+* You can restrict inbound access to this port to the *AzureActiveDirectoryDomainServices* service tag.

+ > You need to use a minimum of *Enterprise* SKU for your managed domain to support replica sets. If needed, [change the SKU for a managed domain][howto-change-sku].

+ 

+The security questions and answers are stored securely in your Azure AD tenant and are only accessible to users via My Security-Info's [Combined registration experience](https://aka.ms/mfasetup). Administrators can't see, set, or modify the contents of another users' questions and answers.

+# Call an ASP.NET Core web API with Postman

+This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman.

+This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. Following on from the [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md), where you created a protected API, you'll need to register a web application with the Microsoft identity platform to generate an access token. Next, you'll use the token to make an authorized call to the API using Postman.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:

+ - Application administrator

+ - Application developer

+ - Cloud application administrator

+- [Download and install Postman](https://www.postman.com/downloads/).

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:

+ - Application administrator

+ - Application developer

+ - Cloud application administrator

+- Completion of the tutorial series:

+ - [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).

+ - [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).

+ - [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md).

+- [Download and install Postman](https://www.postman.com/downloads/).

+## Register an application with the Microsoft identity platform

+The Microsoft identity platform requires your application to be registered before providing identity and access management services. The application registration allows you to specify the name and type of the application and the sign-in audience. The sign-in audience specifies what types of user accounts are allowed to sign-in to a given application.

+### Register the web API

+Follow these steps to create the web API registration:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations > New registration**.

+1. Enter a **Name** for the application, such as _NewWebAPI1_.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.

+1. Select **Register**.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::

+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::

+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).

+#### Expose the API

+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives is valid.

+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` is the value recorded from the **Overview** page. Then enter the following information:

+ 1. For **Scope name**, enter `Forecast.Read`.

+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.

+ 1. In the **Admin consent display name** box, enter `Read forecast data`.

+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. In the **User consent display name** box, enter `Read forecast data`.

+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. Ensure that the **State** is set to **Enabled**.

+1. Select **Add scope**. If the scope has been entered correctly, it's listed in the **Expose an API** pane.

+### Register the web app

+Having a web API isn't enough however, as a web app is also needed to obtain an access token to access the web API you've created.

+Follow these steps to create the web app registration:

+1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. Enter a **Name** for the application, such as `web-app-calls-web-api`.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.

+1. Select **Register**.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. Enter a Name for the application, such as `web-app-calls-web-api`.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.

+1. Select **Register**.

+When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps.

+#### Add a client secret

+A client secret is a string value your app can use to identity itself, and is sometimes referred to as an _application password_. The web app uses the client secret to prove its identity when it requests tokens.

+Follow these steps to configure a client secret:

+1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.

+1. Add a description for your client secret, for example _My client secret_.

+1. Select an expiration for the secret or specify a custom lifetime.

+ - A client secret's lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.

+ - Microsoft recommends that you set an expiration value of less than 12 months.

+1. Select **Add**.

+1. Be sure to record the **Value** of the client secret. This secret value is **never displayed again** after you leave this page.

+#### Add permissions to access your web API

+By specifying a web API's scopes, the web app can obtain an access token containing the scopes provided by the Microsoft identity platform. Within the code, the web API can then provide permission-based access to its resources based on the scopes found in the access token.

+Follow these steps to configure client's permissions to the web API:

+1. From the **Overview** pane of your application in the Azure portal, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**.

+1. Select **NewWebAPI1** or the API that you wish to add permissions to.

+1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user.

+1. Select **Add permissions** to complete the process.

+After adding these permissions to your API, you should see the selected permissions under **Configured permissions**.

+You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal.

+## Test the web API

+1. Clone the [ms-identity-docs-code-dotnet](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet) repository.

+ ```

+1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `appsettings.json`, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with:

+ - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal.

+ - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal.

+1. Execute the following command to start the app:

+ dotnet run

+ ```

+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.

+ ...

+ ```

+1. Navigate to the web API that was created in [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md), for example _NewWebAPILocal_, and open the folder.

+ ### [.NET 6.0](#tab/dotnet6)

+ 1. Execute the following command to start the app:

+ ```bash

+ dotnet run

+ ```

+ ### [.NET 7.0](#tab/dotnet7)

+ 1. Open a new terminal and execute the following command to start the app on the `https` profile:

+ ```bash

+ dotnet run -launch-profile https`

+ ```

+

+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.

+ ...

+ ```

+### Configure an authorized request to the web API in Postman

+1. Launch the **Postman** application.

+1. In the main Postman window, find **Create a new request** and select **HTTP Request**.

+1. In the top bar, select **GET** from the dropdown menu.

+1. For the request URL, enter the URL of the endpoint exposed by the web API, `https://localhost:{port}/weatherforecast`.

+1. Select the **Authorization** tab to configure Postman to obtain a token from the Microsoft identity platform that will grant access to the web API.

+1. From the **Type** dropdown, select **OAuth 2.0**. This displays **Configure New Token** form.

+1. Enter the following values in the **Configure New Token** form:

+ | Setting | Value |

+ | - | - |

+ | Token Name | Provide any name for the token. For example, enter `Bearer` |

+ | Grant Type | Select **Authorization Code** |

+ | Callback URL | Enter `http://localhost`, which sets the Callback URL to the Redirect URI registered with Azure AD. DO NOT check the **Authorize using browser** checkbox. |

+ | Auth URL | `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize` <br/> Replace `{tenantId}` with the **Directory (tenant) ID** |

+ | Access Token URL | `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token` <br/> Replace `{tenantId}` with the **Directory (tenant) ID** |

+ | Client ID | The **Application (client) ID** value of your web app registration |

+ | Client Secret | The client secret **Value** of your web app registration |

+ | Scope | `api://{application_client_id}/Forecast.Read` <br/> Navigate to your web app registration, under **Manage**, select **API permissions**, then select **Forecast.Read** <br/> Copy the value in the textbox, which contains the **Scope** value |

+#### Get an access token and send a request to the web API

+1. Once these values are entered select the **Get New Access Token** button. This launches a Postman browser window where you authenticate with your user credentials. Be sure to allow pop ups from the Postman application in the browser.

+1. After authenticating, a new Postman generated pop-up window will appear. Select the **Use Token** button in Postman to provide the access token in the request.

+1. Select **Send** to send the request to the protected web API endpoint.

+With a valid access token included in the request, the expected response is 200 OK with output similar to:

+```

+For more information about OAuth 2.0 authorization code flow and application types, see:

+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)

+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)

+- [Microsoft Edge](/microsoft-edge)

+- [Outlook](/mem/intune/apps/app-configuration-policies-outlook)

+- [Microsoft Power Apps](/power-apps)

+- [Microsoft Viva Engage](/viva/engage/overview) (previously [Yammer](/yammer))

+1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. This step will bring you to the tenant's home page.

+1. Select the **Overview** tab at the top of the page. You can find the tenant **Name**, **Tenant ID** and **Primary domain** under **Basic information**.

+1. At the bottom of the page, select **Add Platform**, and then select **Website**.

+1. In **Site URL**, enter the address of your website, for example `https://contoso.com`.

+1. Select **Save Changes**.

+1. From the menu, select the **plus** sign or **Add Product** link next to **PRODUCTS**. Under the **Add Products to Your App**, select **Set up** under **Facebook Login**.

+1. From the menu, select **Facebook Login**, select **Settings**.

+1. In **Valid OAuth redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:

+ - `https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/www.facebook.com`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/www.facebook.com`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`

+ > [!NOTE]

+ > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.

+1. Select **Save Changes** at the bottom of the page.

+1. To make your Facebook application available to Azure AD, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point, the Status should change from **Development** to **Live**. For more information, see [Facebook App Development](https://developers.facebook.com/docs/development/release).

+ 1. Enter a **Name** for your application.

+ 1. Select a **User support email** address.

+1. Under the **Authorized domains** section, select **Add domain**, and then add `ciamlogin.com` and `microsoftonline.com`.

+ 1. Enter a suitable **Name** for your application, such as "Azure AD for customers."

+ 1. In **Valid OAuth redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:

+ - `https://login.microsoftonline.com`

+ - `https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp`

+ - `https://login.microsoftonline.com/te/<tenant-name>.onmicrosoft.com/oauth2/authresp`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/accounts.google.com`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/accounts.google.com`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`

+ - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`

+ > [!NOTE]

+ > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.

+2. Select **Create**.

+3. Copy the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant. **Client secret** is an important security credential.

+ Title: Prepare a React single-page app (SPA) for authentication

+description: Learn how to prepare a React single-page app (SPA) for authentication with your Azure Active Directory (AD) for customers tenant.

+#Customer intent: As a dev, devops, or IT admin, I want to learn how to enable authentication in my own React single-page app

+# Prepare a React single-page app (SPA) for authentication

+After registration is complete, you can create a React project using an integrated development environment (IDE). This guide demonstrates how to create a React single-page app using npm and create files needed for authentication and authorization.

+* Completion of the prerequisites and steps in [Prepare your customer tenant for building a React single-page app (SPA)](./how-to-single-page-application-react-prepare-tenant.md))

+Use the following tabs to create a React project within Visual Studio Code.

+> [Add sign-in and sign-out functionality to your app.](./how-to-single-page-application-react-sign-in-out.md)

+ Title: Prepare your customer tenant to authenticate users in a React single-page app (SPA)

+#Customer intent: As a dev I want to prepare my customer tenant for building a single-page app (SPA) with React

+# Prepare your customer tenant to authenticate users in a React single-page app (SPA)

+Before your applications can interact with Microsoft identity platform they must be registered in a customer tenant that you manage and must be associated with a user flow.

+In this article, you learn how to register your application and record identifies, create a user flow and associate that user flow with your application.

+> [Start building your React single-page app](./how-to-single-page-application-react-prepare-app.md)

+description: Learn how to configure a sample React single-page app (SPA) to sign in and sign out users.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample React single-page app to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users in a sample React single-page app (SPA)

+This guide uses a sample React single-page application (SPA) to demonstrate how to add authentication to a SPA. This SPA enables users to sign in and sign out by using you Azure Active Directory (Azure AD) for customers tenant. The sample uses the [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js) to handle authentication.

+* Although any IDE that supports React applications can be used, **Visual Studio Code** is used for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

+> [!div class="nextstepaction"]

+> [Enable self-service password reset](./how-to-enable-password-reset-customers.md)

+ Title: Add sign-in to a React single-page app (SPA)

+#Customer intent: As a developer I want to add sign-in and sign-out functionality to my React single-page app

+# Add sign-in to a React single-page app (SPA)

+In this article you will add components to the application and create a layout that displays the sign in and sign out experience. You will also add sign in and sign out experiences.

+* Completion of the prerequisites and steps in [Prepare an single-page app for authentication](how-to-single-page-application-react-prepare-app.md).

+1. Open a web browser and navigate to the port specified in [Prepare a single-page application for authentication](./how-to-single-page-application-react-prepare-app.md). For example, http://localhost:3000/.

+[  ](media/how-to-manage-user-profile-info/user-settings.png#lightbox)

+- Prevent non-admins from creating their own tenants

+ - For more information, see [default user permissions](users-default-permissions.md#restrict-member-users-default-permissions)

+- Allow users to create security groups

+- Guest user access restrictions

+ - Guest users have the same access as members (most inclusive)

+ - Guest users have limited access to properties and memberships of directory objects

+ - Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)

+ - Users can use preview features for My Apps

+ - Administrators can access My Staff

+1. Add **Directory.Read.All**, **AuditLog.Read.All** and **Policy.Read.ConditionalAccess** then select the **Add permissions** button.

+* The current unused app processor identifies any apps that were created recently. In some instances newly created apps might need more time to deploy the code that uses the application registration. Progress is underway to filter out apps that were created within the past 60 days so they don't show as unused.

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Please note the Identifier and Reply URL values are customer specific and should be able to specify it manually by copying it from Parallels My Account to the identity provider Azure. Contact [Parallels Desktop support team](https://www.parallels.com/support/) for any help. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+To configure single sign-on on **Parallels Desktop** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Parallels Desktop support team](https://www.parallels.com/support/). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon at Parallels Desktop. Work with [Parallels Desktop support team](https://www.parallels.com/support/) to add the users in the Parallels Desktop platform. Users must be created and activated before you use single sign-on.

+ | `https://<instancename>.service-now.com/consumer.do` |

+ | `https://<instancename>.service-now.com/consumer.do` |

+ | `https://<instancename>.service-now.com/consumer.do` |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, copy the **App Federation Metadata Url** or download the **Federation Metadata XML** and save it on your computer.

+To configure single sign-on on **SuperAnnotate** side, you need to set up the copied **App Federation Metadata Url** or the downloaded **Federation Metadata XML** in the SSO setup page of the SuperAnnotate side to have the SAML SSO connection set properly on both sides.

+### Limitations

+- The savings associated with the recommendations are based on retail rates and don't take into account any temporary or long-term discounts that might apply to your account. As a result, the listed savings might be higher than actually possible.

+- The recommendations don't take into account the presence of Reserved Instances (RI) / Savings plan purchases. As a result, the listed savings might be higher than actually possible. In some cases, for example in the case of cross-series recommendations, depending on the types of SKUs that reserved instances have been purchased for, the costs might increase when the optimization recommendations are followed. We caution you to consider your RI/Savings plan purchases when you act on the right-size recommendations.

+Using default outbound connecitivty provided by a Standard Load Balancer or other Azure resources is not recommended for production workloads as this causes connection failures (also called SNAT port exhaustion). The recommended approach is using a VNet NAT which will prevent any failures of connectivity in this regard. NAT can scale seamlessly to ensure your application is never out ports. [Learn more about VNet NAT](../virtual-network/nat-gateway/nat-overview.md).

+Azure Advisor helps you assess and improve the continuity of your business-critical applications. It's important to be aware of upcoming Azure services and feature retirements to understand their impact on your workloads and plan migration.

+The Service Retirement workbook provides a single centralized resource level view of service retirements. It helps you assess impact, evaluate options, and plan for migration from retiring services and features. The workbook template is available in Azure Advisor gallery.

+> The workbook contains information about a subset of services and features that are in the retirement lifecycle. While we continue to add more services to this workbook, you can view the lifecycle status of all Azure services by visiting [Azure updates](https://azure.microsoft.com/updates/?updateType=retirements).

+For more information, see:

+* [Introduction to Advisor](advisor-overview.md)

+Learn more about [MariaDB server - OrcasMariaDbCpuOverload (Increase the MariaDB server vCores)](https://aka.ms/mariadbpricing).

+Learn more about [Database Instance - ParameterSlowStart (To improve file system performance in HANA DB with ANF, disable parameter for slow start after idle)](https://launchpad.support.sap.com/#/notes/3024346).

+### In high-availability scenario for HANA DB with ANF, disable the tcp_timestamps OS parameter

+Learn more about [Database Instance - DisableTCPTimestamps (In high-availability scenario for HANA DB with ANF, disable the tcp_timestamps OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+A persistent volume represents a piece of storage that has been provisioned for use with Kubernetes pods. You can use a persistent volume with one or many pods, and it can be dynamically or statically provisioned. If multiple pods need concurrent access to the same storage volume, you can use Azure Files to connect using the [Server Message Block (SMB) protocol][smb-overview]. This article shows you how to dynamically create an Azure file share for use by multiple pods in an Azure Kubernetes Service (AKS) cluster.

+* You need an Azure [storage account][azure-storage-account].

+* Make sure you have Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* When choosing between standard and premium file shares, it's important you understand the provisioning model and requirements of the expected usage pattern you plan to run on Azure Files. For more information, see [Choosing an Azure Files performance tier based on usage patterns][azure-files-usage].

+This section provides guidance for cluster administrators who want to provision one or more persistent volumes that include details of one or more shares on Azure Files. A persistent volume claim (PVC) uses the storage class object to dynamically provision an Azure Files file share.

+|location | Specify the Azure region of the Azure storage account.| For example, `eastus`. | No | If empty, driver uses the same location name as current AKS cluster.|

+|resourceGroup | Specify the resource group for the Azure Disks.| Existing resource group name | No | If empty, driver uses the same resource group name as current AKS cluster.|

+|shareName | Specify Azure file share name. | Existing or new Azure file share name. | No | If empty, driver generates an Azure file share name. |

+|folderName | Specify folder name in Azure file share. | Existing folder name in Azure file share. | No | If folder name doesn't exist in file share, the mount fails. |

+|server | Specify Azure storage account server address. | Existing server address, for example `accountname.privatelink.file.core.windows.net`. | No | If empty, driver uses default `accountname.file.core.windows.net` or other sovereign cloud account address. |

+|networkEndpointType | Specify network endpoint type for the storage account created by driver. If `privateEndpoint` is specified, a private endpoint is created for the storage account. For other cases, a service endpoint is created by default. | "",`privateEndpoint`| No | "" |

+|storeAccountKey | Specify whether to store account key to Kubernetes secret. | `true` or `false`<br>`false` means driver uses kubelet identity to get account key. | No | `true` |

+|secretNamespace | Specify the namespace of secret to store account key. <br><br> **Note:** <br> If `secretNamespace` isn't specified, the secret is created in the same namespace as the pod. | `default`,`kube-system`, etc. | No | PVC namespace, for example `csi.storage.k8s.io/pvc/namespace` |

+|useDataPlaneAPI | Specify whether to use [data plane API][data-plane-api] for file share create/delete/resize, which could solve the SRP API throttling issue because the data plane API has almost no limit, while it would fail when there's firewall or Vnet settings on storage account. | `true` or `false` | No | `false` |

+|fsGroupChangePolicy | Indicates how the driver changes volume's ownership. Pod `securityContext.fsGroupChangePolicy` is ignored. | `OnRootMismatch` (default), `Always`, `None` | No | `OnRootMismatch`|

+Storage classes define how to create an Azure file share. A storage account is automatically created in the [node resource group][node-resource-group] for use with the storage class to hold the Azure Files file share. Choose of the following [Azure storage redundancy SKUs][storage-skus] for `skuName`:

+* `Standard_LRS`: Standard locally redundant storage (LRS)

+* `Standard_GRS`: Standard geo-redundant storage (GRS)

+* `Standard_ZRS`: Standard zone redundant storage (ZRS)

+* `Standard_RAGRS`: Standard read-access geo-redundant storage (RA-GRS)

+* `Premium_LRS`: Premium locally redundant storage (LRS)

+* `Premium_ZRS`: pPremium zone redundant storage (ZRS)

+1. Create a file named `azure-file-sc.yaml` and copy in the following example manifest. For more information on `mountOptions`, see the [Mount options][mount-options] section.

+ ```yaml

+ kind: StorageClass

+ apiVersion: storage.k8s.io/v1

+ metadata:

+ name: my-azurefile

+ provisioner: file.csi.azure.com # replace with "kubernetes.io/azure-file" if aks version is less than 1.21

+ allowVolumeExpansion: true

+ mountOptions:

+ - dir_mode=0777

+ - file_mode=0777

+ - uid=0

+ - gid=0

+ - mfsymlinks

+ - cache=strict

+ - actimeo=30

+ parameters:

+ skuName: Premium_LRS

+ ```

+2. Create the storage class using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f azure-file-sc.yaml

+ ```

+A persistent volume claim (PVC) uses the storage class object to dynamically provision an Azure file share. You can use the following YAML to create a persistent volume claim *100 GB* in size with *ReadWriteMany* access. For more information on access modes, see [Kubernetes persistent volume][access-modes].

+1. Create a file named `azure-file-pvc.yaml` and copy in the following YAML. Make sure the `storageClassName` matches the storage class you created in the previous step.

+ ```yaml

+ apiVersion: v1

+ kind: PersistentVolumeClaim

+ metadata:

+ name: my-azurefile

+ spec:

+ accessModes:

+ - ReadWriteMany

+ storageClassName: my-azurefile

+ resources:

+ requests:

+ storage: 100Gi

+ ```

+ > [!NOTE]

+ > If using the `Premium_LRS` SKU for your storage class, the minimum value for `storage` must be `100Gi`.

+2. Create the persistent volume claim using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f azure-file-pvc.yaml

+ ```

+ Once completed, the file share is created. A Kubernetes secret is also created that includes connection information and credentials. You can use the [`kubectl get`][kubectl-get] command to view the status of the PVC:

+ ```bash

+ kubectl get pvc my-azurefile

+ ```

+ The output of the command resembles the following example:

+ ```output

+ NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE

+ my-azurefile Bound pvc-8436e62e-a0d9-11e5-8521-5a8664dc0477 10Gi RWX my-azurefile 5m

+ ```

+The following YAML creates a pod that uses the persistent volume claim *my-azurefile* to mount the Azure Files file share at the */mnt/azure* path. For Windows Server containers, specify a `mountPath` using the Windows path convention, such as *'D:'*.

+1. Create a file named `azure-pvc-files.yaml`, and copy in the following YAML. Make sure the `claimName` matches the PVC you created in the previous step.

+ ```yaml

+ kind: Pod

+ apiVersion: v1

+ metadata:

+ name: mypod

+ spec:

+ containers:

+ - name: mypod

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ resources:

+ requests:

+ cpu: 100m

+ memory: 128Mi

+ limits:

+ cpu: 250m

+ memory: 256Mi

+ volumeMounts:

+ - mountPath: "/mnt/azure"

+ name: volume

+ volumes:

+ - name: volume

+ persistentVolumeClaim:

+ claimName: my-azurefile

+ ```

+2. Create the pod using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f azure-pvc-files.yaml

+ ```

+ You now have a running pod with your Azure Files file share mounted in the */mnt/azure* directory. This configuration can be seen when inspecting your pod using the [`kubectl describe`][kubectl-describe] command. The following condensed example output shows the volume mounted in the container.

+ ```output

+ Containers:

+ mypod:

+ Container ID: docker://053bc9c0df72232d755aa040bfba8b533fa696b123876108dec400e364d2523e

+ Image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ Image ID: docker-pullable://nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424

+ State: Running

+ Started: Fri, 01 Mar 2019 23:56:16 +0000

+ Ready: True

+ Mounts:

+ /mnt/azure from volume (rw)

+ /var/run/secrets/kubernetes.io/serviceaccount from default-token-8rv4z (ro)

+ [...]

+ Volumes:

+ volume:

+ Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)

+ ClaimName: my-azurefile

+ ReadOnly: false

+ [...]

+ ```

+The default value for `fileMode` and `dirMode` is *0777* for Kubernetes versions 1.13.0 and above. If you're dynamically creating the persistent volume with a storage class, you can specify mount options on the storage class object. For more information, see [Mount options](https://kubernetes.io/docs/concepts/storage/storage-classes/#mount-options). The following example sets *0777*:

+For more information on using Azure tags, see [Use Azure tags in Azure Kubernetes Service (AKS)][use-tags].

+|volumeAttributes.fsGroupChangePolicy | Indicates how the driver changes a volume's ownership. Pod `securityContext.fsGroupChangePolicy` is ignored. | `OnRootMismatch` (default), `Always`, `None` | No | `OnRootMismatch` |

+Before you can use an Azure Files file share as a Kubernetes volume, you must create an Azure Storage account and the file share.

+1. Get the resource group name using the [`az aks show`][az-aks-show] command with the `--query nodeResourceGroup` parameter.

+2. Create a storage account using the [`az storage account create`][az-storage-account-create] command with the `--sku` parameter. The following command creates a storage account using the `Standard_LRS` SKU. Make sure to replace the following placeholders:

+ * `location` with the name of the region to create the resource in. It should be the same region as the AKS cluster nodes.

+3. Export the connection string as an environment variable using the following command, which you use to create the file share.

+4. Create the file share using the [`az storage share create`][az-storage-share-create] command. Make sure to replace `shareName` with your share name.

+5. Export the storage account key as an environment variable using the following command.

+6. Echo the storage account name and key using the following command. Copy this information, as you need these values when creating the Kubernetes volume.

+1. Create the secret using the `kubectl create secret` command. The following example creates a secret named *azure-secret* and populates the *azurestorageaccountname* and *azurestorageaccountkey* from the previous step. To use an existing Azure storage account, provide the account name and key.

+ ```bash

+ kubectl create secret generic azure-secret --from-literal=azurestorageaccountname=myAKSStorageAccount --from-literal=azurestorageaccountkey=$STORAGE_KEY

+ ```

+> Inline volume can only access secrets in the same namespace as the pod. To specify a different secret namespace, instead use the [persistent volume example][persistent-volume-example].

+To mount the Azure Files file share into your pod, you configure the volume in the container spec.

+1. Create a new file named `azure-files-pod.yaml` and copy in the following contents. If you changed the name of the file share or secret name, update the `shareName` and `secretName`. You can also update the `mountPath`, which is the path where the Files share is mounted in the pod. For Windows Server containers, specify a `mountPath` using the Windows path convention, such as *'D:'*.

+ ```yaml

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ name: mypod

+ spec:

+ nodeSelector:

+ kubernetes.io/os: linux

+ containers:

+ - image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ name: mypod

+ resources:

+ requests:

+ cpu: 100m

+ memory: 128Mi

+ limits:

+ cpu: 250m

+ memory: 256Mi

+ volumeMounts:

+ - name: azure

+ mountPath: /mnt/azure

+ volumes:

+ - name: azure

+ csi:

+ driver: file.csi.azure.com

+ readOnly: false

+ volumeAttributes:

+ secretName: azure-secret # required

+ shareName: aksshare # required

+ mountOptions: "dir_mode=0777,file_mode=0777,cache=strict,actimeo=30,nosharesock" # optional

+ ```

+2. Create the pod using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f azure-files-pod.yaml

+ ```

+ You now have a running pod with an Azure Files file share mounted at */mnt/azure*. You can verify the share is mounted successfully using the [`kubectl describe`][kubectl-describe] command.

+ ```bash

+ kubectl describe pod mypod

+ ```

+### Mount file share as a persistent volume

+1. Create a new file named `azurefiles-pv.yaml` and copy in the following contents. Under `csi`, update `resourceGroup`, `volumeHandle`, and `shareName`. For mount options, the default value for `fileMode` and `dirMode` is *0777*.

+2. Create the persistent volume using the [`kubectl create`][kubectl-create] command.

+3. Create a new file named *azurefiles-mount-options-pvc.yaml* and copy the following contents.

+4. Create the PersistentVolumeClaim using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f azurefiles-mount-options-pvc.yaml

+ ```

+5. Verify your PersistentVolumeClaim is created and bound to the PersistentVolume using the [`kubectl get`][kubectl-get] command.

+6. Update your container spec to reference your *PersistentVolumeClaim* and your pod in the YAML file. For example:

+7. A pod spec can't be updated in place, so delete the pod using the [`kubectl delete`][kubectl-delete] command and recreate it using the [`kubectl apply`][kubectl-apply] command.

+[azure-files-usage]: ../storage/files/understand-performance.md#choosing-a-performance-tier-based-on-usage-patterns

+[az-storage-account-create]: /cli/azure/storage/account#az-storage-account-create

+The Secrets Store CSI Driver on Azure Kubernetes Service (AKS) provides various methods of identity-based access to your Azure key vault. This article outlines these methods and how to use them to access your key vault and its contents from your AKS cluster. For more information, see [Use the Secrets Store CSI Driver][csi-secrets-store-driver].

+- Azure AD Workload identity

+## Access with an Azure AD workload identity

+An [Azure AD workload identity][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Azure Active Directory (Azure AD) then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL).

+Before you begin, you must have the following prerequisites in place:

+- An existing Key Vault.

+- An active Azure Subscription.

+- An existing AKS cluster with `enable-oidc-issuer` and `enable-workload-identity` enabled

+Azure AD workload identity is supported on both Windows and Linux clusters.

+1. Set your subscription using the [`az account set`][az-account-set] command.

