa3-1ec803f12efe`) at tenant scope. If you want to see the list of immutable role template IDs of all built-in roles, see [Azure AD built-in roles](permissions-reference.md).

-1. Sign in to the [Graph Explorer](https://aka.ms/ge).

-2. Select **POST** as the HTTP method from the dropdown.

-3. Select the API version to **v1.0**.

-4. Use the [Create unifiedRoleAssignment](/graph/api/rbacapplication-post-roleassignments) API to assign roles. Add following details to the URL and Request Body and select **Run query**.

-In this example, a security principal with objectID `f8ca5a85-489a-49a0-b555-0a6d81e56f0d` is assigned a time-bound eligible role assignment to Billing Administrator (role definition ID `b0f54661-2d74-4c50-afa3-1ec803f12efe`) for 180 days.

-1. Sign in to the [Graph Explorer](https://aka.ms/ge).

-2. Select **POST** as the HTTP method from the dropdown.

-3. Select the API version to **beta**.

-4. Use the [Create unifiedRoleEligibilityScheduleRequest](/graph/api/unifiedroleeligibilityschedulerequest-post-unifiedroleeligibilityschedulerequests) API to assign roles using PIM. Add following details to the URL and Request Body and select **Run query**.

-POST https://graph.microsoft.com/beta/rolemanagement/directory/roleEligibilityScheduleRequests

- "action": "AdminAssign",

- "type": "AfterDuration",

-POST https://graph.microsoft.com/beta/rolemanagement/directory/roleEligibilityScheduleRequests

- "action": "AdminAssign",

- "type": "NoExpiration"

-To activate the role assignment, use the [Create unifiedRoleAssignmentScheduleRequest](/graph/api/unifiedroleassignmentschedulerequest-post-unifiedroleassignmentschedulerequests) API.

-POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests

- "action": "SelfActivate",

-# Tutorial: Azure Active Directory integration with Cisco Umbrella Admin SSO

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-## AKS Engine

-[Azure Kubernetes Service Engine (AKS Engine)][aks-engine] is an open-source project that generates Azure Resource Manager templates you can use for deploying Kubernetes clusters on Azure.

-Kubernetes clusters created with AKS Engine support both the [kubenet][kubenet] and [Azure CNI][cni-networking] plugins. As such, both networking scenarios are supported by AKS Engine.

-[aks-engine]: https://github.com/Azure/aks-engine

-> When the secret/key is updated in external secrets store after the initial pod deployment, the updated secret will be periodically updated in the pod mount and the Kubernetes Secret.

-> Depending on how the application consumes the secret data:

-> 1. Mount Kubernetes secret as a volume: Use auto rotation feature + Sync K8s secrets feature in Secrets Store CSI Driver, application will need to watch for changes from the mounted Kubernetes Secret volume. When the Kubernetes Secret is updated by the CSI Driver, the corresponding volume contents are automatically updated.

-> 2. Application reads the data from containerΓÇÖs filesystem: Use rotation feature in Secrets Store CSI Driver, application will need to watch for the file change from the volume mounted by the CSI driver.

-> 3. Using Kubernetes secret for environment variable: The pod needs to be restarted to get the latest secret as environment variable.

-> Use something like https://github.com/stakater/Reloader to watch for changes on the synced Kubernetes secret and do rolling upgrades on pods

-[arc-k8s-cluster]: /azure-arc/kubernetes/quickstart-connect-cluster.md

-[aks-engine]: https://github.com/Azure/aks-engine

-[aks-engine]: https://github.com/Azure/aks-engine

-[aks-engine]: https://github.com/Azure/aks-engine

-# Managed NAT Gateway (preview)

-* The `aks-preview` extension version 0.5.31 or later

-### Install aks-preview CLI extension

-You also need the *aks-preview* Azure CLI extension version 0.5.31 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.

-```azurecli-interactive

-# Install the aks-preview extension

-az extension add --name aks-preview

-# Update the extension to make sure you have the latest version installed

-az extension update --name aks-preview

-```

-### Register the `AKS-NATGatewayPreview` feature flag

-To use the NAT Gateway feature, you must enable the `AKS-NATGatewayPreview` feature flag on your subscription.

-```azurecli

-az feature register --namespace "Microsoft.ContainerService" --name "AKS-NATGatewayPreview"

-```

-You can check on the registration status by using the [az feature list][az-feature-list] command:

-```azurecli-interactive

-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-NATGatewayPreview')].{Name:name,State:properties.state}"

-```

-When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

-```azurecli-interactive

-az provider register --namespace Microsoft.ContainerService

-```

-description: Use the Dapr cluster extension for Azure Kubernetes Service (AKS) to deploy an application

-# Quickstart: Deploy an application using the Dapr cluster extension for Azure Kubernetes Service (AKS)

-In this quickstart, you will get familiar with using the [Dapr cluster extension][dapr-overview] in an AKS cluster. You will be deploying a hello world example, consisting of a Python application that generates messages and a Node application that consumes and persists them.

-* An AKS cluster with the [Dapr cluster extension][dapr-overview] enabled

-Use the [az group delete][az-group-delete] command to remove the resource group, the AKS cluster, namespace, and all related resources.

-The services are *managed* in the sense that Microsoft and the AKS team deploys, operates, and is responsible for service availability and functionality. Customers can't alter these managed components. Microsoft limits customization to ensure a consistent and scalable user experience. For a fully customizable solution, see [AKS Engine](https://github.com/Azure/aks-engine).

-[aks-engine]: https://github.com/Azure/aks-engine

-* If you expand your VNET after creating the cluster you must update your cluster (perform any managed cluster operation but node pool operations don't count) before adding a subnet outside the original cidr. AKS will error out on the agent pool add now though we originally allowed it. If you don't know how to reconcile your cluster file a support ticket.

-kubectl run -it --rm testvk --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11

-NETWORK_PROFILE_ID=$(az network profile list --resource-group $NODE_RES_GROUP --query [0].id --output tsv)

-az network vnet subnet update --resource-group $RES_GROUP --vnet-name $AKS_VNET --name $AKS_SUBNET --remove delegations 0

-kubectl run -it --rm virtual-node-test --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11

-## What if I need a feature that's not supported?

-If you encounter feature gaps, the open-source [aks-engine][aks-engine] project provides an easy and fully customizable way of running Kubernetes in Azure, including Windows support. For more information, see [AKS roadmap][aks-roadmap].

-[aks-engine]: https://github.com/azure/aks-engine

- <set-url>https://hooks.slack.com/services/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</set-url>

-az webapp up \

- --sku F1 \

- --logs

-Creating zip with contents of dir /home/cephas/myExpressApp ...

-1. Save your changes, then redeploy the app using the [az webapp up](/cli/azure/webapp#az-webapp-up) command again with no arguments:

- az webapp up

-An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the application gateway subnet. You can't mix Standard_v2 and Standard Azure Application Gateway on the same subnet.

-| **Acumatica** | [**Acumatica**](https://www.acumatica.com/) is a technology provider that develops cloud- and browser-based enterprise resource planning (ERP) software for small and medium-sized businesses (SMBs). To bring expense claims into the modern age, Acumatica incorporated Form Recognizer into its native application. The Form Recognizer's prebuilt-receipt API and machine learning capabilities are used to automatically extract data from receipts. Acumatica's customers can file multiple, error-free claims in a matter of seconds, freeing up more time to focus on other important tasks. | [Customer story](https://customers.microsoft.com/story/762684-acumatica-partner-professional-services-azure) |

-|**Element**| [**Element**](https://www.element.com/) is a global business that provides specialist testing, inspection, and certification services to a diverse range of businesses. Element is one of the fastest growing companies in the global testing, inspection and certification sector having over 6,500 engaged experts working in more than 200 facilities across the globe. When the finance team for the Americas was forced to work from home during the COVID-19 pandemic, it needed to digitalize its paper processes fast. The creativity of the team and its use of Azure Form Recognizer delivered more than business as usualΓÇöit delivered significant efficiencies. The Element team used the tools in Microsoft Azure so the next phase could be expedited. Rather than coding from scratch, they saw the opportunity to use the Azure Form Recognizer. This integration quickly gave them the functionality they needed, together with the agility and security of Microsoft Azure. Microsoft Azure Logic Apps is used to automate the process of extracting the documents from email, storing them, and updating the system with the extracted data. Computer Vision, part of Azure Cognitive Services, partners with Azure Form Recognizer to extract the right data points from the invoice documentsΓÇöwhether they're a pdf or scanned images. | [Customer story](https://customers.microsoft.com/story/1414941527887021413-element)|

-|**Emaar Properties**| [**Emaar Properties**](https://www.emaar.com/en/), operates Dubai Mall, the world's most-visited retail and entertainment destination. Each year, the Dubai Mall draws more than 80 million visitors. To enrich the shopping experience, Emaar Properties offers a unique rewards program through a dedicated mobile app. Loyalty program points are earned via submitted receipts. Emaar Properties uses Microsoft Azure Form Recognizer to process submitted receipts and has achieved 92 percent reading accuracy.| [Customer story](https://customers.microsoft.com/story/1459754150957690925-emaar-retailers-azure-en-united-arab-emirates)|

-|**EY**| [**EY**](https://ey.com/) (Ernst & Young Global Limited) is a multinational professional services network that helps to create long-term value for clients and build trust in the capital markets. Enabled by data and technology, diverse EY teams in over 150 countries to help clients grow, transform, and operate. EY teams work across assurance, consulting, law, strategy, tax, and transactions to find solutions for complex issues facing our world today. The EY Technology team collaborated with Microsoft to build a platform that hastens invoice extraction and contract comparison processes. Azure Form Recognizer and Custom Vision partnered to enable EY teams to automate and improve the OCR and document handling processes for its consulting, tax, audit, and transactions services clients. | [Customer story](https://customers.microsoft.com/story/1404985164224935715-ey-professional-services-azure-form-recognizer)|

-|**Financial Fabric**| [**Financial Fabric**](https://www.financialfabric.com//), a Microsoft Cloud Solution Provider, delivers data architecture, science, and analytics services to investment managers at hedge funds, family offices, and corporate treasuries. Its daily processes involve extracting and normalizing data from thousands of complex financial documents, such as bank statements and legal agreements. The company then provides custom analytics to help its clients make better investment decisions. Extracting this data previously took days or weeks. By using Form Recognizer, Financial Fabric has reduced the time it takes to go from extraction to analysis to just minutes. | [Customer story](https://customers.microsoft.com/story/financial-fabric-banking-capital-markets-azure)|

-|**GEP**| [**GEP**](https://www.gep.com/) has developed an invoice processing solution for a client using Form Recognizer. "At GEP, we're seeing AI and automation make a profound impact on procurement and the supply chain. By combining our AI solution with Microsoft Form Recognizer, we automated the processing of 4,000 invoices a day for a client... It saved them tens of thousands of hours of manual effort, while improving accuracy, controls and compliance on a global scale." Sarateudu Sethi, GEP's Vice President of Artificial Intelligence. | [Blog](https://techcommunity.microsoft.com/t5/azure-ai/form-recognizer-now-reads-more-languages-processes-ids-and/ba-p/2179428)|

-|**Northern Trust**| [**Northern Trust**](https://www.northerntrust.com/) is a leading provider of wealth management, asset servicing, asset management, and banking to corporations, institutions, families, and individuals. As part of its initiative to digitize alternative asset servicing, Northern Trust has launched an AI-powered solution to extract unstructured investment data from alternative asset documents and making it accessible and actionable for asset-owner clients. Microsoft Azure Applied AI services accelerate time-to-value for enterprises building AI solutions. This proprietary solution transforms crucial information such as capital call notices, cash and stock distribution notices, and capital account statements from various unstructured formats into digital, actionable insights for investment teams. | [Customer story](https://www.businesswire.com/news/home/20210914005449/en/Northern-Trust-Automates-Data-Extraction-from-Alternative-Asset-Documentation)|

-|**Wilson Allen** | [**Wilson Allen**](https://wilsonallen.com/) took advantage of AI container support for Microsoft Azure Cognitive Services and created a powerful AI solution that help firms around the world find unprecedented levels of insight in previously siloed and unstructured data. Its clients can use this data to support business development and foster client relationships. | [Customer story](https://customers.microsoft.com/story/814361-wilson-allen-partner-professional-services-azure)|

-```

- "tenant-id": "INSERT AZURE TENANTID",

- "subscription-id": "INSERT AZURE SUBSCRIPTION ID",

- "resource-group": "INSERT RESOURCE GROUP NAME",

- "location": "INSERT REGION",

- "service-principal-id": "INSERT SPN ID",

- "service-principal-secret": "INSERT SPN Secret"

- }

-1. Select the deployment option based on the Azure cloud environment your Azure VMs are created in. This will open the custom Azure Resource Manager deployment page in the Azure portal.

-description: Be notified via SMS, webhook, SMS, email and more, when certain events occur in the activity log.

-# Alerts on activity log

-## Overview

-Activity log alerts allow you to be notified on events and operations that are logged in [Azure Activity Log](../essentials/activity-log.md). An alert is fired when a new [activity log event](../essentials/activity-log-schema.md) occurs that matches the conditions specified in the alert rule.

-Activity log alert rules are Azure resources, so they can be created by using an Azure Resource Manager template. They also can be created, updated, or deleted in the Azure portal. This article introduces the concepts behind activity log alerts. For more information on creating or usage of activity log alert rules, see [Create and manage activity log alerts](./alerts-activity-log.md).

-## Alerting on activity log event categories

-You can create activity log alert rules to receive notifications on one of the following activity log event categories:

-| Event Category | Category Description | Example |

-|-|-||

-| Administrative | ARM operation (e.g. create, update, delete, or action) was performed on resources in your subscription, resource group, or on a specific Azure resource.| A virtual machine in your resource group is deleted |

-| Service health | Service incidents (e.g. an outage or a maintenance event) occurred that may impact services in your subscription on a specific region.| An outage impacting VMs in your subscription in East US. |

-| Resource health | The health of a specific resource is degraded, or the resource becomes unavailable. | A VM in your subscription transitions to a degraded or unavailable state. |

-| Autoscale | An Azure Autoscale operation has occurred, resulting in success or failure | An autoscale action on a virtual machine scale set in your subscription failed. |

-| Recommendation | A new Azure Advisor recommendation is available for your subscription | A high-impact recommendation for your subscription was received. |

-| Security | Events detected by Microsoft Defender for Cloud | A suspicious double extension file executed was detected in your subscription |

-| Policy | Operations performed by Azure Policy | Policy Deny event occurred in your subscription. |

-> [!NOTE]

-> Alert rules **cannot** be created for events in Alert category of activity log.

-## Configuring activity log alert rules

-You can configure an activity log alert rule based on any top-level property in the JSON object for an activity log event. For more information, see [Categories in the Activity Log](../essentials/activity-log.md#view-the-activity-log).

-An alternative simple way for creating conditions for activity log alert rules is to explore or filter events via [Activity log in Azure portal](../essentials/activity-log.md#view-the-activity-log). In Azure Monitor - Activity log, one can filter and locate a required event and then create an alert rule to notify on similar events by using the **New alert rule** button.

-> [!NOTE]

-> An activity log alert rule monitors only for events in the subscription in which the alert rule is created.

-Activity log events have a few common properties which can be used to define an activity log alert rule condition:

- - Resource Level: For example, for a specific virtual machine

- - Resource Group Level: For example, all virtual machines in a specific resource group

- - Subscription Level: For example, all virtual machines in a subscription (or) all resources in a subscription

-In addition to these comment properties, different activity log events have category-specific properties that can be used to configure an alert rule for events of each category. For example, when creating a service health alert rule you can configure a condition on the impacted region or service that appear in the event.

-## Using action groups

-When an activity log alert is fired, it uses an action group to trigger actions or send notifications. An action group is a reusable set of notification receivers, such as email addresses, webhook URLs, or SMS phone numbers. The receivers can be referenced from multiple alerts rules to centralize and group your notification channels. When you define your activity log alert rule, you have two options. You can:

-* Use an existing action group in your activity log alert rule.

-* Create a new action group.

-To learn more about action groups, see [Create and manage action groups in the Azure portal](./action-groups.md).

-## Activity log alert rules limit

-You can create up to 100 active activity log alert rules per subscription (including rules for all activity log event categories, such as resource health or service health). This limit can't be increased.

-If you are reaching near this limit, there are several guidelines you can follow to optimize the use of activity log alerts rules, so that you can cover more resources and events with the same number of rules:

-* A single activity log alert rule can be configured to cover the scope of a single resource, a resource group, or an entire subscription. To reduce the number of rules you're using, consider to replace multiple rules covering a narrow scope with a single rule covering a broad scope. For example, if you have multiple VMs in a subscription, and you want an alert to be triggered whenever one of them is restarted, you can use a single activity log alert rule to cover all the VMs in your subscription. The alert will be triggered whenever any VM in the subscription is restarted.

-* A single service health alert rule can cover all the services and Azure regions used by your subscription. If you're using multiple service health alert rules per subscription, you can replace them with a single rule (or with a small number of rules, if you prefer).

-* A single resource health alert rule can cover multiple resource types and resources in your subscription. If you're using multiple resource health alert rules per subscription, you can replace them with a smaller number of rules (or even a single rule) that covers multiple resource types.

-## Next steps

-* **Essentials**: A set of standardized fields, common across all alert types, which describe what resource the alert is on, along with additional common alert metadata (for example, severity or description). Definitions of severity can be found in the [alerts overview](alerts-overview.md#overview).

-* **Essentials**: A set of standardized fields, common across all alert types, which describe what resource the alert is on, along with additional common alert metadata (for example, severity or description). Definitions of severity can be found in the [alerts overview](alerts-overview.md#overview).

-You can explore triggered alert instances in the alerts view either by clicking on the link in the email or text message, or browser to see the alerts view in the Azure portal. [Learn more about the alerts view](./alerts-overview.md#alerts-experience).

-description: Use Azure Monitor to create, view, and manage log alert rules

-# Create, view, and manage log alerts using Azure Monitor

-This article shows you how to create and manage log alerts. Azure Monitor log alerts allow users to use a [Log Analytics](../logs/log-analytics-tutorial.md) query to evaluate resource logs at a set frequency and fire an alert based on the results. Rules can trigger one or more actions using [Action Groups](./action-groups.md). [Learn more about functionality and terminology of log alerts](./alerts-unified-log.md).

- Alert rules are defined by three components:

-> [!NOTE]

-> This article describes creating alert rules using the new alert rule wizard.