+ ```

+2. Create a managed identity using the [`az identity create`][az-identity-create] command.

+ ```azurecli-interactive

+3. You need to set an access policy that grants the workload identity permission to access the Key Vault secrets, access keys, and certificates. Assign these rights using the [`az keyvault set-policy`][az-keyvault-set-policy] command.

+4. Get the AKS cluster OIDC Issuer URL using the [`az aks show`][az-aks-show] command.

+5. You need to establish a federated identity credential between the Azure AD application and the service account issuer and subject. Get the object ID of the Azure AD application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.

+6. Create the federated identity credential between the managed identity, service account issuer, and subject using the [`az identity federated-credential create`][az-identity-federated-credential-create] command.

+7. Deploy a `SecretProviderClass` using the `kubectl apply` command and the following YAML script.

+8. Deploy a sample pod using the `kubectl apply` command and the following YAML script.

+1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity you created when you [enabled a managed identity on your AKS cluster][use-managed-identity].

+ Alternatively, you can create a new managed identity and assign it to your virtual machine (VM) scale set or to each VM instance in your availability set using the following commands.

+2. Grant your identity the permissions that enable it to read and view the contents of your key vault using the following [`az keyvault set-policy`][az-keyvault-set-policy] commands for each object type.

+ # Set policy to access keys in your key vault

+ # Set policy to access secrets in your key vault

+ # Set policy to access certs in your key vault

+3. Create a `SecretProviderClass` using the following YAML. Make sure to use your own values for `userAssignedIdentityID`, `keyvaultName`, `tenantId`, and the objects to retrieve from your key vault.

+4. Apply the `SecretProviderClass` to your cluster using the `kubectl apply` command.

+5. Create a pod using the following YAML.

+6. Apply the pod to your cluster using the `kubectl apply` command.

+To validate the secrets are mounted at the volume path specified in your pod's YAML, see [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster][validate-secrets].

+[az-account-set]: /cli/azure/account#az-account-set

+[az-identity-create]: /cli/azure/identity#az-identity-create

+[az-keyvault-set-policy]: /cli/azure/keyvault#az-keyvault-set-policy

+ Title: Resource management best practices for Azure Kubernetes Service (AKS)

+description: Learn the application developer best practices for resource management in Azure Kubernetes Service (AKS).

+As you develop and run applications in Azure Kubernetes Service (AKS), there are a few key areas to consider. The way you manage your application deployments can negatively impact the end-user experience of services you provide.

+This article focuses on running your clusters and workloads from an application developer perspective. For information about administrative best practices, see [Cluster operator best practices for isolation and resource management in Azure Kubernetes Service (AKS)][operator-best-practices-isolation].

+This article covers the following topics:

+>

+> * Ways to develop, debug, and deploy applications with Bridge to Kubernetes and Visual Studio Code.

+>

+Use pod requests and limits to manage compute resources within an AKS cluster. Pod requests and limits inform the Kubernetes scheduler of the compute resources to assign to a pod.

+*Pod requests* define a set amount of CPU and memory the pod needs regularly.

+In your pod specifications, it's important you define these requests and limits based on the above information. If you don't include these values, the Kubernetes scheduler can't consider the resources your applications requires to help with scheduling decisions.

+Monitor the performance of your application to adjust pod requests. If you underestimate pod requests, your application may receive degraded performance due to over-scheduling a node. If requests are overestimated, your application may have increased scheduling difficulty.

+### Pod CPU/Memory limits

+*Pod limits* set the maximum amount of CPU and memory a pod can use. *Memory limits* define which pods should be removed when nodes are unstable due to insufficient resources. Without proper limits set, pods are removed until resource pressure is lifted. While a pod may exceed the *CPU limit* periodically, the pod isn't removed for exceeding the CPU limit.

+Pod limits define when a pod loses control of resource consumption. When it exceeds the limit, the pod is marked for removal. This behavior maintains node health and minimizes impact to pods sharing the node. If you don't set a pod limit, it defaults to the highest available value on a given node.

+> In your pod specifications, define these requests and limits based on the above information. Failing to include these values prevents the Kubernetes scheduler from accounting for resources your applications requires to help with scheduling decisions.

+If the scheduler places a pod on a node with insufficient resources, application performance is degraded. Cluster administrators **must set *resource quotas*** on a namespace that requires you to set resource requests and limits. For more information, see [resource quotas on AKS clusters][resource-quotas].

+When you define a CPU request or limit, the value is measured in CPU units.

+* *1.0* CPU equates to one underlying virtual CPU core on the node.

+ * The same measurement is used for GPUs.

+* You can define fractions measured in millicores. For example, *100 m* is *0.1* of an underlying vCPU core.

+In the following basic example for a single NGINX pod, the pod requests *100 m* of CPU time and *128Mi* of memory. The resource limits for the pod are set to *250 m* CPU and *256Mi* memory.

+> **Best practice guidance**

+With Bridge to Kubernetes, you can develop, debug, and test applications directly against an AKS cluster. Developers within a team collaborate to build and test throughout the application lifecycle. You can continue to use existing tools such as Visual Studio or Visual Studio Code with the Bridge to Kubernetes extension.

+Using integrated development and test process with Bridge to Kubernetes reduces the need for local test environments like [minikube][minikube]. Instead, you develop and test against an AKS cluster, even in secured and isolated clusters.

+> Bridge to Kubernetes is intended for use with applications running on Linux pods and nodes.

+> **Best practice guidance**

+The [Visual Studio Code extension for Kubernetes][vscode-kubernetes] helps you develop and deploy applications to AKS. The extension provides the following features:

+* Intellisense for Kubernetes resources, Helm charts, and templates.

+* The ability to browse, deploy, and edit capabilities for Kubernetes resources from within VS Code.

+* Intellisense checks for resource requests or limits being set in the pod specifications:

+To implement some of these best practices, see [Develop with Bridge to Kubernetes][btk].

+If you browse to the external IP address at this stage, you see a 404 page displayed. This is because you still need to set up the connection to the external IP, which is done in the next sections.

+* The `--windows-admin-password` and `--windows-admin-username` parameters set the administrator credentials for any Windows Server nodes on the cluster and must meet [Windows Server password requirements][windows-server-password].

+1. Create a username to use as administrator credentials for the Windows Server nodes on your cluster. The following commands prompt you for a username and set it to *WINDOWS_USERNAME* for use in a later command (remember that the commands in this article are entered into a BASH shell).

+ ```azurecli-interactive

+ echo "Please enter the username to use as administrator credentials for Windows Server nodes on your cluster: " && read WINDOWS_USERNAME

+ ```

+2. Create a password for the administrator username that you created in the previous step.

+ ```azurecli-interactive

+ echo "Please enter the password to use as administrator credentials for Windows Server nodes on your cluster: " && read WINDOWS_PASSWORD

+ ```

+3. Create your cluster ensuring you specify the `--windows-admin-username` and `--windows-admin-password` parameters. The following example command creates a cluster using the value from *WINDOWS_USERNAME* you set in the previous command. Alternatively you can provide a different username directly in the parameter instead of using *WINDOWS_USERNAME*.

+ ```azurecli-interactive

+ az aks create \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --node-count 2 \

+ --enable-addons monitoring \

+ --generate-ssh-keys \

+ --windows-admin-username $WINDOWS_USERNAME \

+ --windows-admin-password $WINDOWS_PASSWORD \

+ --vm-set-type VirtualMachineScaleSets \

+ --network-plugin azure

+ ```

+

+ > [!NOTE]

+ > If you get a password validation error, verify the password you set meets the [Windows Server password requirements][windows-server-password]. If your password meets the requirements, try creating your resource group in another region. Then try creating the cluster with the new resource group.

+ >

+ > If you do not specify an administrator username and password when setting `--vm-set-type VirtualMachineScaleSets` and `--network-plugin azure`, the username is set to *azureuser* and the password is set to a random value.

+ >

+ > The administrator username can't be changed, but you can change the administrator password your AKS cluster uses for Windows Server nodes using `az aks update`. For more details, see [Windows Server node pools FAQ][win-faq-change-admin-creds].

+

+ --os-sku Windows2019 \

+ --os-sku Windows2022 \

+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME

+aks-nodepool1-90538373-vmss000000 Ready agent 54m v1.25.6 10.224.0.33 <none> Ubuntu 22.04.2 LTS 5.15.0-1035-azure containerd://1.6.18+azure-1

+aks-nodepool1-90538373-vmss000001 Ready agent 55m v1.25.6 10.224.0.4 <none> Ubuntu 22.04.2 LTS 5.15.0-1035-azure containerd://1.6.18+azure-1

+aksnpwin000000 Ready agent 40m v1.25.6 10.224.0.62 <none> Windows Server 2022 Datacenter 10.0.20348.1668 containerd://1.6.14+azure

+[aks-release-notes]: https://github.com/Azure/AKS/releases

+Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this tutorial, you:

+* When you create an AKS cluster, a second resource group is automatically created to store the AKS resources. For more information, see [Why are two resource groups created with AKS?][aks-two-resource-groups]

+> There could be substantial cost involved once kube-audit logs are enabled. Consider disabling kube-audit logging when not required. An alternative approach to significantly reduce the number of logs and help reduce cost is by enabling collection from kube-audit-admin, which excludes the get and list audit events.

+[monitoring-aks-data-reference]: monitor-aks-reference.md

+ Title: Migration guidance for Open Service Mesh to Istio

+description: Migration guidance for Open Service Mesh configurations to Istio

+# Migration guidance for Open Service Mesh (OSM) configurations to Istio

+> [!IMPORTANT]

+> This article aims to provide a simplistic understanding of how to identify OSM configurations and translate them to equivalent Istio configurations for migrating workloads from OSM to Istio. This by no means, is considered to be an exhaustive detailed guide.

+This article provides practical guidance for mapping OSM policies to the [Istio](https://istio.io/) policies to help migrate your microservices deployments managed by OSM over to being managed by Istio. We utilize the OSM [Bookstore sample application](https://docs.openservicemesh.io/docs/getting_started/install_apps/) as a base reference for current OSM users. The following walk-through deploys the Bookstore application. The same steps are followed and explain how to apply the OSM [SMI](https://smi-spec.io/) traffic policies using the Istio equivalent.

+If you are not using OSM and are new to Istio, start with [Istio's own Getting Started guide](https://istio.io/latest/docs/setup/getting-started/) to learn how to use the Istio service mesh for your applications. If you are currently using OSM, make sure you are familiar with the OSM [Bookstore sample application](https://docs.openservicemesh.io/docs/getting_started/install_apps/) walk-through on how OSM configures traffic policies. The following walk-through does not duplicate the current documentation, and reference specific topics when relevant. You should be comfortable and fully aware of the bookstore application architecture before proceeding.

+## Prerequisites

+- An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

+- [Azure CLI installed](/cli/azure/install-azure-cli).

+- OSM is uninstalled from your Kubernetes cluster

+- Any existing OSM Bookstore application, including namespaces, is uninstalled and deleted from your cluster

+- [Install the Istio AKS service mesh add-on](/azure/aks/istio-deploy-addon.md)

+## Modifications needed to the OSM Sample Bookstore Application

+To allow for Istio to manage the OSM bookstore application, there are a couple of changes needed in the existing manifests. Those changes are with the bookstore and the mysql services.

+### Bookstore Modifications

+In the OSM Bookstore walk-through, the bookstore service is deployed along with another bookstore-v2 service to demonstrate how OSM provides traffic shifting. This deployed services allowed you to split the client (`bookbuyer`) traffic between multiple service endpoints. The first new concept to understand how Istio handles what they refer to as [Traffic Shifting](https://istio.io/latest/docs/tasks/traffic-management/traffic-shifting/).

+OSM implementation of traffic shifting is based on the [SMI Traffic Split specification](https://github.com/servicemeshinterface/smi-spec/blob/main/apis/traffic-split/v1alpha4/traffic-split.md). The SMI Traffic Split specification requires the existence of multiple top-level services that are added as backends with the desired weight metric to shift client requests from one service to another. Istio accomplishes traffic shifting using a combination of a [Virtual Service](https://istio.io/latest/docs/reference/config/networking/virtual-service/) and a [Destination Rule](https://istio.io/latest/docs/reference/config/networking/destination-rule/). It is highly recommended that you familiarize yourself with both the concepts of a virtual service and destination rule.

+Put simply, the Istio virtual service defines routing rules for clients that request the host (service name). Virtual Services allows for multiple versions of a deployment to be associated to one virtual service hostname for clients to target. Multiple deployments can be labeled for the same service, representing different versions of the application behind the same hostname. The Istio virtual service can then be configured to weight the request to a specific version of the service. The available versions of the service are configured to use the `subsets` attribute in a Istio destination rule.

+The modification made to the bookstore service and deployment for Istio removes the need to have an explicit second service to target, which the SMI Traffic Split needs. There's no need for another service account for the bookstore v2 service as well, since it's to be consolidated under the bookstore service. The original OSM [traffic-access-v1.yaml](https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/access/traffic-access-v1.yaml) manifest modification to Istio for both the bookstore v1 and v2 are shown in the below [Create Pods, Services, and Service Accounts](#create-pods-services-and-service-accounts) section. We demonstrate how we do traffic splitting, known as traffic shifting later in the walk-through:

+### MySql Modifications

+Changes to the mysql stateful set are only needed in the service configuration. Under the service specification, OSM needed the `targetPort` and `appProtocol` attributes. These attributes are not needed for Istio. The following updated service for the mysqldb looks like:

+```yml

+apiVersion: v1

+kind: Service

+metadata:

+ name: mysqldb

+ labels:

+ app: mysqldb

+ service: mysqldb

+spec:

+ ports:

+ - port: 3306

+ name: tcp

+ selector:

+ app: mysqldb

+```

+## Deploy the Modified Bookstore Application

+Similar to the OSM Bookstore walk-through, we start with a new install of the bookstore application.

+### Create the Namespaces

+```bash

+kubectl create namespace bookstore

+kubectl create namespace bookbuyer

+kubectl create namespace bookthief

+kubectl create namespace bookwarehouse

+```

+### Add a namespace label for Istio sidecar injection

+For OSM, using the command `osm namespace add <namespace>` created the necessary annotations to the namespace for the OSM controller to add automatic sidecar injection. With Istio, you only need to just label a namespace to allow the Istio controller to be instructed to automatically inject the Envoy sidecar proxies.

+```bash

+kubectl label namespace bookstore istio-injection=enabled

+kubectl label namespace bookbuyer istio-injection=enabled

+kubectl label namespace bookthief istio-injection=enabled

+kubectl label namespace bookwarehouse istio-injection=enabled

+```

+### Deploy the Istio Virtual Service and Destination Rule for Bookstore

+As mentioned earlier in the Bookstore Modification section, Istio handles traffic shifting utilizing a VirtualService weight attribute we configure later in the walk-through. We deploy the virtual service and destination rule for the bookstore service. We deploy only the bookstore version 1 even though the bookstore version 2 is deployed. The Istio virtual service is only supplying a route to the version 1 of bookstore. Different from how OSM handles traffic shifting (traffic split), OSM deployed another service for the bookstore version 2 application. OSM needed to set up traffic to be split between client requests using a TrafficSplit. When using traffic shifting with Istio, we can reference shifting traffic to multiple Kubernetes application deployments (versions) labeled for the same service.

+In this walk-though, the deployment of both bookstore versions (v1 & v2) is deployed at the same time. Only the version 1 is reachable due to the virtual service configuration. There is no need to deploy another service for bookstore version 2, we enable a route to the bookstore version 2 later when we update the bookstore virtual service and provide the necessary weight attribute to do traffic shifting.

+```bash

+kubectl apply -f - <<EOF

+# Create bookstore virtual service

+apiVersion: networking.istio.io/v1alpha3

+kind: VirtualService

+metadata:

+ name: bookstore-virtualservice

+ namespace: bookstore

+spec:

+ hosts:

+ - bookstore

+ http:

+ - route:

+ - destination:

+ host: bookstore

+ subset: v1

+# Create bookstore destination rule

+apiVersion: networking.istio.io/v1alpha3

+kind: DestinationRule

+metadata:

+ name: bookstore-destination

+ namespace: bookstore

+spec:

+ host: bookstore

+ subsets:

+ - name: v1

+ labels:

+ app: bookstore

+ version: v1

+ - name: v2

+ labels:

+ app: bookstore

+ version: v2

+EOF

+```

+### Create Pods, Services, and Service Accounts

+We use a single manifest file that contains the modifications discussed earlier in the walk-through to deploy the `bookbuyer`, `bookthief`, `bookstore`, `bookwarehouse`, and `mysql` applications.

+```bash

+kubectl apply -f - <<EOF

+##################################################################################################

+# bookbuyer service

+##################################################################################################

+# Create bookbuyer Service Account

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ name: bookbuyer

+ namespace: bookbuyer

+# Create bookbuyer Deployment

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: bookbuyer

+ namespace: bookbuyer

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: bookbuyer

+ version: v1

+ template:

+ metadata:

+ labels:

+ app: bookbuyer

+ version: v1

+ spec:

+ serviceAccountName: bookbuyer

+ nodeSelector:

+ kubernetes.io/arch: amd64

+ kubernetes.io/os: linux

+ containers:

+ - name: bookbuyer

+ image: openservicemesh/bookbuyer:latest-main

+ imagePullPolicy: Always

+ command: ["/bookbuyer"]

+ env:

+ - name: "BOOKSTORE_NAMESPACE"

+ value: bookstore

+ - name: "BOOKSTORE_SVC"

+ value: bookstore

+##################################################################################################

+# bookthief service

+##################################################################################################

+# Create bookthief ServiceAccount

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ name: bookthief

+ namespace: bookthief

+# Create bookthief Deployment

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: bookthief

+ namespace: bookthief

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: bookthief

+ template:

+ metadata:

+ labels:

+ app: bookthief

+ version: v1

+ spec:

+ serviceAccountName: bookthief

+ nodeSelector:

+ kubernetes.io/arch: amd64

+ kubernetes.io/os: linux

+ containers:

+ - name: bookthief

+ image: openservicemesh/bookthief:latest-main

+ imagePullPolicy: Always

+ command: ["/bookthief"]

+ env:

+ - name: "BOOKSTORE_NAMESPACE"

+ value: bookstore

+ - name: "BOOKSTORE_SVC"

+ value: bookstore

+ - name: "BOOKTHIEF_EXPECTED_RESPONSE_CODE"

+ value: "503"

+##################################################################################################

+# bookstore service version 1 & 2

+##################################################################################################

+# Create bookstore Service

+apiVersion: v1

+kind: Service

+metadata:

+ name: bookstore

+ namespace: bookstore

+ labels:

+ app: bookstore

+spec:

+ ports:

+ - port: 14001

+ name: bookstore-port

+ selector:

+ app: bookstore

+# Create bookstore Service Account

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ name: bookstore

+ namespace: bookstore

+# Create bookstore-v1 Deployment

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: bookstore-v1

+ namespace: bookstore

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: bookstore

+ version: v1

+ template:

+ metadata:

+ labels:

+ app: bookstore

+ version: v1

+ spec:

+ serviceAccountName: bookstore

+ nodeSelector:

+ kubernetes.io/arch: amd64

+ kubernetes.io/os: linux

+ containers:

+ - name: bookstore

+ image: openservicemesh/bookstore:latest-main

+ imagePullPolicy: Always

+ ports:

+ - containerPort: 14001

+ name: web

+ command: ["/bookstore"]

+ args: ["--port", "14001"]

+ env:

+ - name: BOOKWAREHOUSE_NAMESPACE

+ value: bookwarehouse

+ - name: IDENTITY

+ value: bookstore-v1

+# Create bookstore-v2 Deployment

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: bookstore-v2

+ namespace: bookstore

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: bookstore

+ version: v2

+ template:

+ metadata:

+ labels:

+ app: bookstore

+ version: v2

+ spec:

+ serviceAccountName: bookstore

+ nodeSelector:

+ kubernetes.io/arch: amd64

+ kubernetes.io/os: linux

+ containers:

+ - name: bookstore

+ image: openservicemesh/bookstore:latest-main

+ imagePullPolicy: Always

+ ports:

+ - containerPort: 14001

+ name: web

+ command: ["/bookstore"]

+ args: ["--port", "14001"]

+ env:

+ - name: BOOKWAREHOUSE_NAMESPACE

+ value: bookwarehouse

+ - name: IDENTITY

+ value: bookstore-v2

+##################################################################################################

+# bookwarehouse service

+##################################################################################################

+# Create bookwarehouse Service Account

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ name: bookwarehouse

+ namespace: bookwarehouse

+# Create bookwarehouse Service

+apiVersion: v1

+kind: Service

+metadata:

+ name: bookwarehouse

+ namespace: bookwarehouse

+ labels:

+ app: bookwarehouse

+spec:

+ ports:

+ - port: 14001

+ name: bookwarehouse-port

+ selector:

+ app: bookwarehouse

+# Create bookwarehouse Deployment

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: bookwarehouse

+ namespace: bookwarehouse

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: bookwarehouse

+ template:

+ metadata:

+ labels:

+ app: bookwarehouse

+ version: v1

+ spec:

+ serviceAccountName: bookwarehouse

+ nodeSelector:

+ kubernetes.io/arch: amd64

+ kubernetes.io/os: linux

+ containers:

+ - name: bookwarehouse

+ image: openservicemesh/bookwarehouse:latest-main

+ imagePullPolicy: Always

+ command: ["/bookwarehouse"]

+##################################################################################################

+# mysql service

+##################################################################################################

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ name: mysql

+ namespace: bookwarehouse

+apiVersion: v1

+kind: Service

+metadata:

+ name: mysqldb

+ labels:

+ app: mysqldb

+ service: mysqldb

+spec:

+ ports:

+ - port: 3306

+ name: tcp

+ selector:

+ app: mysqldb

+apiVersion: apps/v1

+kind: StatefulSet

+metadata:

+ name: mysql

+ namespace: bookwarehouse

+spec:

+ serviceName: mysql

+ replicas: 1

+ selector:

+ matchLabels:

+ app: mysql

+ template:

+ metadata:

+ labels:

+ app: mysql

+ spec:

+ serviceAccountName: mysql

+ nodeSelector:

+ kubernetes.io/os: linux

+ containers:

+ - image: mysql:5.6

+ name: mysql

+ env:

+ - name: MYSQL_ROOT_PASSWORD

+ value: mypassword

+ - name: MYSQL_DATABASE

+ value: booksdemo

+ ports:

+ - containerPort: 3306

+ name: mysql

+ volumeMounts:

+ - mountPath: /mysql-data

+ name: data

+ readinessProbe:

+ tcpSocket:

+ port: 3306

+ initialDelaySeconds: 15

+ periodSeconds: 10

+ volumes:

+ - name: data

+ emptyDir: {}

+ volumeClaimTemplates:

+ - metadata:

+ name: data

+ spec:

+ accessModes: [ "ReadWriteOnce" ]

+ resources:

+ requests:

+ storage: 250M

+EOF

+```

+To view these resources on your cluster, run the following commands:

+```bash

+kubectl get pods,deployments,serviceaccounts -n bookbuyer

+kubectl get pods,deployments,serviceaccounts -n bookthief

+kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookstore

+kubectl get pods,deployments,serviceaccounts,services,endpoints -n bookwarehouse

+```

+### View the Application UIs

+Similar to the original OSM walk-through, if you have the OSM repo cloned you can utilize the port forwarding scripts to view the UIs of each application [here](https://release-v1-2.docs.openservicemesh.io/docs/getting_started/install_apps/#view-the-application-uis). For now, we are only concerned to view the `bookbuyer` and `bookthief` UI.

+```bash

+cp .env.example .env

+bash <<EOF

+./scripts/port-forward-bookbuyer-ui.sh &

+./scripts/port-forward-bookthief-ui.sh &

+wait

+EOF

+```

+In a browser, open up the following urls:

+http://localhost:8080 - bookbuyer

+http://localhost:8083 - bookthief

+## Configure Istio's Traffic Policies

+To maintain continuity with the original OSM Bookstore walk-through for the translation to Istio, we discuss [OSM's Permissive Traffic Policy Mode](https://release-v1-2.docs.openservicemesh.io/docs/getting_started/traffic_policies/#permissive-traffic-policy-mode). OSM's permissive traffic policy mode was a concept of allowing or denying traffic in the mesh without any specific [SMI Traffic Access Control rule](https://github.com/servicemeshinterface/smi-spec/blob/main/apis/traffic-access/v1alpha3/traffic-access.md) deployed. The permissive traffic mode configuration existed to allow users to onboard applications into the mesh, while gaining mTLS encryption, without requiring explicit rules to allow applications in the mesh to communicate. The permissive traffic mode feature was to avoid breaking the communications of your application as soon as OSM managed it, and provide time to define your rules while ensuring that application communications was mTLS encrypted. This setting could be set to `true` or `false` via OSM's MeshConfig.

+Istio handles mTLS enforcement differently. Different from OSM, Istio's permissive mode automatically configures sidecar proxies to use mTLS but allow the service to accept both plaintext and mTLS traffic. The equivalent to OSM's permissive mode configuration is to utilize Istio's `PeerAuthentication` settings. `PeerAuthentication` can be done granularly at the namespace or for the entire mesh. For more information on Istio's enforcement of mTLS, read the [Istio Mutual TLS Migration article](https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/).

+### Enforce Istio Strict Mode on Bookstore Namespaces

+It is important to remember, just like OSM's permissive mode, Istio's `PeerAuthentication` configuration is only related to the use of mTLS enforcement. Actual layer-7 policies, much like those used in OSM's HTTPRouteGroups, is handled using Istio's AuthorizationPolicy configurations you see later in the walk-through.

+We granularly put the `bookbuyer`, `bookthief`, `bookstore`, and `bookwarehouse` namespaces in Istio's mTLS strict mode.

+```bash

+kubectl apply -f - <<EOF

+apiVersion: security.istio.io/v1beta1

+kind: PeerAuthentication

+metadata:

+ name: bookbuyer

+ namespace: bookbuyer

+spec:

+ mtls:

+ mode: STRICT

+apiVersion: security.istio.io/v1beta1

+kind: PeerAuthentication

+metadata:

+ name: bookthief

+ namespace: bookthief

+spec:

+ mtls:

+ mode: STRICT

+apiVersion: security.istio.io/v1beta1

+kind: PeerAuthentication

+metadata:

+ name: bookstore

+ namespace: bookstore

+spec:

+ mtls:

+ mode: STRICT

+apiVersion: security.istio.io/v1beta1

+kind: PeerAuthentication

+metadata:

+ name: bookwarehouse

+ namespace: bookwarehouse

+spec:

+ mtls:

+ mode: STRICT

+EOF

+```

+### Deploy Istio Access Control Policies

+Similar to OSM's [SMI Traffic Target](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-access/v1alpha2/traffic-access.md) and [SMI Traffic Specs](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md) resources to define access control and routing policies for the applications to communicate, Istio accomplishes these similar fine-grain controls by using `AuthorizationPolicy` configurations.

+Let's walk through translating the bookstore TrafficTarget policy, which specifically allows the `bookbuyer` to communicate to it, with only certain layer-7 path, headers, and methods. The following is a portion of the [traffic-access-v1.yaml](https://raw.githubusercontent.com/openservicemesh/osm-docs/release-v1.2/manifests/access/traffic-access-v1.yaml) manifest.

+```yml

+kind: TrafficTarget

+apiVersion: access.smi-spec.io/v1alpha3

+metadata:

+ name: bookstore

+ namespace: bookstore

+spec:

+ destination:

+ kind: ServiceAccount

+ name: bookstore

+ namespace: bookstore

+ rules:

+ - kind: HTTPRouteGroup

+ name: bookstore-service-routes

+ matches:

+ - buy-a-book

+ - books-bought

+ sources:

+ - kind: ServiceAccount

+ name: bookbuyer

+ namespace: bookbuyer

+apiVersion: specs.smi-spec.io/v1alpha4

+kind: HTTPRouteGroup

+metadata:

+ name: bookstore-service-routes

+ namespace: bookstore

+spec:

+ matches:

+ - name: books-bought

+ pathRegex: /books-bought

+ methods:

+ - GET

+ headers:

+ - "user-agent": ".*-http-client/*.*"

+ - "client-app": "bookbuyer"

+ - name: buy-a-book

+ pathRegex: ".*a-book.*new"

+ methods:

+ - GET

+```

+If you notice under the TrafficTarget policy, in the spec is where you can explicitly define what source service can communicate with a destination service. We can see that we are allowing the source `bookbuyer` to be authorized to communicate to the destination bookstore. If we translate the service-to-service authorization from an OSM `TrafficTarget` configuration to an Istio `AuthorizationPolicy`, it looks like this below:

+```yml

+apiVersion: security.istio.io/v1beta1

+kind: AuthorizationPolicy

+metadata:

+ name: bookstore

+ namespace: bookstore

+spec:

+ selector:

+ matchLabels:

+ app: bookstore

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookbuyer/sa/bookbuyer"]

+```

+In the Istio's `AuthorizationPolicy`, you notice how the OSM TrafficTarget policy destination service is mapped to the selector label match and the namespace the service resides in. The source service is shown under the rules section where there is a source/principles attribute that maps to the service account name for the `bookbuyer` service.

+In addition to just the source/destination configuration in the OSM TrafficTarget, OSM binds the use of a HTTPRouteGroup to further define the layer-7 authorization the source has access to. We can see in just the portion of the HTTPRouteGroup below. There are two `matches` for the allowed source service.

+```yml

+apiVersion: specs.smi-spec.io/v1alpha4

+kind: HTTPRouteGroup

+metadata:

+ name: bookstore-service-routes

+ namespace: bookstore

+spec:

+ matches:

+ - name: books-bought

+ pathRegex: /books-bought

+ methods:

+ - GET

+ headers:

+ - "user-agent": ".*-http-client/*.*"

+ - "client-app": "bookbuyer"

+ - name: buy-a-book

+ pathRegex: ".*a-book.*new"

+ methods:

+ - GET

+```

+There is a `match` named `books-bought` that allows the source to access path `/books-bought` using a `GET` method with host header user-agent and client-app information, and a `buy-a-book` match that uses a regex express for a path containing `.*a-book.*new` using a `GET` method.

+We can define these OSM HTTPRouteGroup configurations in the rules section of the Istio `AuthorizationPolicy` shown below:

+```yml

+apiVersion: "security.istio.io/v1beta1"

+kind: "AuthorizationPolicy"

+metadata:

+ name: "bookstore"

+ namespace: bookstore

+spec:

+ selector:

+ matchLabels:

+ app: bookstore

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookbuyer/sa/bookbuyer"]

+ - source:

+ namespaces: ["bookbuyer"]

+ to:

+ - operation:

+ methods: ["GET"]

+ paths: ["*/books-bought", "*/buy-a-book/new"]

+ - when:

+ - key: request.headers[User-Agent]

+ values: ["*-http-client/*"]

+ - key: request.headers[Client-App]

+ values: ["bookbuyer"]

+```

+We can now deploy the OSM migrated traffic-access-v1.yaml manifest as understood by Istio below. There is not an `AuthorizationPolicy` for the bookthief, so the bookthief UI should stop incrementing books from bookstore v1:

+```bash

+kubectl apply -f - <<EOF

+##################################################################################################

+# bookstore policy

+##################################################################################################

+apiVersion: "security.istio.io/v1beta1"

+kind: "AuthorizationPolicy"

+metadata:

+ name: "bookstore"

+ namespace: bookstore

+spec:

+ selector:

+ matchLabels:

+ app: bookstore

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookbuyer/sa/bookbuyer"]

+ - source:

+ namespaces: ["bookbuyer"]

+ to:

+ - operation:

+ methods: ["GET"]

+ paths: ["*/books-bought", "*/buy-a-book/new"]

+ - when:

+ - key: request.headers[User-Agent]

+ values: ["*-http-client/*"]

+ - key: request.headers[Client-App]

+ values: ["bookbuyer"]

+##################################################################################################

+# bookwarehouse policy

+##################################################################################################

+apiVersion: security.istio.io/v1beta1

+kind: AuthorizationPolicy

+metadata:

+ name: "bookwarehouse"

+ namespace: bookwarehouse

+spec:

+ selector:

+ matchLabels:

+ app: bookwarehouse

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookstore/sa/bookstore"]

+ - source:

+ namespaces: ["bookstore"]

+ to:

+ - operation:

+ methods: ["POST"]

+##################################################################################################

+# mysql policy

+##################################################################################################

+apiVersion: security.istio.io/v1beta1

+kind: AuthorizationPolicy

+metadata:

+ name: "mysql"

+ namespace: bookwarehouse

+spec:

+ selector:

+ matchLabels:

+ app: mysql

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookwarehouse/sa/bookwarehouse"]

+ - source:

+ namespaces: ["bookwarehouse"]

+ to:

+ - operation:

+ ports: ["3306"]

+EOF

+```

+### Allowing the Bookthief Application to access Bookstore

+Currently there is no `AuthorizationPolicy` that allows for the bookthief to communicate with bookstore. We can deploy the following `AuthorizationPolicy` to allow the bookthief to communicate to the bookstore. You notice the addition for the rule for the bookstore policy that allows the bookthief authorization.

+```bash

+kubectl apply -f - <<EOF

+##################################################################################################

+# bookstore policy

+##################################################################################################

+apiVersion: "security.istio.io/v1beta1"

+kind: "AuthorizationPolicy"

+metadata:

+ name: "bookstore"

+ namespace: bookstore

+spec:

+ selector:

+ matchLabels:

+ app: bookstore

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookbuyer/sa/bookbuyer", "cluster.local/ns/bookthief/sa/bookthief"]

+ - source:

+ namespaces: ["bookbuyer", "bookthief"]

+ to:

+ - operation:

+ methods: ["GET"]

+ paths: ["*/books-bought", "*/buy-a-book/new"]

+ - when:

+ - key: request.headers[User-Agent]

+ values: ["*-http-client/*"]

+ - key: request.headers[Client-App]

+ values: ["bookbuyer"]

+##################################################################################################

+# bookwarehouse policy

+##################################################################################################

+apiVersion: security.istio.io/v1beta1

+kind: AuthorizationPolicy

+metadata:

+ name: "bookwarehouse"

+ namespace: bookwarehouse

+spec:

+ selector:

+ matchLabels:

+ app: bookwarehouse

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookstore/sa/bookstore"]

+ - source:

+ namespaces: ["bookstore"]

+ to:

+ - operation:

+ methods: ["POST"]

+##################################################################################################

+# mysql policy

+##################################################################################################

+apiVersion: security.istio.io/v1beta1

+kind: AuthorizationPolicy

+metadata:

+ name: "mysql"

+ namespace: bookwarehouse

+spec:

+ selector:

+ matchLabels:

+ app: mysql

+ action: ALLOW

+ rules:

+ - from:

+ - source:

+ principals: ["cluster.local/ns/bookwarehouse/sa/bookwarehouse"]

+ - source:

+ namespaces: ["bookwarehouse"]

+ to:

+ - operation:

+ ports: ["3306"]

+EOF

+```

+The bookthief UI should now be incrementing books from bookstore v1.

+## Configure Traffic Shifting between two Service Versions

+To demonstrate how to balance traffic between two versions of a Kubernetes service, known as traffic shifting in Istio. As you recall in a previous section, OSM implementation of traffic shifting relied on two distinct services being deployed and adding those service names to the backend configuration of the `TrafficTarget` policy. This deployment architecture is not needed for how Istio implements traffic shifting. With Istio, we can create multiple deployments that represent each version of the service application and shift traffic to those specific versions via the Istio `virtualservice` configuration.

+The currently deployed `virtualservice` only has a route rule to the v1 version of the bookstore shown below:

+```yml

+spec:

+ hosts:

+ - bookstore

+ http:

+ - route:

+ - destination:

+ host: bookstore

+ subset: v1

+```

+We update the `virtualservice` to shift 100% of the weight to the v2 version of the bookstore.

+```bash

+kubectl apply -f - <<EOF

+# Create bookstore virtual service

+apiVersion: networking.istio.io/v1alpha3

+kind: VirtualService

+metadata:

+ name: bookstore-virtualservice

+ namespace: bookstore

+spec:

+ hosts:

+ - bookstore

+ http:

+ - route:

+ - destination:

+ host: bookstore

+ subset: v1

+ weight: 0

+ - destination:

+ host: bookstore

+ subset: v2

+ weight: 100

+EOF

+```

+You should now see both the `bookbuyer` and `bookthief` UI incrementing for the `bookstore` v2 service only. You can continue to experiment by changing the `weigth` attribute to shift traffic between the two `bookstore` versions.

+## Summary

+We hope this walk-through provided the necessary guidance on how to migrate your current OSM policies to Istio policies. Take time and review the [Istio Concepts](https://istio.io/latest/docs/concepts/) and walking through [Istio's own Getting Started guide](https://istio.io/latest/docs/setup/getting-started/) to learn how to use the Istio service mesh to manage your applications.

+In this quickstart, you get familiar with using the [Dapr cluster extension][dapr-overview] in an AKS or Arc-enabled Kubernetes cluster. You are deploying a hello world example, consisting of a Python application that generates messages and a Node application that consumes and persists them.

+* An AKS or Arc-enabled Kubernetes cluster with the [Dapr cluster extension][dapr-overview] enabled.

+To obtain the files you are using to deploy the sample application, clone the [Quickstarts repository][hello-world-gh] and change to the `hello-kubernetes` directory:

+cd quickstarts/tutorials/hello-kubernetes/

+Dapr can use many different state stores such as, Redis, Azure Cosmos DB, DynamoDB, and Cassandra to persist and retrieve state. For this example, we use Redis.

+1. Open the [Azure portal][azure-portal-cache] to start the Azure Cache for Redis creation flow.

+2. Fill out the necessary information.

+3. Click **Create** to kickoff deployment of your Redis instance.

+4. Take note of the hostname of your Redis instance, which you can retrieve from the **Overview** section in Azure. The hostname might be similar to the following example: `xxxxxx.redis.cache.windows.net:6380`.

+5. Once your instance is created, youΓÇÖll need to grab your access key. Navigate to **Access keys** under **Settings** and create a Kubernetes secret to store your Redis password:

+Once your store is created, you'll need to add the keys to the redis.yaml file in the deploy directory of the Hello World repository. Replace the `redisHost` value with your own Redis master address, and the `redisPassword` with your own Secret. You can learn more [here][dapr-component-secrets].

+This deploys the Node.js app to Kubernetes. The Dapr control plane will automatically inject the Dapr sidecar to the Pod. If you take a look at the `node.yaml` file, you see how Dapr is enabled for that deployment:

+> This is a good time to get acquainted with the Dapr dashboard, a convenient interface to check status, information, and logs of applications running on Dapr. To access the dashboard at `http://localhost:8080/`, run the following command:

+This example is a basic Python app that posts JSON messages to `localhost:3500`, which is the default listening port for Dapr. You can invoke the Node.js application's `neworder` endpoint by posting to `v1.0/invoke/nodeapp/method/neworder`. The message contains some data with an `orderId` that increments once per second:

+> As with the previous command, the following command will wait for the deployment to complete:

+[hello-world-gh]: https://github.com/dapr/quickstarts/tree/master/tutorials/hello-kubernetes

+> [!NOTE]

+> The ACR name that you choose must be unique across the `azurecr.io` domain. If you specify an existing ACR name, an error is returned and the ACR is not created.

+NAME STATUS ROLES AGE VERSION

+aks-nodepool1-19366578-vmss000002 Ready agent 47h v1.25.6

+aks-nodepool1-19366578-vmss000003 Ready agent 47h v1.25.6

+When completed, use the [`docker images`][docker-images] command to see the created images. Two images are downloaded or created. The *azure-vote-front* image contains the front-end application. The *redis* image is used to start a Redis instance.

+REPOSITORY TAG IMAGE ID CREATED SIZE

+mcr.microsoft.com/oss/bitnami/redis 6.0.8 3a54a920bb6c 2 years ago 103MB

+mcr.microsoft.com/azuredocs/azure-vote-front v1 4d4d08c25677 5 years ago 935MB

+> The AKS API will mark the pod security policy as `Deprecated` on 06-01-2023 and remove it in version *1.25*. We recommend you migrate to [pod security admission controller](use-psa.md) before the deprecation deadline to stay within Azure support.

+| **Configuration API (v2)** | Default is: `<apim-service-name>.configuration.azure-api.net` |

+1. On the "Overview" screen, make note of the **Tenant ID**, as well as the **Primary domain**.

+ The **authentication endpoint** for a workforce tenant should be a [value specific to the cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://login.microsoftonline.com" as its authentication endpoint. Make note of the authentication endpoint value, as it is needed to construct the right **Issuer URL**.

+ The **authentication endpoint** for a customer tenant should be `https://<tenant-subdomain>.ciamlogin.com`, replacing *\<tenant-subdomain>* with the default subdomain for the tenant. The default subdomain is part of the **primary domain** for the tenant, which should be of the form `<tenant-subdomain>.onmicrosoft.com` and was set during tenant creation. For example, if the tenant had the domain "contoso.onmicrosoft.com", the tenant subdomain would be "contoso", and the authentication endpoint would be "https://contoso.ciamlogin.com". Make note of the authentication endpoint value, as it is needed to construct the right **Issuer URL**.

+ |Issuer URL| Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the **authentication endpoint** you determined in the previous step for your tenant type and cloud environment, also replacing *\<tenant-id>* with the **Directory (tenant) ID** in which the app registration was created. For applications that use Azure AD v1, omit `/v2.0` in the URL. <br/><br/> This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. Any configuration other than a tenant-specific endpoint will be treated as multi-tenant. In multi-tenant configurations, no validation of the issuer or tenant ID is performed by the system, and these checks should be fully handled in [your app's authorization logic](#authorize-requests).|

+ |Allowed Token Audiences| This field is optional. The configured **Application (client) ID** is *always* implicitly considered to be an allowed audience. If your application represents an API that will be called by other clients, you should also add the **Application ID URI** that you configured on the app registration. There is a limit of 500 characters total across the list of allowed audiences.|

+Maintenance operations are optimized to start outside standard business hours (9-5pm) as statistically that is a better timing for any interruptions and restarts of workloads as there is a less stress on the system (in customer applications and transitively also on the platform itself). For App Service Plan and App Service Environment v2, maintenance can continue into business hours during longer maintenance events.

+1. Run the `azd init` command to initialize the `azd` app template. Include the `--template` parameter to specify the name of an existing `azd` template you wish to use. More information about working with templates is available on the [choose an `azd` template](/azure/developer/azure-developer-cli/azd-templates) page.

+ For this tutorial, Flask users should specify the [Python (Flask) web app with PostgresSQL](https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app.git) template.

+ azd init --template msdocs-flask-postgresql-sample-app

+ For this tutorial, Django users should specify the [Python (Django) web app with PostgresSQL](https://github.com/Azure-Samples/msdocs-django-postgresql-sample-app.git) template.