-> The new alert rule experience is a little different than the old experience. Please note these changes:

-> - Previously, search results were included in the payloads of the triggered alert and its associated notifications. This was a limited and error prone solution. To get detailed context information about the alert so that you can decide on the appropriate action :

-> - The recommended best practice it to use [Dimensions](alerts-unified-log.md#split-by-alert-dimensions). Dimensions provide the column value that fired the alert, giving you context for why the alert fired and how to fix the issue.

-> - When you need to investigate in the logs, use the link in the alert to the search results in Logs.

-> - If you need the raw search results or for any other advanced customizations, use Logic Apps.

-> - The new alert rule wizard does not support customization of the JSON payload.

-> - Use custom properties in the [new API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules/create-or-update#actions) to add static parameters and associated values to the webhook actions triggered by the alert.

-> - For more advanced customizations, use Logic Apps.

-> - The new alert rule wizard does not support customization of the email subject.

-> - Customers often use the custom email subject to indicate the resource on which the alert fired, instead of using the Log Analytics workspace. Use the [new API](alerts-unified-log.md#split-by-alert-dimensions) to trigger an alert of the desired resource using the resource id column.

-> - For more advanced customizations, use Logic Apps.

-1. In the [portal](https://portal.azure.com/), select the relevant resource. We recommend monitoring at scale by using a subscription or resource group for the alert rule.

-1. In the **Measurement** section, select values for the [**Measure**](./alerts-unified-log.md#measure), [**Aggregation type**](./alerts-unified-log.md#aggregation-type), and [**Aggregation granularity**](./alerts-unified-log.md#aggregation-granularity) fields.

- - By default, the rule counts the number of results in the last 5 minutes.

- - If the system detects summarized query results, the rule is automatically updated to capture that.

-

-1. (Optional) In the **Split by dimensions** section, select [alert splitting by dimensions](./alerts-unified-log.md#split-by-alert-dimensions):

- - If detected, The **Resource ID column** is selected automatically and changes the context of the fired alert to the record's resource.

- - Clear the **Resource ID column** to fire alerts on multiple resources in subscriptions or resource groups. For example, you can create a query that checks if 80% of the resource group's virtual machines are experiencing high CPU usage.

- - You can use the dimensions table to select up to six more splittings for any number or text columns types.

- - Alerts are fired individually for each unique splitting combination. The alert payload includes the combination that triggered the alert.

-1. In the **Alert logic** section, set the **Alert logic**: [**Operator**, **Threshold Value**](./alerts-unified-log.md#threshold-and-operator), and [**Frequency**](./alerts-unified-log.md#frequency).

- :::image type="content" source="media/alerts-log/alerts-rule-preview-agg-params-and-splitting.png" alt-text="Preview alert rule parameters.":::

-1. (Optional) In the **Advanced options** section, set the [**Number of violations to trigger the alert**](./alerts-unified-log.md#number-of-violations-to-trigger-alert).

- :::image type="content" source="media/alerts-log/alerts-rule-preview-advanced-options.png" alt-text="Advanced options.":::

- :::image type="content" source="media/alerts-log/alerts-create-alert-rule-preview.png" alt-text="Alert rule preview.":::

-1. (Optional) In the **Advanced options** section, you can set several options, including whether to **Enable upon creation**, or to [**Mute actions**](./alerts-unified-log.md#state-and-resolving-alerts) for a period after the alert rule fires.

-> [!NOTE]

-> If you, or your administrator assigned the Azure Policy **Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys**, you must select **Check workspace linked storage** option in **Advanced options**, or the rule creation will fail as it will not meet the policy requirements.

-* Learn about [log alerts](./alerts-unified-log.md).

-description: Get an overview of what you can do with metric alerts and how they work in Azure Monitor.

-# Understand how metric alerts work in Azure Monitor

-Metric alerts in Azure Monitor work on top of multi-dimensional metrics. These metrics could be [platform metrics](alerts-metric-near-real-time.md#metrics-and-dimensions-supported), [custom metrics](../essentials/metrics-custom-overview.md), [popular logs from Azure Monitor converted to metrics](./alerts-metric-logs.md) and Application Insights metrics. Metric alerts evaluate at regular intervals to check if conditions on one or more metric time-series are true and notify you when the evaluations are met. Metric alerts are stateful by default, that is, they only send out notifications when the state changes (fired, resolved). If you want to make them stateless, see [make metric alerts occur every time my condition is met](alerts-troubleshoot-metric.md#make-metric-alerts-occur-every-time-my-condition-is-met).

-## How do metric alerts work?

-You can define a metric alert rule by specifying a target resource to be monitored, metric name, condition type (static or dynamic), and the condition (an operator and a threshold/sensitivity) and an action group to be triggered when the alert rule fires. Condition types affect the way thresholds are determined. [Learn more about Dynamic Thresholds condition type and sensitivity options](../alerts/alerts-dynamic-thresholds.md).

-### Alert rule with static condition type

-Let's say you have created a simple static threshold metric alert rule as follows:

-From the time the alert rule is created, the monitor runs every 1 min and looks at metric values for the last 5 minutes and checks if the average of those values exceeds 70. If the condition is met that is, the average Percentage CPU for the last 5 minutes exceeds 70, the alert rule fires an activated notification. If you have configured an email or a web hook action in the action group associated with the alert rule, you will receive an activated notification on both.

-When you are using multiple conditions in one rule, the rule "ands" the conditions together. That is, an alert fires when all the conditions in the alert rule evaluate as true and resolve when one of the conditions is no longer true. An example for this type of alert rule would be to monitor an Azure virtual machine and alert when both "Percentage CPU is higher than 90%" and "Queue length is over 300 items".

-### Alert rule with dynamic condition type

-Let's say you have created a simple Dynamic Thresholds metric alert rule as follows:

-Once the alert rule is created, the Dynamic Thresholds machine learning algorithm will acquire historical data that is available, calculate threshold that best fits the metric series behavior pattern and will continuously learn based on new data to make the threshold more accurate.

-From the time the alert rule is created, the monitor runs every 1 min and looks at metric values in the last 20 minutes grouped into 5 minutes periods and checks if the average of the period values in each of the 4 periods exceeds the expected threshold. If the condition is met that is, the average Percentage CPU in the last 20 minutes (four 5 minutes periods) deviated from expected behavior four times, the alert rule fires an activated notification. If you have configured an email or a web hook action in the action group associated with the alert rule, you will receive an activated notification on both.

-### View and resolution of fired alerts

-The above examples of alert rules firing can also be viewed in the Azure portal in the **All Alerts** blade.

-Say the usage on "myVM" continues being above the threshold in subsequent checks, the alert rule will not fire again until the conditions are resolved.

-After some time, the usage on "myVM" comes back down to normal (goes below the threshold). The alert rule monitors the condition for two more times, to send out a resolved notification. The alert rule sends out a resolved/deactivated message when the alert condition is not met for three consecutive periods to reduce noise in case of flapping conditions.

-As the resolved notification is sent out via web hooks or email, the status of the alert instance (called monitor state) in Azure portal is also set to resolved.

-> [!NOTE]

->

-> When an alert rule monitors multiple conditions, a fired alert will be resolved if at least one of the conditions is no longer met for three consecutive periods.

-### Using dimensions

-Metric alerts in Azure Monitor also support monitoring multiple dimensions value combinations with one rule. Let's understand why you might use multiple dimension combinations with the help of an example.

-Say you have an App Service plan for your website. You want to monitor CPU usage on multiple instances running your web site/app. You can do that using a metric alert rule as follows:

- - Instance = InstanceName1, InstanceName2

-Like before, this rule monitors if the average CPU usage for the last 5 minutes exceeds 70%. However, with the same rule you can monitor two instances running your website. Each instance will get monitored individually and you will get notifications individually.

-Say you have a web app that is seeing massive demand and you will need to add more instances. The above rule still monitors just two instances. However, you can create a rule as follows:

- - Instance = *

-This rule will automatically monitor all values for the instance i.e you can monitor your instances as they come up without needing to modify your metric alert rule again.

-When monitoring multiple dimensions, Dynamic Thresholds alerts rule can create tailored thresholds for hundreds of metric series at a time. Dynamic Thresholds results in fewer alert rules to manage and significant time saving on management and creation of alerts rules.

-Say you have a web app with many instances and you don't know what the most suitable threshold is. The above rules will always use threshold of 70%. However, you can create a rule as follows:

- - Instance = *

-This rule monitors if the average CPU usage for the last 5 minutes exceeds the expected behavior for each instance. The same rule you can monitor instances as they come up without needing to modify your metric alert rule again. Each instance will get a threshold that fits the metric series behavior pattern and will continuously change based on new data to make the threshold more accurate. Like before, each instance will be monitored individually and you will get notifications individually.

-Increasing look-back periods and number of violations can also allow filtering alerts to only alert on your definition of a significant deviation. [Learn more about Dynamic Thresholds advanced options](../alerts/alerts-dynamic-thresholds.md#what-do-the-advanced-settings-in-dynamic-thresholds-mean).

-> [!NOTE]

->

-> We recommend choosing an *Aggregation granularity (Period)* that is larger than the *Frequency of evaluation*, to reduce the likelihood of missing the first evaluation of added time series in the following cases:

-> - Metric alert rule that monitors multiple dimensions ΓÇô When a new dimension value combination is added

-> - Metric alert rule that monitors multiple resources ΓÇô When a new resource is added to the scope

-> - Metric alert rule that monitors a metric that isnΓÇÖt emitted continuously (sparse metric) ΓÇô When the metric is emitted after a period longer than 24 hours in which it wasnΓÇÖt emitted

-## Monitoring at scale using metric alerts in Azure Monitor

-So far, you have seen how a single metric alert could be used to monitor one or many metric time-series related to a single Azure resource. Many times, you might want the same alert rule applied to many resources. Azure Monitor also supports monitoring multiple resources (of the same type) with one metric alert rule, for resources that exist in the same Azure region.

-This feature is currently supported for platform metrics (not custom metrics) for the following services in the following Azure clouds:

-| Service | Public Azure | Government | China |

-|:--|:--|:--|:--|

-| Virtual machines<sup>1</sup> | **Yes** | **Yes** | **Yes** |

-| SQL server databases | **Yes** | **Yes** | **Yes** |

-| SQL server elastic pools | **Yes** | **Yes** | **Yes** |

-| NetApp files capacity pools | **Yes** | **Yes** | **Yes** |

-| NetApp files volumes | **Yes** | **Yes** | **Yes** |

-| Key vaults | **Yes** | **Yes** | **Yes** |

-| Azure Cache for Redis | **Yes** | **Yes** | **Yes** |

-| Data box edge devices | **Yes** | **Yes** | **Yes** |

-| Recovery Services vaults | **Yes** | **No** | **No** |

-<sup>1</sup> Not supported for virtual machine network metrics (Network In Total, Network Out Total, Inbound Flows, Outbound Flows, Inbound Flows Maximum Creation Rate, Outbound Flows Maximum Creation Rate).

-You can specify the scope of monitoring by a single metric alert rule in one of three ways. For example, with virtual machines you can specify the scope as:

-> [!NOTE]

->

-> The scope of a multi-resource metric alert rule must contain at least one resource of the selected resource type.

-Creating metric alert rules that monitor multiple resources is like [creating any other metric alert](../alerts/alerts-metric.md) that monitors a single resource. Only difference is that you would select all the resources you want to monitor. You can also create these rules through [Azure Resource Manager templates](./alerts-metric-create-templates.md#template-for-a-metric-alert-that-monitors-multiple-resources). You will receive individual notifications for each monitored resource.

-> [!NOTE]

->

-> In a metric alert rule that monitors multiple resources, only one condition is allowed.

-## Typical latency

-For metric alerts, typically you will get notified in under 5 minutes if you set the alert rule frequency to be 1 min. In cases of heavy load for notification systems, you might see a longer latency.

-## Supported resource types for metric alerts

-You can find the full list of supported resource types in this [article](./alerts-metric-near-real-time.md#metrics-and-dimensions-supported).

-## Pricing model

-Each Metrics Alert rule is billed based for time series monitored. Prices for Metric Alert rules are available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

-## Next steps

-description: Overview of alerting in Azure Monitor

-# Overview of alerts in Microsoft Azure

-This article describes what alerts are, their benefits, and how to get started using them.

-## What are alerts in Microsoft Azure?

-Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them.

-## Overview

-The diagram below represents the flow of alerts.

-

-Alert rules are separated from alerts and the actions taken when an alert fires. The alert rule captures the target and criteria for alerting. The alert rule can be in an enabled or a disabled state. Alerts only fire when enabled.

-The following are key attributes of an alert rule:

-**Target Resource** - Defines the scope and signals available for alerting. A target can be any Azure resource. Example targets:

-For certain resources (like virtual machines), you can specify multiple resources as the target of the alert rule.

-**Signal** - Emitted by the target resource. Signals can be of the following types: metric, activity log, Application Insights, and log.

-**Criteria** - A combination of signal and logic applied on a target resource. Examples:

-**Alert Name** - A specific name for the alert rule configured by the user.

-**Alert Description** - A description for the alert rule configured by the user.

-**Severity** - The severity of the alert after the criteria specified in the alert rule is met. Severity can range from 0 to 4.

-**Action** - A specific action taken when the alert is fired. For more information, see [Action Groups](../alerts/action-groups.md).

-## What you can alert on

-You can alert on metrics and logs, as described in [monitoring data sources](./../agents/data-sources.md). Signals include but aren't limited to:

-## Alerts experience

-### Alerts page

-The Alerts page provides a summary of the alerts created in the last 24 hours.

-### Alert Recommendations (preview)

-If you don't have alert rules defined for the selected resource, either individually or as part of a resource group or subscription, you can [create a new alert rule](alerts-log.md#create-a-new-log-alert-rule-in-the-azure-portal), or [enable recommended out-of-the-box alert rules in the Azure portal (preview)](alerts-log.md#enable-recommended-out-of-the-box-alert-rules-in-the-azure-portal-preview).

-### Alerts summary pane

-If you have alerts configured for this resource, the alerts summary pane summarizes the alerts fired in the last 24 hours. You can filter the list by the subscription or any of the filter parameters at the top of the page. The page displays the total alerts for each severity. Select a severity to filter the alerts by that severity.

-> [!NOTE]

- > You can only access alerts generated in the last 30 days.

-You can also [programmatically enumerate the alert instances generated on your subscriptions by using REST APIs](#manage-your-alert-instances-programmatically).

-You can narrow down the list by selecting values from any of these filters at the top of the page:

-| Column | Description |

-|:|:|

-| Subscription | Select the Azure subscriptions for which you want to view the alerts. You can optionally choose to select all your subscriptions. Only alerts that you have access to in the selected subscriptions are included in the view. |

-| Resource group | Select a single resource group. Only alerts with targets in the selected resource group are included in the view. |

-| Resource type | Select one or more resource types. Only alerts with targets of the selected type are included in the view. This column is only available after a resource group has been specified. |

-| Resource | Select a resource. Only alerts with that resource as a target are included in the view. This column is only available after a resource type has been specified. |

-| Severity | Select an alert severity, or select **All** to include alerts of all severities. |

-| Alert condition | Select an alert condition, or select **All** to include alerts of all conditions. |

-| User response | Select a user response, or select **All** to include alerts of all user responses. |

-| Monitor service | Select a service, or select **All** to include all services. Only alerts created by rules that use service as a target are included. |

-| Time range | Only alerts fired within the selected time range are included in the view. Supported values are the past hour, the past 24 hours, the past seven days, and the past 30 days. |

-Select **Columns** at the top of the page to select which columns to show.

-### Alert details pane

-When you select an alert, this alert details pane provides details of the alert and enables you to change how you want to respond to the alert.

-The Alert details pane includes:

-|Section |Description |

-|Summary | Displays the properties and other significant information about the alert. |

-|History | Lists all actions on the alert and any changes made to the alert. |

-## Manage alerts

-You can set the user response of an alert to specify where it is in the resolution process. When the criteria specified in the alert rule is met, an alert is created or fired, and it has a status of *New*. You can change the status when you acknowledge an alert and when you close it. All user response changes are stored in the history of the alert.

-The following user responses are supported.

-| User Response | Description |

-|:|:|

-| New | The issue has been detected and hasn't yet been reviewed. |

-| Acknowledged | An administrator has reviewed the alert and started working on it. |

-| Closed | The issue has been resolved. After an alert has been closed, you can reopen it by changing it to another user response. |

-The *user response* is different and independent of the *alert condition*. The response is set by the user, while the alert condition is set by the system. When an alert fires, the alert's alert condition is set to *'fired'*, and when the underlying condition that caused the alert to fire clears, the alert condition is set to *'resolved'*.

-## Manage alert rules

-To show the **Rules** page, select **Manage alert rules**. The Rules page is a single place for managing all alert rules across your Azure subscriptions. It lists all alert rules and can be sorted based on target resources, resource groups, rule name, or status. You can also edit, enable, or disable alert rules from this page.

- :::image type="content" source="media/alerts-overview/alerts-rules.png" alt-text="Screenshot of alert rules page.":::

-## Create an alert rule

-You can author alert rules in a consistent manner, whatever of the monitoring service or signal type.

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4tflw]

-

-Here's how to create a new alert rule:

-1. Pick the _target_ for the alert.

-1. Select the _signal_ from the available signals for the target.

-1. Specify the _logic_ to be applied to data from the signal.

-This simplified authoring process no longer requires you to know the monitoring source or signals that are supported before selecting an Azure resource. The list of available signals is automatically filtered based on the target resource that you select. Also based on that target, you're guided through defining the logic of the alert rule automatically.

-You can learn more about how to create alert rules in [Create, view, and manage alerts using Azure Monitor](../alerts/alerts-metric.md).

-Alerts are available across several Azure monitoring services. For information about how and when to use each of these services, see [Monitoring Azure applications and resources](../overview.md).

-## Azure role-based access control (Azure RBAC) for your alert instances

-The consumption and management of alert instances requires the user to have the Azure built-in roles of either [monitoring contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) or [monitoring reader](../../role-based-access-control/built-in-roles.md#monitoring-reader). These roles are supported at any Azure Resource Manager scope, from the subscription level to granular assignments at a resource level. For example, if a user only has monitoring contributor access for virtual machine `ContosoVM1`, that user can consume and manage only alerts generated on `ContosoVM1`.

-## Manage your alert instances programmatically

-You might want to query programmatically for alerts generated against your subscription. Queries might be to create custom views outside of the Azure portal, or to analyze your alerts to identify patterns and trends.