+ ```bash

+ azd init --template msdocs-django-postgresql-sample-app

+ ```

+1. Run the `azd auth login` command to sign-in to Azure.

+ ```bash

+ azd auth login

+ ```

+1. Run the `azd up` command to provision the necessary Azure resources and deploy the app code. The `azd up` command will also prompt you to select the desired subscription and location to deploy to.

+ azd up

+The `azd init` command cloned the sample app project template to your machine. The project template includes the following components:

+[  ](./media/application-gateway-backend-health-troubleshooting/appgwunhealthy.png#lightbox)

+### Common Name (CN) doesn't match

+**Message:**

+(For V2) The Common Name of the leaf certificate presented by the backend server does not match the Probe or Backend Setting hostname of the application gateway.</br>

+(For V1) The Common Name (CN) of the backend certificate doesnΓÇÖt match.

+**Cause:**

+(For V2) This occurs when you have selected HTTPS protocol in the backend setting, and neither the Custom ProbeΓÇÖs nor Backend SettingΓÇÖs hostname (in that order) matches the Common Name (CN) of the backend serverΓÇÖs certificate.</br>

+(For V1) The FQDN of the backend pool target doesnΓÇÖt match the Common Name (CN) of the backend serverΓÇÖs certificate.

+**Solution:** The hostname information is critical for backend HTTPS connection since that value is used to set the Server Name Indication (SNI) during TLS handshake. You can fix this problem in the following ways based on your gatewayΓÇÖs configuration.

+For V2,

+* If youΓÇÖre using a Default Probe ΓÇô You can specify a hostname in the associated Backend setting of your application gateway. You can select ΓÇ£Override with specific hostnameΓÇ¥ or ΓÇ£Pick hostname from backend targetΓÇ¥ in the backend setting.

+* If youΓÇÖre using a Custom Probe ΓÇô For Custom Probe, you can use the ΓÇ£hostΓÇ¥ field to specify the Common Name of the backend server certificate. Alternatively, if the Backend Setting is already configured with the same hostname, you can choose ΓÇ£Pick hostname from backend settingΓÇ¥ in the probe settings.

+For V1, verify the backend pool target's FQDN is same the Common Name (CN).

+**Tips:** To determine the Common Name (CN) of the backend server(s)ΓÇÖ certificate, you can use any of these methods.

+* By using browser or any client:

+Access the backend server directly (not through Application Gateway) and click on the certificate padlock in the address bar to view the certificate details. You will find it under the ΓÇ£Issued ToΓÇ¥ section.

+[  ](./media/application-gateway-backend-health-troubleshooting/browser-cert.png#lightbox)

+* By logging into the backend server (Windows):

+ 1. Sign into the machine where your application is hosted.

+ 2. Select Win+R or right-click the Start button and select Run.

+ 3. Enter certlm.msc and select Enter. You can also search for Certificate Manager on the Start menu.

+ 4. Locate the certificate (typically in Certificates - Local Computer\Personal\Certificates), and open the certificate.

+ 5. On the Details tab, check the certificate Subject.

+* By logging to the backend server (Linux):

+Run this OpenSSL command by specifying the right certificate filename ` openssl x509 -in certificate.crt -subject -noout`

+### Backend certificate has expired

+**Message:** Backend certificate is invalid. Current date is not within the "Valid from" and "Valid to" date range on the certificate.

+**Cause:** An expired certificate is deemed unsafe and hence the application gateway marks the backend server with an expired certificate as unhealthy.

+**Solution:** The solution depends on which part of the certificate chain has expired on the backend server.

+For V2 SKU,

+* Expired Leaf (also known as Domain or Server) certificate ΓÇô Renew the server certificate with certificate provider and install the new certificate on the backend server. Ensure that you have installed the complete certificate chain comprising of `Leaf (topmost) > Intermediate(s) > Root`. Based on the type of Certificate Authority (CA), you may take the following actions on your gateway.

+ * Publicly known CA: If the certificate issuer is a well-known CA, you need not take any action on the application gateway.

+ * Private CA: If the leaf certificate is issued by a private CA, you need to check if the signing Root CA certificate has changed. In such cases, you must upload the new Root CA certificate (.CER) to the associated Backend setting of your gateway.

+* Expired Intermediate or Root certificate ΓÇô Typically, these certificates have relatively extended validity periods (a decade or two). When Root/Intermediate certificate expires, we recommend you check with your certificate provider for the renewed certificate files. Ensure you have installed this updated and complete certificate chain comprising `Leaf (topmost) > Intermediate(s) > Root` on the backend server.

+ * If the Root certificate remains unchanged or if the issuer is a well-known CA, you need NOT take any action on the application gateway.

+ * When using a Private CA, if the Root CA certificate itself or the root of the renewed Intermediate certificate has changed, you must upload the new Root certificate to the application gatewayΓÇÖs Backend Setting.

+For V1 SKU,

+* Renew the expired Leaf (also known as Domain or Server) certificate with your CA and upload the same leaf certificate (.CER) to the associated Backend setting of your application gateway.

+### The intermediate certificate was not found

+**Message:** The **Intermediate certificate is missing** from the certificate chain presented by the backend server. Ensure the certificate chain is complete and correctly ordered on the backend server.

+**Cause:** The intermediate certificate(s) is not installed in the certificate chain on the backend server.

+**Solution:** An Intermediate certificate is used to sign the Leaf certificate and is thus needed to complete the chain. Check with your Certificate Authority (CA) for the necessary Intermediate certificate(s) and install them on your backend server. This chain must start with the Leaf Certificate, then the Intermediate certificate(s), and finally, the Root CA certificate. We recommend installing the complete chain on the backend server, including the Root CA certificate. For reference, look at the certificate chain example under [Leaf must be topmost in chain](application-gateway-backend-health-troubleshooting.md#leaf-must-be-topmost-in-chain).

+> [!NOTE]

+> A self-signed certificate which is NOT a Certificate Authority will also result in the same error. This is because application gateway considers such self-signed certificate as "Leaf" certificate and looks for its signing Intermediate certificate. You can follow this article to correctly [generate a self-signed certificate](./self-signed-certificates.md).

+These images show the difference between the self-signed certificates.

+[  ](./media/application-gateway-backend-health-troubleshooting/self-signed-types.png#lightbox)

+### The leaf or server certificate was not found

+**Message:** The **Leaf certificate is missing** from the certificate chain presented by the backend server. Ensure the chain is complete and correctly ordered on the backend server.

+**Cause:** The Leaf (also known as Domain or Server) certificate is missing from the certificate chain on the backend server.

+**Solution:** You can get the leaf certificate from your Certificate Authority (CA). Install this leaf certificate and all its signing certificates (Intermediate and Root CA certificates) on the backend server. This chain must start with the Leaf Certificate, then the Intermediate certificate(s), and finally, the Root CA certificate. We recommend installing the complete chain on the backend server, including the Root CA certificate. For reference, look at the certificate chain example under [Leaf must be topmost in chain](application-gateway-backend-health-troubleshooting.md#leaf-must-be-topmost-in-chain).

+### Server certificate is not issued by a publicly known CA

+**Message:** The backend **Server certificate** is not signed by a well-known Certificate Authority (CA). To use unknown CA certificates, its Root certificate must be uploaded to the Backend Setting of the application gateway.

+**Cause:** You have chosen ΓÇ£well-known CA certificateΓÇ¥ in the backend setting, but the Root certificate presented by the backend server is not publicly known.

+**Solution:** When a Leaf certificate is issued by a private Certificate Authority (CA), the signing Root CAΓÇÖs certificate must be uploaded to the application gatewayΓÇÖs associated Backend Setting. This enables your application gateway to establish a trusted connection with that backend server. To fix this, go to the associated backend setting, choose ΓÇ£not a well-known CAΓÇ¥ and upload the Root CA certificate (.CER). To identify and download the root certificate, you can follow the same steps as described under [Trusted root certificate mismatch](application-gateway-backend-health-troubleshooting.md#trusted-root-certificate-mismatch-root-certificate-is-available-on-the-backend-server).

+### The Intermediate certificate is NOT signed by a publicly known CA.

+**Message:** The **Intermediate certificate** is not signed by a well-known Certificate Authority (CA). Ensure the certificate chain is complete and correctly ordered on the backend server.

+**Cause:** You have chosen ΓÇ£well-known CA certificateΓÇ¥ in the backend setting, but the Intermediate certificate presented by the backend server is not signed by any publicly known CA.

+**Solution:** When a certificate is issued by a private Certificate Authority (CA), the signing Root CAΓÇÖs certificate must be uploaded to the application gatewayΓÇÖs associated Backend Setting. This enables your application gateway to establish a trusted connection with that backend server. To fix this, contact your private CA to get the appropriate Root CA certificate (.CER) and upload that CER file to the Backend Setting of your application gateway by selecting ΓÇ£not a well-known CAΓÇ¥. We also recommend installing the complete chain on the backend server, including the Root CA certificate, for easy verification.

+### Trusted root certificate mismatch (no Root certificate on the backend server)

+**Message:** The Intermediate certificate not signed by any Root certificates uploaded to the application gateway. Ensure the certificate chain is complete and correctly ordered on the backend server.

+**Cause:** None of the Root CA certificates uploaded to the associated Backend Setting have signed the Intermediate certificate installed on the backend server. The backend server has only Leaf and Intermediate certificates installed.

+**Solution:** A Leaf certificate is signed by an Intermediate certificate, which is signed by a Root CA certificate. When using a certificate from Private Certificate Authority (CA), you must upload the corresponding Root CA certificate to the application gateway. Contact your private CA to get the appropriate Root CA certificate (.CER) and upload that CER file to the Backend setting of your application gateway.

+### Trusted root certificate mismatch (Root certificate is available on the backend server)

+**Message:** The root certificate of the server certificate used by the backend doesn't match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to allowlist the backend.

+**Cause:** This error occurs when none of the Root certificates uploaded to your application gatewayΓÇÖs backend setting matches the Root certificate present on the backend server.

+**Solution:** This applies to a backend server certificate issued by a Private Certificate Authority (CA) or is a self-signed one. Identify and upload the right Root CA certificate to the associated backend setting.

+**Tips:** To identify and download the root certificate, you can use any of these methods.

+* Using a browser: Access the backend server directly (not through Application Gateway) and click on the certificate padlock in the address bar to view the certificate details.

+ 1. Choose the root certificate in the chain and click on Export. By default, this will be a .CRT file.

+ 2. Open that .CRT file.

+ 3. Go to the Details tab and click on ΓÇ£Copy to FileΓÇ¥,

+ 4. On Certificate Export Wizard page, click Next,

+ 5. Select ΓÇ£Base-64 encoded X.509 (.CER) and click Next,

+ 6. Give a new file name and click Next,

+ 7. Click Finish to get a .CER file.

+ 8. Upload this Root certificate (.CER) of your private CA to the application gatewayΓÇÖs backend setting.

+* By logging into the backend server (Windows)

+ 1. Sign into the machine where your application is hosted.

+ 2. Select Win+R or right-click the Start button, and then select Run.

+ 3. Enter certlm.msc and select Enter. You can also search for Certificate Manager on the Start menu.

+ 4. Locate the certificate, typically in Certificates - Local Computer\Personal\Certificates, and open it.

+ 5. Select the root certificate and then select View Certificate.

+ 6. In the Certificate properties, select the Details tab and click ΓÇ£Copy to FileΓÇ¥,

+ 7. On Certificate Export Wizard page, click Next,

+ 8. Select ΓÇ£Base-64 encoded X.509 (.CER) and click Next,

+ 9. Give a new file name and click Next,

+ 10. Click Finish to get a .CER file.

+ 11. Upload this Root certificate (.CER) of your private CA to the application gatewayΓÇÖs backend setting.

+### Leaf must be topmost in chain.

+**Message:** The Leaf certificate is not the topmost certificate in the chain presented by the backend server. Ensure the certificate chain is correctly ordered on the backend server.

+**Cause:** The Leaf (also known as Domain or Server) certificate is not installed in the correct order on the backend server.

+**Solution:** The certificate installation on the backend server must include an ordered list of certificates comprising the leaf certificate and all its signing certificates (Intermediate and Root CA certificates). This chain must start with the leaf certificate, then the Intermediate certificate(s), and finally, the Root CA certificate. We recommend installing the complete chain on the backend server, including the Root CA certificate.

+Given is an example of a Server certificate installation along with its Intermediate and Root CA certificates, denoted as depths (0, 1, 2, and so on) in OpenSSL. You can verify the same for your backend serverΓÇÖs certificate using the following OpenSSL commands.</br>

+`s_client -connect <FQDN>:443 -showcerts`</br>

+OR </br>

+`s_client -connect <IPaddress>:443 -servername <TLS SNI hostname> -showcerts`

+[  ](./media/application-gateway-backend-health-troubleshooting/cert-chain.png#lightbox)

+> If you receive an error message for the backend server certificate, verify that the frontend certificate Common Name (CN) matches the backend certificate CN. For more information, see [Trusted root certificate mismatch](./application-gateway-backend-health-troubleshooting.md#trusted-root-certificate-mismatch-root-certificate-is-available-on-the-backend-server)

+> [Manage web traffic with an application gateway using the Azure CLI](./tutorial-manage-web-traffic-cli.md)

+>[!Note]

+>If the virtual network Application Gateway is deployed into doesn't reside in the same resource group as the AKS nodes, please ensure the identity used by AGIC has _Network Contributor_ role assigned to the subnet the Application Gateway is deployed into.

+If you have errors with the backend certificate common name (CN), see our [troubleshooting guide](./application-gateway-backend-health-troubleshooting.md#common-name-cn-doesnt-match).

+ In this article, learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.

+To get started, you need:

+* A **standard performance** [Azure Blob Storage account](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You need to create containers to store and organize your blob data within your storage account. If you don't know how to create an Azure storage account with a storage container, follow these quickstarts:

+1. The **Upload blob** window appears. Select your files to upload.

+ * Consider setting a longer duration period for the time you're using your storage account for Form Recognizer Service operations.

+ * The value of the expiry time is determined by whether you're using an **Account key** or **User delegation key** **Signing method**:

+ * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).

+ * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Azure AD credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).

+1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. For more information,*see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range).

+* You need the [**Azure Storage Explorer**](../../vs-azure-tools-storage-manage-with-storage-explorer.md) app installed in your Windows, macOS, or Linux development environment.

+1. A new window appears with the **Container** name, **SAS URL**, and **Query string** for your container.

+The SAS URL includes a special set of [query parameters](/rest/api/storageservices/create-user-delegation-sas#assign-permissions-with-rbac). Those parameters indicate how the client accesses the resources.

+### Prerequisite

+- You must [create the Data collection rule](#create-data-collection-rule).

+### Enable Change tracking

+1. In the **Policy** page, under **Authoring**, select **Definitions**

+1. In **Policy | Definitions** page, under the **Definition Type** category, select **Initiative** and in **Category**, select **Change Tracking and Inventory**. You'll see a list of three policies:

+ #### [Arc-enabled virtual machines](#tab/arcvm)

+ - Select *Enable Change Tracking and Inventory for Arc-enabled virtual machines*.

+

+ :::image type="content" source="media/enable-vms-monitoring-agent/enable-for-arc-virtual-machine-manager-inline.png" alt-text="Screenshot showing the selection of Arc-enabled virtual machines." lightbox="media/enable-vms-monitoring-agent/enable-for-arc-virtual-machine-manager-expanded.png":::

+ #### [Virtual machines Scale Sets](#tab/vmss)

+ - Select *Enable Change Tracking and inventory for Virtual Machine Scale Sets*.

+

+ :::image type="content" source="media/enable-vms-monitoring-agent/enable-for-virtual-machine-scale-set-inline.png" alt-text="Screenshot showing the selection of virtual machines scale sets." lightbox="media/enable-vms-monitoring-agent/enable-for-virtual-machine-scale-set-expanded.png":::

+ #### [Virtual machines](#tab/vm)

+ - Select *Enable Change Tracking and inventory for virtual machines*.

+

+ :::image type="content" source="media/enable-vms-monitoring-agent/enable-for-vm-inline.png" alt-text="Screenshot showing the selection of virtual machines." lightbox="media/enable-vms-monitoring-agent/enable-for-vm-expanded.png":::

+

+

+1. Select *Enable Change Tracking and Inventory for virtual machines* to enable the change tracking on Azure virtual machines.

+ - Configure ChangeTracking Extension for Linux virtual machines

+ :::image type="content" source="media/enable-vms-monitoring-agent/enable-change-tracking-virtual-machines-inline.png" alt-text="Screenshot showing the selection of three policies." lightbox="media/enable-vms-monitoring-agent/enable-change-tracking-virtual-machines-expanded.png":::

+1. Select **Assign** to assign the policy to a resource group. For example, *Assign Built in User-Assigned Managed identity to virtual machines*.

+ > [!NOTE]

+ > The Resource group contains virtual machines and when you assign the policy, it will enable change tracking at scale to a resource group. The virtual machines that are on-boarded to the same resource group will automatically have the change tracking feature enabled.

+1. In the **Enable Change Tracking and Inventory for virtual machines** page, enter the following options:

+description: Retrieve old key-values using point-in-time revisions in Azure App Configuration, which maintains a record of changes to key-values.

+# Point-in-time key-values

+## Post failover operations

+Once you perform a failover from primary site to secondary site, either with or without data loss, you may need to do the following:

+- Update the connection string for your applications to connect to the newly promoted primary Arc SQL managed instance

+- If you plan to continue running the production workload off of the secondary site, update the `--license-type` to either `BasePrice` or `LicenseIncluded` to initiate billing for the vCores consumed.

+[Overview: Azure Arc-enabled SQL Managed Instance business continuity](managed-instance-business-continuity-overview.md)

+This setting is required for Consumption plan apps on Windows and for Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.

+zone_pivot_groups: functions-task-versions

+YAML pipelines are defined using a YAML file in your repository. A step is the smallest building block of a pipeline and can be a script or task (prepackaged script). [Learn about the key concepts and components that make up a pipeline](/azure/devops/pipelines/get-started/key-pipelines-concepts).

+You'll use the AzureFunctionApp task to deploy to Azure Functions. There are now two versions of the AzureFunctionApp task ([AzureFunctionApp@1](/azure/devops/pipelines/tasks/reference/azure-function-app-v1), [AzureFunctionApp@2](/azure/devops/pipelines/tasks/reference/azure-function-app-v2)). AzureFunctionApp@2 includes enhanced validation support that makes pipelines less likely to fail because of errors.

+Choose your task version at the top of the article. YAML pipelines aren't available for Azure DevOps 2019 and earlier.

+* A function app with its code in a GitHub repository. If you don't yet have an Azure Functions code project, you can create one by completing the following language-specific article:

+ # [C\#](#tab/csharp)

+ [Quickstart: Create a C# function in Azure using Visual Studio Code](create-first-function-vs-code-csharp.md)

+ # [JavaScript](#tab/javascript)

+ [Quickstart: Create a JavaScript function in Azure using Visual Studio Code](create-first-function-vs-code-node.md)

+ # [Python](#tab/python)

+ [Quickstart: Create a function in Azure with Python using Visual Studio Code](create-first-function-vs-code-python.md)

+ # [PowerShell](#tab/powershell)

+ [Quickstart: Create a PowerShell function in Azure using Visual Studio Code](create-first-function-vs-code-powershell.md)

+

+## Build your app

+# [YAML](#tab/yaml)

+1. Sign in to your Azure DevOps organization and navigate to your project.

+1. In your project, navigate to the **Pipelines** page. Then choose the action to create a new pipeline.

+1. Walk through the steps of the wizard by first selecting **GitHub** as the location of your source code.

+1. You might be redirected to GitHub to sign in. If so, enter your GitHub credentials.

+1. When the list of repositories appears, select your sample app repository.

+1. Azure Pipelines will analyze your repository and recommend a template. Select **Save and run**, then select **Commit directly to the main branch**, and then choose **Save and run** again.

+1. A new run is started. Wait for the run to finish.

+# [Classic](#tab/classic)

+To get started:

+How you build your app in Azure Pipelines depends on your app's programming language. Each language has specific build steps that create a deployment artifact. A deployment artifact is used to update your function app in Azure.

+To use built-in build templates, when you create a new build pipeline, select **Use the classic editor** to create a pipeline by using designer templates.

+

+After you configure the source of your code, search for Azure Functions build templates. Select the template that matches your app language.

+

+In some cases, build artifacts have a specific folder structure. You might need to select the **Prepend root folder name to archive paths** check box.

+

+### Example YAML build pipelines

+The following language-specific pipelines can be used for building apps.

+# [C\#](#tab/csharp)

+You can use the following sample to create a YAML file to build a .NET app.

+If you see errors when building your app, verify that the version of .NET that you use matches your Azure Functions version. For more information, see [Azure Functions runtime versions overview](functions-versions.md).

+```yaml

+pool:

+ vmImage: 'windows-latest'

+steps:

+- script: |

+ dotnet restore

+ dotnet build --configuration Release

+- task: DotNetCoreCLI@2

+ inputs:

+ command: publish

+ arguments: '--configuration Release --output publish_output'

+ projects: '*.csproj'

+ publishWebProjects: false

+ modifyOutputPath: false

+ zipAfterPublish: false

+- task: ArchiveFiles@2

+ displayName: "Archive files"

+ inputs:

+ rootFolderOrFile: "$(System.DefaultWorkingDirectory)/publish_output"

+ includeRootFolder: false

+ archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"

+- task: PublishBuildArtifacts@1

+ inputs:

+ PathtoPublish: '$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip'

+ artifactName: 'drop'

+```

+# [JavaScript](#tab/javascript)

+You can use the following sample to create a YAML file to build a JavaScript app:

+```yaml

+pool:

+ vmImage: ubuntu-latest # Use 'windows-latest' if you have Windows native +Node modules

+steps:

+- bash: |

+ if [ -f extensions.csproj ]

+ then

+ dotnet build extensions.csproj --output ./bin

+ fi

+ npm install

+ npm run build --if-present

+ npm prune --production

+- task: ArchiveFiles@2

+ displayName: "Archive files"

+ inputs:

+ rootFolderOrFile: "$(System.DefaultWorkingDirectory)"

+ includeRootFolder: false

+ archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"

+- task: PublishBuildArtifacts@1

+ inputs:

+ PathtoPublish: '$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip'

+ artifactName: 'drop'