-We recommended that you use [Azure Resource Graph](../../governance/resource-graph/overview.md) with the `AlertsManagementResources` schema for querying fired alerts. Resource Graph is recommended when you have to manage alerts generated across multiple subscriptions.

-The following sample request to the Resource Graph REST API returns alerts within one subscription in the last day:

-```json

-{

- "subscriptions": [

- <subscriptionId>

- ],

- "query": "alertsmanagementresources | where properties.essentials.lastModifiedDateTime > ago(1d) | project alertInstanceId = id, parentRuleId = tolower(tostring(properties['essentials']['alertRule'])), sourceId = properties['essentials']['sourceCreatedId'], alertName = name, severity = properties.essentials.severity, status = properties.essentials.monitorCondition, state = properties.essentials.alertState, affectedResource = properties.essentials.targetResourceName, monitorService = properties.essentials.monitorService, signalType = properties.essentials.signalType, firedTime = properties['essentials']['startDateTime'], lastModifiedDate = properties.essentials.lastModifiedDateTime, lastModifiedBy = properties.essentials.lastModifiedUserName"

-}

-```

-You can also see the result of this Resource Graph query in the portal with Azure Resource Graph Explorer: [portal.azure.com](https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/alertsmanagementresources%0A%7C%20where%20properties.essentials.lastModifiedDateTime%20%3E%20ago(1d)%0A%7C%20project%20alertInstanceId%20%3D%20id%2C%20parentRuleId%20%3D%20tolower(tostring(properties%5B'essentials'%5D%5B'alertRule'%5D))%2C%20sourceId%20%3D%20properties%5B'essentials'%5D%5B'sourceCreatedId'%5D%2C%20alertName%20%3D%20name%2C%20severity%20%3D%20properties.essentials.severity%2C%20status%20%3D%20properties.essentials.monitorCondition%2C%20state%20%3D%20properties.essentials.alertState%2C%20affectedResource%20%3D%20properties.essentials.targetResourceName%2C%20monitorService%20%3D%20properties.essentials.monitorService%2C%20signalType%20%3D%20properties.essentials.signalType%2C%20firedTime%20%3D%20properties%5B'essentials'%5D%5B'startDateTime'%5D%2C%20lastModifiedDate%20%3D%20properties.essentials.lastModifiedDateTime%2C%20lastModifiedBy%20%3D%20properties.essentials.lastModifiedUserName)

-You can also use the [Alert Management REST API](/rest/api/monitor/alertsmanagement/alerts) in lower scale querying scenarios or to update fired alerts.

-## Smart groups

-Smart groups are aggregations of alerts based on machine learning algorithms, which can help reduce alert noise and aid in troubleshooting. [Learn more about Smart Groups](./alerts-smartgroups-overview.md?toc=%2fazure%2fazure-monitor%2ftoc.json) and [how to manage your smart groups](./alerts-managing-smart-groups.md?toc=%2fazure%2fazure-monitor%2ftoc.json).

-description: Trigger emails, notifications, call websites URLs (webhooks), or automation when the log query condition you specify is met

-# Log alerts in Azure Monitor

-## Overview

-Log alerts are one of the alert types that are supported in [Azure Alerts](./alerts-overview.md). Log alerts allow users to use a [Log Analytics](../logs/log-analytics-tutorial.md) query to evaluate resources logs every set frequency, and fire an alert based on the results. Rules can trigger one or more actions using [Action Groups](./action-groups.md).

-> [!NOTE]

-> Log data from a [Log Analytics workspace](../logs/log-analytics-tutorial.md) can be sent to the Azure Monitor metrics store. Metrics alerts have [different behavior](alerts-metric-overview.md), which may be more desirable depending on the data you are working with. For information on what and how you can route logs to metrics, see [Metric Alert for Logs](alerts-metric-logs.md).

-## Prerequisites

-Log alerts run queries on Log Analytics data. First you should start [collecting log data](../essentials/resource-logs.md) and query the log data for issues. You can use the [alert query examples topic](../logs/queries.md) in Log Analytics to understand what you can discover or [get started on writing your own query](../logs/log-analytics-tutorial.md).

-[Azure Monitoring Contributor](../roles-permissions-security.md) is a common role that is needed for creating, modifying, and updating log alerts. Access & query execution rights for the resource logs are also needed. Partial access to resource logs can fail queries or return partial results. [Learn more about configuring log alerts in Azure](./alerts-log.md).

-> [!NOTE]

-> Log alerts for Log Analytics used to be managed using the legacy [Log Analytics Alert API](./api-alerts.md). [Learn more about switching to the current ScheduledQueryRules API](../alerts/alerts-log-api-switch.md).

-## Query evaluation definition

-Log search rules condition definition starts from:

-The following sections describe the different parameters you can use to set the above logic.

-### Log query

-The [Log Analytics](../logs/log-analytics-tutorial.md) query used to evaluate the rule. The results returned by this query are used to determine whether an alert is to be triggered. The query can be scoped to:

-

-> [!IMPORTANT]

-> Alert queries have constraints to ensure optimal performance and the relevance of the results. [Learn more here](./alerts-log-query.md).

-> [!IMPORTANT]

-> Resource centric and [cross-resource query](../logs/cross-workspace-query.md#querying-across-log-analytics-workspaces-and-from-application-insights) are only supported using the current scheduledQueryRules API. If you use the legacy [Log Analytics Alert API](./api-alerts.md), you will need to switch. [Learn more about switching](./alerts-log-api-switch.md)

-#### Query time Range

-Time range is set in the rule condition definition. It's called **Override query time range** in the advance settings section.

-Unlike log analytics, the time range in alerts is limited to a maximum of two days of data. Even if longer range **ago** command is used in the query, the time range will apply. For example, a query scans up to 2 days, even if the text contains **ago(7d)**.

-If you use **ago** command in the query, the range is automatically set to two days. You can also change time range manually in cases the query requires more data than the alert evaluation even if there is no **ago** command in the query.

-### Measure

-Log alerts turn log into numeric values that can be evaluated. You can measure two different things:

-* Result count

-* Calculation of a value

-#### Result count

-Count of results is the default measure and is used when you set a **Measure** with a selection of **Table rows**. Ideal for working with events such as Windows event logs, syslog, application exceptions. Triggers when log records happen or doesn't happen in the evaluated time window.

-Log alerts work best when you try to detect data in the log. It works less well when you try to detect lack of data in the logs. For example, alerting on virtual machine heartbeat.

-> [!NOTE]

-> Since logs are semi-structured data, they are inherently more latent than metric, you may experience misfires when trying to detect lack of data in the logs, and you should consider using [metric alerts](alerts-metric-overview.md). You can send data to the metric store from logs using [metric alerts for logs](alerts-metric-logs.md).

-##### Example of result count use case

-You want to know when your application responded with error code 500 (Internal Server Error). You would create an alert rule with the following details:

-```Kusto

-requests

-| where resultCode == "500"

-```

-Then alert rules monitors for any requests ending with 500 error code. The query runs every 15 minutes, over the last 15 minutes. If even one record is found, it fires the alert and triggers the actions configured.

-### Calculation of a value

-Calculation of a value is used when you select a column name of a numeric column for the **Measure**, and the result is a calculation that you perform on the values in that column. This would be used, for example, as CPU counter value.

-### Aggregation type

-The calculation that is done on multiple records to aggregate them to one numeric value using the [**Aggregation granularity**](#aggregation-granularity) defined. For example:

-### Aggregation granularity

-Determines the interval that is used to aggregate multiple records to one numeric value. For example, if you specified **5 minutes**, records would be grouped by 5-minute intervals using the **Aggregation type** specified.

-> [!NOTE]

-> As [bin()](/azure/kusto/query/binfunction) can result in uneven time intervals, the alert service will automatically convert [bin()](/azure/kusto/query/binfunction) function to [bin_at()](/azure/kusto/query/binatfunction) function with appropriate time at runtime, to ensure results with a fixed point.

-### Split by alert dimensions

-Split alerts by number or string columns into separate alerts by grouping into unique combinations. It's configured in **Split by dimensions** section of the condition (limited to six splits). When creating resource-centric alerts at scale (subscription or resource group scope), you can split by Azure resource ID column. Splitting on Azure resource ID column will change the target of the alert to the specified resource.

-Splitting by Azure resource ID column is recommended when you want to monitor the same condition on multiple Azure resources. For example, monitoring all virtual machines for CPU usage over 80%. You may also decide not to split when you want a condition on multiple resources in the scope. Such as monitoring that at least five machines in the resource group scope have CPU usage over 80%.

-#### Example of splitting by alert dimensions

-For example, you want to monitor errors for multiple virtual machines running your web site/app in a specific resource group. You can do that using a log alert rule as follows:

- ```Kusto

- // Reported errors

- union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records

- | where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records

- or SeverityLevel== "err" // SeverityLevel is used in Syslog (Linux) records

- ```

- - Computer = VM1, VM2 (Filtering values in alert rules definition isn't available currently for workspaces and Application Insights. Filter in the query text.)

-This rule monitors if any virtual machine had error events in the last 15 minutes. Each virtual machine is monitored separately and will trigger actions individually.

-> [!NOTE]

-> Split by alert dimensions is only available for the current scheduledQueryRules API. If you use the legacy [Log Analytics Alert API](./api-alerts.md), you will need to switch. [Learn more about switching](./alerts-log-api-switch.md). Resource centric alerting at scale is only supported in the API version `2021-08-01` and above.

-## Alert logic definition

-Once you define the query to run and evaluation of the results, you need to define the alerting logic and when to fire actions. The following sections describe the different parameters you can use:

-### Threshold and operator

-The query results are transformed into a number that is compared against the threshold and operator.

-### Frequency

-The interval in which the query is run. Can be set from a minute to a day.

-### Number of violations to trigger alert

-You can specify the alert evaluation period and the number of failures needed to trigger an alert. Allowing you to better define an impact time to trigger an alert.

-For example, if your rule [**Aggregation granularity**](#aggregation-granularity) is defined as '5 minutes', you can trigger an alert only if three failures (15 minutes) of the last hour occurred. This setting is defined by your application business policy.

-## State and resolving alerts

-Log alerts can either be stateless or stateful (currently in preview).

-Stateless alerts fire each time the condition is met, even if fired previously. You can [mark the alert as closed](../alerts/alerts-managing-alert-states.md) once the alert instance is resolved. You can also mute actions to prevent them from triggering for a period after an alert rule fired using the **Mute Actions** option in the alert details section.

-See this alert stateless evaluation example:

-| Time | Log condition evaluation | Result

-| - | -| -| -

-| 00:05 | FALSE | Alert doesn't fire. No actions called.

-| 00:10 | TRUE | Alert fires and action groups called. New alert state ACTIVE.

-| 00:15 | TRUE | Alert fires and action groups called. New alert state ACTIVE.

-| 00:20 | FALSE | Alert doesn't fire. No actions called. Pervious alerts state remains ACTIVE.

-Stateful alerts fire once per incident and resolve. The alert rule resolves when the alert condition isn't met for 30 minutes for a specific evaluation period (to account for [log ingestion delay](../alerts/alerts-troubleshoot-log.md#data-ingestion-time-for-logs)), and for three consecutive evaluations to reduce noise if there is flapping conditions. For example, with a frequency of 5 minutes, the alert resolve after 40 minutes or with a frequency of 1 minute, the alert resolve after 32 minutes. The resolved notification is sent out via web-hooks or email, the status of the alert instance (called monitor state) in Azure portal is also set to resolved.

-Stateful alerts feature is currently in preview. You can set this using **Automatically resolve alerts** in the alert details section.

-## Location selection in log alerts

-Log alerts allow you to set a location for alert rules. You can select any of the supported locations, which align to [Log Analytics supported region list](https://azure.microsoft.com/global-infrastructure/services/?products=monitor).

-Location affects which region the alert rule is evaluated in. Queries are executed on the log data in the selected region, that said, the alert service end to end is global. Meaning alert rule definition, fired alerts, notifications, and actions aren't bound to the location in the alert rule. Data is transfer from the set region since the Azure Monitor alerts service is a [non-regional service](https://azure.microsoft.com/global-infrastructure/services/?products=monitor&regions=non-regional).

-## Pricing model

-Each Log Alert rule is billed based the interval at which the log query is evaluated (more frequent query evaluation results in a higher cost). Additionally, for Log Alerts configured for [at scale monitoring](#split-by-alert-dimensions), the cost will also depend on the number of time series created by the dimensions resulting from your query.

-Prices for Log Alert rules are available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

-### Calculating the price for a Log Alert rule without dimensions

-The price of an alert rule which queries 1 resource event every 15-minutes can be calculated as:

-Total monthly price = 1 resource * 1 log alert rule * price per 15-minute internal log alert rule per month.

-### Calculating the price for a Log Alert rule with dimensions

-The price of an alert rule which monitors 10 VM resources at 1-minute frequency, using resource centric log monitoring, can be calculated as Price of alert rule + Price of number of dimensions. For example:

-Total monthly price = price per 1-minute log alert rule per month + ( 10 time series - 1 included free time series ) * price per 1-min interval monitored per month.

-Pricing of at scale log monitoring is applicable from Scheduled Query Rules API version 2021-02-01.

-## View log alerts usage on your Azure bill

-Log Alerts are listed under resource provider `microsoft.insights/scheduledqueryrules` with:

-> [!NOTE]

-> Unsupported resource characters such as `<, >, %, &, \, ?, /` are replaced with `_` in the hidden resource names and this will also reflect in the billing information.

-> [!NOTE]

-> Log alerts for Log Analytics used to be managed using the legacy [Log Analytics Alert API](./api-alerts.md) and legacy templates of [Log Analytics saved searches and alerts](../insights/solutions.md). [Learn more about switching to the current ScheduledQueryRules API](../alerts/alerts-log-api-switch.md). Any alert rule management should be done using [legacy Log Analytics API](./api-alerts.md) until you decide to switch and you can't use the hidden resources.

-## Next steps

-* Learn about [creating in log alerts in Azure](./alerts-log.md).

-* Understand [webhooks in log alerts in Azure](../alerts/alerts-log-webhook.md).

-* Learn about [Azure Alerts](./alerts-overview.md).

-* Learn more about [Log Analytics](../logs/log-query-overview.md).

-The Intelligent View works well for large distributed applications but sometimes it can take around one minute to load.

-If Intelligent View doesn't load, ensure that you've opted into the preview on Application Map.

-You can turn on monitoring for your Java apps running in Azure App Service just with one click, no code change required.

-Application Insights for Java is integrated with Azure App Service on Linux - both code-based and custom containers, and with App Service on Windows for code-based apps.

-The integration adds [Application Insights Java 3.x](./java-in-process-agent.md) and you will get the telemetry auto-collected.

-* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.

-|Azure App Service on Windows | GA, OnBD* | GA, opt-in | Public Preview, Container and Custom Containers are GA | Public Preview | Not supported |

->You can migrate your Application Insight resources to alerts-bases smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

-Azure Monitor Container Insights is now in Public Preview of new schema for container logs called ContainerLogV2. As part of this schema, there new fields to make common queries to view AKS (Azure Kubernetes Service) and Azure Arc enabled Kubernetes data. In addition, this schema is compatible as a part of [Basic Logs](../logs/basic-logs-configure.md), which offer a low cost alternative to standard analytics logs.

-> The ContainerLogv2 schema is currently a preview feature, some features may be limited in the Portal experience from Container Insights

-When configuring an existing ConfigMap, we have to append the following section in your existing ConfigMap yaml file:

- # In the absense of this configmap, default value for containerlog_schema_version is "v1"

- # See documentation for benefits of v2 schema over v1 schema before opting for "v2" schema

-1. Download the new ConfigMap from [here](https://aka.ms/container-azm-ms-agentconfig). For new downloaded configmapdefault the value for containerlog_schema_version is "v1"

- ```yaml

- [log_collection_settings.schema]

- # In the absense of this configmap, default value for containerlog_schema_version is "v1"

- # Supported values for this setting are "v1","v2"

- # See documentation for benefits of v2 schema over v1 schema before opting for "v2" schema

- containerlog_schema_version = "v2"

- ```

-1. Once you have finished configuring the configmap Run the following kubectl command: kubectl apply -f `<configname>`

-> This solution is no longer in active development and may not work as expected. We suggest you try using [Azure Resource Graph to query Azure Monitor alerts](../alerts/alerts-overview.md#manage-your-alert-instances-programmatically).

-The Alert Management solution helps you analyze all of the alerts in your Log Analytics repository. These alerts may have come from a variety of sources including those sources [created by Log Analytics](../alerts/alerts-overview.md) or [imported from Nagios or Zabbix](../vm/monitor-virtual-machine.md). The solution also imports alerts from any [connected System Center Operations Manager management groups](../agents/om-agents.md).

-The default pricing for Log Analytics is a Pay-As-You-Go model that's based on ingested data volume and data retention. Each Log Analytics workspace is charged as a separate service and contributes to the bill for your Azure subscription. The amount of data ingestion can be considerable, depending on the following factors:

->The billable data volume calculation is substantially smaller than the size of the entire incoming JSON-packaged event, often less than 50%. It is essential to understand this calculation of billed data size when estimating costs and comparing to other pricing models.

-| Metrics | There is no charge for [standard metrics](essentials/metrics-supported.md) collected from Azure resources. There is a cost for cost for collecting [custom metrics](essentials/metrics-custom-overview.md) and for retrieving metrics from the [REST API](essentials/rest-api-walkthrough.md#retrieve-metric-values). |

-| Alerts | Charged based on the type and number of [signals](alerts/alerts-overview.md#what-you-can-alert-on) used by the alert rule, its frequency, and the type of [notification](alerts/action-groups.md) used in response. For [log alerts](alerts/alerts-unified-log.md) configured for [at scale monitoring](alerts/alerts-unified-log.md#split-by-alert-dimensions), the cost will also depend on the number of time series created by the dimensions resulting from your query. |

-To receive these entitlements for Log Analytics workspaces or Application Insights resources in a subscription, they must be use the Per-Node (OMS) pricing tier. This entitlement isn't visible in the estimated costs shown in the Usage and estimated cost pane.

-View alerts created by VM insights guest health with other [alerts in the Azure portal](../alerts/alerts-overview.md#alerts-experience). You can select **Alerts** from the **Azure Monitor** menu to view alerts for all monitored resources, or select **Alerts** from a virtual machine's menu to view alerts for just that virtual machine.

- * **LDAP Signing**

- The **LDAP Signing** feature is currently in preview. If this is your first time using this feature, register the feature before using it:

- ```azurepowershell-interactive

- Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFLdapSigning

- ```

- Check the status of the feature registration:

- > [!NOTE]

- > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is `Registered` before continuing.

- ```azurepowershell-interactive

- Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFLdapSigning

- ```

-

- You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.