+```

+# [Python](#tab/python)

+Use one of the following samples to create a YAML file to build an app for a specific Python version. Python is only supported for function apps running on Linux.

+**Version 3.7**

+```yaml

+pool:

+ vmImage: ubuntu-latest

+steps:

+- task: UsePythonVersion@0

+ displayName: "Setting Python version to 3.7 as required by functions"

+ inputs:

+ versionSpec: '3.7'

+ architecture: 'x64'

+- bash: |

+ if [ -f extensions.csproj ]

+ then

+ dotnet build extensions.csproj --output ./bin

+ fi

+ pip install --target="./.python_packages/lib/site-packages" -r ./requirements.txt

+- task: ArchiveFiles@2

+ displayName: "Archive files"

+ inputs:

+ rootFolderOrFile: "$(System.DefaultWorkingDirectory)"

+ includeRootFolder: false

+ archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"

+- task: PublishBuildArtifacts@1

+ inputs:

+ PathtoPublish: '$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip'

+ artifactName: 'drop'

+**Version 3.6**

+```yaml

+pool:

+ vmImage: ubuntu-latest

+steps:

+- task: UsePythonVersion@0

+ displayName: "Setting Python version to 3.6 as required by functions"

+ inputs:

+ versionSpec: '3.6'

+ architecture: 'x64'

+- bash: |

+ if [ -f extensions.csproj ]

+ then

+ dotnet build extensions.csproj --output ./bin

+ fi

+ pip install --target="./.python_packages/lib/python3.6/site-packages" -r ./requirements.txt

+- task: ArchiveFiles@2

+ displayName: "Archive files"

+ inputs:

+ rootFolderOrFile: "$(System.DefaultWorkingDirectory)"

+ includeRootFolder: false

+ archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"

+- task: PublishBuildArtifacts@1

+ inputs:

+ PathtoPublish: '$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip'

+ artifactName: 'drop'

+# [PowerShell](#tab/powershell)

+You can use the following sample to create a YAML file to package a PowerShell app. PowerShell is supported only for Windows Azure Functions.

+```yaml

+pool:

+ vmImage: 'windows-latest'

+steps:

+- task: ArchiveFiles@2

+ displayName: "Archive files"

+ inputs:

+ rootFolderOrFile: "$(System.DefaultWorkingDirectory)"

+ includeRootFolder: false

+ archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"

+- task: PublishBuildArtifacts@1

+ inputs:

+ PathtoPublish: '$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip'

+ artifactName: 'drop'

+## Deploy your app

+You'll deploy with the [Azure Function App Deploy](/azure/devops/pipelines/tasks/deploy/azure-function-app) task. This task requires an [Azure service connection](/azure/devops/pipelines/library/service-endpoints) as an input. An Azure service connection stores the credentials to connect from Azure Pipelines to Azure.

+# [YAML](#tab/yaml)

+To deploy to Azure Functions, add the following snippet at the end of your `azure-pipelines.yml` file. The default `appType` is Windows. You can specify Linux by setting the `appType` to `functionAppLinux`.

+```yaml

+trigger:

+- main

+variables:

+ # Azure service connection established during pipeline creation

+ azureSubscription: <Name of your Azure subscription>

+ appName: <Name of the function app>

+ # Agent VM image name

+ vmImageName: 'ubuntu-latest'

+- task: AzureFunctionApp@1 # Add this at the end of your file

+ inputs:

+ azureSubscription: <Azure service connection>

+ appType: functionAppLinux # default is functionApp

+ appName: $(appName)

+ package: $(System.ArtifactsDirectory)/**/*.zip

+ #Uncomment the next lines to deploy to a deployment slot

+ #Note that deployment slots is not supported for Linux Dynamic SKU

+ #deployToSlotOrASE: true

+ #resourceGroupName: '<Resource Group Name>'

+ #slotName: '<Slot name>'

+The snippet assumes that the build steps in your YAML file produce the zip archive in the `$(System.ArtifactsDirectory)` folder on your agent.

+# [Classic](#tab/classic)

+You'll need to create a separate release pipeline to deploy to Azure Functions. When you create a new release pipeline, search for the Azure Functions release template.

+

+## Deploy a container

+You can automatically deploy your code to Azure Functions as a custom container after every successful build. To learn more about containers, see [Create a function on Linux using a custom container](functions-create-function-linux-custom-image.md).

+### Deploy with the Azure Function App for Container task

+# [YAML](#tab/yaml/)

+The simplest way to deploy to a container is to use the [Azure Function App on Container Deploy task](/azure/devops/pipelines/tasks/deploy/azure-rm-functionapp-containers).

+To deploy, add the following snippet at the end of your YAML file:

+```yaml

+trigger:

+- main

+variables:

+ # Container registry service connection established during pipeline creation

+ dockerRegistryServiceConnection: <Docker registry service connection>

+ imageRepository: <Name of your image repository>

+ containerRegistry: <Name of the Azure container registry>

+ dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'

+ tag: '$(Build.BuildId)'

+

+ # Agent VM image name

+ vmImageName: 'ubuntu-latest'

+- task: AzureFunctionAppContainer@1 # Add this at the end of your file

+ inputs:

+ azureSubscription: '<Azure service connection>'

+ appName: '<Name of the function app>'

+ imageName: $(containerRegistry)/$(imageRepository):$(tag)

+The snippet pushes the Docker image to your Azure Container Registry. The **Azure Function App on Container Deploy** task pulls the appropriate Docker image corresponding to the `BuildId` from the repository specified, and then deploys the image.

+# [Classic](#tab/classic/)

+The best way to deploy your function app as a container is to use the [Azure Function App on Container Deploy task](/azure/devops/pipelines/tasks/deploy/azure-rm-functionapp-containers) in your release pipeline.

+How you deploy your app depends on your app's programming language. Each language has a template with specific deploy steps. If you can't find a template for your language, select the generic **Azure App Service Deployment** template.

+## Deploy to a slot

+# [YAML](#tab/yaml)

+You can configure your function app to have multiple slots. Slots allow you to safely deploy your app and test it before making it available to your customers.

+The following YAML snippet shows how to deploy to a staging slot, and then swap to a production slot:

+```yaml

+- task: AzureFunctionApp@1

+ inputs:

+ azureSubscription: <Azure service connection>

+ appType: functionAppLinux

+ appName: <Name of the Function app>

+ package: $(System.ArtifactsDirectory)/**/*.zip

+ deployToSlotOrASE: true

+ resourceGroupName: <Name of the resource group>

+ slotName: staging

+- task: AzureAppServiceManage@0

+ inputs:

+ azureSubscription: <Azure service connection>

+ WebAppName: <name of the Function app>

+ ResourceGroupName: <name of resource group>

+ SourceSlot: staging

+ SwapWithProduction: true

+# [Classic](#tab/classic)

+You can configure your function app to have multiple slots. Slots allow you to safely deploy your app and test it before making it available to your customers.

+Use the option **Deploy to Slot** in the **Azure Function App Deploy** task to specify the slot to deploy to. You can swap the slots by using the **Azure App Service Manage** task.

+## Create a pipeline with Azure CLI

+To create a build pipeline in Azure, use the `az functionapp devops-pipeline create` [command](/cli/azure/functionapp/devops-pipeline#az-functionapp-devops-pipeline-create). The build pipeline is created to build and release any code changes that are made in your repo. The command generates a new YAML file that defines the build and release pipeline and then commits it to your repo. The prerequisites for this command depend on the location of your code.

+- If your code is in GitHub:

+ - You must have **write** permissions for your subscription.

+ - You must be the project administrator in Azure DevOps.

+ - You must have permissions to create a GitHub personal access token (PAT) that has sufficient permissions. For more information, see [GitHub PAT permission requirements.](/azure/devops/pipelines/repos/github#repository-permissions-for-personal-access-token-pat-authentication)

+ - You must have permissions to commit to the main branch in your GitHub repository so you can commit the autogenerated YAML file.

+- If your code is in Azure Repos:

+ - You must have **write** permissions for your subscription.

+ - You must be the project administrator in Azure DevOps.

+

+

+

+You'll deploy with the [Azure Function App Deploy v2](/azure/devops/pipelines/tasks/reference/azure-function-app-v2) task. This task requires an [Azure service connection](/azure/devops/pipelines/library/service-endpoints) as an input. An Azure service connection stores the credentials to connect from Azure Pipelines to Azure.

+The v2 version of the task includes support for newer applications stacks for .NET, Python, and Node. The task includes networking predeployment checks and deployment won't proceed when there are issues.

+- task: AzureFunctionApp@2 # Add this at the end of your file

+ deploymentMethod: 'auto' # 'auto' | 'zipDeploy' | 'runFromPackage'. Required. Deployment method. Default: auto.

+

+- task: AzureFunctionApp@2

+ deploymentMethod: 'auto'

+This article shows you how to add controls to a map. You'll also learn how to create a map with all controls and a [style picker].

+A zoom control adds buttons for zooming the map in and out. The following code sample creates an instance of the [ZoomControl] class, and adds it the bottom-right corner of the map.

+<!-

+->

+A pitch control adds buttons for tilting the pitch to map relative to the horizon. The following code sample creates an instance of the [PitchControl] class. It adds the PitchControl to top-right corner of the map.

+<!-

+->

+A compass control adds a button for rotating the map. The following code sample creates an instance of the [CompassControl] class and adds it the bottom-left corner of the map.

+<!-

+->

+The following image shows a map with the zoom, compass, pitch, and style picker controls in the top-right corner of the map. Notice how they automatically stack. The order of the control objects in the script dictates the order in which they appear on the map. To change the order of the controls on the map, you can change their order in the array.

+<!-

+<br/>

+->

+The style picker control is defined by the [StyleControl] class. For more information on using the style picker control, see [choose a map style].

+The [Navigation Control Options] sample is a tool to test out the various options for customizing the controls.

+<!-

+<br/>

+->

+> [CompassControl]

+> [PitchControl]

+> [StyleControl]

+> [ZoomControl]

+> [Add a pin]

+> [Add a popup]

+> [Add a line layer]

+> [Add a polygon layer]

+> [Add a bubble layer]

+[style picker]: choose-map-style.md

+[ZoomControl]: /javascript/api/azure-maps-control/atlas.control.zoomcontrol

+[PitchControl]: /javascript/api/azure-maps-control/atlas.control.pitchcontrol

+[CompassControl]: /javascript/api/azure-maps-control/atlas.control.compasscontrol

+[StyleControl]: /javascript/api/azure-maps-control/atlas.control.stylecontrol

+[Navigation Control Options]: https://samples.azuremaps.com/?search=Map%20Navigation%20Control%20Options&sample=map-navigation-control-options

+[choose a map style]: choose-map-style.md

+[Add a pin]: map-add-pin.md

+[Add a popup]: map-add-popup.md

+[Add a line layer]: map-add-line-layer.md

+[Add a polygon layer]: map-add-shape.md

+[Add a bubble layer]: map-add-bubble-layer.md

+| Setting | Description |

+|-|-|

+| Size | The size of each bubble. This option is hidden when a field is passed into the **Size** bucket of the **Fields** pane. More options will appear as outlined in the [Bubble size scaling](#bubble-size-scaling) section further down in this article. |

+| Shape | Transparency. The fill transparency of each bubble. |

+| Color | Fill color of each bubble. This option is hidden when a field is passed into the **Legend** bucket of the **Fields** pane and a separate **Data colors** section will appear in the **Format** pane. |

+| Border | Settings for the border include color, width, transparency and blur.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Color specifies the color that outlines the bubble. This option is hidden when the **High-contrast outline** option is enabled.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Width specifies the width of the outline in pixels.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Transparency specifies the transparency of each bubble.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Blur specifies the amount of blur applied to the outline of the bubble. A value of one blurs the bubbles such that only the center point has no transparency. A value of 0 apply any blur effect.|

+| Zoom | Settings for the zoom property include scale, maximum and minimum.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Zoom scale is the amount the bubbles should scale relative to the zoom level. A zoom scale of one means no scaling. Large values will make bubbles smaller when zoomed out and larger when zoomed in. This helps to reduce the clutter on the map when zoomed out, yet ensures points stand out more when zoomed in. A value of 1 doesn't apply any scaling.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Maximum zoom level tiles are available.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Minimum zoom level tiles are available. |

+| Options | Settings for the options property include pitch alignment and layer position.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Pitch alignment specifies how the bubbles look when the map is pitched.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó layer position specifies the position of the layer relative to other map layers. |

+> [Add a 3D column layer](power-bi-visual-add-3d-column-layer.md)

+> [Customize visualization titles, backgrounds, and legends](/power-bi/visuals/power-bi-visualization-customize-title-background-and-legend)

+description: This article discusses how to use Azure Maps Power BI visual.

+# Get started with Azure Maps Power BI visual

+Other than the scenarios previously described, no other data overlaid on the map is sent to the Azure Maps servers. All rendering of data happens locally within the client.

+> [!TIP]

+> If using the Azure Maps [Geographic API endpoints], your firewall may need to be updated to allow access to the Azure Maps platform using either or all of the following URLs:

+>

+> - `https://atlas.microsoft.com`

+> - `https://us.atlas.microsoft.com`

+> - `https://eu.atlas.microsoft.com`

+For more information about privacy and terms of use related to the Azure Maps Power BI visual, see [Microsoft Azure Legal Information].

+<!-

+Before you can use the Azure Maps visual in Power BI, you must select the **Use Azure Maps Visual** security option. To do this in Power BI desktop select **File** &gt; **Options and Settings** &gt; **Options** &gt; **Security**, then select the **Use Azure Maps Visual** checkbox.

+->

+Power BI creates an empty Azure Maps visual design canvas.

+1. Performing one of the two following actions in the **Fields** pane provides the minimal data needed to load the Azure Maps visual:

+ 1. Drag data fields containing latitude and longitude coordinate information into the **Latitude** and/or **Longitude** buckets.

+ 1. Drag data fields containing geospatial data to the **Location** bucket.

+<!

+>

+ :::image type="content" source="media/power-bi-visual/bubble-layer-with-legend-color-and-size.png" alt-text="A screenshot of the Azure Maps visual displaying points as colored and scaled bubbles on the map that demonstrate the size field." lightbox="media/power-bi-visual/bubble-layer-with-legend-color-and-size.png":::

+4. Use the options in the **Format** pane to customize how data is rendered. The following image is the same map as shown previously, but with the bubble layers fill transparency option set to 50% and the high-contrast outline option enabled.

+| Location | Used to enter easily understandable geographical data such as country, state, and city. |

+| Legend | The field used to categorize the data and assign a unique color for data points in each category. When this bucket is filled, a **Data colors** section appears in the **Format** pane that allows adjustments to the colors. |

+The **Map settings** section is divided into three subsections: [style], [view] and [controls].

+| Style | The style of the map. The dropdown list contains [blank and blank accessible], [grayscale dark], [grayscale light], [high contrast dark], [high contrast light], [night], [road], [road shaded relief], [satellite] and [satellite road labels]. |

+| Auto zoom | Automatically zooms the map into the data loaded through the **Fields** pane of the visual. As the data changes, the map updates its position accordingly. When **Auto zoom** is set to **Off**, the remaining settings in this section become active that enable to user to define the default map view. |

+| Navigation | Adds buttons to the map as another method to allow the report readers to zoom, rotate, and change the pitch of the map. See this document on [Navigating the map] for details on all the different ways users can navigate the map. |

+For coverage details for the different Azure Maps services that power this visual, see [Geographic coverage information].

+For a list of supported browsers, see [Azure Maps Web SDK supported browsers].

+Yes, addresses and other location strings can be used in the Azure Maps Power BI visual. For more information on addresses and other location strings, see [The location field] in the *Geocoding in Azure Maps Power BI Visual* article.

+> [Understanding layers in the Azure Maps Power BI visual]

+> [Manage the Azure Maps Power BI visual within your organization]

+> [Tips and tricks for color formatting in Power BI]

+> [Customize visualization titles, backgrounds, and legends]

+[Geographic API endpoints]: geographic-scope.md#geographic-api-endpoint-mapping

+[Azure Maps Web SDK supported browsers]: supported-browsers.md

+[controls]: #controls

+[Customize visualization titles, backgrounds, and legends]: /power-bi/visuals/power-bi-visualization-customize-title-background-and-legend

+[Geographic coverage information]: geographic-coverage.md

+[style]: #style

+<!- Styles -->

+[blank and blank accessible]: supported-map-styles.md#blank-and-blank_accessible

+[grayscale dark]: supported-map-styles.md#grayscale_dark

+[grayscale light]: supported-map-styles.md#grayscale_light

+[high contrast dark]: supported-map-styles.md#high_contrast_dark

+[high contrast light]: supported-map-styles.md#high_contrast_light

+[night]: supported-map-styles.md#night

+[road]: supported-map-styles.md#road

+[road shaded relief]: supported-map-styles.md#road_shaded_relief

+[satellite road labels]: supported-map-styles.md#satellite_road_labels

+[Manage the Azure Maps Power BI visual within your organization]: power-bi-visual-manage-access.md

+[Microsoft Azure Legal Information]: https://azure.microsoft.com/support/legal/

+[Navigating the map]: map-accessibility.md#navigating-the-map

+[Tips and tricks for color formatting in Power BI]: /power-bi/visuals/service-tips-and-tricks-for-color-formatting

+[Understanding layers in the Azure Maps Power BI visual]: power-bi-visual-understanding-layers.md

+[view]: #view

+[The location field]: power-bi-visual-geocode.md#the-location-field

+ Title: Release notes - Spatial IO Module

+description: Release notes for the Azure Maps Spatial IO Module.

+# Spatial IO Module release notes

+This document contains information about new features and other changes to the Azure Maps Spatial IO Module.

+## [0.1.4]

+### Bug fixes (0.1.4)

+- make sure parsed geojson features (from KML) are always assigned with valid IDs

+- unescape XML &amp; that otherwise breaks valid urls

+- handles empty `<Icon><\Icon>` inside KMLReader

+## Next steps

+Explore samples showcasing Azure Maps:

+> [!div class="nextstepaction"]

+> [Azure Maps Spatial IO Samples]

+Stay up to date on Azure Maps:

+> [!div class="nextstepaction"]

+> [Azure Maps Blog]

+[0.1.4]: https://www.npmjs.com/package/azure-maps-spatial-io/v/0.1.4

+[Azure Maps Spatial IO Samples]: https://samples.azuremaps.com/?search=Spatial%20IO%20Module

+[Azure Maps Blog]: https://techcommunity.microsoft.com/t5/azure-maps-blog/bg-p/AzureMapsBlog

+### Azure technical support

+For Azure support issues, open an [Azure support ticket](https://azure.microsoft.com/support/create-ticket/).

+- Tracking of router changes

+- React components usage statistics

+npm install @microsoft/applicationinsights-react-js

+The React Native plugin for Application Insights JavaScript SDK collects device information. By default, this plugin automatically collects:

+- **Device Model Name** (Such as iPhone XS, Samsung Galaxy Fold, Huawei P30 Pro etc.)

+You must be using a version >= 2.0.0 of `@microsoft/applicationinsights-web`. This plugin only works in react-native apps. It doesn't work with [apps using the Expo framework](https://docs.expo.io/) or Create React Native App, which is based on the Expo framework.

+By default, this plugin relies on the [`react-native-device-info` package](https://www.npmjs.com/package/react-native-device-info). You must install and link to this package. Keep the `react-native-device-info` package up to date to collect the latest device names using your app.

+Since v3, support for accessing the DeviceInfo has been abstracted into an interface `IDeviceInfoModule` to enable you to use / set your own device info module. This interface uses the same function names and result `react-native-device-info`.

+#### Disabling automatic device info collection

+```typescript

+import { ApplicationInsights } from '@microsoft/applicationinsights-web';

+var RNPlugin = new ReactNativePlugin();

+var appInsights = new ApplicationInsights({

+ config: {

+ instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE',

+ disableDeviceCollection: true,

+ extensions: [RNPlugin]

+ }

+});

+appInsights.loadAppInsights();

+```

+#### Using your own device info collection class

+```typescript

+import { ApplicationInsights } from '@microsoft/applicationinsights-web';

+// Simple inline constant implementation

+const myDeviceInfoModule = {

+ getModel: () => "deviceModel",

+ getDeviceType: () => "deviceType",

+ // v5 returns a string while latest returns a promise

+ getUniqueId: () => "deviceId", // This "may" also return a Promise<string>

+};

+var RNPlugin = new ReactNativePlugin();

+RNPlugin.setDeviceInfoModule(myDeviceInfoModule);

+var appInsights = new ApplicationInsights({

+ config: {

+ instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE',

+ extensions: [RNPlugin]

+ }

+});

+appInsights.loadAppInsights();

+```

+### IDeviceInfoModule

+Interface to abstract how the plugin can access the Device Info. This interface is a stripped down version of the `react-native-device-info` interface and is mostly supplied for testing.

+```typescript

+export interface IDeviceInfoModule {

+ /**

+ * Returns the Device Model

+ */

+ getModel: () => string;

+ /**

+ * Returns the device type

+ */

+ getDeviceType: () => string;

+ /**

+ * Returns the unique Id for the device. To support both the current version and previous

+ * versions react-native-device-info, this may return either a `string` or `Promise<string>`.

+ * When a promise is returned, the plugin will "wait" for the promise to `resolve` or `reject`

+ * before processing any events. This WILL cause telemetry to be BLOCKED until either of these

+ * states, so when returning a Promise, it MUST `resolve` or `reject`. Tt can't just never resolve.

+ * There is a default timeout configured via `uniqueIdPromiseTimeout` to automatically unblock

+ * event processing when this issue occurs.

+ */

+ getUniqueId: () => Promise<string> | string;

+}

+```

+If events are getting "blocked" because the `Promise` returned via `getUniqueId` is never resolved / rejected, you can call `setDeviceId()` on the plugin to "unblock" this waiting state. There is also an automatic timeout configured via `uniqueIdPromiseTimeout` (defaults to 5 seconds), which will internally call `setDeviceId()` with any previously configured value.

+npm install @microsoft/applicationinsights-angularplugin-js

+> [!IMPORTANT]

+> When using the ErrorService, there is an implicit dependency on the `@microsoft/applicationinsights-analytics-js` extension. you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension. Otherwise, unhandled errors caught by the error service will not be sent.

+To track uncaught exceptions, set up ApplicationinsightsAngularpluginErrorService in `app.module.ts`:

+> [!IMPORTANT]

+> When using the ErrorService, there is an implicit dependency on the `@microsoft/applicationinsights-analytics-js` extension. you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension. Otherwise, unhandled errors caught by the error service will not be sent.

+To chain more custom error handlers, create custom error handlers that implement IErrorService:

+```javascript

+import { IErrorService } from '@microsoft/applicationinsights-angularplugin-js';

+export class CustomErrorHandler implements IErrorService {

+ handleError(error: any) {

+ ...

+ }

+}

+```

+And pass errorServices array through extensionConfig:

+```javascript

+extensionConfig: {

+ [angularPlugin.identifier]: {

+ router: this.router,

+ error

+ }

+ }

+```

+1. Install the latest [OpenTelemetry.Extensions.AzureMonitor](https://www.nuget.org/packages/OpenTelemetry.Extensions.AzureMonitor) package:

+ ```dotnetcli

+ dotnet add package --prerelease OpenTelemetry.Extensions.AzureMonitor

+ ```

+1. Add the following code snippet.