-1. From the NetApp Account view, click **Snapshot policy**.

-3. Click the **Hourly**, **Daily**, **Weekly**, or **Monthly** tab to create hourly, daily, weekly, or monthly snapshot policies. Specify the **Number of snapshots to keep**.

-4. Click **Save**.

-2. In the Edit window, under **Snapshot policy**, select a policy to use for the volume. Click **OK** to apply the policy.

-You can modify an existing snapshot policy to change the policy state, snapshot frequency (hourly, daily, weekly, or monthly), or number of snapshots to keep.

-1. From the NetApp Account view, click **Snapshot policy**.

-3. Make the changes in the Snapshot Policy window that appears, then click **Save**.

-1. From the NetApp Account view, click **Snapshot policy**.

-3. Click **Yes** to confirm that you want to delete the snapshot policy.

-> [!IMPORTANT]

-> This feature is currently in preview.

-> | mediaservices | resource group | 3-24 | Lowercase letters and numbers. |

-> | sites / functions / slots | global or per domain. See note below. | 2-60 | Alphanumeric, hyphens and Unicode characters that can be mapped to Punycode<br><br>Can't start or end with hyphen. |

-> Unicode characters are parsed to Punycode using the following method: https://docs.microsoft.com/dotnet/api/system.globalization.idnmapping.getascii

-## Blocks

-Blocks are meant to make it easier to go through the data. For example, block might be broken down based on when speakers change or there is a long pause.

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fmedia-services-video-indexer%2Fmaster%2FARM-Samples%2FCreate-Account%2Favam.template.json)

-1. Open The [template file](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/ARM-Samples/Create-Account/avam.template.json) file and inspect its content.

-[Connect an existing classic paid Azure Video Indexer account to ARM-based account](connect-classic-account-to-arm.md)

-Improved line break logic to better split transcript into sentences. New editing capabilities are now available through the Azure Video Indexer portal, such as adding a new line and editing the lineΓÇÖs timestamp.

-For a list of file formats that you can use with Azure Video Indexer, see [Standard Encoder formats and codecs](/azure/azure/media-services/latest/encode-media-encoder-standard-formats-reference).

-1. Once your video has been uploaded, Azure Video Indexer starts indexing and analyzing the video. You see the progress.

- > :::image type="content" source="./media/video-indexer-get-started/progress.png" alt-text="Progress of the upload":::

-## Supported browsers

-For more information, see [supported browsers](video-indexer-overview.md#supported-browsers).

-## See also

-See [Upload and index videos](upload-index-videos.md) for more details.

-After you upload and index a video, you can start using [Azure Video Indexer website](video-indexer-view-edit.md) or [Azure Video Indexer Developer Portal](video-indexer-use-apis.md) to see the insights of the video.

-[Start using APIs](video-indexer-use-apis.md)

-You can visually examine the video's summarized insights by pressing the **Play** button on the video on the [Azure Video Indexer](https://www.videoindexer.ai/) website.

-You can also use the Get Video Index API. If the response status is `OK`, you get a detailed JSON output as the response content.

-|`blocks`|Might contain one or more [blocks](#blocks).|

-#### blocks

-Attribute | Description

-|

-`id`|The ID of the block.|

-`instances`|A list of time ranges for this block.|

-The `visualContentModeration` block contains time ranges that Azure Video Indexer found to potentially have adult content. If `visualContentModeration` is empty, no adult content was identified.

- - [Multi-user authorization using Resource Guard is now generally available](#multi-user-authorization-using-resource-guard-is-now-generally-available)

-## Multi-user authorization using Resource Guard is now generally available

-

-Azure Backup now supports multi-user authorization (MUA) that allows you to add an additional layer of protection to critical operations on your Recovery Services vaults. For MUA, Azure Backup uses the Azure resource, Resource Guard, to ensure critical operations are performed only with applicable authorization.

-For more information, see [how to protect Recovery Services vault and manage critical operations with MUA](multi-user-authorization.md).

->

-> Γÿ╝ Indicates the language is not available for scanned PDF document translation.

-|Language | Language code | Γÿ╝ Cloud ΓÇô Text Translation and Document Translation | Containers ΓÇô Text Translation|Custom Translator|Auto Language Detection|Dictionary

-| Amharic Γÿ╝ | `am` |Γ£ö|Γ£ö||||

-| Armenian Γÿ╝ | `hy` |Γ£ö|Γ£ö||Γ£ö||

-| Assamese Γÿ╝ | `as` |Γ£ö|Γ£ö|Γ£ö|||

-| Bangla Γÿ╝ | `bn` |Γ£ö|Γ£ö|Γ£ö||Γ£ö|

-| Bashkir Γÿ╝ | `ba` |Γ£ö|||||

-| Cantonese (Traditional) Γÿ╝ | `yue` |Γ£ö|Γ£ö||||

-| Divehi Γÿ╝ | `dv` |Γ£ö|||Γ£ö||

-| Georgian Γÿ╝ | `ka` |Γ£ö|||Γ£ö||

-| Greek Γÿ╝ | `el` |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-| Gujarati Γÿ╝ | `gu` |Γ£ö|Γ£ö|Γ£ö|Γ£ö||

-| Hebrew Γÿ╝ | `he` |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-| Inuinnaqtun Γÿ╝ | `ikt` |Γ£ö|||||

-| Inuktitut Γÿ╝ | `iu` |Γ£ö|Γ£ö|Γ£ö|Γ£ö||

-| Kannada Γÿ╝ | `kn` |Γ£ö|Γ£ö|Γ£ö|||

-| Khmer Γÿ╝ | `km` |Γ£ö|Γ£ö||Γ£ö||

-| Klingon (plqaD) Γÿ╝ | `tlh-Piqd` |Γ£ö| ||Γ£ö||

-| Kurdish (Northern) Γÿ╝ | `kmr` |Γ£ö|Γ£ö||||

-| Lao Γÿ╝ | `lo` |Γ£ö|Γ£ö||Γ£ö||

-| Latvian Γÿ╝| `lv` |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-| Macedonian Γÿ╝ | `mk` |Γ£ö|||Γ£ö||

-| Malagasy Γÿ╝ | `mg` |Γ£ö|Γ£ö|Γ£ö|||

-| Malayalam Γÿ╝ | `ml` |Γ£ö|Γ£ö|Γ£ö|||

-| Mongolian (Cyrillic) Γÿ╝| `mn-Cyrl` |Γ£ö|||||

-| Mongolian (Traditional) Γÿ╝ | `mn-Mong` |Γ£ö|||Γ£ö||

-| Myanmar Γÿ╝ | `my` |Γ£ö|Γ£ö||Γ£ö||

-| Odia Γÿ╝ | `or` |Γ£ö|Γ£ö|Γ£ö|||

-| Queretaro Otomi Γÿ╝ | `otq` |Γ£ö|Γ£ö||||

-| Tahitian Γÿ╝ | `ty` |Γ£ö| |Γ£ö|Γ£ö||

-| Tamil Γÿ╝ | `ta` |Γ£ö|Γ£ö|Γ£ö||Γ£ö|

-| Telugu Γÿ╝ | `te` |Γ£ö|Γ£ö|Γ£ö|||

-| Thai Γÿ╝ | `th` |Γ£ö| |Γ£ö|Γ£ö|Γ£ö|

-| Tibetan Γÿ╝ | `bo` |Γ£ö||||

-| Tigrinya Γÿ╝ | `ti` |Γ£ö|Γ£ö||||

-| Vietnamese Γÿ╝ | `vi` |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-Cognitive Services provides machine learning capabilities to solve general problems such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces. You don't need special machine learning or data science knowledge to use these services.

-* Access solution from a programming REST API or SDK.

-Use another machine-learning solution when you:

-* Azure Machine Learning is tailored for data scientists.

-This quickstart describes how to use Bicep to create Cognitive Services.

-Create a resource using Bicep. This multi-service resource lets you:

- - Clone the entire Bot Framework Samples repository to get access to this sample project.

-1. Copy the [FlightBooking.json](https://aka.ms/clu-botframework-json) file in the **Core Bot** for CLU sample.

-4. Once the project is loaded, click on **Training** on the left. Press on Start a training job, provide the model name **v1** and press Train. All other settings such as **Standard Training** and the evaluation settings can be left as is.

-5. Once training is complete, click to **Deployments** on the left. Click on Add Deployment and create a new deployment with the name **Testing**, and assign model **v1** to the deployment.

-In the Core Bot sample, under the CLU folder, you can check out the **FlightBookingRecognizer.cs** file. Here is where the CLU API call to the deployed endpoint is made to retrieve the CLU prediction for intents and entities.

-Under the folder Dialogs folder, find the **MainDialog** which uses the following to make a CLU prediction.

-From a terminal, navigate to `samples/csharp_dotnetcore/90.core-bot-with-clu/90.core-bot-with-clu`

-1. Navigate to the `samples/csharp_dotnetcore/90.core-bot-with-clu/90.core-bot-with-clu` folder

-1. Select the `CoreBotWithCLU.csproj` file

-An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the [transparency note for custom NER]() to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

-An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the [transparency note for custom text classification]() to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

-# Connect different services with orchestration workflow

-This tutorial will include creating a **chit chat** knowledge base and **email commands** project. Chit chat will deal with common niceties and greetings with static responses.

-2. Find and select the [custom question answering](https://language.cognitive.azure.com/questionAnswering/projects/) card in the homepage.

-You are now done with deploying your knowledge base for chit chat. You can explore the type of questions and answers to expect in the **Edit knowledge base** tab.

-1. In Language Studio, go to the [conversational language understanding](https://language.cognitive.azure.com/clu/projects) service.

-3. Click on the arrow next to **Create new project** and select **Import**. Browse to the downloaded EmailProject.json file you downloaded and press Done.

-4. Once the project is loaded, click on **Training** on the left. Press on Start a training job, provide the model name **v1** and press Train. All other settings such as **Standard Training** and the evaluation settings can be left as is.

-5. Once training is complete, click to **Deployments** on the left. Click on Add Deployment and create a new deployment with the name **Testing**, and assign model **v1** to the deployment.

-You are now done with deploying a conversational language understanding project for email commands. You can explore the different commands in the **Utterances** page.

-## Create an orchestration workflow project

-1. In Language Studio, go to the [orchestration workflow](https://language.cognitive.azure.com/orchestration/projects) service.

-3. Once the project is created, click on **Add** in the **Build schema** page.

-6. Similar to conversational language understanding, go to **Training** and start a new training job with the name **v1** and press Train.

-7. Once training is complete, click to **Deployments** on the left. Click on Add deployment and create a new deployment with the name **Testing**, and assign model **v1** to the deployment and press Next.

-1. In the downloaded **OrchestrationWorkflowSample** solution, make sure to install all the required packages. In Visual Studio, go to _Tools_, _NuGet Package Manager_ and select _Package Manager Console_ and run the following command.

-2. In `Program.cs`, replace `{api-key}` and the placeholder endpoint. Use the key and endpoint for the Language resource you created earlier. You can find them in the **Keys and Endpoint** tab in your Language resource in Azure.

-Uri endpoint = new Uri("https://myaccount.api.cognitive.microsoft.com");

-3. Replace the orchestrationProject parameters to **Orchestrator** and **Testing** as below if they are not set already.

-4. Run the project or press F5 in Visual Studio.

-5. Input a query such as "read the email from matt" or "hello how are you". You'll now observe different responses for each, a conversational language understanding **EmailProject** response from the first, and the answer from the **chitchat** for the second query.

-## Get started with text summarization

-To use this feature, you submit raw unstructured text for analysis and handle the API output in your application. Analysis is performed as-is, with no additional customization to the model used on your data. There are two ways to use text summarization:

-* Text summarization takes raw unstructured text for analysis. See [Data and service limits](../concepts/data-limits.md) in the how-to guide for more information.

-* Text summarization works with a variety of written languages. See [language support](language-support.md) for more information.

-The following table represents the set of supported browsers which are currently available. **We support the most recent three versions of the browser** unless otherwise indicated.

-Get started with Email by provisioning your first Email Communication Services resource. Communication services resources can be provisioned through the [Azure portal](https://portal.azure.com) or with the .NET management client library. The management client library and the Azure portal allow you to create, configure, update and delete your resources and interface with [Azure Resource Manager](../../../azure-resource-manager/management/overview.md), Azure's deployment and management service. All functionality available in the client libraries is available in the Azure portal.

-description: Learn how to handle SMS events using Azure Communication Services.

-# Quickstart: Handle SMS events for Delivery Reports and Inbound Messages

-Get started with Azure Communication Services by using Azure Event Grid to handle Communication Services SMS events.

-## About Azure Event Grid

-[Azure Event Grid](../../../event-grid/overview.md) is a cloud-based eventing service. In this article, you'll learn how to subscribe to events for [communication service events](../../../event-grid/event-schema-communication-services.md), and trigger an event to view the result. Typically, you send events to an endpoint that processes the event data and takes actions. In this article, we'll send the events to a web app that collects and displays the messages.

-## Prerequisites

-## Setting up

-### Enable Event Grid resource provider

-If you haven't previously used Event Grid in your Azure subscription, you may need to register the Event Grid resource provider following the steps below:

-In the Azure portal:

-1. Select **Subscriptions** on the left menu.

-2. Select the subscription you're using for Event Grid.

-3. On the left menu, under **Settings**, select **Resource providers**.

-4. Find **Microsoft.EventGrid**.

-5. If not registered, select **Register**.

-It may take a moment for the registration to finish. Select **Refresh** to update the status. When **Status** is **Registered**, you're ready to continue.

-### Event Grid Viewer deployment

-For this quickstart, we will use the [Azure Event Grid Viewer Sample](/samples/azure-samples/azure-event-grid-viewer/azure-event-grid-viewer/) to view events in near-real time. This will provide the user with the experience of a real-time feed. In addition, the payload of each event should be available for inspection as well.

-## Subscribe to the SMS events using web hooks

-In the portal, navigate to your Azure Communication Services Resource that you created. Inside the Communication Service resource, select **Events** from the left menu of the **Communication Services** page.

-Press **Add Event Subscription** to enter the creation wizard.

-On the **Create Event Subscription** page, Enter a **name** for the event subscription.

-You can subscribe to specific events to tell Event Grid which of the SMS events you want to track, and where to send the events. Select the events you'd like to subscribe to from the dropdown menu. For SMS you'll have the option to choose `SMS Received` and `SMS Delivery Report Received`.

-If you're prompted to provide a **System Topic Name**, feel free to provide a unique string. This field has no impact on your experience and is used for internal telemetry purposes.

-Check out the full list of [events supported by Azure Communication Services](../../../event-grid/event-schema-communication-services.md).

-Select **Web Hook** for **Endpoint type**.

-For **Endpoint**, click **Select an endpoint**, and enter the URL of your web app.

-In this case, we will use the URL from the [Azure Event Grid Viewer Sample](/samples/azure-samples/azure-event-grid-viewer/azure-event-grid-viewer/) we set up earlier in the quickstart. The URL for the sample will be in the format: `https://{{site-name}}.azurewebsites.net/api/updates`

-Then select **Confirm Selection**.

-## Viewing SMS events

-### Triggering SMS events

-To view event triggers, we must generate events in the first place.

-Check out the full list of [events supported by Azure Communication Services](../../../event-grid/event-schema-communication-services.md).

-### Receiving SMS events

-Once you complete either action above you will notice that `SMS Received` and `SMS Delivery Report Received` events are sent to your endpoint. These events will show up in the [Azure Event Grid Viewer Sample](/samples/azure-samples/azure-event-grid-viewer/azure-event-grid-viewer/) we set up at the beginning. You can press the eye icon next to the event to see the entire payload. Events will look like this:

-You may also want to:

-description: Learn how to send an SMS message using Azure Communication Services.

-> SMS messages can be sent to and received from United States phone numbers. Phone numbers located in other geographies are not yet supported by Communication Services SMS.

-> For more information, see **[Phone number types](../../concepts/telephony/plan-solution.md)**.

-In this quickstart, you learned how to send SMS messages using Azure Communication Services.

-Azure Container Apps run in the context of an [environment](environment.md), which is supported by a virtual network (VNET). When you create an environment, you can provide a custom VNET, otherwise a VNET is automatically generated for you. Generated VNETs are inaccessible to you as they're created in Microsoft's tenent. To take full control over your VNET, provide an existing VNET to Container Apps as you create your environment.

-Consider a situation where you have a known good revision that's serving 100% of your traffic, but you want to issue and update to your app. You can deploy and test new revisions using their direct endpoints without affecting the main revision serving the app.

-There are two broad categories for why a container group may restart without explicit user input. First, containers may experience restarts caused by an application process crash. The ACI service recommends leveraging observability solutions such as Application Insights SDK, container group metrics, and container group logs to determine why the application experienced issues. Second, customers may experience restarts initiated by the ACI infrastructure due to maintenance events. To increase the availability of your application, run multiple container groups behind an ingress component such as an Application Gateway or Traffic Manager.

- customCommand: 'run build validate $(Build.Repository.LocalPath)/<Root-folder-from-Git-configuration-settings-in-ADF> /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testResourceGroup/providers/Microsoft.DataFactory/factories/<Your-Factory-Name>'

- customCommand: 'run build export $(Build.Repository.LocalPath)/<Root-folder-from-Git-configuration-settings-in-ADF> /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testResourceGroup/providers/Microsoft.DataFactory/factories/<Your-Factory-Name> "ArmTemplate"'

-zone_pivot_groups: azure-stack-edge-device-deployment

-This tutorial describes how to configure device related settings for your 1-node Azure Stack Edge Pro GPU device. You can set up your device name, update server, and time server via the local web UI.

-This tutorial describes how to configure device related settings for your 2-node Azure Stack Edge Pro GPU device. You can set up your device name, update server, and time server via the local web UI.

-The device settings can take around 5-7 minutes to complete.

-Repeat all the above steps for the second node of your device. Make sure that the same DNS domain is used for both the nodes.

-Repeat all the above steps for the second node of your device. Make sure that the same update server is used for both the nodes.

-

-Repeat all the above steps for the second node of your device. Make sure that the same NTP server is used for both the nodes.

->

-

-[Use Defender for Containers to scan your ACR images for vulnerabilities](defender-for-container-registries-usage.md).

-### Does Microsoft Defender for Containers support AKS clusters with virtual machines scale set (VMSS)?

-Yes.