+ ```csharp

+ var tracerProvider = Sdk.CreateTracerProviderBuilder()

+ .SetSampler(new ApplicationInsightsSampler(new ApplicationInsightsSamplerOptions { SamplingRatio = 0.1F }))

+ .AddAzureMonitorTraceExporter();

+ ```

+1. Install the latest [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package:

+ ```dotnetcli

+ dotnet add package Azure.Identity

+ ```

+

+1. Provide the desired credential class:

+ ```csharp

+ var builder = WebApplication.CreateBuilder(args);

+ builder.Services.AddOpenTelemetry().UseAzureMonitor(options => {

+ options.Credential = new DefaultAzureCredential();

+ });

+ var app = builder.Build();

+ app.Run();

+ ```

+1. Install the latest [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package:

+ ```dotnetcli

+ dotnet add package Azure.Identity

+ ```

+1. Provide the desired credential class:

+ ```csharp

+ var credential = new DefaultAzureCredential();

+ var tracerProvider = Sdk.CreateTracerProviderBuilder()

+ .AddAzureMonitorTraceExporter(options =>

+ {

+ options.Credential = credential;

+ });

+ var metricsProvider = Sdk.CreateMeterProviderBuilder()

+ .AddAzureMonitorMetricExporter(options =>

+ var loggerFactory = LoggerFactory.Create(builder =>

+ {

+ builder.AddOpenTelemetry(options =>

+ {

+ options.AddAzureMonitorLogExporter(options =>

+ {

+ options.Credential = credential;

+ });

+ });

+ ```

+> The histogram is the most versatile and most closely equivalent to the Application Insights GetMetric [Classic API](api-custom-events-metrics.md). Azure Monitor currently flattens the histogram instrument into our five supported aggregation types, and support for percentiles is underway. Although less versatile, other OpenTelemetry instruments have a lesser impact on your application's performance.

+ .AddAzureMonitorMetricExporter()

+ .AddAzureMonitorMetricExporter()

+ .AddAzureMonitorMetricExporter()

+- To log an Exception using an Activity:

+ ```csharp

+ using (var activity = activitySource.StartActivity("ExceptionExample"))

+ {

+ try

+ {

+ throw new Exception("Test exception");

+ }

+ catch (Exception ex)

+ {

+ activity?.SetStatus(ActivityStatusCode.Error);

+ activity?.RecordException(ex);

+ }

+ }

+ ```

+- To log an Exception using ILogger:

+ ```csharp

+ var logger = loggerFactory.CreateLogger(logCategoryName);

+ try

+ {

+ throw new Exception("Test Exception");

+ }

+ catch (Exception ex)

+ {

+ logger.Log(

+ logLevel: LogLevel.Error,

+ eventId: 0,

+ exception: ex,

+ message: "Hello {name}.",

+ args: new object[] { "World" });

+ }

+ ```

+- To log an Exception using an Activity:

+ ```csharp

+ using (var activity = activitySource.StartActivity("ExceptionExample"))

+ {

+ try

+ {

+ throw new Exception("Test exception");

+ }

+ catch (Exception ex)

+ {

+ activity?.SetStatus(ActivityStatusCode.Error);

+ activity?.RecordException(ex);

+ }

+ }

+ ```

+- To log an Exception using ILogger:

+ ```csharp

+ var logger = loggerFactory.CreateLogger("ExceptionExample");

+ try

+ {

+ throw new Exception("Test Exception");

+ }

+ catch (Exception ex)

+ {

+ logger.Log(

+ logLevel: LogLevel.Error,

+ eventId: 0,

+ exception: ex,

+ message: "Hello {name}.",

+ args: new object[] { "World" });

+ }

+ ```

+ .AddAzureMonitorTraceExporter()

+ .AddAzureMonitorTraceExporter()

+ .AddAzureMonitorTraceExporter()

+- For Azure support issues, open an [Azure support ticket](https://azure.microsoft.com/support/create-ticket/).

+- For Azure support issues, open an [Azure support ticket](https://azure.microsoft.com/support/create-ticket/).

+- For help with troubleshooting, review the [troubleshooting steps](java-standalone-troubleshoot.md).

+- For Azure support issues, open an [Azure support ticket](https://azure.microsoft.com/support/create-ticket/).

+- For Azure support issues, open an [Azure support ticket](https://azure.microsoft.com/support/create-ticket/).

+> If you are using Azure Managed Grafana to query your data, please configure a [Managed Private Endpoint](https://aka.ms/ags/mpe) to ensure the queries from Managed Grafana into your Azure Monitor workspace use the Microsoft backbone network without going through the internet.

+## TI upload indicators API limits

+> | snapshots | **Yes** - Full <br> No - Incremental | **Yes** - Full <br> No - Incremental | No - Full <br> **Yes** - Incremental |

+| Supported workload | Supported region |

+| | |

+| **Azure VMs**, **SQL Server in Azure VMs**, **SAP HANA in Azure VMs** | Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central US, East Asia, East US 2, East US, France Central, Germany West Central, Central India, South India, Japan East, Japan West, Korea Central, Korea South, North Central US, North Europe, Norway East, South Central US, South East Asia, UAE North, UK South, UK West, West Central US, West Europe, West US 2, West US, US Gov Arizona, US Gov Virginia, US Gov Texas, China North 2, China East 2 |

+Azure Disk Backup offers a turnkey solution that provides snapshot lifecycle management for managed disks by automating periodic creation of snapshots and retaining it for configured duration using backup policy. You can manage the disk snapshots with zero infrastructure cost and without the need for custom scripting or any management overhead. This is a crash-consistent backup solution that takes point-in-time backup of a managed disk using incremental snapshots with support for multiple backups per day. It's also an agent-less solution and doesn't impact production application performance. It supports backup and restore of both OS and data disks (including shared disks), whether or not they're currently attached to a running Azure virtual machine.

+**Example response for list of recovery points**

+Select the relevant recovery points from the above list and proceed to prepare the restore request. We'll choose a recovery point named `a3d02fc3ab8a4c3a8cc26688c26d3356` from the above list to restore.

+For example, we'll use a disk named `APITestDisk2`, under a resource group `targetrg`, present in the same region as the backed-up disk, but under a different subscription.

+It returns two responses: 202 (Accepted) when another operation is created, and 200 (OK) when that operation completes.

+**Example response to restore validate request**

+Once the *POST* operation is submitted, it will return the initial response as 202 (Accepted) with an _Azure-asyncOperation_ header.

+Track the _Azure-AsyncOperation_ header with a *GET* request. When the request is successful, it returns 200 (OK) with a success status response.

+It returns two responses: 202 (Accepted) when another operation is created, and 200 (OK) when that operation completes.

+**Example response to trigger restore request**

+Once the *POST* operation is submitted, it will return the initial response as 202 (Accepted) with an _Azure-asyncOperation_ header.

+Track the _Azure-AsyncOperation_ header with a *GET* request. When the request is successful, it will return 200 (OK) with a job ID that should be further tracked for completion of restore request.

+Use the *GET* command to track the _JobId_ present in the [trigger restore response](#response-to-trigger-restore-requests) above.

+ * Connect using SSH or RDP. (The bastion tunnel doesn't relay web servers or hosts.)

+ > [!IMPORTANT]

+ > Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.

+ Once you sign in to your target VM, the native client on your computer opens up with your VM session; **MSTSC** for RDP sessions, and **SSH CLI extension (az ssh)** for SSH sessions.

+ 1. Once you sign in to your target VM, the native client on your computer opens up with your VM session; **MSTSC** for RDP sessions, and **SSH CLI extension (az ssh)** for SSH sessions.

+This section helps you connect to your virtual machine from native clients on *non*-Windows local computers (example: a Linux PC) using the **az network bastion tunnel** command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM. The bastion tunnel supports RDP/SSH connection, but doesn't relay web servers or hosts.

+Language option only applies when you're using the standard model.

+Gender neutral caption option only applies when you're using the standard model.

+Smart cropping aspect rations only applies when you're using the standard model.

+- The `diarization` property can be used to specify hints for the minimum and maximum number of speaker labels to generate when performing optional diarization (speaker separation). With this feature, the service is now able to generate speaker labels for more than two speakers. To use this property you must also set the `diarizationEnabled` property to `true`.

+ * The value of the expiry time is determined by whether you're using an **Account key** or **User delegation key** **Signing method**:

+ * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).

+ * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Azure AD credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).

+1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. For more information,*see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range).

+| Switzerland | Toll-Free | - | - | Public Preview | Public Preview\* |

+| Luxembourg | Toll-Free | - | - | Public Preview | Public Preview\* |

+| Netherlands | Toll-Free | - | - | Public Preview | Public Preview\* |

+|Toll-Free |USD 20.00/mo |

+|Toll-free |Starting at USD 0.2300/min | USD 0.2800/min |

+|Toll-Free |USD 25.00/mo |

+|Toll-free |Starting at USD 0.3500/min |Starting at USD 0.0770/min |

+- **Rooms enable scheduled communication experience.** Rooms help service platforms deliver meeting-style experiences while still being suitably generic for a wide variety of industry applications. Services can schedule and manage rooms for patients seeking medical advice, financial planners working with clients, and lawyers providing legal services.

+- **Rooms enable an invite-only experience.** Rooms allow your services to control which users can join the room for a virtual appointment with doctors or financial consultants. This will allow only a subset of users with assigned Communication Services identities to join a room call.

+- Need structured communication through roles and permissions for users.

+| Capability | 1:N Call | 1:N Call <br>with ephemeral ID</br> | Room call |

+| List participants that joined the rooms call | ✔️ | ❌ |

+- Create

+Room participants can be assigned one of the following roles: **Presenter**, **Attendee** and **Consumer**. By default, a user is assigned an **Attendee** role, if no other role is assigned.

+[Voice and video calling events](../../../event-grid/communication-services-voice-video-events.md) published via [Event Grid](../../../event-grid/event-schema-communication-services.md) are annotated with room call information.

+zone_pivot_groups: acs-js-csharp-java-python-portal-rest

+In this quick start, you'll learn how to connect a verified domain in Azure Communication Services to send email.

+ Title: Quickstart - Look up operator information for a phone number using Azure Communication Services

+description: Learn how to look up operator information for any phone number using Azure Communication Services

+# Quickstart: Look up operator information for a phone number using Azure Communication Services

+Get started with the Phone Numbers client library for C# to look up operator information for phone numbers, which can be used to determine whether and how to communicate with that phone number. Follow these steps to install the package and look up operator information about a phone number.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- The latest version of [.NET Core client library](https://dotnet.microsoft.com/download/dotnet-core) for your operating system.

+- An active Communication Services resource and connection string. [Create a Communication Services resource](../create-communication-resource.md).

+### Prerequisite check

+- In a terminal or command window, run the `dotnet` command to check that the .NET SDK is installed.

+## Setting up

+To set up an environment for sending lookup queries, take the steps in the following sections.

+### Create a new C# application

+In a console window, such as cmd, PowerShell, or Bash, use the `dotnet new` command to create a new console app with the name `NumberLookupQuickstart`. This command creates a simple "Hello World" C# project with a single source file, **Program.cs**.

+```console

+dotnet new console -o NumberLookupQuickstart

+```

+Change your directory to the newly created app folder and use the `dotnet build` command to compile your application.

+```console

+cd NumberLookupQuickstart

+dotnet build

+```

+### Install the package

+While still in the application directory, install the Azure Communication Services PhoneNumbers client library for .NET package by using the following command.

+```console

+dotnet add package Azure.Communication.PhoneNumbers --version 1.0.0

+```

+Add a `using` directive to the top of **Program.cs** to include the `Azure.Communication` namespace.

+```csharp

+using System;

+using System.Threading.Tasks;

+using Azure.Communication.PhoneNumbers;

+```

+Update `Main` function signature to be async.

+```csharp

+static async Task Main(string[] args)

+{

+ ...

+}

+```

+## Code examples

+### Authenticate the client

+Phone Number clients can be authenticated using connection string acquired from an Azure Communication Services resource in the [Azure portal][azure_portal].

+It's recommended to use a `COMMUNICATION_SERVICES_CONNECTION_STRING` environment variable to avoid putting your connection string in plain text within your code.

+```csharp

+// This code retrieves your connection string from an environment variable.

+string connectionString = Environment.GetEnvironmentVariable("COMMUNICATION_SERVICES_CONNECTION_STRING");

+

+PhoneNumbersClient client = new PhoneNumbersClient(connectionString, new PhoneNumbersClientOptions(PhoneNumbersClientOptions.ServiceVersion.V2023_05_01_Preview));

+```

+Phone Number clients can also authenticate with Azure Active Directory Authentication. With this option,

+`AZURE_CLIENT_SECRET`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` environment variables need to be set up for authentication.

+```csharp

+// Get an endpoint to our Azure Communication Services resource.

+Uri endpoint = new Uri("<endpoint_url>");

+TokenCredential tokenCredential = new DefaultAzureCredential();

+client = new PhoneNumbersClient(endpoint, tokenCredential);

+```

+### Look up operator information for a number

+To search for a phone number's operator information, call `SearchOperatorInformationAsync` from the `PhoneNumbersClient`.

+```csharp

+OperatorInformationResult searchResult = await client.SearchOperatorInformationAsync(new[] { "<target-phone-number>" });

+OperatorInformation operatorInformation = searchResult.Results[0];

+```

+Replace `<target-phone-number>` with the phone number you're looking up, usually a number you'd like to send a message to.

+> [!WARNING]

+> Provide phone numbers in E.164 international standard format, for example, +14255550123.

+### Use operator information

+You can now use the operator information. For this quickstart guide, we can print some of the details to the console.

+```csharp

+Console.WriteLine($"{operatorInformation.PhoneNumber} is a {operatorInformation.NumberType ?? "unknown"} number, operated by {operatorInformation.OperatorDetails.Name ?? "an unknown operator"}");

+```

+You may also use the operator information to determine whether to send an SMS. For more information on sending an SMS, see the [SMS Quickstart](../sms/send.md).

+## Run the code

+Run the application from your application directory with the `dotnet run` command.

+```console

+dotnet run

+```

+## Troubleshooting

+Common questions and issues:

+- The data returned by this endpoint is subject to various international laws and regulations, therefore the accuracy of the results depends on several factors. These factors include whether the number has been ported, the country code, and the approval status of the caller. Based on these factors, operator information may not be available for some phone numbers or may reflect the original operator of the phone number, not the current operator.

+## Next steps

+In this quickstart you learned how to:

+> [!div class="checklist"]

+> * Look up operator information for a phone number

+[!div class="nextstepaction"]

+[Send an SMS](../sms/send.md)

+- Windows Server 2019 Datacenter - x64 Gen 2

+- Windows Server 2019 Datacenter Server Core - x64 Gen 2

+- Windows Server 2022 Datacenter - x64 Gen 2

+- Windows Server 2022 Datacenter: Azure Edition Core - x64 Gen 2

+- Windows Server 2022 Datacenter: Azure Edition - x64 Gen 2

+- Windows Server 2022 Datacenter Server Core - x64 Gen 2

+- Windows 11 Enterprise N, version 22H2 -x64 Gen 2

+- Windows 11 Pro, version 22H2 ZH-CN -x64 Gen 2

+- Windows 11 Pro, version 22H2 -x64 Gen 2

+- Windows 11 Pro N, version 22H2 -x64 Gen 2

+- Windows 11 Enterprise, version 22H2 -x64 Gen 2

+- Windows 11 Enterprise multi-session, version 22H2 -x64 Gen 2

+ 1. For **Image**, select the OS image to use for your VM. Select **See all images** to open Azure Marketplace. Select the filter **Security Type** &gt; **Confidential** to show all available confidential VM images.

+- Ubuntu 20.04 LTS

+- Ubuntu 22.04 LTS

+- Windows Server 2019 Datacenter - x64 Gen 2

+- Windows Server 2019 Datacenter Server Core - x64 Gen 2

+- Windows Server 2022 Datacenter - x64 Gen 2

+- Windows Server 2022 Datacenter: Azure Edition Core - x64 Gen 2

+- Windows Server 2022 Datacenter: Azure Edition - x64 Gen 2

+- Windows Server 2022 Datacenter Server Core - x64 Gen 2

+- Windows 11 Enterprise N, version 22H2 -x64 Gen 2

+- Windows 11 Pro, version 22H2 ZH-CN -x64 Gen 2

+- Windows 11 Pro, version 22H2 -x64 Gen 2

+- Windows 11 Pro N, version 22H2 -x64 Gen 2

+- Windows 11 Enterprise, version 22H2 -x64 Gen 2

+- Windows 11 Enterprise multi-session, version 22H2 -x64 Gen 2

+- the container app name, for instance `https://<APP_NAME>` for internal requests

+There are two [change feed modes](./nosql/change-feed-modes.md) available: latest version mode and all versions and deletes mode. The mode that change feed is read in determines which operations changes are captured from and the metadata available for each change. It's possible to consume the change feed in different modes across multiple applications for the same Azure Cosmos DB container.

+|HTTPS/SSL/TLS encryption|All connections to Azure Cosmos DB support HTTPS. Azure Cosmos DB supports TLS levels up to 1.2 (included).<br>It's possible to enforce a minimum TLS level on server-side. To do so, refer to self service guide [Self-serve minimum TLS version enforcement in Azure Cosmos DB](./self-serve-minimum-tls-enforcement.md).|

+- Workloads reading the change feed

+> [!Note]

+> Do you have any feedback about change feed modes? We want to hear it! Feel free to share feedback directly with the Azure Cosmos DB engineering team: cosmoschangefeed@microsoft.com

+All versions and deletes mode (preview) is a persistent record of all changes to items from create, update, and delete operations. You get a record of each change to items in the order that it occurred, including intermediate changes to an item between change feed reads. For example, if an item is created and then updated before you read the change feed, both the create and the update versions of the item appear in the change feed. To read from the change feed in all versions and deletes mode, you must have [continuous backups](../continuous-backup-restore-introduction.md) configured for your Azure Cosmos DB account. Turning on continuous backups creates the all versions and deletes change feed. You can only read changes that occurred within the continuous backup period when using this change feed mode. This mode is only compatible with Azure Cosmos DB for NoSQL accounts. Learn more about how to [sign up for the preview](#getting-started).

+| [Change feed pull model](change-feed-pull-model.md) | [>= 3.32.0-preview](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.32.0-preview) | [>= 4.42.0](https://mvnrepository.com/artifact/com.azure/azure-cosmos/4.37.0) | No | No |

+To get started using all versions and deletes change feed mode, enroll in the preview via the [Preview Features page](../../azure-resource-manager/management/preview-features.md) in your Azure Subscription overview page. Search for the **AllVersionsAndDeletesChangeFeed** feature and select **Register**.

+With the change feed pull model, you can consume the Azure Cosmos DB change feed at your own pace. Similar to the [change feed processor](change-feed-processor.md), you can use the change feed pull model to parallelize the processing of changes across multiple change feed consumers.

+Many scenarios can process the change feed using either the [change feed processor](change-feed-processor.md) or the pull model. The pull model's continuation tokens and the change feed processor's lease container are both "bookmarks" for the last processed item, or batch of items, in the change feed.

+To process the change feed using the pull model, create a `FeedIterator`. When you initially create a `FeedIterator`, you must specify a required `ChangeFeedStartFrom` value, which consists of both the starting position for reading changes and the desired `FeedRange`. The `FeedRange` is a range of partition key values and specifies the items that can be read from the change feed using that specific `FeedIterator`. You must also specify a required `ChangeFeedMode` value for the mode in which you want to process changes: [latest version](change-feed-modes.md#latest-version-change-feed-mode) or [all versions and deletes](change-feed-modes.md#all-versions-and-deletes-change-feed-mode-preview). Use either `ChangeFeedMode.LatestVersion` or `ChangeFeedMode.AllVersionsAndDeletes` to indicate which mode you want to read change feed in. When using all versions and deletes mode, you must select a change feed start from value of either `Now()` or from a specific continuation token.

+FeedIterator<User> InteratorWithPOCOS = container.GetChangeFeedIterator<User>(ChangeFeedStartFrom.Beginning(), ChangeFeedMode.LatestVersion);

+> [!TIP]

+> Prior to version `3.34.0`, latest version mode can be used by setting `ChangeFeedMode.Incremental`. Both `Incremental` and `LatestVersion` refer to latest version mode of the change feed and applications that use either mode will see the same behavior.

+All versions and deletes mode is in preview and can be used with preview .NET SDK versions >= `3.32.0-preview`. Here's an example for obtaining a `FeedIterator` in all versions and deletes mode that returns dynamic objects:

+FeedIterator iteratorWithStreams = container.GetChangeFeedStreamIterator(ChangeFeedStartFrom.Beginning(), ChangeFeedMode.LatestVersion);

+FeedIterator<User> iteratorForTheEntireContainer = container.GetChangeFeedIterator<User>(ChangeFeedStartFrom.Now(), ChangeFeedMode.LatestVersion);

+ ChangeFeedStartFrom.Beginning(FeedRange.FromPartitionKey(new PartitionKey("PartitionKeyValue")), ChangeFeedMode.LatestVersion));

+FeedIterator<User> iteratorA = container.GetChangeFeedIterator<User>(ChangeFeedStartFrom.Beginning(ranges[0]), ChangeFeedMode.LatestVersion);

+FeedIterator<User> iteratorB = container.GetChangeFeedIterator<User>(ChangeFeedStartFrom.Beginning(ranges[1]), ChangeFeedMode.LatestVersion);

+FeedIterator<User> iterator = container.GetChangeFeedIterator<User>(ChangeFeedStartFrom.Beginning(), ChangeFeedMode.LatestVersion);

+FeedIterator<User> iteratorThatResumesFromLastPoint = container.GetChangeFeedIterator<User>(ChangeFeedStartFrom.ContinuationToken(continuation), ChangeFeedMode.LatestVersion);

+ Title: Migrate applications to use passwordless authentication with Azure Cosmos DB for NoSQL

+description: Learn to migrate existing applications away from connection strings to instead use Azure AD and Azure RBAC for enhanced security.

+# Migrate an application to use passwordless connections with Azure Cosmos DB for NoSQL

+Application requests to Azure Cosmos DB for NoSQL must be authenticated. Although there are multiple options for authenticating to Azure Cosmos DB, you should prioritize passwordless connections in your applications when possible. Traditional authentication methods that use connection strings with passwords or secret keys create security risks and complications. Visit the [passwordless connections for Azure services](/azure/developer/intro/passwordless-overview) hub to learn more about the advantages of moving to passwordless connections.

+The following tutorial explains how to migrate an existing application to connect to Azure Cosmos DB for NoSQL using passwordless connections instead of a key-based solution.

+## Configure roles and users for local development authentication

+### Sign-in to Azure locally

+### Migrate the app code to use passwordless connections

+1. To use `DefaultAzureCredential` in a .NET application, install the `Azure.Identity` package:

+ ```dotnetcli

+ dotnet add package Azure.Identity

+ ```

+1. At the top of your file, add the following code:

+ ```csharp

+ using Azure.Identity;

+ ```

+1. Identify the locations in your code that create a `CosmosClient` object to connect to Azure Cosmos DB. Update your code to match the following example.

+ ```csharp

+ using CosmosClient client = new(

+ accountEndpoint: Environment.GetEnvironmentVariable("COSMOS_ENDPOINT"),

+ tokenCredential: new DefaultAzureCredential()

+ );

+ ```

+### Run the app locally

+After making these code changes, run your application locally. The new configuration should pick up your local credentials, such as the Azure CLI, Visual Studio, or IntelliJ. The roles you assigned to your local dev user in Azure allows your app to connect to the Azure service locally.

+## Configure the Azure hosting environment

+Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure Cosmos DB using a managed identity.

+### Create the managed identity

+#### Associate the managed identity with your web app

+You need to configure your web app to use the managed identity you created. Assign the identity to your app using either the Azure portal or the Azure CLI.

+# [Azure portal](#tab/azure-portal-associate)

+Complete the following steps in the Azure portal to associate an identity with your app. These same steps apply to the following Azure

+* Azure Spring Apps

+* Azure Container Apps

+* Azure virtual machines

+* Azure Kubernetes Service

+1. Navigate to the overview page of your web app.

+1. Select **Identity** from the left navigation.

+1. On the **Identity** page, switch to the **User assigned** tab.

+1. Select **+ Add** to open the **Add user assigned managed identity** flyout.

+1. Select the subscription you used previously to create the identity.

+1. Search for the **MigrationIdentity** by name and select it from the search results.

+1. Select **Add** to associate the identity with your app.

+ :::image type="content" source="../../../articles/storage/common/media/create-user-assigned-identity-small.png" alt-text="Screenshot showing how to create a user assigned identity." lightbox="../../../articles/storage/common/media/create-user-assigned-identity.png":::

+# [Azure CLI](#tab/azure-cli-associate)

+### Assign roles to the managed identity

+Grant permissions to the managed identity by assigning it the custom role you created, just like you did with your local development user.

+To assign a role at the resource level using the Azure CLI, you first must retrieve the resource ID using the [az cosmosdb show](/cli/azure/cosmosdb) command. You can filter the output properties using the `--query` parameter.

+```azurecli

+az cosmosdb show \

+ --resource-group '<resource-group-name>' \

+ --name '<cosmosdb-name>' \

+ --query id

+```

+Copy the output ID from the preceding command. You can then assign roles using the [az role assignment](/cli/azure/role/assignment) command of the Azure CLI.

+```azurecli

+az role assignment create \

+ --assignee "<your-managed-identity-name>" \

+ --role "PasswordlessReadWrite" \

+ --scope "<cosmosdb-resource-id>"

+```

+### Update the application code

+You need to configure your application code to look for the specific managed identity you created when it's deployed to Azure. In some scenarios, explicitly setting the managed identity for the app also prevents other environment identities from accidentally being detected and used automatically.

+1. On the managed identity overview page, copy the client ID value to your clipboard.

+1. Update the `DefaultAzureCredential` object to specify this managed identity client ID:

+ ```csharp

+ // TODO: Update the <managed-identity-client-id> placeholder.

+ var credential = new DefaultAzureCredential(

+ new DefaultAzureCredentialOptions

+ {

+ ManagedIdentityClientId = "<managed-identity-client-id>"

+ });

+ ```

+3. Redeploy your code to Azure after making this change in order for the configuration updates to be applied.

+### Test the app

+After deploying the updated code, browse to your hosted application in the browser. Your app should be able to connect to Cosmos DB successfully. Keep in mind that it may take several minutes for the role assignments to propagate through your Azure environment. Your application is now configured to run both locally and in a production environment without the developers having to manage secrets in the application itself.

+## Next steps

+In this tutorial, you learned how to migrate an application to passwordless connections.

+You can read the following resources to explore the concepts discussed in this article in more depth:

+* [Authorize access to blobs using Azure Active Directory](../../storage/blobs/authorize-access-azure-active-directory.md))

+* To learn more about .NET, see [Get started with .NET in 10 minutes](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/intro).

+Computed properties must be at the top level in the item and can't have a nested path. Each computed property definition has two components: a name and a query. The name is the computed property name, and the query defines logic to calculate the property value for each item. Computed properties are scoped to an individual item and therefore can't use values from multiple items or rely on other computed properties. Every container can have a maximum of 20 computed properties.

+- Aggregate functions, spatial functions, non-deterministic functions and user defined functions aren't supported.

+|.NET SDK v3 |>= [3.34.0-preview](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.34.0-preview) |Computed properties are currently only available in preview package versions. |

+ ComputedProperties = new Collection<ComputedProperty>

+ Container container = await client.GetDatabase("myDatabase").CreateContainerAsync(containerProperties);

+```

+Here's an example of how to update computed properties on an existing container using the .NET SDK:

+```csharp

+ var container = client.GetDatabase("myDatabase").GetContainer("myContainer");

+ // Read the current container properties

+ var containerProperties = await container.ReadContainerAsync();

+ // Make the necessary updates to the container properties

+ containerProperties.Resource.ComputedProperties = new Collection<ComputedProperty>

+ {

+ new ComputedProperty

+ {

+ Name = "cp_lowerName",

+ Query = "SELECT VALUE LOWER(c.name) FROM c"

+ },

+ new ComputedProperty

+ {

+ Name = "cp_upperName",

+ Query = "SELECT VALUE UPPER(c.name) FROM c"

+ }

+ };

+ // Update container with changes

+ await container.ReplaceContainerAsync(containerProperties);

+> [!TIP]

+> Every time you update container properties, the old values are overwritten.

+> If you have existing computed properties and want to add new ones, ensure you add both new and existing computed properties to the collection.

+Computed properties can be referenced in queries the same way as persisted properties. Values for computed properties that aren't indexed are evaluated during runtime using the computed property definition. If a computed property is indexed, the index is used in the same way as it is for persisted properties, and the computed property is evaluated on an as needed basis. It's recommended you [add indexes on your computed properties](#indexing-computed-properties) for the best cost and performance.

+ "path":"/cp_myComputedProperty"

+ "path":"/path/to/myPersistedProperty"

+> [!IMPORTANT]

+>

+> Even in the RO state in-flight transactions may continue writing to the database

+> thus decreasing further available storage. If available storage size continues

+> to decrease after the node was set to read-only, all existing sessions

+> would be disconnected and uncommitted transactions would be rolled back.

+If a node was set to RO state, you need to free some disk space to unblock writes on the node. Write access is re-enabled when node has more than 16 GiB of free storage on nodes with 256 GiB or greater and more than 7% of free storage on nodes with 128 GiB or smaller storage.

+The **minimum service-wide accepted version is TLS 1.0**. This selection can be changed on a per account basis, as discussed in the following section.

+### Set Minimal TLS Protocol in Azure Cosmos DB using the Portal

+This self-serve feature is available in the Portal while creating and editing an account. Azure Cosmos DB Accounts enforce the TLS 1.2 protocol. However, Azure Cosmos DB also supports the following TLS protocols depending on the API kind selected.

+- **MongoDB:** TLS 1.2

+- **Cassandra:** TLS 1.2

+- **Table, SQL and Graph:** TLS 1.0, TLS 1.1 and TLS 1.2

+

+### Steps to set Minimal TLS Protocol while creating an account

+If you're using an API Kind that only supports TLS 1.2, you'll notice in the Networking tab at the bottom the TLS protocol disabled.

+If you're using an API Kind that accepts multiple TLS protocols, then you can navigate to the Networking tab and the Minimum Transport Layer Security Protocol option is available. You can change the selected protocol by just clicking on the dropdown and selecting the desired protocol.

+After setting up your account, you can review in the Review + create tab, at the bottom inside the Networking section, that the selected TLS Protocol is set as you specified.

+### Steps to set the Minimal TLS Protocol while editing an account

+1. Navigate to your Azure Cosmos DB account on the Azure portal.

+2. Select Networking from the left menu, then select the Connectivity tab.

+3. You'll find the Minimum Transport Layer Security Protocol option. If you're using an API Kind that only supports TLS 1.2, you'll notice this option disabled. Otherwise, you'll be able to select the desired TLS Protocol by just clicking on it.

+ :::image type="content" source="media/self-serve-minimum-tls-enforcement/edit.png" alt-text="Screenshot of minimum transport layer security protocol option.":::

+

+4. Click Save once you changed the TLS protocol.

+ :::image type="content" source="media/self-serve-minimum-tls-enforcement/save.png" alt-text="Screenshot of save after change.":::

+

+5. Once it is saved, you'll receive a success notification. Still, this change can take up to 15 minutes to take effect after the configuration update is completed.

+ :::image type="content" source="media/self-serve-minimum-tls-enforcement/notification-success.png" alt-text="Screenshot of success notification.":::

+

+To set using Azure CLI, use the command:

+To set using Azure PowerShell, use the command:

+To set this property using an ARM template, update your existing template or export a new template for your current deployment, then add `"minimalTlsVersion"` to the properties for the `databaseAccounts` resources, with the desired minimum TLS version value. Provided here is a basic example of an Azure Resource Manager template with this property setting, using a parameter.

+To get the current value of the property using Azure CLI, run the command:

+To get the current value of the property using Azure PowerShell, run the command:

+Cost Management now remembers preview features across sessions in the preview portal. Select the preview features you're interested in from the **Try preview** menu and you'll see them enabled by default the next time you visit the portal. There's no need to enable the option ΓÇô preview features are remembered automatically.

+View more details about what costs are included and not included in the Cost analysis preview. You can enable this option from the Try Preview menu.

+Cost analysis is your tool for interactive analytics and insights. You've seen the addition of new views and capabilities, like anomaly detection, in the cost analysis preview. However, classic cost analysis is still the best tool for quick data exploration with simple filtering and grouping. While these capabilities are coming to the preview, we're introducing a new experience that allows you to select which view you want to start with. Whether that is a preview view, a built-in view, or a custom view you created.

+The first time you open the cost analysis preview, you see a list of all views. When you return, you see a list of the recently used views to help you get back to where you left off quicker than ever. You can pin any view or even rename or subscribe to alerts for your saved views.

+SQL databases are deployed as part of a SQL server instance, but usage is tracked at the database level. Additionally, you might also have charges on the parent server, like for Microsoft Defender for Cloud. To get the total cost for your SQL deployment in classic cost analysis, you need to manually sum up the cost of the server and each individual database. As an example, you can see the **aepool** elastic pool at the top of the following list and the **treyanalyticsengine** server lower down on the first page. What you don't see is another database even lower in the list. You can imagine how troubling this situation would be when you need the total cost of a large server instance with many databases.

+In addition to SQL servers, you also see other services with child resources, like App Service, Synapse, and VNet gateways. Each is similarly shown grouped together in the cost analysis preview.

+Group related resources, like disks under VMs or web apps under App Service plans, by adding a ΓÇ£cm-resource-parentΓÇ¥ tag to the child resources with a value of the parent resource ID. Wait 24 hours for tags to be available in usage and your resources are grouped. Leave feedback to let us know how we can improve this experience further for you.

+Some resources have related dependencies that aren't explicit children or nested under the logical parent in Azure Resource Manager. Examples include disks used by a virtual machine or web apps assigned to an App Service plan. Unfortunately, Cost Management isn't aware of these relationships and can't group them automatically. This experimental feature uses tags to summarize the total cost of your related resources together. You see a single row with the parent resource. When you expand the parent resource, you see each linked resource listed individually with their respective cost.

+In the following image, the left menu is classic cost analysis. The right menu is the streamlined menu.

+## Reservation utilization alerts

+[Azure reservations](../reservations/save-compute-costs-reservations.md) can provide cost savings by committing to one-year or three-year plans. However, reservations can sometimes go unutilized or underutilized, resulting in financial losses. As a [billing account](../reservations/reservation-utilization.md#view-utilization-as-billing-administrator) or [reservation user](../reservations/reservation-utilization.md#view-utilization-in-the-azure-portal-with-azure-rbac-access), you can [review the utilization percentage](../reservations/reservation-utilization.md) of your reservation purchases in the Azure portal, but you might miss out important changes. By enabling reservation utilization alerts, you solve this by receiving email notifications whenever any of your reservations exhibit low utilization. This allows you to take prompt action and optimize your reservation purchases for maximum efficiency.

+The alert email provides essential information including top unutilized reservations and a hyperlink to the list of reservations. By promptly optimizing your reservation purchases, you can avoid financial losses and ensure that your investments are delivering the expected cost savings. For more information, see [Reservation utilization alerts](reservation-utilization-alerts.md).

+- Take advantage of the **How would you rate…** prompts in the Azure portal to let us know how each experience is working for you. We monitor the feedback proactively to identify and prioritize changes. You see either a blue option in the bottom-right corner of the page or a banner at the top.

+Instead of canceling a subscription, you can remove all of its resources to [prevent unwanted charges](#prevent-unwanted-charges).

+## Prevent unwanted charges

+To prevent unwanted charges on a subscription, you can go to **Resources** menu for the subscription and select the resources that you want to delete. If don't want to have any charges for the subscription, select all of the subscription resources and then **Delete** them. The subscription essentially becomes an empty container with no charges.

+If you have a support plan, you might continue to get charged for it. To delete a support a plan, navigate to **Cost Management + Billing** and select **Recurring charges**. Select the support plan and turn off autorenewal.

+## Azure portal for Cost Management and Billing

+The Azure portal hierarchy for Cost Management consists of:

+- **Azure portal for Cost Management** - an online management portal that helps you manage costs for your Azure EA services. You can:

+- **Accounts** are organizational units in the Azure portal for Cost Management. You can use accounts to manage subscriptions and access reports.

+- **Subscriptions** are the smallest unit in the Azure portal for Cost Management. They're containers for Azure services managed by the Account Owner role, also known as the Subscription's service administrator.

+Use the Azure portal's Cost Management blade the [Azure portal](https://portal.azure.com) to manage Azure Enterprise Agreement roles.

+User roles are associated with a user account. To validate user authenticity, each user must have a valid work, school, or Microsoft account. Ensure that each account is associated with an email address that's actively monitored. Enrollment notifications are sent to the email address.

+> [!NOTE]

+> The Account Owner role is often assigned to a service account that doesn't have an actively monitored email.

+When setting up users, you can assign multiple accounts to the enterprise administrator role. An enrollment can have multiple account owners, for example, one per department. Also, you can assign both the enterprise administrator and account owner roles to a single account.

+Users with this role have the highest level of access to the Enrollment. They can:

+The EA administrator role automatically inherits all access and privilege of the department administrator role. So thereΓÇÖs no need to manually give an EA administrator the department administrator role.

+When new Account Owners (AO) are added to an Azure EA enrollment for the first time, their status appears as _pending_. When a new account owner receives the activation welcome email, they can sign in to activate their account.

+> [!NOTE]

+> If the Account Owner is a service account and doesn't have an email, use an In-Private session to log into the Azure portal and navigate to Cost Management to be prompted to accept the activation welcome email.

+Once they activate their account, the account status is updated from _pending_ to _active_. The account owner needs to read the 'Warning' message and select **Continue**. New users might get prompted to enter their first and last name to create a Commerce Account. If so, they must add the required information to continue and then the account is activated.

+> [!NOTE]

+> A subscription is associated with one and only one account. The warning message includes details that warn the Account Owner that accepting the offer will move the subscriptions associated with the Account to the new Enrollment.

+You may see different pricing in the Azure portal depending on your administrative role and how the view charges policies are set by the Enterprise Administrator. Enabling Department Administrator and Account Owner Roles to see the charges can be restricted by restricting access to billing information.

+1. Cable each node independently as you would for a single node device. Based on the workloads that you intend to deploy, cross connect the network interfaces on these devices via cables, and with or without switches. For detailed instructions, see [Cable your two-node cluster device](azure-stack-edge-gpu-deploy-install.md?pivots=twonode#cable-the-device).

+Use the following steps to configure TLS 1.2 on your client.

+ [System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'

+- **Gaining intel for existing exploits of a vulnerability** - While vulnerability reporting tools can report the ever growing volume of vulnerabilities, the capacity to efficiently remediate them remains a challenge. These tools typically prioritize their remediation processes according to the severity of the vulnerability. MDVM provides additional context on the risk related with each vulnerability, leveraging intelligent assessment and risk-based prioritization against industry security benchmarks, based on three data sources: [exploit DB](https://www.exploit-db.com/), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), and [MSRC](https://www.microsoft.com/msrc?SilentAuth=1&wa=wsignin1.0)

+1. Vulnerability reports are refreshed daily for any image pushed during the last 90 days to a registry or currently running on a Kubernetes cluster monitored by Defender CSPM Agentless discovery and visibility for Kubernetes, or monitored by the Defender for Containers agent (profile or extension).

+The existing recommendation `Container registry images should have vulnerability findings resolved` is replaced by a new recommendation powered by MDVM:

+|**C5600** | [HPE ProLiant DL360](appliance-catalog/hpe-proliant-dl360.md) | **Max bandwidth**: Up to 3 Gbps <br>**Max devices**: 12K <br> 16C[32T] CPU/32G RAM/5.6TB | **Mounting**: 1U <br>**Ports**: 15x RJ45 or 8x SFP (OPT) |

+|**E1800** | [HPE ProLiant DL20 Gen10 Plus](appliance-catalog/hpe-proliant-dl20-plus-enterprise.md) (4SFF) <br><br> [Dell PowerEdge R350](appliance-catalog/dell-poweredge-r350-e1800.md) | **Max bandwidth**: Up to 1 Gbps<br>**Max devices**: 10K <br> 4C[8T] CPU/32G RAM/1.8TB | **Mounting**: 1U <br>**Ports**: 8x RJ45 or 6x SFP (OPT) |

+|**E500** | [Dell Edge 5200](appliance-catalog/dell-edge-5200.md) <br> (Rugged MIL-STD-810G) | **Max bandwidth**: Up to 1 Gbps<br>**Max devices**: 10K <br> 8C[8T] CPU/32G RAM/512GB | **Mounting**: Wall Mount<br>**Ports**: 3x RJ45 |

+|**L500** | [HPE ProLiant DL20 Gen10 Plus](appliance-catalog/hpe-proliant-dl20-plus-smb.md) <br> (NHP 2LFF) | **Max bandwidth**: Up to 200 Mbps<br>**Max devices**: 1,000 <br> 4C[8T] CPU/8G RAM/500GB | **Mounting**: 1U<br>**Ports**: 4x RJ45 |

+|**L100** | [YS-Techsystems YS-FIT2](appliance-catalog/ys-techsystems-ys-fit2.md) <br>(Rugged MIL-STD-810G) | **Max bandwidth**: Up to 10 Mbps <br>**Max devices**: 100 <br> 4C[4T] CPU/8G RAM/128GB | **Mounting**: DIN/VESA<br>**Ports**: 2x RJ45 |

+1. <a name="credentials"></a>The installation process starts running and then shows the credentials screen.

+1. On the Access configuration tab, select **Azure role-based access control**, and then select **Review + create**.

+This article describes how to set up and use a gateway for secure [remote desktop](/windows-server/remote/remote-desktop-services/Welcome-to-rds) access to lab virtual machines (VMs) in Azure DevTest Labs. Using a gateway improves security because you don't expose the VMs' remote desktop protocol (RDP) ports to the internet. This remote desktop gateway solution also supports token authentication.

+ |`alwaysOn` | |Whether to keep the created Azure Functions app warmed (on) or not. Keeping the app on avoids delays when users first try to connect to their lab VMs, but has cost implications. |

+ |`tokenLifetime` | |The length of time in HH:MM:SS format that the created token is valid. |

+1. Run the following Azure CLI command to deploy *azuredeploy.json*:

+After you create the remote desktop gateway farm and update DNS, configure Azure DevTest Labs to use the gateway.

+Before you update lab settings, store the key for the authentication token function in the lab's key vault. You can get the function key value on the function's **Function Keys** page in Azure portal. To find the ID of the lab's key vault, run the following Azure CLI command:

+Learn how to save a secret in a key vault in the article, [Add a secret to Key Vault](../key-vault/secrets/quick-create-portal.md#add-a-secret-to-key-vault). Record the secret name to use later. This value isn't the function key itself, but the name of the key vault secret that holds the function key.

+### Automate lab configuration

+- Powershell: [Set-DevTestLabGateway.ps1](https://github.com/Azure/azure-devtestlab/blob/master/samples/DevTestLabs/GatewaySample/tools/Set-DevTestLabGateway.ps1) is a sample PowerShell script to automatically set **Gateway hostname** and **Gateway token secret** settings.

+- ARM: Use the [Gateway sample ARM templates](https://github.com/Azure/azure-devtestlab/tree/master/samples/DevTestLabs/GatewaySample/arm/lab) in the Azure DevTest Labs GitHub repository to create or update labs with **Gateway hostname** and **Gateway token secret** settings.

+To further secure the lab, add a network security group (NSG) to the virtual network the lab VMs use as described in [Create, change, or delete a network security group](../virtual-network/manage-network-security-group.md). For example, an NSG could allow only traffic that first goes through the gateway to reach lab VMs. The rule source is the IP address of the gateway machine or load balancer for the gateway farm.

+An Event Grid namespace is a declarative space that provides a scope to all the nested resources or subresources such as topics, certificates, clients, client groups, topic spaces, permission bindings.

+| Resource | Protocol supported |

+| : | :: |

+| Namespace topics | HTTP |

+| Topic Spaces | MQTT |

+| Clients | MQTT |

+| Client Groups | MQTT |

+| CA Certificates | MQTT |

+| Permission bindings | MQTT |

+It gives you a unique FQDN. A Namespace exposes two endpoints:

+- An HTTP endpoint to support general messaging requirements using Namespace Topics.

+- An MQTT endpoint for IoT messaging or solutions that use MQTT.

+

+A Namespace also provides DNS-integrated network endpoints and a range of access control and network integration management features such as IP ingress filtering and private links. It's also the container of managed identities used for all contained resources that use them.

+Namespace is a tracked resource with 'tags' and a 'location' properties, and once created can be found on resources.azure.com.

+Client is a device or an application that can publish and/or subscribe MQTT messages. For more information about client configuration, see [MQTT clients](mqtt-clients.md).

+Certificate is a form of asymmetric credential. They're a combination of a public key from an asymmetric keypair and a set of metadata describing the valid uses of the keypair. If the keypair of the issuer is the same keypair as the certificate, the certificate is said to be "self-signed". Third-party certificate issuers are sometimes called Certificate Authorities (CA). For more information about client authentication, see [MQTT client authentication](mqtt-client-authentication.md).

+Client attributes represent a set of key-value pairs that provide descriptive information about the client. Client attributes are used in creating client groups and as variables in Topic Templates. For example, client type is an attribute that provides the client's type. For more information about client configuration, see [MQTT clients](mqtt-clients.md).

+Client group is a collection of clients. Clients can be grouped together using common client attribute(s). Client groups can be given permissions to publish and/or subscribe to a specific topic space. For more information about client groups configuration, see [MQTT client groups](mqtt-client-groups.md).

+Topic space is a set of topic templates. It's used to simplify access control management by enabling you to grant publish or subscribe access to a group of topics at once instead of individual topics. For more information about topic spaces configuration, see [MQTT topic spaces](mqtt-topic-spaces.md).

+Topic templates are an extension of the topic filter that supports variables. It's used for fine-grained access control within a client group.

+A Permission Binding grants access to a specific client group to either publish or subscribe on a specific topic space. For more information about permission bindings, see [MQTT access control](mqtt-access-control.md).

+The MQTT support in Event Grid is ideal for the implementation of automotive and mobility scenarios, among others. See [the reference architecture](mqtt-automotive-connectivity-and-data-solution.md) to learn how to build secure and scalable solutions for connecting millions of vehicles to the cloud, using AzureΓÇÖs messaging and data analytics services.

+ "state": "Enabled"

+ },

+ "isZoneRedundant": true

+ "state": "Enabled",

+ "authenticationName": "client1-authnID",

+ "clientCertificateAuthentication": {

+ "validationScheme": "ThumbprintMatch",

+ "allowedThumbprints": [

+ "{Your client 1 certificate thumbprint}"

+ ]

+az resource create --resource-type Microsoft.EventGrid/namespaces/clients --id /subscriptions/{Subscription ID}/resourceGroups/{Resource Group}/providers/Microsoft.EventGrid/namespaces/{Namespace Name}/clients/{Client Name} --api-version 2023-06-01-preview --properties @./resources/client1.json

+ "topicTemplates": [

+ "contosotopics/topic1"

+ ]

+az resource create --resource-type Microsoft.EventGrid/namespaces/topicSpaces --id /subscriptions/{Subscription ID}/resourceGroups/{Resource Group}/providers/Microsoft.EventGrid/namespaces/{Namespace Name}/topicSpaces/{Topic Space Name} --api-version 2023-06-01-preview --properties @./resources/topicspace.json

+ "clientGroupName": "$all",

+ "permission": "Publisher",

+ "topicSpaceName": "{Your topicspace name}"

+ "clientGroupName": "$all",

+ "permission": "Subscriber",

+ "topicSpaceName": "{Your topicspace name}"

+> [!IMPORTANT]

+> Please update the client certificate and key pem file paths depending on location of your client certificate files. Also, ensure the client authentication name, topic information match with your configuration.

+ .WithClientId(clientId)

+ .WithCredentials("client1-authnID", "") //use client authentication name in the username

+1. Configure client1 with

+1. Update the host name to MQTT hostname from the Overview page of the namespace.

+1. Update the port to 8883

+1. Toggle SSL/TLS to ON.

+1. Toggle SSL Secure to ON, to ensure service certificate validation.

+1. Select Certificate as Self signed.

+1. Provide the path to client.cer.pem file for Client Certificate File.

+1. Provide the path to client.key.pem file for Client key file.

+1. Rest of the settings can be left with predefined default values.

+1. Select Connect to connect the client to the Event Grid MQTT service.

+1. Repeat the above steps to connect the second client ΓÇ£client2ΓÇ¥, with corresponding authentication information as shown.

+ },

+ "isZoneRedundant": true

+- If a client resource is deleted without ending its session, other clients won't be able to use that session name until the session expires. For example, If client B creates a session with session name 123 then client B is deleted, client A won't be able to connect to session 123 until the session expires.

+Event Grid supports QoS 0 and 1, which define the guarantee of message delivery on PUBLISH and SUBSCRIBE packets between clients and Event Grid. QoS 0 guarantees at-most-once delivery; messages with QoS 0 arenΓÇÖt acknowledged by the subscriber nor get retransmitted by the publisher. QoS 1 guarantees at-least-once delivery; messages are acknowledged by the subscriber and get retransmitted by the publisher if they didnΓÇÖt get acknowledged. QoS enables your clients to control the efficiency and reliability of the communication.

+Event Grid supports persistent sessions for MQTT v3.1.1 such that Event Grid preserves information about a clientΓÇÖs session in case of disconnections to ensure reliability of the communication. This information includes the clientΓÇÖs subscriptions and missed/ unacknowledged QoS 1 messages. Clients can configure a persistent session through setting the cleanSession flag in the CONNECT packet to false.

+**Maximum session expiry interval:**

+On the Configuration page of an Event Grid namespace, you can configure the maximum session expiry interval at namespace scope. This setting will apply to all the clients within the namespace.

+If you are using MQTT v3.1.1, this setting provides the session expiration time and ensures that sessions for inactive clients are terminated once the time limit is reached.

+If you are using MQTT v5, this setting will provide the maximum limit for the Session Expiry Interval value. Any Session Expiry Interval chosen above this limit will be negotiated.

+The default value for this namespace property is 1 hour and can be extended up to 8 hours.

+Event Grid supports user properties on MQTT v5 PUBLISH packets that allow you to add custom key-value pairs in the message header to provide more context about the message. The use cases for user properties are versatile. You can use this feature to include the purpose or origin of the message so the receiver can handle the message without parsing the payload, saving computing resources. For example, a message with a user property indicating its purpose as a "warning" could trigger different handling logic than one with the purpose of "information."

+Event Grid enables your clients to communicate on [custom MQTT topic names](https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901107) using a publish-subscribe messaging model. Event Grid supports clients that publish and subscribe to messages over MQTT v3.1.1, MQTT v3.1.1 over WebSockets, MQTT v5, and MQTT v5 over WebSockets. Event Grid allows you to send MQTT messages to the cloud for data analysis, storage, and visualizations, among other use cases.

+The MQTT support in Event Grid is ideal for the implementation of automotive and mobility scenarios, among others. See [the reference architecture](mqtt-automotive-connectivity-and-data-solution.md) to learn how to build secure and scalable solutions for connecting millions of vehicles to the cloud, using AzureΓÇÖs messaging and data analytics services.

+* Downgrade from Premium SKU to Standard.

+- [Azure DDoS Protection overview](../ddos-protection/ddos-protection-overview.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn module: Introduction to Azure Firewall Manager](/training/modules/intro-to-azure-firewall-manager/)

+- Learn about [secured Virtual Hubs](secured-virtual-hub.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- Learn how to deploy an Azure Firewall - [Tutorial: Secure your cloud network with Azure Firewall Manager using the Azure portal](secure-cloud-network.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure Firewall policy](policy-overview.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn about secured Virtual Hubs](secured-virtual-hub.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Azure Firewall Premium features](premium-features.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Learn more about Azure network security](../networking/security/index.yml)

+- [Tutorial: Monitor Azure Firewall logs](./firewall-diagnostics.md)

+- [Learn more about Azure network security](../networking/security/index.yml)

+For an overview of the MedTech service FHIR destination mapping, see

+> [!div class="nextstepaction"]

+> [Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+To learn about the MedTech service frequently asked questions (FAQs), see

+> [!div class="nextstepaction"]

+> [Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+ Title: Tutorial - Visualize IoT data in a web app

+description: This tutorial uses a web application to visualize temperature and humidity data that is collected from a sensor and sent to your IoT hub.

+# Tutorial: Visualize real-time sensor data from your Azure IoT hub in a web application

+In this article, you learn how to visualize real-time sensor data that your IoT hub receives with a Node.js web app running on your local computer. After running the web app locally, you can host the web app in Azure App Service.

+

+This tutorial assumes that you already have an IoT hub instance in your Azure subscription and a registered IoT device sending temperature data.

+The web application sample for this tutorial is written in Node.js. The steps in this article assume a Windows development machine; however, you can also perform these steps on a Linux system in your preferred shell.

+* Use the [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md) or complete one of the [Send telemetry](../iot-develop/quickstart-send-telemetry-iot-hub.md) quickstarts to get a device sending temperature data to IoT Hub. These articles cover the following requirements:

+ * An active Azure subscription

+ * An IoT hub under your subscription

+ * A registered device running a client application that sends messages to your IoT hub

+* [Node.js](https://nodejs.org) version 14 or later. To check your node version run `node --version`.

+* [Git](https://www.git-scm.com/downloads).

+[Consumer groups](../event-hubs/event-hubs-features.md#event-consumers) provide independent views into the event stream that enable apps and Azure services to independently consume data from the same Event Hubs endpoint. In this section, you add a consumer group to your IoT hub's built-in endpoint that the web app uses to read data.

+az iot hub consumer-group create --hub-name YOUR_IOT_HUB_NAME --name YOUR_CONSUMER_GROUP_NAME

+Note down the name you choose, you need it later in this tutorial.

+az iot hub connection-string show --hub-name YOUR_IOT_HUB_NAME --policy-name service

+The service connection string should look similar to the following example:

+"HostName=YOUR_IOT_HUB_NAME.azure-devices.net;SharedAccessKeyName=service;SharedAccessKey=YOUR_SHARED_ACCESS_KEY"

+Note down the service connection string, you need it later in this tutorial.

+Download or clone the web app sample from GitHub: [web-apps-node-iot-hub-data-visualization](https://github.com/Azure-Samples/web-apps-node-iot-hub-data-visualization.git).

+On your development machine, navigate to the **web-apps-node-iot-hub-data-visualization** directory, then open the web app in your favorite editor. The following shows the file structure viewed in Visual Studio Code:

+

+* **server.js** is a service-side script that initializes the web socket and the Event Hubs wrapper class. It provides a callback to the Event Hubs wrapper class that the class uses to broadcast incoming messages to the web socket.

+* **scripts/event-hub-reader.js** is a service-side script that connects to the IoT hub's built-in endpoint using the specified connection string and consumer group. It extracts the DeviceId and EnqueuedTimeUtc from metadata on incoming messages and then relays the message using the callback method registered by server.js.

+* **public/js/chart-device-data.js** is a client-side script that listens on the web socket, keeps track of each DeviceId, and stores the last 50 points of incoming data for each device. It then binds the selected device data to the chart object.

+* **public/https://docsupdatetracker.net/index.html** handles the UI layout for the web page and references the necessary scripts for client-side logic.

+set IotHubConnectionString=YOUR_IOT_HUB_CONNECTION_STRING

+set EventHubConsumerGroup=YOUR_CONSUMER_GROUP_NAME

+ :::image type="content" source="./media/iot-hub-live-data-visualization-in-web-apps/web-app-console-start.png" alt-text="Screenshot showing the web app sample successfully running in the console.":::

+The [Azure App Service](../app-service/overview.md) provides a platform as a service (PAAS) for hosting web applications. Web applications hosted in App Service can benefit from powerful Azure features like security, load balancing, and scalability as well as Azure and partner DevOps solutions like continuous deployment, package management, and so on. App Service supports web applications developed in many popular languages and deployed on Windows or Linux infrastructure.

+In this section, you provision a web app in App Service and deploy your code to it by using Azure CLI commands. You can find details of the commands used in the [az webapp](/cli/azure/webapp) documentation.

+ To create an App Service plan using the Windows free tier, use the [az appservice plan create](/cli/azure/appservice/plan#az-appservice-plan-create) command. Use the same resource group your IoT hub is in. Your service plan name can contain upper and lower case letters, numbers, and hyphens.

+ az appservice plan create --name NEW_NAME_FOR_YOUR_APP_SERVICE_PLAN --resource-group YOUR_RESOURCE_GROUP_NAME --sku FREE

+2. Use the [az webapp create](/cli/azure/webapp#az-webapp-create) command to provision a web app in your App Service plan. The `--deployment-local-git` parameter enables the web app code to be uploaded and deployed from a Git repository on your local machine. Your web app name must be globally unique and can contain upper and lower case letters, numbers, and hyphens. Be sure to specify Node version 14 or later for the `--runtime` parameter, depending on the version of the Node.js runtime you're using. You can use the `az webapp list-runtimes` command to get a list of supported runtimes.

+ az webapp create -n NEW_NAME_FOR_YOUR_WEB_APP -g YOUR_RESOURCE_GROUP_NAME -p YOUR_APP_SERVICE_PLAN_NAME --runtime "NODE:14LTS" --deployment-local-git

+3. Use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command to add application settings for the environment variables that specify the IoT hub connection string and the Event hub consumer group. Individual settings are space-delimited in the `-settings` parameter. Use the service connection string for your IoT hub and the consumer group you created previously in this tutorial.

+ az webapp config appsettings set -n YOUR_WEB_APP_NAME -g YOUR_RESOURCE_GROUP_NAME --settings EventHubConsumerGroup=YOUR_CONSUMER_GROUP_NAME IotHubConnectionString="YOUR_IOT_HUB_CONNECTION_STRING"

+ az webapp config set -n YOUR_WEB_APP_NAME -g YOUR_RESOURCE_GROUP_NAME --web-sockets-enabled true

+ az webapp update -n YOUR_WEB_APP_NAME -g YOUR_RESOURCE_GROUP_NAME --https-only true

+5. To deploy the code to App Service, you use [user-level deployment credentials](../app-service/deploy-configure-credentials.md). Your user-level deployment credentials are different from your Azure credentials and are used for Git local and FTP deployments to a web app. Once set, they're valid across all of your App Service apps in all subscriptions in your Azure account. If you've previously set user-level deployment credentials, you can use them.

+ If you haven't previously set user-level deployment credentials or you can't remember your password, run the [az webapp deployment user set](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) command. Your deployment user name must be unique within Azure, and it must not contain the ΓÇÿ\@ΓÇÖ symbol for local Git pushes. When you're prompted, enter and confirm your new password. The password must be at least eight characters long, with two of the following three elements: letters, numbers, and symbols.

+ az webapp deployment user set --user-name NAME_FOR_YOUR_USER_CREDENTIALS

+ az webapp deployment source config-local-git -n YOUR_WEB_APP_NAME -g YOUR_RESOURCE_GROUP_NAME

+7. Add a remote to your clone that references the Git repository for the web app in App Service. Replace the `GIT_ENDPOINT_URL` placeholder with the URL returned in the previous step. Make sure that you're in the sample directory, *web-apps-code-iot-hub-data-visualization*, then run the following command in your command window.

+ git remote add webapp GIT_ENDPOINT_URL

+8. To deploy the code to App Service, enter the following command in your command window. Make sure that you are in the sample directory *web-apps-code-iot-hub-data-visualization*. If you're prompted for credentials, enter the user-level deployment credentials that you created in step 5. Push to the main branch of the App Service remote.

+ ```cmd

+ git push webapp master:master

+ ```

+9. The progress of the deployment updates in your command window. A successful deployment ends with lines similar to the following output:

+ ```cmd

+ remote:

+ remote: Finished successfully.

+ remote: Running post deployment command(s)...

+ remote: Deployment successful.