-

-To use the default Azure credentials, you'll need the Azure Digital Twins instance's URL ([instructions to find](how-to-set-up-instance-portal.md#verify-success-and-collect-important-values)). You may also need an [app registration](./how-to-create-app-registration-portal.md) and the registration's [Application (client) ID](./how-to-create-app-registration-portal.md#collect-client-id-and-tenant-id).

-To use the interactive browser credentials, you'll need an **app registration** that has permissions to the Azure Digital Twins APIs. For steps on how to set up this app registration, see [Create an app registration with Azure Digital Twins access](./how-to-create-app-registration-portal.md). Once the app registration is set up, you'll need...

-* [the app registration's Application (client) ID](./how-to-create-app-registration-portal.md#collect-client-id-and-tenant-id)

-* [the app registration's Directory (tenant) ID](./how-to-create-app-registration-portal.md#collect-client-id-and-tenant-id)

-# Mandatory fields.

-description: Use the CLI to create an Azure AD app registration that can access Azure Digital Twins resources.

-# Optional fields. Don't forget to remove # if you need a field.

-#

-#

-#

-# Create an app registration to use with Azure Digital Twins (CLI)

-This article describes how to use the Azure CLI to create an [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) *app registration* that can access Azure Digital Twins.

-When working with Azure Digital Twins, it's common to interact with your instance through client applications. Those applications need to authenticate with Azure Digital Twins, and some of the [authentication mechanisms](how-to-authenticate-client.md) that apps can use involve an app registration.

-The app registration isn't required for all authentication scenarios. However, if you're using an authentication strategy or code sample that does require an app registration, this article shows you how to set one up and grant it permissions to the Azure Digital Twins APIs. It also covers how to collect important values that you'll need to use the app registration when authenticating.

->[!TIP]

-> You may prefer to set up a new app registration every time you need one, or to do this only once, establishing a single app registration that will be shared among all scenarios that require it.

-## Create manifest

-First, create a file containing certain service information that your app registration will need to access the Azure Digital Twins APIs. Later, you'll pass in this file when creating the app registration, to set up the Azure Digital Twins permissions.

-Create a new .json file on your computer called *manifest.json*. Copy this text into the file:

-```json

-[

- {

- "resourceAppId": "0b07f429-9f4b-4714-9392-cc5e8e80c8b0",

- "resourceAccess": [

- {

- "id": "4589bd03-58cb-4e6c-b17f-b580e39652f8",

- "type": "Scope"

- }

- ]

- }

-]

-```

-The static value `0b07f429-9f4b-4714-9392-cc5e8e80c8b0` is the resource ID for the Azure Digital Twins service endpoint, which your app registration will need to access the Azure Digital Twins APIs.

-

-Save the finished file.

-### Cloud Shell users: Upload manifest

-If you're using Cloud Shell for this tutorial, you'll need to upload the manifest file you created to the Cloud Shell, so that you can access it in Cloud Shell commands when configuring the app registration. If you're using a local installation of the Azure CLI, you can skip this step.

-To upload the file, go to the Cloud Shell window in your browser. Select the "Upload/Download files" icon and choose "Upload".

-Navigate to the *manifest.json* file on your machine and select **Open**. Doing so will upload the file to the root of your Cloud Shell storage.

-## Create the registration

-In this section, you'll run a CLI command to create an app registration with the following settings:

-* Name of your choice

-* Available only to accounts in the default directory (single tenant)

-* A web reply URL of `http://localhost`

-* Read/write permissions to the Azure Digital Twins APIs

-Run the following command to create the registration. If you're using Cloud Shell, the path to the manifest.json file is `@manifest.json`.

-```azurecli-interactive

-az ad app create --display-name <app-registration-name> --available-to-other-tenants false --reply-urls http://localhost --native-app --required-resource-accesses "<path-to-manifest.json>"

-```

-The output of the command is information about the app registration you've created.

-## Verify success

-You can confirm that the Azure Digital Twins permissions were granted by looking for the following fields in the output of the `az ad app create` command, and confirming their values match what's shown in the screenshot below:

-You can also verify the app registration was successfully created with the necessary API permissions by using the Azure portal. For portal instructions, see [Verify API permissions (portal)](how-to-create-app-registration-portal.md#verify-api-permissions).

-## Collect important values

-Next, collect some important values about the app registration that you'll need to use the app registration to authenticate a client application. These values include:

-* resource name

-* client ID

-* tenant ID

-* client secret

-To work with Azure Digital Twins, the resource name is `http://digitaltwins.azure.net`.

-The following sections describe how to find the other values.

-### Collect client ID and tenant ID

-To use the app registration for authentication, you may need to provide its **Application (client) ID** and **Directory (tenant) ID**. In this section, you'll collect these values so you can save them and use them whenever they're needed.

-You can find both of these values in the output from the `az ad app create` command.

-Application (client) ID:

-Directory (tenant) ID:

-### Collect client secret

-To create a client secret for your app registration, you'll need your app registration's client ID value from the previous section. Use the value in the following CLI command to create a new secret:

-```azurecli-interactive

-az ad app credential reset --id <client-ID> --append

-```

-You can also add optional parameters to this command to specify a credential description, end date, and other details. For more information about the command and its parameters, see [az ad app credential reset documentation](/cli/azure/ad/app/credential#az-ad-app-credential-reset).

-The output of this command is information about the client secret that you've created. Copy the value for `password` to use when you need the client secret for authentication.

->[!IMPORTANT]

->Make sure to copy the value now and store it in a safe place, as it cannot be retrieved again. If you can't find the value later, you'll have to create a new secret.

-## Create Azure Digital Twins role assignment

-In this section, you'll create a role assignment for the app registration to set its permissions on the Azure Digital Twins instance. This role will determine what permissions the app registration holds on the instance, so you should select the role that matches the appropriate level of permission for your situation. One possible role is [Azure Digital Twins Data Owner](../role-based-access-control/built-in-roles.md#azure-digital-twins-data-owner). For a full list of roles and their descriptions, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).

-Use the following command to assign the role (must be run by a user with [sufficient permissions](how-to-set-up-instance-cli.md#prerequisites-permission-requirements) in the Azure subscription). The command requires you to pass in the name of the app registration.

-```azurecli-interactive

-az dt role-assignment create --dt-name <your-Azure-Digital-Twins-instance> --assignee "<name-of-app-registration>" --role "<appropriate-role-name>"

-```

-The result of this command is outputted information about the role assignment that's been created for the app registration.

-### Verify role assignment

-To further verify the role assignment, you can look for it in the Azure portal. Follow the instructions in [Verify role assignment (portal)](how-to-create-app-registration-portal.md#verify-role-assignment).

-## Other possible steps for your organization

-It's possible that your organization requires more actions from subscription Owners/administrators to successfully set up an app registration. The steps required may vary depending on your organization's specific settings.

-Here are some common potential activities that an Owner or administrator on the subscription may need to do.

-* Grant admin consent for the app registration. Your organization may have **Admin Consent Required** globally turned on in Azure AD for all app registrations within your subscription. If so, the Owner/administrator may need to grant additional delegated or application permissions.

-* Activate public client access by appending `--set publicClient=true` to a create or update command for the registration.

-* Set specific reply URLs for web and desktop access using the `--reply-urls` parameter. For more information on using this parameter with `az ad` commands, see the [az ad app documentation](/cli/azure/ad/app).

-* Allow for implicit OAuth2 authentication flows using the `--oauth2-allow-implicit-flow` parameter. For more information on using this parameter with `az ad` commands, see the [az ad app documentation](/cli/azure/ad/app).

-For more information about app registration and its different setup options, see [Register an application with the Microsoft identity platform](/graph/auth-register-app-v2).

-## Next steps

-In this article, you set up an Azure AD app registration that can be used to authenticate client applications with the Azure Digital Twins APIs.

-Next, read about authentication mechanisms, including one that uses app registrations and others that don't:

-* [Write app authentication code](how-to-authenticate-client.md)

-* Azure AD app registrations don't need to be recreated. If you're using an [app registration](./how-to-create-app-registration-portal.md) to connect to the Azure Digital Twins APIs, you can reuse the same app registration with your new instance.

-If you're using a client app to communicate with Azure Digital Twins that's authenticating with an [app registration](./how-to-create-app-registration-portal.md), this error may happen because your app registration doesn't have permissions set up for the Azure Digital Twins service.

-If any of this appears differently than described, follow the instructions on how to set up an app registration in [Create an app registration with Azure Digital Twins access](./how-to-create-app-registration-portal.md).

-There are possibilities and instances where an entire regional service (be it that of Microsoft, network service providers, customer, or other cloud service providers) gets degraded. The root cause for such regional wide service impact include natural calamity. That's why, for business continuity and mission critical applications it's important to plan for disaster recovery.

-If you rely on ExpressRoute connectivity between your on-premises network and Microsoft for mission critical operations, your disaster recovery plan should also include geo-redundant network connectivity.

-### Same metro

-[Many metros](expressroute-locations-providers.md#global-commercial-azure) have two ExpressRoute locations. An example would be *Amsterdam* and *Amsterdam2*. When designing redundancy, you could build two parallel paths to Azure with both locations in the same metro. The advantage of this design is when application failover happens, end-to-end latency between your on-premises applications and Microsoft stays approximately the same. However, if there is a natural disaster such as an earthquake, connectivity for both paths may no longer be available.

-### Different metros

-When you are designing ExpressRoute connectivity for disaster recovery, you need to consider:

-| **Sao Paulo2** | [TIVIT TSM](https://www.tivit.com/en/tivit/) | 3 | Brazil South | Supported | Ascenty Data Centers |

-This feature significantly increases the throughput of Azure Firewall Premium. For more details, see [Azure Firewall performance](firewall-performance.md).

-Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), they're fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic. Spoke-to-spoke (East-West) includes traffic that goes from/to an on-premises network.

-# What is Azure Front Door Standard/Premium (Preview) Endpoint Manager?

-> * This documentation is for Azure Front Door Standard/Premium (Preview). Looking for information on Azure Front Door? View [Azure Front Door Docs](../front-door-overview.md).

-> [!IMPORTANT]

-> * Azure Front Door Standard/Premium (Preview) is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

- |securityGroupName|Replace SECURITYGROUPNAME with the client AAD security group name for Kafka Rest Proxy. The variable will be passed to the `--kafka-client-group-name` parameter for `az-hdinsight-create`.|

- |securityGroupID|Replace SECURITYGROUPID with the client AAD security group ID for Kafka Rest Proxy. The variable will be passed to the `--kafka-client-group-id` parameter for `az-hdinsight-create`.|

- |clusterVersion|HDInsight cluster version, leave as-is for this tutorial. Kafka Rest Proxy requires a minimum cluster version of 4.0.|

- |componentVersion|Kafka version, leave as-is for this tutorial. Kafka Rest Proxy requires a minimum component version of 2.1.|

- |--kafka-client-group-id|The client AAD security group ID for Kafka Rest Proxy. The value is passed from the variable **$securityGroupID**.|

- |--kafka-client-group-name|The client AAD security group name for Kafka Rest Proxy. The value is passed from the variable **$securityGroupName**.|

-IoT Edge 1.1 is the first long-term support (LTS) release channel. This version introduced no new features, but will receive security updates and fixes to regressions. IoT Edge 1.1 LTS uses .NET Core 3.1, and will be supported until December 3, 2022 to match the [.NET Core and .NET 5 release lifecycle](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

->[!IMPORTANT]

->With the release of a long-term support channel, we recommend that all current customers running 1.0.x upgrade their devices to 1.1.x to receive ongoing support.

-Find and open the Startup.cs file in your akvwebapp project.

-Add the following lines before the `app.UseEndpoints` call, updating the URI to reflect the `vaultUri` of your key vault. This code uses [DefaultAzureCredential()](/dotnet/api/azure.identity.defaultazurecredential) to authenticate to Key Vault, which uses a token from managed identity to authenticate. For more information about authenticating to Key Vault, see the [Developer's Guide](./developers-guide.md#authenticate-to-key-vault-in-code). The code also uses exponential backoff for retries in case Key Vault is being throttled. For more information about Key Vault transaction limits, see [Azure Key Vault throttling guidance](./overview-throttling.md).

-Once you have logs in your Application Insights instance, they can be used to set [Azure Monitor alerts](../azure-monitor/alerts/alerts-overview.md#what-you-can-alert-on) based on query results.

-| Customer usage attribution | All new Azure application offers must also include an [Azure partner customer usage attribution](azure-partner-customer-usage-attribution.md) GUID. For more information about customer usage attribution and how to enable it, see [Azure partner customer usage attribution](azure-partner-customer-usage-attribution.md). |

-All new Azure application offers must also include an [Azure partner customer usage attribution](azure-partner-customer-usage-attribution.md) GUID.

-All new Azure application offers must also include an [Azure partner customer usage attribution](azure-partner-customer-usage-attribution.md) GUID.

-On [Use the portal to create an Azure AD application and service principal that can access resources](/active-directory/develop/howto-create-service-principal-portal) create a service principal. Be sure to save the client ID and the appID.

-7. Click **Review + create** and then **Create** when validation completes.

-The flexible server deployment model is designed to support high availability within single availability zone and across multiple availability zones. The architecture separates compute and storage. The database engine runs on a container inside a Linux virtual machine, while data files reside on Azure storage. The storage maintains three locally redundant synchronous copies of the database files ensuring data durability.

-You can create private endpoints for a variety of Azure services, such as Azure SQL and Azure Storage.

- For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

- For a detailed tutorial on creating a web app and an endpoint, see [Tutorial: Connect to a web app by using a private endpoint](tutorial-private-endpoint-webapp-portal.md).

-First, create a resource group by using [az group create](/cli/azure/group#az-group-create):

-Next, create a virtual network, subnet, and bastion host. You'll use the bastion host to connect securely to the VM for testing the private endpoint.

-1. Create a virtual network by using [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create):

- * Name: **myVNet**

- * Address prefix: **10.0.0.0/16**

- * Subnet name: **myBackendSubnet**

- * Subnet prefix: **10.0.0.0/24**

- * Resource group: **CreatePrivateEndpointQS-rg**

- * Location: **eastus**

- ```azurecli-interactive

- az network vnet create \

- --resource-group CreatePrivateEndpointQS-rg\

- --location eastus \

- --name myVNet \

- --address-prefixes 10.0.0.0/16 \

- --subnet-name myBackendSubnet \

- --subnet-prefixes 10.0.0.0/24

- ```

-1. Update the subnet to disable private-endpoint network policies for the private endpoint by using [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update):

- ```azurecli-interactive

- az network vnet subnet update \

- --name myBackendSubnet \

- --resource-group CreatePrivateEndpointQS-rg \

- --vnet-name myVNet \

- --disable-private-endpoint-network-policies true

- ```

-1. Create a public IP address for the bastion host by using [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create):

- * Standard zone-redundant public IP address name: **myBastionIP**

- * Resource group: **CreatePrivateEndpointQS-rg**

- ```azurecli-interactive

- az network public-ip create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name myBastionIP \

- --sku Standard

- ```

-1. Create a bastion subnet by using [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create):

- * Name: **AzureBastionSubnet**

- * Address prefix: **10.0.1.0/24**

- * Virtual network: **myVNet**

- * Resource group: **CreatePrivateEndpointQS-rg**

- ```azurecli-interactive

- az network vnet subnet create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name AzureBastionSubnet \

- --vnet-name myVNet \

- --address-prefixes 10.0.1.0/24

- ```

-1. Create a bastion host by using [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create):

- * Name: **myBastionHost**

- * Resource group: **CreatePrivateEndpointQS-rg**

- * Public IP address: **myBastionIP**

- * Virtual network: **myVNet**

- * Location: **eastus**

- ```azurecli-interactive

- az network bastion create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name myBastionHost \

- --public-ip-address myBastionIP \

- --vnet-name myVNet \

- --location eastus

- ```

-## Create a test virtual machine

-Next, create a VM that you can use to test the private endpoint.

-1. Create the VM by using [az vm create](/cli/azure/vm#az-vm-create).

-1. At the prompt, provide a password to be used as the credentials for the VM:

- * Name: **myVM**

- * Resource group: **CreatePrivateEndpointQS-rg**

- * Virtual network: **myVNet**

- * Subnet: **myBackendSubnet**

- * Server image: **Win2019Datacenter**

- ```azurecli-interactive

- az vm create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name myVM \

- --image Win2019Datacenter \

- --public-ip-address "" \

- --vnet-name myVNet \

- --subnet myBackendSubnet \

- --admin-username azureuser

- ```

-## Create a private endpoint

-Next, create the private endpoint.

-1. Place the resource ID of the web app that you created earlier into a shell variable by using [az webapp list](/cli/azure/webapp#az-webapp-list).

-1. Create the endpoint and connection by using [az network private-endpoint create](/cli/azure/network/private-endpoint#az-network-private-endpoint-create):

- * Name: **myPrivateEndpoint**

- * Resource group: **CreatePrivateEndpointQS-rg**

- * Virtual network: **myVNet**

- * Subnet: **myBackendSubnet**

- * Connection name: **myConnection**

- * Web app: **\<webapp-resource-group-name>**

- ```azurecli-interactive

- id=$(az webapp list \

- --resource-group <webapp-resource-group-name> \

- --query '[].[id]' \

- --output tsv)

- az network private-endpoint create \

- --name myPrivateEndpoint \

- --resource-group CreatePrivateEndpointQS-rg \

- --vnet-name myVNet --subnet myBackendSubnet \

- --private-connection-resource-id $id \

- --group-id sites \

- --connection-name myConnection

- ```

-Next, create and configure the private DNS zone by using [az network private-dns zone create](/cli/azure/network/private-dns/zone#az-network-private-dns-zone-create).

-1. Create the virtual network link to the DNS zone by using [az network private-dns link vnet create](/cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create).

-1. Create a DNS zone group by using [az network private-endpoint dns-zone-group create](/cli/azure/network/private-endpoint/dns-zone-group#az-network-private-endpoint-dns-zone-group-create).

- * Zone name: **privatelink.azurewebsites.net**

- * Virtual network: **myVNet**

- * Resource group: **CreatePrivateEndpointQS-rg**

- * DNS link name: **myDNSLink**

- * Endpoint name: **myPrivateEndpoint**

- * Zone group name: **MyZoneGroup**

- ```azurecli-interactive

- az network private-dns zone create \

- --resource-group CreatePrivateEndpointQS-rg \

- --name "privatelink.azurewebsites.net"

- az network private-dns link vnet create \

- --resource-group CreatePrivateEndpointQS-rg \

- --zone-name "privatelink.azurewebsites.net" \

- --name MyDNSLink \

- --virtual-network myVNet \

- --registration-enabled false

- az network private-endpoint dns-zone-group create \

- ```

-## Test connectivity to the private endpoint

-Finally, use the VM that you created earlier to connect to the SQL Server instance across the private endpoint.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-

-1. On the left pane, select **Resource groups**.