+ To https://contoso-web-app-3.scm.azurewebsites.net/contoso-web-app-3.git

+ 6b132dd..7cbc994 master -> master

+ ```

+10. Run the following command to query the state of your web app and make sure it's running:

+ az webapp show -n YOUR_WEB_APP_NAME -g YOUR_RESOURCE_GROUP_NAME --query state

+If you come across any issues with this sample, try the steps in the following sections. If you still have problems, send us feedback at the bottom of this article.

+* If a device doesn't appear in the list, or no graph is being drawn, make sure the device code is running on your device.

+* In the browser, open the developer tools (in many browsers the F12 key opens it), and find the console. Look for any warnings or errors printed there.

+* If you see an error about not finding a package, you may have run the steps out of order. When the site is deployed (with `git push`) the app service runs `npm install`, which runs based on the current version of node it has configured. If that is changed in configuration later, you need to make a meaningless change to the code and push again.

+For another way to interact with data from Azure IoT Hub, see the following tutorial:

+> [!div class="nextstepaction"]

+> [Use Logic Apps for remote monitoring and notifications](./iot-hub-monitoring-notifications-with-azure-logic-apps.md)

+- *enabled*: boolean, optional, default is **true**. Specifies whether the key is enabled and useable for cryptographic operations. The *enabled* attribute is used with *nbf* and *exp*. When an operation occurs between *nbf* and *exp*, it will only be permitted if *enabled* is set to **true**. Operations outside the *nbf* / *exp* window are automatically disallowed, except for [decrypt, release, unwrap, and verify](#date-time-controlled-operations).

+- *nbf*: IntDate, optional, default is now. The *nbf* (not before) attribute identifies the time before which the key MUST NOT be used for cryptographic operations, except for [decrypt, release, unwrap, and verify](#date-time-controlled-operations). The processing of the *nbf* attribute requires that the current date/time MUST be after or equal to the not-before date/time listed in the *nbf* attribute. Key Vault MAY provide for some small leeway, normally no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.

+- *exp*: IntDate, optional, default is "forever". The *exp* (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for cryptographic operation, except for [decrypt, release, unwrap, and verify](#date-time-controlled-operations). The processing of the *exp* attribute requires that the current date/time MUST be before the expiration date/time listed in the *exp* attribute. Key Vault MAY provide for some small leeway, typically no more than a few minutes, to account for clock skew. Its value MUST be a number containing an IntDate value.

+Not-yet-valid and expired keys, outside the *nbf* / *exp* window, will work for **decrypt**, **release**, **unwrap**, and **verify** operations (won't return 403, Forbidden). The rationale for using the not-yet-valid state is to allow a key to be tested before production use. The rationale for using the expired state is to allow recovery operations on data that was created when the key was valid. Also, you can disable access to a key using Key Vault policies, or by updating the *enabled* key attribute to **false**.

+az keyvault setting update --hsm-name <managed-hsm name> --name AllowKeyManagementOperationsThroughARM --value true

+az keyvault setting update --hsm-name <managed-hsm name> --name AllowKeyManagementOperationsThroughARM --value false

+## Prerequisites

+- To add lab creators to a lab plan, your Azure account needs to have the [Owner](./concept-lab-services-role-based-access-control.md#owner-role) Azure RBAC role assigned on the resource group. Learn more about the [Azure Lab Services built-in roles](./reliability-in-azure-lab-services.md).

+## Add Azure AD user account to Lab Creator role

+If you're using a lab account, assign the Lab Creator role on the lab account.

+## Add a guest user as a lab creator

+You can associate a lab plan with zero or more [labs](#lab). Each lab uses the configuration settings from the lab plan. Azure Lab Services uses Azure RBAC roles to grant permissions for creating labs. Learn more about [Azure Lab Services built-in roles](./concept-lab-services-role-based-access-control.md).

+To create labs in Azure Lab Services, your Azure account needs to have the Lab Creator Azure RBAC role, or you need to be the owner of the corresponding lab plan. Learn more about [Azure Lab Services built-in roles](./concept-lab-services-role-based-access-control.md).

+- To change settings for the lab plan, your Azure account needs the [Owner](/azure/role-based-access-control/built-in-roles#owner), [Contributor](/azure/role-based-access-control/built-in-roles#contributor), or [Lab Services Contributor](/azure/role-based-access-control/built-in-roles#lab-services-contributor) role on the lab plan. Learn more about the [Azure Lab Services built-in roles](./concept-lab-services-role-based-access-control.md).

+

+Users are auto-registered to the lab and VMs are automatically assigned when the VM pool syncs with the Azure AD group. Educators don't need to send invitations and students don't need to register for the lab separately.

+- To add a lab plan to Teams, your account should have the [Owner](./concept-lab-services-role-based-access-control.md#owner-role), [Lab Creator](./concept-lab-services-role-based-access-control.md#lab-creator-role), or [Contributor](./concept-lab-services-role-based-access-control.md#contributor-role) role on the lab plan. Learn more about [Azure Lab Services built-in roles](./concept-lab-services-role-based-access-control.md).

+## Prerequisites

+For more information about the lab plan Owner and Contributor roles, see [RBAC roles](./concept-lab-services-role-based-access-control.md).

+For more information about the Lab Creator role, see [RBAC roles](./concept-lab-services-role-based-access-control.md).

+For more information about the lab Owner and Contributor roles, see [RBAC roles](./concept-lab-services-role-based-access-control.md).

+If you don't already have a lab plan, you can create a temporary lab plan for requesting capacity, and delete the plan afterwards. Because capacity is assigned to your subscription, it's not affected when you create or delete lab plans. The first time you create a lab plan, a special Microsoft-managed Azure subscription is automatically created. This subscription isnΓÇÖt visible to you and is used internally to assign your [dedicated capacity](./capacity-limits.md#per-customer-assigned-capacity).

+- [Create a lab plan](./tutorial-setup-lab-plan.md).

+As a customer, you're now assigned your own [dedicated VM cores quota](./capacity-limits.md#per-customer-assigned-capacity). This quota is assigned per-subscription. The initial number of VM cores assigned to your subscription is limited, so you'll need to request a core limit increase. Even if you're already using lab accounts in the current version of Azure Lab Services, you'll still need to request a core limit increase; existing cores in a lab account won't be available when you create a lab plan.

+1. [Request a core limit increase](./how-to-request-capacity-increase.md?tabs=Labplans).

+You can reuse the same Azure Compute Gallery and licensing servers that you use with your lab accounts. Optionally, you can also [configure more licensing servers](./how-to-create-a-lab-with-shared-resource.md) and galleries based on your needs. For VMs that require access to a licensing server, you'll create lab plans with [advanced networking](./how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) enabled as shown in the next step.

+1. [Create and configure lab plans](./tutorial-setup-lab-plan.md).

+ - If you plan to use a license server, don't forget to enable [advanced networking](./how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) when creating your lab plans.

+ - The lab planΓÇÖs resource group name is significant because educators will select the resource group to [create a lab](./tutorial-setup-lab.md#create-a-lab).

+1. [Assign permissions](./tutorial-setup-lab-plan.md#add-a-user-to-the-lab-creator-role) to educators that will create labs.

+1. Enable [Azure Marketplace images](./specify-marketplace-images.md).

+1. [Configure regions for labs](./create-and-configure-labs-admin.md). You should enable your lab plans to use the regions that you specified in your capacity request.

+1. Optionally, [attach an Azure Compute Gallery](./how-to-attach-detach-shared-image-gallery.md).

+1. Optionally, configure [integration with Canvas](./lab-services-within-canvas-overview.md) including [adding the app and linking lab plans](./how-to-get-started-create-lab-within-canvas.md). Alternately, configure [integration with Teams](./lab-services-within-teams-overview.md) by [adding the app to Teams groups](./how-to-get-started-create-lab-within-teams.md).

+|[Virtual network peering](./how-to-connect-peer-virtual-network.md#configure-at-the-time-of-lab-account-creation)|Lab plans can reuse the same virtual network as lab accounts. </br> - [Setup advanced networking](./how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) when you create the lab plan.|

+|[Role assignments](./concept-lab-services-role-based-access-control.md) </br> - Lab account owner\contributor. </br> - Lab creator\owner\contributor.|Lab plans include new specialized roles. </br>1. [Review roles](./concept-lab-services-role-based-access-control.md). </br>2. [Assign permissions](./tutorial-setup-lab-plan.md#add-a-user-to-the-lab-creator-role).|

+|Enabled Marketplace images. </br> - Lab accounts only support Gen1 images from the Marketplace.|Lab plans include settings to enable [Azure Marketplace images](./specify-marketplace-images.md). </br> - Lab plans support Gen1 and Gen2 Marketplace images, so the list of images will be different than what you would see if using lab accounts.|

+|[Location](./how-to-manage-lab-accounts.md#create-a-lab-account) </br> - Labs are automatically created within the same geolocation as the lab account. </br> - You can't specify the exact region where a lab is created. |Lab plans enable specific control over which regions labs are created. </br> - [Configure regions for labs](./create-and-configure-labs-admin.md).|

+|[Attached Azure Compute Gallery (Shared Image Gallery)](./how-to-attach-detach-shared-image-gallery-1.md)|Lab plans can be attached to the same gallery used by lab accounts. </br>1. [Attach an Azure Compute Gallery](./how-to-attach-detach-shared-image-gallery.md). </br>2. Ensure that you [enable images for the lab plan](./how-to-attach-detach-shared-image-gallery.md#enable-and-disable-images).|

+|Teams integration|Configure lab plans with [Teams integration](./lab-services-within-teams-overview.md) by [adding the app to Teams groups](./how-to-get-started-create-lab-within-teams.md).|

+|[Firewall settings](./how-to-configure-firewall-settings-1.md) </br> - Create inbound and outbound rules for the lab's public IP address and the port range 49152 - 65535.|[Firewall settings](./how-to-configure-firewall-settings.md) </br> - Create inbound and outbound rules for the lab's public IP address and the port ranges 4980-4989, 5000-6999, and 7000-8999.|

+Each of the VM sizes has been remapped to use a newer [Azure VM Compute SKU](./administrator-guide.md#vm-sizing). If you're using an [attached compute gallery](./how-to-attach-detach-shared-image-gallery.md), validate each of your customized images with the new VM Compute SKU by publishing a lab with the image and testing common student workloads. Before creating labs, verify that each image in the compute gallery is replicated to the same regions enabled in your lab plans.

+Once you have capacity assigned to your subscription, you can [create and publish](./tutorial-setup-lab.md) representative labs to validate the educator and student experience.

+Update reports to include the new cost entry type, `Microsoft.LabServices/labs`, for labs created using the August 2022 Update. [Built-in and custom tags](./cost-management-guide.md#understand-the-entries) allow for [grouping](/azure/cost-management-billing/costs/quick-acm-cost-analysis) in cost analysis. For more information about tracking costs, see [Cost management for Azure Lab Services](./cost-management-guide.md).

+In this tutorial, you have the Lab Creator Azure RBAC role to let you create labs for a lab plan. Depending on your organization, the responsibilities for creating lab plans and labs might be assigned to different people or teams. Learn more about [mapping permissions across your organization](./classroom-labs-scenarios.md#mapping-organizational-roles-to-permissions).

+| Medium term | - EDI and integration account enhancements <br>- Native XML support <br>- WCF and SOAP support <br>- Business Rules Engine support |

+> [Migration approaches for BizTalk Server to Azure Integration Services](biztalk-server-azure-integration-services-migration-approaches.md)

+This example workflow starts with the [built-in Request trigger](../connectors/connectors-native-reqres.md) named **When a HTTP request is received**. This trigger creates an endpoint that other services or logic app workflows can call and waits for those inbound calls or requests to arrive. Built-in operations run natively and directly within the Azure Logic Apps runtime.

+1. By using **request** as the search term, [follow these steps to add the built-in Request trigger named **When a HTTP request is received**](create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger) to your workflow.

+ The **Add an action** pane opens so that you can select the next action.

+1. On the workflow designer, select the Request trigger that's named **When a HTTP request is received**.

+ Title: Create Standard workflows with Visual Studio Code

+description: Create Standard logic app workflows that run in single-tenant Azure Logic Apps using Visual Studio Code.

+# Create a Standard logic app workflow in single-tenant Azure Logic Apps using Visual Studio Code

+ 1. In Visual Studio Code, from the **View** menu, select **Command Palette**.

+ 1. After the command palette appears, enter **Azurite: Start**.

+For more information, review the [documentation for the Azurite extension in Visual Studio Code](https://github.com/Azure/Azurite#visual-studio-code-extension).

+ 1. In the extensions search box, enter **azure logic apps standard**. From the results list, select **Azure Logic Apps (Standard)** **>** **Install**.

+ 

+ Currently, you can have both Consumption (multi-tenant) and Standard (single-tenant) extensions installed at the same time. The development experiences differ from each other in some ways, but your Azure subscription can include both Standard and Consumption logic app types. In Visual Studio Code, the Azure window shows all the Azure-deployed and hosted logic apps in your Azure subscription, but organizes your apps in the following ways:

+ * **Logic Apps (Consumption)** section: All the Consumption logic apps in your subscription

+ * **Resources** section: All the Standard logic apps in your subscription. Previously, these logic apps appeared in the **Logic Apps (Standard)** section, which has now moved into the **Resources** section.

+ 

+ 

+1. In the Azure window, under **Resources**, select **Sign in to Azure**. When the Visual Studio Code authentication page appears, sign in with your Azure account.

+ 

+ After you sign in, the Azure window shows the Azure subscriptions associated with your Azure account. If the expected subscriptions don't appear, or you want the pane to show only specific subscriptions, follow these steps:

+ 

+1. In the Azure window, on the **Workspace** section toolbar, select **Create New Project** (folder icon).

+ 

+ 

+ 

+1. Provide a name for your workflow and press Enter. This example uses **Stateful-Workflow** as the name.

+ 

+1. If Visual Studio Code prompts you to open your project in the current Visual Studio Code or in a new Visual Studio Code window, select **Open in current window**. Otherwise, select **Open in new window**.

+ Visual Studio Code finishes creating your project.

+1. From the Visual Studio Activity Bar, open the Explorer pane, if not already open.

+ 

+1. In the Explorer pane, at your project's root, move your mouse pointer over any blank area below all the other files and folders, open the shortcut menu, and select **Convert to NuGet-based Logic App project**.

+ 

+1. Expand your workflow's project folder, which is named **Stateful-Workflow** in this example, and open the **workflow.json** file.

+1. Open the **workflow.json** file's shortcut menu, and select **Open Designer**.

+ 

+1. After the **Enable connectors in Azure** list opens, select **Use connectors from Azure**, which applies to all the managed or "shared" connectors, which are hosted and run in Azure versus the built-in, native, or "in-app" connectors, which run directly with the Azure Logic Apps runtime.

+ 

+ > Stateless workflows currently support only *actions* from [managed connectors](../connectors/managed.md), not triggers.

+ > Although you have the option to enable connectors in Azure for your stateless workflow,

+1. After the **Select subscription** list opens, select the Azure subscription to use for your logic app project.

+ 

+1. After the resource groups list opens, select **Create new resource group**.

+ 

+ 

+ After the designer appears, the **Add a trigger** prompt appears on the designer.

+1. On the designer, select **Add a trigger**, which opens the **Add a trigger** pane and a gallery showing all the connectors that have triggers for you to select.

+ 

+After you open a blank workflow in the designer, the **Add a trigger** prompt appears on the designer. You can now start creating your workflow by adding a trigger and actions.

+> [!IMPORTANT]

+> To locally run a workflow that uses a webhook-based trigger or actions, such as the

+> [built-in HTTP Webhook trigger or action](../connectors/connectors-native-webhook.md),

+> you must enable this capability by [setting up forwarding for the webhook's callback URL](#webhook-setup).

+The workflow in this example uses the following trigger and actions:

+* The [Request built-in connector trigger named **When an HTTP request is received**](../connectors/connectors-native-reqres.md), which can receive inbound calls or requests and creates an endpoint that other services or logic app workflows can call.

+* The [Office 365 Outlook managed connector action named **Send an email**](../connectors/connectors-create-api-office365-outlook.md). To follow this how-to guide, you need an Office 365 Outlook email account. If you have an email account that's supported by a different connector, you can use that connector, but that connector's user experience will differ from the steps in this example.

+* The [Request built-in connector action named **Response**](../connectors/connectors-native-reqres.md), which you use to send a reply and return data back to the caller.

+1. On the workflow designer, in the **Add a trigger** pane, open the **Runtime** list, and select **In-App** so that you view only the available built-in connector triggers.

+1. Find the Request trigger named **When an HTTP request is received** by using the search box, and add that trigger to your workflow. For more information, see [Build a workflow with a trigger and actions](create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ 

+ When the trigger appears on the designer, the trigger's information pane opens and shows the trigger's parameters, settings, and other related tasks.

+ 

+ > If the information pane doesn't appear, makes sure that the trigger is selected on the designer.

+1. Save your workflow. On the designer toolbar, select **Save**.

+If you need to delete an item from the designer, [follow these steps for deleting items from the designer](#delete-from-designer).

+### Add the Office 365 Outlook action

+1. On the designer, under the Request trigger, select the plus sign (**+**) > **Add an action**.

+1. In the **Add an action** pane that opens, from the **Runtime** list, select **Shared** so that you view only the available managed connector actions.

+1. Find the Office 365 Outlook managed connector action named **Send an email (V2)** by using the search box, and add that action to your workflow. For more information, see [Build a workflow with a trigger and actions](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+ 

+1. When the action's authentication pane opens, select **Sign in** to create a connection to your email account.

+ 

+1. Follow the subsequent prompts to select your account, allow access, and allow returning to Visual Studio Code.

+ > [!NOTE]

+ > If too much time passes before you complete the prompts, the authentication process times out

+ > and fails. In this case, return to the designer and retry signing in to create the connection.

+ 1. When the Microsoft prompt appears, select the user account for Office 365 Outlook, and then select **Allow access**.

+ 1. When Azure Logic Apps prompts to open a Visual Studio Code link, select **Open**.

+ 

+ 1. When Visual Studio Code prompts to open the Microsoft Azure Tools, select **Open**.

+ 

+ > To skip such future prompts, select the following options when the associated prompts appear:

+ >

+ > - Permission to open link for Visual Studio Code: Select **Always allow logic-apis-westcentralus.consent.azure-apim.net to open links of this type in the associated app**. This domain changes based on the Azure region that you selected for your logic app resource.

+ >

+ > - Permission to open Microsoft Azure Tools: Select **Don't ask again for this extension**.

+ After Visual Studio Code creates your connection, some connectors show the message that **The connection will be valid for {n} days only**. This time limit applies only to the duration while you author your logic app workflow in Visual Studio Code. After deployment, this limit no longer applies because your workflow can authenticate at runtime by using its automatically enabled [system-assigned managed identity](create-managed-service-identity.md). This managed identity differs from the authentication credentials or connection string that you use when you create a connection. If you disable this system-assigned managed identity, connections won't work at runtime.

+1. On the action information pane, on the **Parameters** tab, provide the required information for the action, for example:

+ 

+ | **To** | Yes | <*your-email-address*> | The email recipient, which can be your email address for test purposes. This example uses the fictitious email, **sophia.owen@fabrikam.com**. |

+ > If you make any changes on the **Testing** tab, make sure that you select **Save**

+ > to commit those changes before you switch tabs or change focus to the designer.

+1. Save your workflow. On the designer, select **Save**.

+1. Make sure that your Azurite emulator is running. For more information, review [Storage requirements](#storage-requirements).

+ 

+ 

+ 

+ 

+ 

+1. To review the statuses for each step in a specific run and the step's inputs and outputs, select the ellipses (**...**) button for that run, and select **Show run**.

+ 

+ 

+1. To review the inputs and outputs for each step, select the step that you want to inspect. To further review the raw inputs and outputs for that step, select **Show raw inputs** or **Show raw outputs**.

+ 

+When you have a workflow that starts with the Request trigger, you can return a response to the caller that sent a request to your workflow by using the [Request built-in action named **Response**](../connectors/connectors-native-reqres.md).

+1. In the workflow designer, under the **Send an email** action, select the plus sign (**+**) > **Add an action**.

+ The **Add an action** pane opens so that you can select the next action.

+1. In the **Add an action** pane, from the **Runtime** list, select **In-App**. Find and add the **Response** action.

+ After the **Response** action appears on the designer, the action's details pane automatically opens.

+ 

+ This example returns the **Body** parameter value, which is the output from the **Send an email** action.

+ 1. For the **Body** parameter, select inside the edit box, and select the lightning icon, which opens the dynamic content list. This list shows the available output values from the preceding trigger and actions in the workflow.

+ 

+ 

+1. If you created a stateful workflow, on the workflow's overview page, check the status for the most recent run. To view the status, inputs, and outputs for each step in that run, select the ellipses (**...**) button for that run, and select **Show run**.

+ 

+From Visual Studio Code, you can directly publish your project to Azure to deploy your Standard logic app resource. You can publish your logic app as a new resource, which automatically creates any necessary resources, such as an [Azure Storage account, similar to function app requirements](../azure-functions/storage-considerations.md). Or, you can publish your logic app to a previously deployed Standard logic app resource, which overwrites that logic app.

+1. On the Visual Studio Code Activity Bar, select the Azure icon to open the Azure window.

+1. In the **Workspace** section, on the toolbar, select **Deploy** > **Deploy to Logic App**.

+ 

+ 

+ 

+ 

+ 

+1. In the Azure window, in the **Workspace** section, on the toolbar, select **Create Workflow** (Azure Logic Apps icon).

+1. On the Visual Studio Code Activity Bar, select the Azure icon. In the **Resources**, expand your subscription, and then expand **Logic App**, which shows all the logic apps deployed in Azure for that subscription.

+ 

+ 

+ 

+ 1. On the Visual Studio Code Activity Bar, select the Azure icon to open the Azure window.

+ 1. In the **Resources** section, expand your subscription, which shows all the deployed logic apps for that subscription.

+ 

+ 

+ 

+ 

+ 

+ 

+Through the Azure portal, you can add blank workflows to a Standard logic app resource that you deployed from Visual Studio Code and build those workflows in the Azure portal.

+1. In the [Azure portal](https://portal.azure.com), select your deployed Standard logic app resource.

+1. On the logic app resource menu, select **Workflows**. On the **Workflows** pane, select **Add**.

+ 

+ 

+ 

+1. In the [Azure portal](https://portal.azure.com), open the Standard logic app resource.

+1. On the logic app resource menu, under **API**, select **CORS**.

+ 

+ 

+In a logic app, each workflow always starts with a single [trigger](#logic-app-concepts). A trigger fires when a condition is met, for example, when a specific event happens or when data meets specific criteria. Many triggers include [scheduling capabilities](concepts-schedule-automated-recurring-tasks-workflows.md) that control how often your workflow runs. After the trigger fires, one or more [actions](#logic-app-concepts) run operations that process, handle, or convert data that travels through the workflow, or that advance the workflow to the next step. Azure Logic Apps implements and uses the "at-least-once" message delivery semantic. Rarely does the service deliver a message more than one time, but no messages are lost. If your business doesn't or can't handle duplicate messages, you need to implement idempotence, so that repeating the same exact operation doesn't change the result after the first execution.

+### [Standard](#tab/standard)

+### [Standard](#tab/standard)

+### [Standard](#tab/standard)

+### [Standard](#tab/standard)

+### [Standard](#tab/standard)

+### [Standard](#tab/standard)

+Tracked properties can only reference the parameters, inputs, and outputs for its own trigger or action.

+Tracked properties aren't allowed on a trigger or action that has secure inputs, secure outputs, or both. They're also not allowed to reference another trigger or action that has secure inputs, secure outputs, or both.

+### [Standard](#tab/standard)

+ENDPOINT_CRED=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query primaryKey)

+ENDPOINT_CRED=$(az ml online-endpoint get-credentials -n $ENDPOINT_NAME -g $RESOURCE_GROUP -w $WORKSPACE_NAME -o tsv --query accessToken)

+type: azuresqldb

+ type: sql_auth

+- [Import data assets on a schedule](reference-yaml-schedule-data-import.md)

+- [Import data assets on a schedule](reference-yaml-schedule-data-import.md)

+ > Before updating an existing workspace to use a managed virtual network, you must delete all computing resources for the workspace. This includes compute instance, compute cluster, and managed online endpoints.

+ destination:

+ service_resource_id: /subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Storage/storageAccounts/{storage account name}

+ spark_enabled: true

+ subresource_target: blob

+ type: private_endpoint

+The 'Model catalog' (preview) in Azure Machine Learning Studio is a hub for discovering Foundation Models. The Open Source Models collection is a repository of the most popular open source Foundation Models curated by Azure Machine Learning. These models are packaged for out of the box usage and are optimized for use in Azure Machine Learning. Currently, it includes the top open source large language models, with support for other tasks coming soon. You can view the complete list of supported open source Foundation Models in the [Model catalog](https://ml.azure.com/model/catalog), under the `Open Source Models` collection.

+You no longer need to [create and manage compute](./how-to-create-attach-compute-cluster.md) to train your model in a scalable way. Your job can instead be submitted to a new compute target type, called _serverless compute_. Serverless compute is the easiest way to run training jobs on Azure Machine Learning. Serverless compute is a compute resource that you don't need to manage. It's created, scaled, and managed by Azure Machine Learning for you. Through model training with serverless compute, machine learning professionals can focus on their expertise of building machine learning models and not have to learn about compute infrastructure or setting it up.

+Serverless compute can be used to run command, sweep, AutoML, pipeline, distributed training, and interactive jobs from Azure Machine Learning studio, SDK and CLI. Serverless jobs consume the same quota as Azure Machine Learning compute quota. You can choose standard (dedicated) tier or spot (low-priority) VMs. Managed identity and user identity are supported for serverless jobs. Billing model is the same as Azure Machine Learning compute.

+* You don't need to learn about various compute types and related properties.

+* Lesser wait times before job starts executing in some cases

+* With managed network isolation you can streamline and automate your network isolation configuration

+ Title: 'CLI (v2) schedule YAML schema for data import (preview)'

+description: Reference documentation for the CLI (v2) data import schedule YAML schema.

+# CLI (v2) import schedule YAML schema

+The source JSON schema can be found at https://azuremlschemas.azureedge.net/latest/schedule.schema.json.

+## YAML syntax

+| Key | Type | Description | Allowed values |

+| | - | -- | -- |

+| `$schema` | string | The YAML schema. | |

+| `name` | string | **Required.** Name of the schedule. | |

+| `version` | string | Version of the schedule. If omitted, Azure Machine Learning autogenerates a version. | |

+| `description` | string | Description of the schedule. | |

+| `tags` | object | Dictionary of tags for the schedule. | |

+| `trigger` | object | The trigger configuration to define rule when to trigger job. **One of `RecurrenceTrigger` or `CronTrigger` is required.** | |

+| `import_data` | object or string | **Required.** The definition of the import data action that a schedule has triggered. **One of `string` or `ImportDataDefinition` is required.**| |

+### Trigger configuration

+#### Recurrence trigger

+| Key | Type | Description | Allowed values |

+| | - | -- | -- |

+| `type` | string | **Required.** Specifies the schedule type. |recurrence|

+|`frequency`| string | **Required.** Specifies the unit of time that describes how often the schedule fires.|`minute`, `hour`, `day`, `week`, `month`|

+|`interval`| integer | **Required.** Specifies the interval at which the schedule fires.| |

+|`start_time`| string |Describes the start date and time with timezone. If start_time is omitted, the first job will run instantly, and the future jobs trigger based on the schedule, saying start_time will match the job created time. If the start time is in the past, the first job runs at the next calculated run time.|

+|`end_time`| string |Describes the end date and time with timezone. If end_time is omitted, the schedule runs until it's explicitly disabled.|

+|`timezone`| string |Specifies the time zone of the recurrence. If omitted, by default is UTC. |See [appendix for timezone values](#timezone)|