-1. Select **CreatePrivateEndpointQS-rg**.

-1. Select **myVM**.

-1. On the overview page for **myVM**, select **Connect**, and then select **Bastion**.

-1. Select the blue **Use Bastion** button.

-1. Enter the username and password that you used when you created the VM.

-1. After you've connected, open PowerShell on the server.

-1. Enter `nslookup <your-webapp-name>.azurewebsites.net`, replacing *\<your-webapp-name>* with the name of the web app that you created earlier. You'll receive a message that's similar to the following:

- Name: mywebapp8675.privatelink.azurewebsites.net

- Address: 10.0.0.5

- Aliases: mywebapp8675.azurewebsites.net

- A private IP address of *10.0.0.5* is returned for the web app name. This address is in the subnet of the virtual network that you created earlier.

-1. In the bastion connection to *myVM**, open your web browser.

-1. Enter the URL of your web app, *https://\<your-webapp-name>.azurewebsites.net*.

- :::image type="content" source="./media/create-private-endpoint-portal/web-app-default-page.png" alt-text="Screenshot of the default web app page on a browser." border="true":::

-1. Close the connection to *myVM*.

-## Clean up resources

-When you're done using the private endpoint and the VM, use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all the resources within it:

-```azurecli-interactive

-az group delete \

- --name CreatePrivateEndpointQS-rg

-```

-## What you've learned

-In this quickstart, you created:

-* A virtual network and bastion host

-* A virtual machine

-* A private endpoint for an Azure web app

-You used the VM to securely test connectivity to the web app across the private endpoint.

-You can create private endpoints for a variety of Azure services, such as Azure SQL and Azure Storage.

-* An Azure account with an active subscription. If you don't already have an Azure account, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-* An Azure web app with a *PremiumV2-tier* or higher app service plan, deployed in your Azure subscription.

- For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

- For a detailed tutorial on creating a web app and an endpoint, see [Tutorial: Connect to a web app by using a private endpoint](tutorial-private-endpoint-webapp-portal.md).

-First, you'll create a virtual network, subnet, and bastion host.

-You'll use the bastion host to connect securely to the VM for testing the private endpoint.

-1. Create a virtual network and bastion host with:

- * [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork)

- * [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress)

- * [New-AzBastion](/powershell/module/az.network/new-azbastion)

-1. Configure the back-end subnet.

- ```azurepowershell-interactive

- $subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24

- ```

-1. Create the Azure Bastion subnet:

- ```azurepowershell-interactive

- $bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24

- ```

-1. Create the virtual network:

- ```azurepowershell-interactive

- $parameters1 = @{

- Name = 'MyVNet'

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Location = 'eastus'

- AddressPrefix = '10.0.0.0/16'

- Subnet = $subnetConfig, $bastsubnetConfig

- }

- $vnet = New-AzVirtualNetwork @parameters1

- ```

-1. Create the public IP address for the bastion host:

- ```azurepowershell-interactive

- $parameters2 = @{

- Name = 'myBastionIP'

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Location = 'eastus'

- Sku = 'Standard'

- AllocationMethod = 'Static'

- }

- $publicip = New-AzPublicIpAddress @parameters2

- ```

-1. Create the bastion host:

- ```azurepowershell-interactive

- $parameters3 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Name = 'myBastion'

- PublicIpAddress = $publicip

- VirtualNetwork = $vnet

- }

- New-AzBastion @parameters3

- ```

-It can take a few minutes for the Azure Bastion host to deploy.

-## Create a test virtual machine

-Next, create a VM that you can use to test the private endpoint.

-1. Create the VM by using:

- * [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential)

- * [New-AzNetworkInterface](/powershell/module/az.network/new-aznetworkinterface)

- * [New-AzVM](/powershell/module/az.compute/new-azvm)

- * [New-AzVMConfig](/powershell/module/az.compute/new-azvmconfig)

- * [Set-AzVMOperatingSystem](/powershell/module/az.compute/set-azvmoperatingsystem)

- * [Set-AzVMSourceImage](/powershell/module/az.compute/set-azvmsourceimage)

- * [Add-AzVMNetworkInterface](/powershell/module/az.compute/add-azvmnetworkinterface)

-1. Get the server admin credentials and password:

- ```azurepowershell-interactive

- $cred = Get-Credential

- ```

-1. Get the virtual network configuration:

- ```azurepowershell-interactive

- $vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg

- ```

-1. Create a network interface for the VM:

- ```azurepowershell-interactive

- $parameters1 = @{

- Name = 'myNicVM'

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Location = 'eastus'

- Subnet = $vnet.Subnets[0]

- }

- $nicVM = New-AzNetworkInterface @parameters1

- ```

-1. Configure the VM:

- ```azurepowershell-interactive

- $parameters2 = @{

- VMName = 'myVM'

- VMSize = 'Standard_DS1_v2'

- }

- $parameters3 = @{

- ComputerName = 'myVM'

- Credential = $cred

- }

- $parameters4 = @{

- PublisherName = 'MicrosoftWindowsServer'

- Offer = 'WindowsServer'

- Skus = '2019-Datacenter'

- Version = 'latest'

- }

- $vmConfig =

- New-AzVMConfig @parameters2 | Set-AzVMOperatingSystem -Windows @parameters3 | Set-AzVMSourceImage @parameters4 | Add-AzVMNetworkInterface -Id $nicVM.Id

- ```

-1. Create the VM:

- ```azurepowershell-interactive

- New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'eastus' -VM $vmConfig

- ```

-## Create a private endpoint

-1. Create a private endpoint and connection by using:

- * [New-AzPrivateLinkServiceConnection](/powershell/module/az.network/New-AzPrivateLinkServiceConnection)

- * [New-AzPrivateEndpoint](/powershell/module/az.network/new-azprivateendpoint)

-1. Place the web app into a variable. Replace \<webapp-resource-group-name> with the resource group name of your web app, and replace \<your-webapp-name> with your web app name.

- ```azurepowershell-interactive

- $webapp = Get-AzWebApp -ResourceGroupName <webapp-resource-group-name> -Name <your-webapp-name>

- ```

-1. Create the private endpoint connection:

- ```azurepowershell-interactive

- $parameters1 = @{

- Name = 'myConnection'

- PrivateLinkServiceId = $webapp.ID

- GroupID = 'sites'

- }

- $privateEndpointConnection = New-AzPrivateLinkServiceConnection @parameters1

- ```

-1. Place the virtual network into a variable:

- ```azurepowershell-interactive

- $vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

- ```

-1. Disable the private endpoint network policy:

- ```azurepowershell-interactive

- $vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"

- $vnet | Set-AzVirtualNetwork

- ```

-1. Create the private endpoint:

- ```azurepowershell-interactive

- $parameters2 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Name = 'myPrivateEndpoint'

- Location = 'eastus'

- Subnet = $vnet.Subnets[0]

- PrivateLinkServiceConnection = $privateEndpointConnection

- }

- New-AzPrivateEndpoint @parameters2

- ```

-## Configure the private DNS zone

-1. Create and configure the private DNS zone by using:

- * [New-AzPrivateDnsZone](/powershell/module/az.privatedns/new-azprivatednszone)

- * [New-AzPrivateDnsVirtualNetworkLink](/powershell/module/az.privatedns/new-azprivatednsvirtualnetworklink)

- * [New-AzPrivateDnsZoneConfig](/powershell/module/az.network/new-azprivatednszoneconfig)

- * [New-AzPrivateDnsZoneGroup](/powershell/module/az.network/new-azprivatednszonegroup)

-1. Place the virtual network into a variable:

- ```azurepowershell-interactive

- $vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

- ```

-1. Create the private DNS zone:

- ```azurepowershell-interactive

- $parameters1 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- Name = 'privatelink.azurewebsites.net'

- }

- $zone = New-AzPrivateDnsZone @parameters1

- ```

-1. Create a DNS network link:

- ```azurepowershell-interactive

- $parameters2 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- ZoneName = 'privatelink.azurewebsites.net'

- Name = 'myLink'

- VirtualNetworkId = $vnet.Id

- }

- $link = New-AzPrivateDnsVirtualNetworkLink @parameters2

- ```

-1. Configure the DNS zone:

- ```azurepowershell-interactive

- $parameters3 = @{

- Name = 'privatelink.azurewebsites.net'

- PrivateDnsZoneId = $zone.ResourceId

- }

- $config = New-AzPrivateDnsZoneConfig @parameters3

- ```

-1. Create the DNS zone group:

- ```azurepowershell-interactive

- $parameters4 = @{

- ResourceGroupName = 'CreatePrivateEndpointQS-rg'

- PrivateEndpointName = 'myPrivateEndpoint'

- Name = 'myZoneGroup'

- PrivateDnsZoneConfig = $config

- }

- New-AzPrivateDnsZoneGroup @parameters4

- ```

-Finally, use the VM you created in the previous step to connect to the SQL server across the private endpoint.

-1. On the left pane, select **Resource groups**.

-1. Select **CreatePrivateEndpointQS-rg**.

-1. Select **myVM**.

-1. On the overview page for **myVM**, select **Connect**, and then select **Bastion**.

-1. Select the blue **Use Bastion** button.

-1. Enter the username and password that you used when you created the VM.

-1. After you've connected, open PowerShell on the server.

-1. Enter `nslookup <your-webapp-name>.azurewebsites.net`. Replace **\<your-webapp-name>** with the name of the web app that you created earlier. You'll receive a message that's similar to the following:

- Name: mywebapp8675.privatelink.azurewebsites.net

- Address: 10.0.0.5

- Aliases: mywebapp8675.azurewebsites.net

- A private IP address of *10.0.0.5* is returned for the web app name. This address is in the subnet of the virtual network that you created earlier.

-1. In the bastion connection to **myVM**, open your web browser.

-1. Enter the URL of your web app, **https://\<your-webapp-name>.azurewebsites.net**.

- :::image type="content" source="./media/create-private-endpoint-portal/web-app-default-page.png" alt-text="Screenshot of the default web app page on a browser." border="true":::

-1. Close the connection to **myVM**.

-## Clean up resources

-When you're done using the private endpoint and the VM, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all the resources within it:

-```azurepowershell-interactive

-Remove-AzResourceGroup -Name CreatePrivateEndpointQS-rg -Force

-```

-## What you've learned

-In this quickstart, you created:

-* A virtual network and bastion host

-* A virtual machine

-* A private endpoint for an Azure web app

-You used the VM to securely test connectivity to the web app across the private endpoint.

-description: Learn how to create a private endpoint for an Azure service with a static private IP address.

-# Create a private endpoint with a static IP address using PowerShell

- A private endpoint IP address is allocated by DHCP in your virtual network by default. In this article, you'll create a private endpoint with a static IP address.

-## Prerequisites

- - For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

-

- - The example webapp in this article is named **myWebApp1979**. Replace the example with your webapp name.

-If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. To find the installed version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see [Install the Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

-## Create a resource group

-An Azure resource group is a logical container where Azure resources are deployed and managed.

-Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup):

-```azurepowershell-interactive

-New-AzResourceGroup -Name 'myResourceGroup' -Location 'eastus'

-```

-## Create a virtual network and bastion host

-A virtual network and subnet is required for to host the private IP address for the private endpoint. You'll create a bastion host to connect securely to the virtual machine to test the private endpoint. You'll create the virtual machine in a later section.

-In this section, you'll:

-```azurepowershell-interactive

-## Configure the back-end subnet. ##

-$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24

-## Create the Azure Bastion subnet. ##

-$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24

-## Create the virtual network. ##

-$net = @{

- Name = 'MyVNet'

- ResourceGroupName = 'myResourceGroup'

- Location = 'eastus'

- AddressPrefix = '10.0.0.0/16'

- Subnet = $subnetConfig, $bastsubnetConfig

-}

-$vnet = New-AzVirtualNetwork @net

-## Create the public IP address for the bastion host. ##

-$ip = @{

- Name = 'myBastionIP'

- ResourceGroupName = 'myResourceGroup'

- Location = 'eastus'

- Sku = 'Standard'

- AllocationMethod = 'Static'

- Zone = 1,2,3

-}

-$publicip = New-AzPublicIpAddress @ip

-## Create the bastion host. ##

-$bastion = @{

- ResourceGroupName = 'myResourceGroup'

- Name = 'myBastion'

- PublicIpAddress = $publicip

- VirtualNetwork = $vnet

-}

-New-AzBastion @bastion -AsJob

-```

-## Create a private endpoint

-An Azure service that supports private endpoints is required to setup the private endpoint and connection to the virtual network. For the examples in this article, we are using an Azure WebApp from the prerequisites. For more information on the Azure services that support a private endpoint, see [Azure Private Link availability](availability.md).

-> [!IMPORTANT]

-> You must have a previously deployed Azure WebApp to proceed with the steps in this article. See [Prerequisites](#prerequisites) for more information.

-In this section, you'll:

-```azurepowershell-interactive

-## Place the previously created webapp into a variable. ##

-$webapp = Get-AzWebApp -ResourceGroupName myResourceGroup -Name myWebApp1979

-## Create the private endpoint connection. ##

-$pec = @{

- Name = 'myConnection'

- PrivateLinkServiceId = $webapp.ID

- GroupID = 'sites'

-}

-$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

-## Place the virtual network you created previously into a variable. ##

-$vnet = Get-AzVirtualNetwork -ResourceGroupName 'myResourceGroup' -Name 'myVNet'

-## Disable the private endpoint network policy. ##

-$vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"

-$vnet | Set-AzVirtualNetwork

-## Create the static IP configuration. ##

-$ip = @{

- Name = 'myIPconfig'

- GroupId = 'sites'

- MemberName = 'sites'

- PrivateIPAddress = '10.0.0.10'

-}

-$ipconfig = New-AzPrivateEndpointIpConfiguration @ip

-## Create the private endpoint. ##

-$pe = @{

- ResourceGroupName = 'myResourceGroup'

- Name = 'myPrivateEndpoint'

- Location = 'eastus'

- Subnet = $vnet.Subnets[0]

- PrivateLinkServiceConnection = $privateEndpointConnection

- IpConfiguration = $ipconfig

-}

-New-AzPrivateEndpoint @pe

-```

-## Configure the private DNS zone

-A private DNS zone is used to resolve the DNS name of the private endpoint in the virtual network. For this example, we are using the DNS information for an Azure WebApp, for more information on the DNS configuration of private endpoints, see [Azure Private Endpoint DNS configuration](private-endpoint-dns.md)].

-In this section, you'll:

-```azurepowershell-interactive

-## Place the virtual network into a variable. ##

-$vnet = Get-AzVirtualNetwork -ResourceGroupName 'myResourceGroup' -Name 'myVNet'

-## Create the private DNS zone. ##

-$zn = @{

- ResourceGroupName = 'myResourceGroup'

- Name = 'privatelink.azurewebsites.net'

-}

-$zone = New-AzPrivateDnsZone @zn

-## Create a DNS network link. ##

-$lk = @{

- ResourceGroupName = 'myResourceGroup'

- ZoneName = 'privatelink.azurewebsites.net'

- Name = 'myLink'

- VirtualNetworkId = $vnet.Id

-}

-$link = New-AzPrivateDnsVirtualNetworkLink @lk

-## Configure the DNS zone. ##

-$cg = @{

- Name = 'privatelink.azurewebsites.net'

- PrivateDnsZoneId = $zone.ResourceId

-}

-$config = New-AzPrivateDnsZoneConfig @cg

-## Create the DNS zone group. ##

-$zg = @{

- ResourceGroupName = 'myResourceGroup'

- PrivateEndpointName = 'myPrivateEndpoint'

- Name = 'myZoneGroup'

- PrivateDnsZoneConfig = $config

-}

-New-AzPrivateDnsZoneGroup @zg

-```

-## Create a test virtual machine

-To verify the static IP address and the functionality of the private endpoint, a test virtual machine connected to your virtual network is required.

-In this section, you'll:

-```azurepowershell-interactive

-## Create the credential for the virtual machine. Enter a username and password at the prompt. ##

-$cred = Get-Credential

-## Place the virtual network into a variable. ##

-$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup

-## Create a network interface for the virtual machine. ##

-$nic = @{

- Name = 'myNicVM'

- ResourceGroupName = 'myResourceGroup'

- Location = 'eastus'

- Subnet = $vnet.Subnets[0]

-}

-$nicVM = New-AzNetworkInterface @nic

-## Create the configuration for the virtual machine. ##

-$vm1 = @{

- VMName = 'myVM'

- VMSize = 'Standard_DS1_v2'

-}

-$vm2 = @{

- ComputerName = 'myVM'

- Credential = $cred

-}

-$vm3 = @{

- PublisherName = 'MicrosoftWindowsServer'

- Offer = 'WindowsServer'

- Skus = '2019-Datacenter'

- Version = 'latest'

-}

-$vmConfig =

-New-AzVMConfig @vm1 | Set-AzVMOperatingSystem -Windows @vm2 | Set-AzVMSourceImage @vm3 | Add-AzVMNetworkInterface -Id $nicVM.Id

-## Create the virtual machine. ##

-New-AzVM -ResourceGroupName 'myResourceGroup' -Location 'eastus' -VM $vmConfig

-```

-## Test connectivity with the private endpoint

-Use the VM you created in the previous step to connect to the webapp across the private endpoint.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-

-2. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines**.

-3. Select **myVM**.

-4. On the overview page for **myVM**, select **Connect**, and then select **Bastion**.

-5. Enter the username and password that you used when you created the VM. Select **Connect**.

-6. After you've connected, open PowerShell on the server.

-7. Enter `nslookup mywebapp1979.azurewebsites.net`. Replace **mywebapp1979** with the name of the web app that you created earlier. You'll receive a message that's similar to the following:

- ```powershell

- Server: UnKnown

- Address: 168.63.129.16

- Non-authoritative answer:

- Name: mywebapp1979.privatelink.azurewebsites.net

- Address: 10.0.0.10

- Aliases: mywebapp1979.azurewebsites.net

- ```

- A static private IP address of *10.0.0.10* is returned for the web app name.

-8. In the bastion connection to **myVM**, open the web browser.

-9. Enter the URL of your web app, **https://mywebapp1979.azurewebsites.net**.

- If your web app hasn't been deployed, you'll get the following default web app page:

- :::image type="content" source="./media/private-endpoint-static-ip-powershell/web-app-default-page.png" alt-text="Screenshot of the default web app page on a browser." border="true":::

-10. Close the connection to **myVM**.

-## Next steps

-To learn more about Private Link and Private endpoints, see

-If both ExpressRoute circuits (to AVS and to on-premises) are terminated in the same ExpressRoute gateway, you could think that the gateway is going to route packets across them. However, an ExpressRoute gateway isn't designed to do that. Instead, you need to hairpin the traffic to a Network Virtual Appliance that is able to route the traffic. To that purpose, two actions are required:

-If advertising less specific prefixes isn't possible, you could instead implement an alternative design using two separate VNets. In this design, instead of propagating less specific routes to attract traffic to the ExpressRoute gateway, two different NVAs in separate VNets exchange routes between each other, and propagate them to their respective ExpressRoute circuits via BGP and Azure Route Server, as the following diagram shows:

-Note that some sort of encapsulation protocol such as VXLAN or IPsec is required between the NVAs. The reason why encapsulation is needed is because the NVA NICs would learn the routes from ExpressRoute and from the Route Server, so they would send packets that need to be routed to the other NVA in the wrong direction. This would create a routing loop returning the packets to the local NVA.

-The main difference between this dual VNet design and the previously described single VNet design is that with two VNets you're actually interconnecting from a routing perspective both ExpressRoute circuits (AVS and on-premises), meaning that whatever is learned from one will be advertised to the other. In the single-VNet design described earlier in this document a common set of supernets or less specific prefixes are sent down both circuits to attract traffic to the VNet.

-The **"Entities - Get \<entity name>"** action allows you to do the following:

-description: Integrate Azure SignalR Service into your application with Service Connector

-This page shows the supported authentication types and client types of Azure SignalR Service using Service Connector. You might still be able to connect to Azure SignalR Service in other programming languages without using Service Connector. This page also shows default environment variable name and value (or Spring Boot configuration) you get when you create the service connection. You can learn more about [Service Connector environment variable naming convention](concept-service-connector-internals.md).

-## Supported Authentication types and client types

-**Secret/ConnectionString**

-| Default environment variable name | Description | Example value |

-| | | |

-| AZURE_SIGNALR_CONNECTIONSTRING | SignalR Service connection string | `Endpoint=https://{signalrName}.service.signalr.net;AccessKey={};Version=1.0;` |

-**System-assigned Managed Identity**

-| Default environment variable name | Description | Example value |

-| | | |

-| AZURE_SIGNALR_CONNECTIONSTRING | SignalR Service connection string with Managed Identity | `Endpoint=https://{signalrName}.service.signalr.net;AuthType=aad;ClientId={};Version=1.0;` |

-**User-assigned Managed Identity**

-| Default environment variable name | Description | Example value |

-| | | |

-| AZURE_SIGNALR_CONNECTIONSTRING | SignalR Service connection string with Managed Identity | `Endpoint=https://{signalrName}.service.signalr.net;AuthType=aad;ClientId={};Version=1.0;` |

-**Service Principal**

-| Default environment variable name | Description | Example value |

-| | | |

-| AZURE_SIGNALR_CONNECTIONSTRING | SignalR Service connection string with Service Principal | `Endpoint=https://{signalrName}.service.signalr.net;AuthType=aad;ClientId={};ClientSecret={};TenantId={};Version=1.0;` |

-Follow the tutorials listed below to learn more about Service Connector.

-description: Error list and suggested actions of Service Connector

-If you come across an issue, you can refer to the error message to find suggested actions or fixes. This how-to guide shows you several options to troubleshoot Service Connector.

-## Troubleshooting from the Azure portal

-| Unknown resource type | <ul><li>Check source and target resource to verify whether the service types are supported by Service Connector.</li><li>Check whether the specified source-target connection combination is supported by Service Connector.</li></ul> |

-| Unknown resource type | <ul><li>Check whether the target resource exists.</li><li>Check the correctness of the target resource ID.</li></ul> |

-### Troubleshooting using the Azure CLI

-#### InvalidArgumentValueError

-| Required keys missing for parameter `{Parameter}`. All possible keys are: `{Keys}` | Provide value for the auth info parameter, usually in the form of `--param key1=val1 key2=val2`. |

-| Only one auth info is needed | User can only provide one auth info parameter. Check whether auth info is missing or multiple auth info parameters are provided. |

-| Auth info argument should be provided when updating the connection: `{ConnectionName}` | When you update a secret type connection, auth info parameter should be provided. This error occurs because user's secret cannot be accessed through the ARM API.

-| Either client type or auth info should be specified to update | When you update a connection, either client type or auth info should be provided. |

-| Usage error: {} [KEY=VALUE ...] | Check the available keys and provide values for the auth info parameter, usually in the form of `--param key1=val1 key2=val2`. |

-| Unsupported Key `{Key}` is provided for parameter `{Parameter}`. All possible keys are: `{Keys}` | Check the available keys and provide values for the auth info parameter, usually in the form of `--param key1=val1 key2=val2`. |

-The Service Connector service helps you connect Azure compute services to other backing services. This service configures the network settings and connection information (for example, generating environment variables) between compute services and target backing services in management plane. Developers use their preferred SDK or library that consumes the connection information to do data plane operations against the target backing service.

-## What are the benefits using Service Connector?

-**Connect to target backing service with just a single command or a few clicks:**

-* **Azure Portal:** Use the guided portal experience to create service-to-service connections and manage connections with a hierarchy list.

-Use the Azure CLI [[az spring-cloud connection](quickstart-cli-spring-cloud-connection.md)] command to create and manage service connections to your Spring Cloud application.

-#### [Using an access key](#tab/Using-access-key)

-Use the Azure CLI [az spring-cloud connection]() command to create a service connection to an Azure Blob Storage with an access key, providing the following information:

-#### [Using Managed Identity](#tab/Using-Managed-Identity)

-Use the Azure CLI [az spring-cloud connection](quickstart-cli-spring-cloud-connection.md) command to create a service connection to a Blob Storage with System-assigned Managed Identity, providing the following information:

-> - [Tutorial: Spring Cloud + MySQL](./tutorial-java-spring-mysql.md)

-> - [Tutorial: Spring Cloud + Apache Kafka on Confluent Cloud](./tutorial-java-spring-confluent-kafka.md)

-description: Quickstart showing how to create a service connection in Spring Cloud from Azure portal

-1. Then select **Next: Review + Create** to review the provided information. Then select **Create** to create the service connection. It might take 1 minute to complete the operation.

-1. Select the ellipsis **...** and **Validate**. You can see the connection validation details in the pop-up blade from the right.

-The preceding snippets are all for specifying MoveCost for a whole service at once from outside the service itself. However, move cost is most useful when the move cost of a specific service object changes over its lifespan. Since the services themselves probably have the best idea of how costly they are to move a given time, there's an API for services to report their own individual move cost during runtime.

-## Azure status history

-While the Azure status page always shows the latest health information, you can view older events using the [Azure status history page](https://status.azure.com/status/history/). The history page contains all RCAs for incidents that occurred on November 20th, 2019 or later and will - from that date forward - provide a 5-year RCA history. RCAs prior to November 20th, 2019 are not available.

-description: Azure storage offers different access tiers so that you can store your blob data in the most cost-effective manner based on how it is being used. Learn about the Hot, Cool, and Archive access tiers for Blob Storage.

-Data stored in the cloud grows at an exponential pace. To manage costs for your expanding storage needs, it can be helpful to organize your data based on how frequently it will be accessed and how long it will be retained. Azure storage offers different access tiers so that you can store your blob data in the most cost-effective manner based on how it is being used. Azure Storage access tiers include:

-A blob in the Cool tier in a general-purpose v2 accounts is subject to an early deletion penalty if it is deleted or moved to a different tier before 30 days has elapsed. This charge is prorated. For example, if a blob is moved to the Cool tier and then deleted after 21 days, you'll be charged an early deletion fee equivalent to 9 (30 minus 21) days of storing that blob in the Cool tier.

-An archived blob's metadata remains available for read access, so that you can list the blob and its properties, metadata, and index tags. Metadata for a blob in the Archive tier is read-only, while blob index tags can be read or written. Snapshots are not supported for archived blobs.

-Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the Archive tier. The Archive tier is not supported for ZRS, GZRS, or RA-GZRS accounts. For more information about redundancy configurations for Azure Storage, see [Azure Storage redundancy](../common/storage-redundancy.md).

-The default access tier for a new general-purpose v2 storage account is set to the Hot tier by default. You can change the default access tier setting when you create a storage account or after it is created. If you do not change this setting on the storage account or explicitly set the tier when uploading a blob, then a new blob is uploaded to the Hot tier by default.

-Changing the default access tier setting for a storage account applies to all blobs in the account for which an access tier has not been explicitly set. If you toggle the default access tier setting from Hot to Cool in a general-purpose v2 account, then you are charged for write operations (per 10,000) for all blobs for which the access tier is inferred. You are charged for both read operations (per 10,000) and data retrieval (per GB) if you toggle from Cool to Hot in a general-purpose v2 account.

-When you create a legacy Blob Storage account, you must specify the default access tier setting as Hot or Cool at create time. There's no charge for changing the default account access tier setting from Hot to Cool in a legacy Blob Storage account. You are charged for both read operations (per 10,000) and data retrieval (per GB) if you toggle from Cool to Hot in a Blob Storage account. Microsoft recommends using general-purpose v2 storage accounts rather than Blob Storage accounts when possible.

-¹ Objects in the Cool tier on general-purpose v2 accounts have a minimum retention duration of 30 days. For Blob Storage accounts, there is no minimum retention duration for the Cool tier.

-| [Standard general-purpose v2](https://docs.microsoft.com/azure/storage/common/storage-account-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#types-of-storage-accounts) |  |  |  |  |

-| [Premium block blobs](https://docs.microsoft.com/azure/storage/common/storage-account-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#types-of-storage-accounts) |  |  |  |  |

-To update an ACL, create a new ACL object with the ACL entry that you want to update, and then use that object in update ACL operation. Do not get the existing ACL, just provide ACL entries to be updated.

-## Download the flight data

-1. Browse to [Research and Innovative Technology Administration, Bureau of Transportation Statistics](https://www.transtats.bts.gov/DL_SelectFields.asp?Table_ID=236&DB_Short_Name=On-Time).

-2. On the page, select the following values:

- | Name | Value |

- | | |

- | Filter Year |2013 |

- | Filter Period |January |

- | Fields |Year, FlightDate, Reporting_Airline, IATA_CODE_Reporting_Airline, Flight_Number_Reporting_Airline, OriginAirportID, Origin, OriginCityName, OriginState, DestAirportID, Dest, DestCityName, DestState, DepDelayMinutes, ArrDelay, ArrDelayMinutes, CarrierDelay, WeatherDelay, NASDelay, SecurityDelay, LateAircraftDelay. |

- Clear all other fields.

-3. Select **Download**. You get a .zip file with the data fields you selected.

-## Extract and upload the data

-In this section, you'll upload data to your HDInsight cluster and then copy that data to your Data Lake Storage Gen2 account.

-1. Open a command prompt and use the following Secure Copy (Scp) command to upload the .zip file to the HDInsight cluster head node:

-2. After the upload has finished, connect to the cluster by using SSH. On the command prompt, enter the following command:

-3. Use the following command to unzip the .zip file:

-4. Use the following command to create the Data Lake Storage Gen2 container.

-5. Use the following command to create a directory.

-6. Use the following command to copy the *.csv* file to the directory:

-1. Go to [Research and Innovative Technology Administration, Bureau of Transportation Statistics](https://www.transtats.bts.gov/DL_SelectFields.asp?gnoyr_VQ=FGJ).

-2. Select the **Prezipped File** check box to select all data fields.

-3. Select the **Download** button and save the results to your computer.

-4. Unzip the contents of the zipped file and make a note of the file name and the path of the file. You need this information in a later step.

-Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data cannot be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes. Immutability policies include time-based retention policies and legal holds. For more information about immutability policies for Blob Storage, see [Store business-critical blob data with immutable storage](immutable-storage-overview.md).

-After the storage account is created, you can configure a default version-level policy for the account. For more details, see [Configure a default time-based retention policy](#configure-a-default-time-based-retention-policy).

-Keep in mind that enabling version-level immutability support for a container does not make data in that container immutable. You must also either configure a default immutability policy for the container, or an immutability policy on a specific blob version. If you enabled version-level immutability for the storage account when it was created, you can also configure a default immutability policy for the account.

-To configure version-level immutability policies for an existing container, you must migrate the container to support version-level immutable storage. Container migration may take some time and cannot be reversed. You can migrate ten containers at a time per storage account.

-If the container has an existing container-level legal hold, then it cannot be migrated until the legal hold is removed.

-To migrate a container to support version-level immutable storage in the Azure portal, follow these steps:

-While the migration operation is underway, the scope of the policy on the container shows as *Container*.

-If the container does not have an existing time-based retention policy when you attempt to migrate to version-level immutability, then the operation fails. The following example checks the value of the **JobStateInfo.State** property and displays the error message if the operation failed because the container-level policy does not exist.

-The default policy is not automatically applied to blob versions that existed before the default policy was configured.

-You can also configure a time-based retention policy on a previous version of a blob. A previous version is always immutable in that it cannot be modified. However, a previous version can be deleted. A time-based retention policy protects against deletion while it is in effect.

-1. Configure the time-based retention policy for the new blob in the **Retention policy** field. If there is a default policy configured for the container, that policy is selected by default. You can also specify a custom policy for the blob.

-You can modify an unlocked time-based retention policy to shorten or lengthen the retention interval. You can also delete an unlocked policy. Editing or deleting an unlocked time-based retention policy for a blob version does not affect policies in effect for any other versions. If there is a default time-based retention policy in effect for the container, then the blob version with the modified or deleted policy will no longer inherit from the container.

-When you have finished testing a time-based retention policy, you can lock the policy. A locked policy is compliant with SEC 17a-4(f) and other regulatory compliance. You can lengthen the retention interval for a locked policy up to five times, but you cannot shorten it.

-After a policy is locked, you cannot delete it. However, you can delete the blob after the retention interval has expired.

-Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against regional outages. However, that data is available to be read only if the customer or Microsoft initiates a failover from the primary to secondary region. When you enable read access to the secondary region, your data is always available to be read, including in a situation where the primary region becomes unavailable. For read access to the secondary region, enable read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).

-> [!IMPORTANT]

-> The following information can only be used with version 9 (or above) of the storage sync agent. Versions lower than 9 will not have the StorageSyncSelfService cmdlets.

-In Azure File Sync agent version 9 and above, [Volume Shadow Copy Service (VSS) snapshots](file-sync-deployment-guide.md#self-service-restore-through-previous-versions-and-vss-volume-shadow-copy-service) (including the **Previous Versions** tab) are supported on volumes with cloud tiering enabled. This allows you to perform self-service restores instead of relying on an admin to perform restores for you. However, you must enable previous version compatibility through PowerShell, which will increase your snapshot storage costs. VSS snapshots don't protect against disasters on the server endpoint itself, so they should only be used alongside cloud-side backups. For details, see [Self Service restore through Previous Versions and VSS](file-sync-deployment-guide.md#self-service-restore-through-previous-versions-and-vss-volume-shadow-copy-service).

-> Before using NFS file shares for production, see the [Troubleshoot Azure NFS file shares](storage-troubleshooting-files-nfs.md) article for a list of known issues.

-> Before using NFS file shares for production, see the [Troubleshoot Azure NFS file shares](storage-troubleshooting-files-nfs.md) article for a list of known issues.

-The following workloads have known issues. See the [Troubleshoot Azure NFS file shares](storage-troubleshooting-files-nfs.md) article for list of known issues:

- > The provided mounting script will mount the NFS share only until the Linux machine is rebooted. To automatically mount the share every time the machine reboots, use a [static mount with /etc/fstab](storage-how-to-use-files-linux.md#static-mount-with-etcfstab).

-description: Troubleshoot Azure NFS file share problems.

-# Troubleshoot Azure NFS file share problems

-This article lists some common problems and known issues related to Azure NFS file shares. It provides potential causes and workarounds when these problems are encountered.

-## Cannot connect to or mount an Azure NFS file share

-1. When the connection is established, you will see fields that are present in the output data.

-2. Paste the following script and **Run** it using the **Built-in** serverless SQL endpoint. Replace *container* and *adlsname* with the name of the container and ADLS Gen2 account used in the previous step.

- ``SQL

-1. In the **Filter** area, select a field to filter the incoming data with a condition.

-1. Select the Azure Data Lake Gen2 table to send your filtered data:

-You can see the job under the Process Data section in the **Stream Analytics jobs** tab. Select **Open metrics** to monitor it or stop and restart it, as needed.

-#### Choosing the workload for the initial migration

-There are a few differences in SQL Data Manipulation Language (DML) syntax between Netezza SQL and Azure Synapse (T-SQL) that you should be aware during migration:

-### Extracting metadata and data from a Netezza environment

-#### Use Workload management

-Use [Workload management](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-workload-management?context=/azure/synapse-analytics/context/context) instead of resource classes. ETL would be in its own workgroup and should be configured to have more resources per query (less concurrency by more resources). For more information, see [What is dedicated SQL pool in Azure Synapse Analytics](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is).

-#### Migrating data marts&mdash;stay physical or go virtual?

-### Re-engineering existing Netezza-specific scripts

-### Using existing third-party ETL tools

-### Scaling compute resources

-## Accessing Azure Synapse Analytics using Microsoft and third-party BI tools

-## Minimizing the impact of data warehouse migration on BI tools and reports using data virtualization

-## Identifying high priority reports to migrate first

-Whatever the decision is, it must involve the business, since they produce the reports and dashboards, and consume the insights these artifacts provide in support of the decisions that are made around your business. That said, if most reports and dashboards can be migrated seamlessly, with minimal effort, and offer up like- for-like results, simply by pointing your BI tool(s) at Azure Synapse, instead of your legacy data warehouse system, then everyone benefits. Therefore, if it's that straight forward and there's no reliance on legacy system proprietary SQL extensions, then there's no doubt that the above ease of migration option breeds confidence.

-### Migrating reports based on usage

-Usage is interesting, since it's an indicator of business value. Reports and dashboards that are never used clearly aren't contributing to supporting any decisions and$1 [don't currently offer any value. So, do you've any mechanism for finding out which reports, and dashboards are currently not used? Several BI tools provide statistics on usage, which would be an obvious place to start.

-### Migrating reports based on business value

-### Migrating reports based on data migration strategy

-### Gauging the impact of SQL incompatibilities on your reporting portfolio

-#### Using EXPLAIN statements to find SQL incompatibilities

-## Testing report and dashboard migration to Azure Synapse Analytics

-## Analyzing lineage to understand dependencies between reports, dashboards, and data

-## Migrating BI tool semantic layers to Azure Synapse Analytics

-# Minimizing SQL issues for Netezza migrations

-Migrating your existing data warehouse to Azure Synapse enables you to utilize:

-Several tools from Microsoft and third-party partner vendors can help you migrate your existing data warehouse to Azure Synapse.

-They include:

-Let's look at these in more detail.

-Microsoft offers several tools to help you migrate your existing data warehouse to Azure Synapse. They are:

-> Data Factory allows you to build scalable data integration pipelines code free.

-[Azure Data Factory connectors](/azure/data-factory/connector-overview?msclkid=00086e4acff211ec9263dee5c7eb6e69) connect to external data sources and databases and have templates for common data integration tasks. A visual front-end, browser-based, GUI enables non-programmers to create and run process pipelines to ingest, transform, and load data, while more experienced programmers have the option to incorporate custom code if necessary, such as Python programs.

-Development of simple or comprehensive ETL and ELT processes without coding or maintenance, with a few clicks. These processes ingest, move, prepare, transform, and process your data. Design and manage scheduling and triggers in Azure Data Factory to build an automated data integration and loading environment. Define, manage, and schedule PolyBase bulk data load processes in Data Factory.

-Use Data Factory to implement and manage a hybrid environment that includes on-premises, cloud, streaming and SaaS data&mdash;for example, from applications like Salesforce&mdash;in a secure and consistent way.

-A new capability in Data Factory is wrangling data flows. This opens up Data Factory to business users to make use of platform and allows them to visually discover, explore, and prepare data at scale without writing code. This easy-to-use Data Factory capability is like Microsoft Excel Power Query or Microsoft Power BI Dataflows, where self-service data preparation business users use a spreadsheet style user interface, with drop-down transforms, to prepare and integrate data.

-Azure ExpressRoute creates private connections between Azure data centers and infrastructure on your premises or in a collocation environment. ExpressRoute connections don't go over the public Internet, and they offer more reliability, faster speeds, and lower latencies than typical Internet connections. In some cases, using ExpressRoute connections to transfer data between on-premises systems and Azure can give you significant cost benefits.

-[AzCopy](/azure/storage/common/storage-use-azcopy-v10) is a command line utility that copies files to Azure Blob Storage via a standard internet connection. You can use it to upload extracted, compressed, delimited text files before loading via PolyBase or native parquet reader (if the exported files are parquet) in a warehouse migration project. Individual files, file selections, and file directories can be uploaded.

-Microsoft offers a service called Azure Data Box. This service writes data to be migrated to a physical storage device. This device is then shipped to an Azure data center and loaded into cloud storage. This service can be cost-effective for large volumes of data&mdash;for example, tens or hundreds of terabytes&mdash;or where network bandwidth isn't readily available and is typically used for the one-off historical data load when migrating a large amount of data to Azure Synapse.

-Another service available is Data Box Gateway, a virtualized cloud storage gateway device that resides on your premises and sends your images, media, and other data to Azure. Use Data Box Gateway for one-off migration tasks or ongoing incremental data uploads.

-PolyBase is tightly integrated with Azure Data Factory (see next section) to enable data load ETL/ELT processes to be rapidly developed and scheduled via a visual GUI, leading to higher productivity and fewer errors than hand-written code.

-There are some limitations in PolyBase. Rows to be loaded must be less than 1 MB in length. Fixed-width format or nested data such as JSON and XML aren't directly readable.

-## Microsoft partners to help you migrate your data warehouse to Azure Synapse Analytics

-## Offloading data staging and ETL processing to Azure Data Lake and Azure Data Factory

-> [!TIP]

-> Offload ELT processing to Azure Data Lake and still run at scale as your data volumes grow.

-Data Factory lets you use [connectors](/azure/data-factory/connector-overview) from both cloud and on-premises data sources. Agent software, known as a *self-hosted integration runtime*, securely accesses on-premises data sources and supports secure, scalable data transfer.

-#### Transforming data using Data Factory

-> Professional ETL developers can use Data Factory mapping data flows to clean, transform and integrate data without the need to write code.

-#### Utilizing Spark to scale data integration

-#### Linking self-service data prep and Data Factory ETL processing using wrangling data flows

-#### Linking Data and Analytics in Analytical Pipelines

-In addition to cleaning and transforming data, Data Factory can combine data integration and analytics in the same pipeline. Use Data Factory to create both data integration and analytical pipelines&mdash;the latter being an extension of the former. Drop an analytical model into a pipeline so that clean, integrated data can be stored to provide predictions or recommendations. Act on this information immediately or store it in your data warehouse to provide you with new insights and recommendations that can be viewed in BI tools.

-Visual Studio .NET for Apache® Spark™ aims to make Spark accessible to .NET developers across all Spark APIs. It takes Spark support beyond R, Scala, Python, and Java to .NET. While initially only available on Apache Spark on HDInsight, Microsoft intends to make this available on Azure Synapse Spark Pool Notebook.

-### Utilizing Azure Analytics with your data warehouse

-Combine machine learning models built using the tools with Azure Synapse by.

-## Integrating live streaming data into Azure Synapse Analytics

-## Creating a logical data warehouse using PolyBase

-This data is over and above the structured transaction data and master data sources that typically feed data warehouses. These new data sources include semi-structured data (like JSON, XLM, or Avro) or unstructured data (like text, voice, image, or video) which is more complex to process and analyze. This data could be very high volume, high velocity, or both.

-> Azure Synapse gives best-of-breed performance and price-performance in independent benchmark.

-#### Choosing the workload for the initial migration

-In cases where a legacy warehouse has evolved over a long time, you may need to reengineer to maintain the required performance levels or to support new data like IoT steams. Migrate to Azure Synapse to get the benefits of a scalable cloud environment as part of the re-engineering process. Migration could include a change in the underlying data model, such as a move from an Inmon model to a data vault.

-#### Using a VM Teradata instance as part of a migration

-> Use Azure's VM capability to create a temporary Teradata instance to speed up migration and minimize impact on the source system.

-The Azure environment also includes specific features for complex analytics on time- series data at a scale called [time series insights](https://azure.microsoft.com/services/time-series-insights/). This is aimed at IoT data analysis applications and may be more appropriate for this use case.

-There are a few differences in SQL Data Manipulation Language (DML) syntax between Teradata SQL and Azure Synapse (T-SQL) that you should be aware during migration:

-### Extracting metadata and data from a Teradata environment

-## Performance Recommendations for Teradata Migrations

-#### Data Indexing

-#### Use Workload management

-Use [Workload management](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-workload-management?context=/azure/synapse-analytics/context/context) instead of resource classes. ETL would be in its own workgroup and should be configured to have more resources per query (less concurrency by more resources). For more information, see [What is dedicated SQL pool in Azure Synapse Analytics](/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is).

-#### Using a VM Teradata instance as part of a migration

-#### Migrating data marts - stay physical or go virtual?

-### Re-engineering existing Teradata-specific scripts

-Some elements of the ETL process are easy to migrate&mdash;for example, by simple bulk data load into a staging table from an external file. It may even be possible to automate those parts of the process, for example, by using PolyBase instead of fast load or MLOAD. If the exported files are Parquet, you can use a native Parquet reader, which is a faster option than PolyBase. Other parts of the process that contain arbitrary complex SQL and/or stored procedures will take more time to reengineer.

-### Using existing third party ETL tools

-### Scaling compute resources

-## Accessing Azure Synapse Analytics using Microsoft and third-party BI tools

-## Minimizing the impact of data warehouse migration on BI tools and reports using data virtualization

-## Identifying high priority reports to migrate first

-Whatever the decision is, it must involve the business, since they produce the reports and dashboards, and consume the insights these artifacts provide in support of the decisions that are made around your business. That said, if most reports and dashboards can be migrated seamlessly, with minimal effort, and offer up like- for-like results, simply by pointing your BI tool(s) at Azure Synapse, instead of your legacy data warehouse system, then everyone benefits. Therefore, if it's that straight forward and there's no reliance on legacy system proprietary SQL extensions, then there's no doubt that the above ease of migration option breeds confidence.

-### Migrating reports based on usage

-Usage is interesting, since it's an indicator of business value. Reports and dashboards that are never used clearly aren't contributing to supporting any decisions and$1 [don't currently offer any value. So, do you've any mechanism for finding out which reports, and dashboards are currently not used? Several BI tools provide statistics on usage, which would be an obvious place to start.

-### Migrating reports based on business value

-### Migrating reports based on data migration strategy

-### Gauging the impact of SQL incompatibilities on your reporting portfolio

-#### Using EXPLAIN statements to find SQL incompatibilities

-## Testing report and dashboard migration to Azure Synapse Analytics

-## Analyzing lineage to understand dependencies between reports, dashboards, and data

-## Migrating BI tool semantic layers to Azure Synapse Analytics

-# Minimizing SQL issues for Teradata migrations

-### Using a VM Teradata instance as part of a migration

-> Use the VM capability in Azure to create a temporary Teradata instance to speed up migration and minimize impact on the source system.

-Migrating your existing data warehouse to Azure Synapse enables you to utilize:

-Several tools from Microsoft and third-party partner vendors can help you migrate your existing data warehouse to Azure Synapse.

-They include:

-Let's look at these in more detail.

-Microsoft offers several tools to help you migrate your existing data warehouse to Azure Synapse. They are:

-> Data Factory allows you to build scalable data integration pipelines code free.

-[Azure Data Factory connectors](/azure/data-factory/connector-overview?msclkid=00086e4acff211ec9263dee5c7eb6e69) connect to external data sources and databases and have templates for common data integration tasks. A visual front-end, browser-based, GUI enables non-programmers to create and run process pipelines to ingest, transform, and load data, while more experienced programmers have the option to incorporate custom code if necessary, such as Python programs.

-Development of simple or comprehensive ETL and ELT processes without coding or maintenance, with a few clicks. These processes ingest, move, prepare, transform, and process your data. Design and manage scheduling and triggers in Azure Data Factory to build an automated data integration and loading environment. Define, manage, and schedule PolyBase bulk data load processes in Data Factory.

-Use Data Factory to implement and manage a hybrid environment that includes on-premises, cloud, streaming and SaaS data&mdash;for example, from applications like Salesforce&mdash;in a secure and consistent way.

-A new capability in Data Factory is wrangling data flows. This opens up Data Factory to business users to make use of platform and allows them to visually discover, explore and prepare data at scale without writing code. This easy-to-use Data Factory capability is like Microsoft Excel Power Query or Microsoft Power BI Dataflows, where self-service data preparation business users use a spreadsheet style user interface, with drop-down transforms, to prepare and integrate data.

-Azure ExpressRoute creates private connections between Azure data centers and infrastructure on your premises or in a colocation environment. ExpressRoute connections don't go over the public Internet, and they offer more reliability, faster speeds, and lower latencies than typical Internet connections. In some cases, using ExpressRoute connections to transfer data between on-premises systems and Azure can give you significant cost benefits.

-[AzCopy](/azure/storage/common/storage-use-azcopy-v10) is a command line utility that copies files to Azure Blob Storage via a standard internet connection. You can use it to upload extracted, compressed, delimited text files before loading via PolyBase or native parquet reader (if the exported files are parquet) in a warehouse migration project. Individual files, file selections, and file directories can be uploaded.

-Microsoft offers a service called Azure Data Box. This service writes data to be migrated to a physical storage device. This device is then shipped to an Azure data center and loaded into cloud storage. This service can be cost-effective for large volumes of data&mdash;for example, tens or hundreds of terabytes&mdash;or where network bandwidth isn't readily available and is typically used for the one-off historical data load when migrating a large amount of data to Azure Synapse.

-Another service available is Data Box Gateway, a virtualized cloud storage gateway device that resides on your premises and sends your images, media, and other data to Azure. Use Data Box Gateway for one-off migration tasks or ongoing incremental data uploads.

-PolyBase is tightly integrated with Azure Data Factory (see next section) to enable data load ETL/ELT processes to be rapidly developed and scheduled via a visual GUI, leading to higher productivity and fewer errors than hand-written code.

-There are some limitations in PolyBase. Rows to be loaded must be less than 1 MB in length. Fixed-width format or nested data such as JSON and XML aren't directly readable.

-## Microsoft partners to help you migrate your data warehouse to Azure Synapse Analytics

-## Offloading data staging and ETL processing to Azure Data Lake and Azure Data Factory

-> [!TIP]

-> Offload ELT processing to Azure Data Lake and still run at scale as your data volumes grow.

-[Microsoft Azure Data Factory](https://azure.microsoft.com/services/data-factory/)] is a pay-as-you-use, hybrid data integration service for highly scalable ETL and ELT processing. Data Factory provides a simple web-based user interface to build data integration pipelines, in a code-free manner that can:

-#### Transforming data using Data Factory

-> Professional ETL developers can use Data Factory mapping data flows to clean, transform and integrate data without the need to write code.

-#### Utilizing Spark to scale data integration

-#### Linking self-service data prep and Data Factory ETL processing using wrangling data flows

-#### Linking Data and Analytics in Analytical Pipelines

-Visual Studio .NET for Apache® Spark™ aims to make Spark accessible to .NET developers across all Spark APIs. It takes Spark support beyond R, Scala, Python, and Java to .NET. While initially only available on Apache Spark on HDInsight, Microsoft intends to make this available on Azure Synapse Spark Pool Notebook.

-### Utilizing Azure Analytics with your data warehouse

-Combine machine learning models built using the tools with Azure Synapse by.

-## Integrating live streaming data into Azure Synapse Analytics

-## Creating a logical data warehouse using PolyBase

-This data is over and above the structured transaction data and master data sources that typically feed data warehouses. These new data sources include semi-structured data (like JSON, XLM, or Avro) or unstructured data (like text, voice, image, or video) which is more complex to process and analyze. This data could be very high volume, high velocity, or both.

-description: Learn how to optimize the performance of your transactional code in dedicated SQL pool while minimizing risk for long rollbacks.

- WHEN actualRowCounts.actual_row_count >= statsRowCounts.stats_row_count THEN actualRowCounts.actual_row_count - statsRowCounts.stats_row_count

- ELSE statsRowCounts.stats_row_count - actualRowCounts.actual_row_count

- WHEN actualRowCounts.actual_row_count = 0 THEN statsRowCounts.stats_row_count

- WHEN statsRowCounts.stats_row_count = 0 THEN actualRowCounts.actual_row_count

- WHEN actualRowCounts.actual_row_count >= statsRowCounts.stats_row_count THEN CONVERT(NUMERIC(18, 0), CONVERT(NUMERIC(18, 2), (actualRowCounts.actual_row_count - statsRowCounts.stats_row_count)) / CONVERT(NUMERIC(18, 2), actualRowCounts.actual_row_count) * 100)

- ELSE CONVERT(NUMERIC(18, 0), CONVERT(NUMERIC(18, 2), (statsRowCounts.stats_row_count - actualRowCounts.actual_row_count)) / CONVERT(NUMERIC(18, 2), actualRowCounts.actual_row_count) * 100)

- select distinct object_id from sys.stats where stats_id > 1

- select object_id, sum(rows) as stats_row_count from sys.partitions group by object_id

- SELECT sm.name [schema] ,

- tb.name logical_table_name ,

- tb.object_id object_id ,

- SUM(rg.row_count) actual_row_count

- FROM sys.schemas sm

- INNER JOIN sys.tables tb ON sm.schema_id = tb.schema_id

- INNER JOIN sys.pdw_table_mappings mp ON tb.object_id = mp.object_id

- INNER JOIN sys.pdw_nodes_tables nt ON nt.name = mp.physical_name

- INNER JOIN sys.dm_pdw_nodes_db_partition_stats rg ON rg.object_id = nt.object_id

- AND rg.pdw_node_id = nt.pdw_node_id

- AND rg.distribution_id = nt.distribution_id

- WHERE rg.index_id = 1

- GROUP BY sm.name, tb.name, tb.object_id

-[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

- ```

- ```

-These maintenance operations that don't require a reboot are applied one fault domain at a time. They stop if they receive any warning health signals from platform monitoring tools.

-Each infrastructure update rolls out zone by zone, within a single region. But, you can have deployment going on in Zone 1, and different deployment going in Zone 2, at the same time. Deployments are not all serialized. But, a single deployment only rolls out one zone at a time to reduce risk.

-3. In **Create network address translation (NAT) gateway**, enter or select the following information.

-> Virtual Network NAT provides outbound connectivity for standard internal load balancers. To configure create a NAT gateway resource and associate it to your subnet. For more information on integrating a NAT gateway with your internal load balancers, see [Tutorial: Integrate NAT gateway with an internal load balancer - Azure portal - Virtual Network NAT](tutorial-nat-gateway-load-balancer-internal-portal.md).

-4. In **Create network address translation (NAT) gateway**, enter or select the following information.

-3. In **Create network address translation (NAT) gateway**, enter or select the following information.

-9. Select the **Security** tab.

- | Type | Select **Internal**. |

-5. In **Frontend IP configuration**, select **+ Add a frontend IP**.

-7. Select **myBackendSubnet** in **Subnet**.

-8. Select **Dynamic** for **Assignment**.

-9. Select **Zone-redundant** in **Availability zone**.

-10. Select **Add**.

-11. Select **Next: Backend pools** at the bottom of the page.

-12. In the **Backend pools** tab, select **+ Add a backend pool**.

-13. Enter **myBackendPool** for **Name** in **Add backend pool**.

-14. Select **NIC** or **IP Address** for **Backend Pool Configuration**.

-15. Select **IPv4** or **IPv6** for **IP version**.

-16. Select **Add**.

-17. Select the **Next: Inbound rules** button at the bottom of the page.

-18. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

-19. In **Add load balancing rule**, enter or select the following information:

- | Backend pool | Select **myBackendPool**. |

-20. Select **Add**.

-21. Select the blue **Review + create** button at the bottom of the page.

-22. Select **Create**.

-1. Find the public IP address for the NAT gateway on the **Overview** screen. Select **All services** in the left-hand menu, select **All resources**, and then select **myPublicIP**.

-3. Select **All services** in the left-hand menu, select **All resources**, and then from the resources list, select **myVM1** that is located in the **TutorIntLBNAT-rg** resource group.

-5. Select the blue **Use Bastion** button.

-6. Enter the username and password entered during VM creation.

-7. Open **Internet Explorer** on **myVM1**.