+|`pattern`|object|Specifies the pattern of the recurrence. If pattern is omitted, the job(s) is triggered according to the logic of start_time, frequency and interval.| |

+#### Recurrence schedule

+Recurrence schedule defines the recurrence pattern, containing `hours`, `minutes`, and `weekdays`.

+- When frequency is `day`, pattern can specify `hours` and `minutes`.

+- When frequency is `week` and `month`, pattern can specify `hours`, `minutes` and `weekdays`.

+| Key | Type | Allowed values |

+| | - | -- |

+|`hours`|integer or array of integer|`0-23`|

+|`minutes`|integer or array of integer|`0-59`|

+|`week_days`|string or array of string|`monday`, `tuesday`, `wednesday`, `thursday`, `friday`, `saturday`, `sunday`|

+#### CronTrigger

+| Key | Type | Description | Allowed values |

+| | - | -- | -- |

+| `type` | string | **Required.** Specifies the schedule type. |cron|

+| `expression` | string | **Required.** Specifies the cron expression to define how to trigger jobs. expression uses standard crontab expression to express a recurring schedule. A single expression is composed of five space-delimited fields:`MINUTES HOURS DAYS MONTHS DAYS-OF-WEEK`||

+|`start_time`| string |Describes the start date and time with timezone. If start_time is omitted, the first job will run instantly and the future jobs trigger based on the schedule, saying start_time will match the job created time. If the start time is in the past, the first job runs at the next calculated run time.|

+|`end_time`| string |Describes the end date and time with timezone. If end_time is omitted, the schedule continues to run until it's explicitly disabled.|

+|`timezone`| string |Specifies the time zone of the recurrence. If omitted, by default is UTC. |See [appendix for timezone values](#timezone)|

+### Import data definition (preview)

+Customer can directly use `import_data: ./<data_import>.yaml` or can use the following properties to define the data import definition.

+| Key | Type | Description | Allowed values |

+| | - | -- | -- |

+|`type`| string | **Required.** Specifies the data asset type that you want to import the data as. It can be mltable when importing from a Database source, or uri_folder when importing from a FileSource.|`mltable`, `uri_folder`|

+| `name` | string | **Required.** Data asset name to register the imported data under. | |

+| `path` | string | **Required.** The path to the datastore that takes in the imported data, specified in one of two ways: <br><br> - **Required.** A URI of datastore path. Only supported URI type is `azureml`. For more information on how to use the `azureml://` URI format, see [Core yaml syntax](reference-yaml-core-syntax.md). To avoid an over-write, a unique path for each import is recommended. To do this, parameterize the path as shown in this example - `azureml://datastores/<datastore_name>/paths/<source_name>/${{name}}`. The "datastore_name" in the example can be a datastore that you have created or can be workspaceblobstore. Alternately a "managed datastore" can be selected by referencing as shown: `azureml://datastores/workspacemanagedstore`, where the system automatically assigns a unique path. | Azure Machine Learning://<>|

+| `source` | object | External source details of the imported data source. See [Attributes of the `source`](#attributes-of-source-preview) for the set of source properties. | |

+### Attributes of `source` (preview)

+| Key | Type | Description | Allowed values | Default value |

+| | - | -- | -- | - |

+| `type` | string | The type of external source from where you intend to import data from. Only the following types are allowed at the moment - `Database` or `FileSystem`| `Database`, `FileSystem` | |

+| `query` | string | Define this value only when the `type` defined above is `database` The query in the external source of type `Database` that defines or filters data that needs to be imported.| | |

+| `path` | string | Define this value only when the `type` defined above is `FileSystem` The folder path of the folder in the external source of type `FileSystem` where the file(s) or data that needs to be imported resides.| | |

+| `connection` | string | **Required.** The connection property for the external source referenced in the format of `azureml:<connection_name>` | | |

+## Remarks

+The `az ml schedule` command can be used for managing Azure Machine Learning models.

+## Examples

+Examples are available in the [examples GitHub repository](https://github.com/Azure/azureml-examples/blob/main/cli/assets/dat). A couple are shown below.

+## YAML: Schedule for a data import with recurrence pattern

+## YAML: Schedule for data import with recurrence pattern (preview)

+```yml

+$schema: https://azuremlschemas.azureedge.net/latest/schedule.schema.json

+name: simple_recurrence_import_schedule

+display_name: Simple recurrence import schedule

+description: a simple hourly recurrence import schedule

+trigger:

+ type: recurrence

+ frequency: day #can be minute, hour, day, week, month

+ interval: 1 #every day

+ schedule:

+ hours: [4,5,10,11,12]

+ minutes: [0,30]

+ start_time: "2022-07-10T10:00:00" # optional - default will be schedule creation time

+ time_zone: "Pacific Standard Time" # optional - default will be UTC

+import_data: ./my-snowflake-import-data.yaml

+```

+## YAML: Schedule for data import definition inline with recurrence pattern on managed datastore (preview)

+```yml

+$schema: https://azuremlschemas.azureedge.net/latest/schedule.schema.json

+name: inline_recurrence_import_schedule

+display_name: Inline recurrence import schedule

+description: an inline hourly recurrence import schedule

+trigger:

+ type: recurrence

+ frequency: day #can be minute, hour, day, week, month

+ interval: 1 #every day

+ schedule:

+ hours: [4,5,10,11,12]

+ minutes: [0,30]

+ start_time: "2022-07-10T10:00:00" # optional - default will be schedule creation time

+ time_zone: "Pacific Standard Time" # optional - default will be UTC

+import_data:

+ type: mltable

+ name: my_snowflake_ds

+ path: azureml://datastores/workspacemanagedstore

+ source:

+ type: database

+ query: select * from TPCH_SF1.REGION

+ connection: azureml:my_snowflake_connection

+```

+## YAML: Schedule for a data import with cron expression

+## YAML: Schedule for data import with cron expression (preview)

+```yml

+$schema: https://azuremlschemas.azureedge.net/latest/schedule.schema.json

+name: simple_cron_import_schedule

+display_name: Simple cron import schedule

+description: a simple hourly cron import schedule

+trigger:

+ type: cron

+ expression: "0 * * * *"

+ start_time: "2022-07-10T10:00:00" # optional - default will be schedule creation time

+ time_zone: "Pacific Standard Time" # optional - default will be UTC

+import_data: ./my-snowflake-import-data.yaml

+```

+## YAML: Schedule for data import definition inline with cron expression (preview)

+```yml

+$schema: https://azuremlschemas.azureedge.net/latest/schedule.schema.json

+name: inline_cron_import_schedule

+display_name: Inline cron import schedule

+description: an inline hourly cron import schedule

+trigger:

+ type: cron

+ expression: "0 * * * *"

+ start_time: "2022-07-10T10:00:00" # optional - default will be schedule creation time

+ time_zone: "Pacific Standard Time" # optional - default will be UTC

+import_data:

+ type: mltable

+ name: my_snowflake_ds

+ path: azureml://datastores/workspaceblobstore/paths/snowflake/${{name}}

+ source:

+ type: database

+ query: select * from TPCH_SF1.REGION

+ connection: azureml:my_snowflake_connection

+```

+## Appendix

+### Timezone

+The current schedule supports the timezones in this table. The key can be used directly in the Python SDK, while the value can be used in the data import YAML. The table is sorted by UTC (Coordinated Universal Time).

+| UTC | Key | Value |

+|-||--|

+| UTC -12:00 | DATELINE_STANDARD_TIME | "Dateline Standard Time" |

+| UTC -11:00 | UTC_11 | "UTC-11" |

+| UTC - 10:00 | ALEUTIAN_STANDARD_TIME | Aleutian Standard Time |

+| UTC - 10:00 | HAWAIIAN_STANDARD_TIME | "Hawaiian Standard Time" |

+| UTC -09:30 | MARQUESAS_STANDARD_TIME | "Marquesas Standard Time" |

+| UTC -09:00 | ALASKAN_STANDARD_TIME | "Alaskan Standard Time" |

+| UTC -09:00 | UTC_09 | "UTC-09" |

+| UTC -08:00 | PACIFIC_STANDARD_TIME_MEXICO | "Pacific Standard Time (Mexico)" |

+| UTC -08:00 | UTC_08 | "UTC-08" |

+| UTC -08:00 | PACIFIC_STANDARD_TIME | "Pacific Standard Time" |

+| UTC -07:00 | US_MOUNTAIN_STANDARD_TIME | "US Mountain Standard Time" |

+| UTC -07:00 | MOUNTAIN_STANDARD_TIME_MEXICO | "Mountain Standard Time (Mexico)" |

+| UTC -07:00 | MOUNTAIN_STANDARD_TIME | "Mountain Standard Time" |

+| UTC -06:00 | CENTRAL_AMERICA_STANDARD_TIME | "Central America Standard Time" |

+| UTC -06:00 | CENTRAL_STANDARD_TIME | "Central Standard Time" |

+| UTC -06:00 | EASTER_ISLAND_STANDARD_TIME | "Easter Island Standard Time" |

+| UTC -06:00 | CENTRAL_STANDARD_TIME_MEXICO | "Central Standard Time (Mexico)" |

+| UTC -06:00 | CANADA_CENTRAL_STANDARD_TIME | "Canada Central Standard Time" |

+| UTC -05:00 | SA_PACIFIC_STANDARD_TIME | "SA Pacific Standard Time" |

+| UTC -05:00 | EASTERN_STANDARD_TIME_MEXICO | "Eastern Standard Time (Mexico)" |

+| UTC -05:00 | EASTERN_STANDARD_TIME | "Eastern Standard Time" |

+| UTC -05:00 | HAITI_STANDARD_TIME | "Haiti Standard Time" |

+| UTC -05:00 | CUBA_STANDARD_TIME | "Cuba Standard Time" |

+| UTC -05:00 | US_EASTERN_STANDARD_TIME | "US Eastern Standard Time" |

+| UTC -05:00 | TURKS_AND_CAICOS_STANDARD_TIME | "Turks And Caicos Standard Time" |

+| UTC -04:00 | PARAGUAY_STANDARD_TIME | "Paraguay Standard Time" |

+| UTC -04:00 | ATLANTIC_STANDARD_TIME | "Atlantic Standard Time" |

+| UTC -04:00 | VENEZUELA_STANDARD_TIME | "Venezuela Standard Time" |

+| UTC -04:00 | CENTRAL_BRAZILIAN_STANDARD_TIME | "Central Brazilian Standard Time" |

+| UTC -04:00 | SA_WESTERN_STANDARD_TIME | "SA Western Standard Time" |

+| UTC -04:00 | PACIFIC_SA_STANDARD_TIME | "Pacific SA Standard Time" |

+| UTC -03:30 | NEWFOUNDLAND_STANDARD_TIME | "Newfoundland Standard Time" |

+| UTC -03:00 | TOCANTINS_STANDARD_TIME | "Tocantins Standard Time" |

+| UTC -03:00 | E_SOUTH_AMERICAN_STANDARD_TIME | "E. South America Standard Time" |

+| UTC -03:00 | SA_EASTERN_STANDARD_TIME | "SA Eastern Standard Time" |

+| UTC -03:00 | ARGENTINA_STANDARD_TIME | "Argentina Standard Time" |

+| UTC -03:00 | GREENLAND_STANDARD_TIME | "Greenland Standard Time" |

+| UTC -03:00 | MONTEVIDEO_STANDARD_TIME | "Montevideo Standard Time" |

+| UTC -03:00 | SAINT_PIERRE_STANDARD_TIME | "Saint Pierre Standard Time" |

+| UTC -03:00 | BAHIA_STANDARD_TIM | "Bahia Standard Time" |

+| UTC -02:00 | UTC_02 | "UTC-02" |

+| UTC -02:00 | MID_ATLANTIC_STANDARD_TIME | "Mid-Atlantic Standard Time" |

+| UTC -01:00 | AZORES_STANDARD_TIME | "Azores Standard Time" |

+| UTC -01:00 | CAPE_VERDE_STANDARD_TIME | "Cape Verde Standard Time" |

+| UTC | UTC | UTC |

+| UTC +00:00 | GMT_STANDARD_TIME | "GMT Standard Time" |

+| UTC +00:00 | GREENWICH_STANDARD_TIME | "Greenwich Standard Time" |

+| UTC +01:00 | MOROCCO_STANDARD_TIME | "Morocco Standard Time" |

+| UTC +01:00 | W_EUROPE_STANDARD_TIME | "W. Europe Standard Time" |

+| UTC +01:00 | CENTRAL_EUROPE_STANDARD_TIME | "Central Europe Standard Time" |

+| UTC +01:00 | ROMANCE_STANDARD_TIME | "Romance Standard Time" |

+| UTC +01:00 | CENTRAL_EUROPEAN_STANDARD_TIME | "Central European Standard Time" |

+| UTC +01:00 | W_CENTRAL_AFRICA_STANDARD_TIME | "W. Central Africa Standard Time" |

+| UTC +02:00 | NAMIBIA_STANDARD_TIME | "Namibia Standard Time" |

+| UTC +02:00 | JORDAN_STANDARD_TIME | "Jordan Standard Time" |

+| UTC +02:00 | GTB_STANDARD_TIME | "GTB Standard Time" |

+| UTC +02:00 | MIDDLE_EAST_STANDARD_TIME | "Middle East Standard Time" |

+| UTC +02:00 | EGYPT_STANDARD_TIME | "Egypt Standard Time" |

+| UTC +02:00 | E_EUROPE_STANDARD_TIME | "E. Europe Standard Time" |

+| UTC +02:00 | SYRIA_STANDARD_TIME | "Syria Standard Time" |

+| UTC +02:00 | WEST_BANK_STANDARD_TIME | "West Bank Standard Time" |

+| UTC +02:00 | SOUTH_AFRICA_STANDARD_TIME | "South Africa Standard Time" |

+| UTC +02:00 | FLE_STANDARD_TIME | "FLE Standard Time" |

+| UTC +02:00 | ISRAEL_STANDARD_TIME | "Israel Standard Time" |

+| UTC +02:00 | KALININGRAD_STANDARD_TIME | "Kaliningrad Standard Time" |

+| UTC +02:00 | LIBYA_STANDARD_TIME | "Libya Standard Time" |

+| UTC +03:00 | TÜRKIYE_STANDARD_TIME | "Türkiye Standard Time" |

+| UTC +03:00 | ARABIC_STANDARD_TIME | "Arabic Standard Time" |

+| UTC +03:00 | ARAB_STANDARD_TIME | "Arab Standard Time" |

+| UTC +03:00 | BELARUS_STANDARD_TIME | "Belarus Standard Time" |

+| UTC +03:00 | RUSSIAN_STANDARD_TIME | "Russian Standard Time" |

+| UTC +03:00 | E_AFRICA_STANDARD_TIME | "E. Africa Standard Time" |

+| UTC +03:30 | IRAN_STANDARD_TIME | "Iran Standard Time" |

+| UTC +04:00 | ARABIAN_STANDARD_TIME | "Arabian Standard Time" |

+| UTC +04:00 | ASTRAKHAN_STANDARD_TIME | "Astrakhan Standard Time" |

+| UTC +04:00 | AZERBAIJAN_STANDARD_TIME | "Azerbaijan Standard Time" |

+| UTC +04:00 | RUSSIA_TIME_ZONE_3 | "Russia Time Zone 3" |

+| UTC +04:00 | MAURITIUS_STANDARD_TIME | "Mauritius Standard Time" |

+| UTC +04:00 | GEORGIAN_STANDARD_TIME | "Georgian Standard Time" |

+| UTC +04:00 | CAUCASUS_STANDARD_TIME | "Caucasus Standard Time" |

+| UTC +04:30 | AFGHANISTAN_STANDARD_TIME | "Afghanistan Standard Time" |

+| UTC +05:00 | WEST_ASIA_STANDARD_TIME | "West Asia Standard Time" |

+| UTC +05:00 | EKATERINBURG_STANDARD_TIME | "Ekaterinburg Standard Time" |

+| UTC +05:00 | PAKISTAN_STANDARD_TIME | "Pakistan Standard Time" |

+| UTC +05:30 | INDIA_STANDARD_TIME | "India Standard Time" |

+| UTC +05:30 | SRI_LANKA_STANDARD_TIME | "Sri Lanka Standard Time" |

+| UTC +05:45 | NEPAL_STANDARD_TIME | "Nepal Standard Time" |

+| UTC +06:00 | CENTRAL_ASIA_STANDARD_TIME | "Central Asia Standard Time" |

+| UTC +06:00 | BANGLADESH_STANDARD_TIME | "Bangladesh Standard Time" |

+| UTC +06:30 | MYANMAR_STANDARD_TIME | "Myanmar Standard Time" |

+| UTC +07:00 | N_CENTRAL_ASIA_STANDARD_TIME | "N. Central Asia Standard Time" |

+| UTC +07:00 | SE_ASIA_STANDARD_TIME | "SE Asia Standard Time" |

+| UTC +07:00 | ALTAI_STANDARD_TIME | "Altai Standard Time" |

+| UTC +07:00 | W_MONGOLIA_STANDARD_TIME | "W. Mongolia Standard Time" |

+| UTC +07:00 | NORTH_ASIA_STANDARD_TIME | "North Asia Standard Time" |

+| UTC +07:00 | TOMSK_STANDARD_TIME | "Tomsk Standard Time" |

+| UTC +08:00 | CHINA_STANDARD_TIME | "China Standard Time" |

+| UTC +08:00 | NORTH_ASIA_EAST_STANDARD_TIME | "North Asia East Standard Time" |

+| UTC +08:00 | SINGAPORE_STANDARD_TIME | "Singapore Standard Time" |

+| UTC +08:00 | W_AUSTRALIA_STANDARD_TIME | "W. Australia Standard Time" |

+| UTC +08:00 | TAIPEI_STANDARD_TIME | "Taipei Standard Time" |

+| UTC +08:00 | ULAANBAATAR_STANDARD_TIME | "Ulaanbaatar Standard Time" |

+| UTC +08:45 | AUS_CENTRAL_W_STANDARD_TIME | "Aus Central W. Standard Time" |

+| UTC +09:00 | NORTH_KOREA_STANDARD_TIME | "North Korea Standard Time" |

+| UTC +09:00 | TRANSBAIKAL_STANDARD_TIME | "Transbaikal Standard Time" |

+| UTC +09:00 | TOKYO_STANDARD_TIME | "Tokyo Standard Time" |

+| UTC +09:00 | KOREA_STANDARD_TIME | "Korea Standard Time" |

+| UTC +09:00 | YAKUTSK_STANDARD_TIME | "Yakutsk Standard Time" |

+| UTC +09:30 | CEN_AUSTRALIA_STANDARD_TIME | "Cen. Australia Standard Time" |

+| UTC +09:30 | AUS_CENTRAL_STANDARD_TIME | "AUS Central Standard Time" |

+| UTC +10:00 | E_AUSTRALIAN_STANDARD_TIME | "E. Australia Standard Time" |

+| UTC +10:00 | AUS_EASTERN_STANDARD_TIME | "AUS Eastern Standard Time" |

+| UTC +10:00 | WEST_PACIFIC_STANDARD_TIME | "West Pacific Standard Time" |

+| UTC +10:00 | TASMANIA_STANDARD_TIME | "Tasmania Standard Time" |

+| UTC +10:00 | VLADIVOSTOK_STANDARD_TIME | "Vladivostok Standard Time" |

+| UTC +10:30 | LORD_HOWE_STANDARD_TIME | "Lord Howe Standard Time" |

+| UTC +11:00 | BOUGAINVILLE_STANDARD_TIME | "Bougainville Standard Time" |

+| UTC +11:00 | RUSSIA_TIME_ZONE_10 | "Russia Time Zone 10" |

+| UTC +11:00 | MAGADAN_STANDARD_TIME | "Magadan Standard Time" |

+| UTC +11:00 | NORFOLK_STANDARD_TIME | "Norfolk Standard Time" |

+| UTC +11:00 | SAKHALIN_STANDARD_TIME | "Sakhalin Standard Time" |

+| UTC +11:00 | CENTRAL_PACIFIC_STANDARD_TIME | "Central Pacific Standard Time" |

+| UTC +12:00 | RUSSIA_TIME_ZONE_11 | "Russia Time Zone 11" |

+| UTC +12:00 | NEW_ZEALAND_STANDARD_TIME | "New Zealand Standard Time" |

+| UTC +12:00 | UTC_12 | "UTC+12" |

+| UTC +12:00 | FIJI_STANDARD_TIME | "Fiji Standard Time" |

+| UTC +12:00 | KAMCHATKA_STANDARD_TIME | "Kamchatka Standard Time" |

+| UTC +12:45 | CHATHAM_ISLANDS_STANDARD_TIME | "Chatham Islands Standard Time" |

+| UTC +13:00 | TONGA__STANDARD_TIME | "Tonga Standard Time" |

+| UTC +13:00 | SAMOA_STANDARD_TIME | "Samoa Standard Time" |

+| UTC +14:00 | LINE_ISLANDS_STANDARD_TIME | "Line Islands Standard Time" |

+description: Reference documentation for the CLI (v2) job schedule YAML schema.

+# CLI (v2) job schedule YAML schema

+> To use [serverless compute (preview)](./how-to-use-serverless-compute.md), delete `compute="cpu-cluster"` in this code. Serverless is the simplest way to run jobs on AzureML.

+## 2023-05-20

+### Azure Machine Learning SDK for Python v1.51.0

+ + **azureml-automl-core**

+ + AutoML forecasting task now supports rolling forecast and partial support for quantile forecasts for hierarchical time series (HTS).

+ + Disallow using non-tabular datasets to customers for Classification (multi-class and multi-label) scenarios

+ + **azureml-automl-dnn-nlp**

+ + Disallow using non-tabular datasets to customers for Classification (multi-class and multi-label) scenarios

+ + **azureml-contrib-automl-pipeline-steps**

+ + AutoML forecasting task now supports rolling forecast and partial support for quantile forecasts for hierarchical time series (HTS).

+ + **azureml-fsspec**

+ + Replaces all user caused errors in MLTable & FSSpec with a custom UserErrorException imported from azureml-dataprep.

+ + **azureml-interpret**

+ + updated azureml-interpret package to interpret-community 0.29.*

+ + **azureml-pipeline-core**

+ + Fix `pipeline_version` not taking effect when calling `pipeline_endpoint.submit()`.

+ + **azureml-train-automl-client**

+ + AutoML forecasting task now supports rolling forecast and partial support for quantile forecasts for hierarchical time series (HTS).

+ + **azureml-train-automl-runtime**

+ + AutoML forecasting task now supports rolling forecast and partial support for quantile forecasts for hierarchical time series (HTS).

+ + **mltable**

+ + Additional encoding variants like `utf-8` are now supported when loading MLTable files.

+ + Replaces all user caused errors in MLTable & FSSpec with a custom UserErrorException imported from azureml-dataprep.

+- With **public access**, ensure that the source server has a public IP address, that DNS is publicly accessible, or that the source server has a fully qualified domain name (FQDN).

+- With **private access**, ensure that the source server name can be resolved and is accessible from the VNet where the Azure Database for MySQL instance is running. (For more details, visit [Name resolution for resources in Azure virtual networks](../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md)).

+2. Set source server to read/write mode.

+[!NOTE]

+> Before the server is set back to read/write mode, you can retrieve the GTID information using global variable GTID_EXECUTED. The same will be used at the later stage to set GTID on the replica server

+3. Restore dump file to new server.

+## Set GTID in Replica Server

+3. Use this GTID information from the source to execute GTID reset on the replica server using the following CLI command:

+ az mysql flexible-server gtid reset --resource-group <resource group> --server-name <replica server name> --gtid-set <gtid set from the source server> --subscription <subscription id>

+description: Learn about data residency for the Azure Network Watcher.

+Azure Network Watcher doesn't store customer data, except for the Connection monitor.

+## Connection monitor data residency

+Connection monitor stores customer data. This data is automatically stored by Network Watcher in a single region. So Connection Monitor automatically satisfies in-region data residency requirements, including requirements specified on the [Microsoft Trust Center](https://www.microsoft.com/trust-center).

+## Data residency in Azure

+In Azure, single region data residency is currently provided by default only in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. For all other regions, customer data is stored in Geo. For more information, see the [Data residency in Azure](https://azure.microsoft.com/explore/global-infrastructure/data-residency).

+To learn more about Network Watcher features and capabilities, see [Network Watcher overview](./network-watcher-monitoring-overview.md).

+You can enable Network Watcher for a region by creating a Network Watcher instance in that region. You can create a Network Watcher instance using the [Azure portal](?tabs=portal#enable-network-watcher-for-your-region), [PowerShell](?tabs=powershell#enable-network-watcher-for-your-region), the [Azure CLI](?tabs=cli#enable-network-watcher-for-your-region), [REST API](/rest/api/network-watcher/network-watchers/create-or-update), or Azure Resource Manager (ARM) template.

+ :::image type="content" source="./media/network-watcher-create/create-network-watcher.png" alt-text="Screenshot shows how to create a Network Watcher in the Azure portal." lightbox="./media/network-watcher-create/create-network-watcher.png":::

+# Create a resource group for the Network Watcher instance (if it doesn't already exist).

+az group create --name 'NetworkWatcherRG' --location 'eastus'

+You can disable Network Watcher for a region by deleting the Network Watcher instance in that region. You can delete a Network Watcher instance using the [Azure portal](?tabs=portal#disable-network-watcher-for-your-region), [PowerShell](?tabs=powershell#disable-network-watcher-for-your-region), the [Azure CLI](?tabs=cli#disable-network-watcher-for-your-region), or [REST API](/rest/api/network-watcher/network-watchers/delete).

+1. In the **Overview** page, select the Network Watcher instances that you want to delete, then select **Disable**.

+ :::image type="content" source="./media/network-watcher-create/delete-network-watcher.png" alt-text="Screenshot shows how to delete a Network Watcher instance in the Azure portal." lightbox="./media/network-watcher-create/delete-network-watcher.png":::

+1. Enter *yes*, then select **Delete**.

+ :::image type="content" source="./media/network-watcher-create/confirm-delete-network-watcher.png" alt-text="Screenshot showing the confirmation page before deleting a Network Watcher in the Azure portal." lightbox="./media/network-watcher-create/confirm-delete-network-watcher.png":::

+# Register the "DisableNetworkWatcherAutocreation" feature.

+# Register the "Microsoft.Network" resource provider.

+# Register the "DisableNetworkWatcherAutocreation" feature.

+# Register the "Microsoft.Network" resource provider.

+## List Network Watcher instances

+You can view all regions where Network Watcher is enabled in your subscription by listing available Network Watcher instances in your subscription. Use the [Azure portal](?tabs=portal#list-network-watcher-instances), [PowerShell](?tabs=powershell#list-network-watcher-instances), the [Azure CLI](?tabs=cli#list-network-watcher-instances) or [REST API](/rest/api/network-watcher/network-watchers/list-all) to list Network Watcher instances in your subscription.

+# [**Portal**](#tab/portal)

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. In the **Overview** page, you can see all Network Watcher instances in your subscription.

+ :::image type="content" source="./media/network-watcher-create/list-network-watcher.png" alt-text="Screenshot shows how to list all Network Watcher instances in your subscription in the Azure portal." lightbox="./media/network-watcher-create/list-network-watcher.png":::

+# [**PowerShell**](#tab/powershell)

+List all Network Watcher instances in your subscription using [Get-AzNetworkWatcher](/powershell/module/az.network/get-aznetworkwatcher).

+```azurepowershell-interactive

+# List all Network Watcher instances in your subscription.

+Get-AzNetworkWatcher

+```

+# [**Azure CLI**](#tab/cli)

+List all Network Watcher instances in your subscription using [az network watcher list](/cli/azure/network/watcher#az-network-watcher-list).

+```azurecli-interactive

+# List all Network Watcher instances in your subscription.

+az network watcher list --out table

+```

+ Title: "Azure Operator Nexus: How to create route policy in Network Fabric"

+description: Learn to create, view, list, update, delete commands for Network Fabric.

+# Route Policy in Network Fabric

+Route policies provides Operators the capability to allow or deny routes in regards to Layer 3 isolation domains in Network Fabric.

+With route policies, routes are tagged with certain attributes via community values

+and extended community values when they're distributed via Border Gateway Patrol (BGP).

+Similarly, on the BGP listener side, route policies can be authored to discard/allow

+routes based on community values and extended community value attributes.

+Route policies enable operators to control routes learnt/distributed via BGP.

+Each route policy is modeled as a separate top level Azure Resource Manager (ARM) resource under

+`Microsoft.managednetworkfabric`.

+Operators can create, read, and delete route policy resources.

+The operator creates a route policy ARM resource and then sets the ID in the L3 isolation

+domain at the required enforcement point.

+A route policy can only be applied at a single enforcement point.

+A route policy can't be applied at multiple enforcement points.

+In a network fabric, route policies can be enforced at the following endpoints of a

+layer 3 isolation domain:

+**External networks** (option **A** and option **B**):

+For egress, set the `exportRoutePolicyId` property of the external network resource

+to the route policy resource ID created for egress direction.

+Set the `importRoutePolicyId` property of the external network resource to the

+route policy resource ID created for ingress direction.

+**Internal networks:**

+For egress, set the `exportRoutePolicyId` property of the internal network resource to the

+route policy resource ID created for egress direction.

+Set the `importRoutePolicyId` property of the internal network resource to the

+route policy resource ID created for ingress direction.

+**Connected subnets across all internal networks:**

+For egress, set the `connectedSubnetRoutePolicy` property of the L3 isolation domain

+to the route policy resource ID created for egress direction.

+## Conditions and actions of a route policy

+The following combinations of conditions can be specified:

+* _IP Prefix_

+* _IP community_

+* _Extended community list_

+### Actions

+The following actions can be specified when there's a match of conditions:

+* _Discard the route_

+* _Permit the route and apply one of the following specific actions_

+* _Add/Remove specified community values and extended community values_

+* _Overwrite specified community values and extended community values_

+## IP prefix

+IP prefixes are used in specifying match conditions for route policies.

+An IP prefix resource allows operators to manipulate routes based on the IP prefix (IPv4 and IPv6).

+The IP prefixes enable operators to drop certain prefixes from being propagated up-stream/down-stream or tag them with specific community or extended community values.

+The operator must create an ARM resource of the type IP-Prefix by providing a list of prefixes with sequence numbers and action.

+The prefixes in the list are processed in ascending order and the matching process stops after the first match. If the first match condition is "deny", the route is dropped and isn't propagated further. If the first match condition is "allow", further matching is aborted and the route is handled based on the action part of the route policies.

+IP prefixes specify only the match conditions of route policies. They don't specify the action part of route policies.

+### Parameters for IP prefix

+| Parameter | Description | Example | Required |

+|--|-||-|

+| resource-group | Use an appropriate resource group name specifically for the IP prefix of your choice | ResourceGroupName |True |

+| resource-name | Resource Name of the IP prefix | ipprefixv4-1204-cn1 |True |

+| location | Azure region used during NFC creation | eastus |True |

+| action | Action to be taken for the prefix ΓÇô Permit | Deny or Permit |True |

+| sequenceNumber | Sequence in which the prefixes are processed. Prefix lists are evaluated starting with the lowest sequence number and continue down the list until a match is made. Once a match is made, the permit or deny statement is applied to that network and the rest of the list is ignored | 100 |True |

+| networkPrefix | Network Prefix specifying IPv4/IPv6 packets to be permitted or denied. | 1.1.1.0/24 |True |

+| condition | Specified prefix list bounds- EqualTo \| GreaterThanOrEqualTo \| LesserThanOrEqualTo | EqualTo | |

+| subnetMaskLength | SubnetMaskLength specifies the minimum networkPrefix length to be matched. Required when condition is specified. | 32| |

+### Create IP Prefix

+This command creates an IP prefix resource with IPv4 prefix rules:

+```azurecli

+az nf ipprefix create \

+--resource-group "ResourceGroupName" \

+--resource-name "ipprefixv4-1204-cn1" \

+--location "eastus" \

+--ip-prefix-rules '[{"action": "Permit", "sequenceNumber": 10, "networkPrefix": "10.10.10.0/28", "condition": "EqualTo", "subnetMaskLength": 28}, {"action": "Permit", "sequenceNumber": 12, "networkPrefix": "20.20.20.0/24", "condition": "EqualTo", "subnetMaskLength": 24}]'

+```

+Expected output:

+```output

+{

+ "annotation": null,

+ "id": "/subscriptions/xxxx-xxxx/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv4-1204-cn1",

+ "ipPrefixRules": [

+ {

+ "action": "Permit",

+ "condition": "GreaterThanOrEqualTo",

+ "networkPrefix": "10.10.10.0/28",

+ "sequenceNumber": 10,

+ "subnetMaskLength": 28

+ }

+ ],

+ "location": "eastus",

+ "name": " ipprefixv4-1204-cn1",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "systemData": {

+ "createdAt": "2023-XX-XXT09:34:19.095543+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT09:34:19.095543+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/ipprefixes"

+}

+```

+This command creates an IP prefix resource with IPv6 prefix rules,

+```azurecli

+az nf ipprefix create \

+--resource-group "ResourceGroupName" \

+--resource-name "ipprefixv6-2701-cn1" \

+--location "eastus" \

+--ip-prefix-rules '[{"action": "Permit", "sequenceNumber": 10, "networkPrefix": "fda0:d59c:da12:20::/64", "condition": "GreaterThanOrEqualTo", "subnetMaskLength": 68}]'

+```

+Expected Output

+```output

+{

+ "annotation": null,

+ "id": "/subscriptions/xxxx-xxxx/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-cn1",

+ "ipPrefixRules": [

+ {

+ "action": "Permit",

+ "condition": "GreaterThanOrEqualTo",

+ "networkPrefix": "fda0:d59c:da12:20::/64",

+ "sequenceNumber": 10,

+ "subnetMaskLength": 68

+ }

+ ],

+ "location": "eastus",

+ "name": "ipprefixv6-2701-cn1",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "systemData": {

+ "createdAt": "2023-XX-XXT09:34:19.095543+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT09:34:19.095543+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/ipprefixes"

+}

+```

+## IP Community

+IP community resource allows operators to manipulate routes based on Community values tagged to routes. This community resource enables operators to specify conditions and actions for adding/removing routes as they're propagated up-stream/down-stream or tag them with specific community values. The operator must create an ARM resource of the type IP-Community. The operator specifies conditions and actions for adding/removing routes as they're propagated up-stream/down-stream or tags them with specific community values.

+### Parameters for IP community

+| Parameter | Description | Example | Required |

+|--|-||-|

+| resource-group | Use an appropriate resource group name specifically for your IP prefix | ResourceGroupName |True |

+| resource-name | Resource Name of the IP-Prefix | ipprefixv4-1204-cn1 |True |

+| location | AzON Azure Region used during NFC Creation | eastus |True |

+| action | Action to be taken for the IP community ΓÇô Permit | Deny or Permit |True |

+| wellKnownCommunities | Supported well known community list.`Internet` - Advertise routes to internet community. `LocalAS` - Advertise routes to only localAS peers. `NoAdvertise` - Don't advertise routes to any peer. `NoExport` - Don't export to next AS. `GShut` - Graceful Shutdown (GSHUT) withdraw routes before terminating BGP connection| LocalAS |True |

+| communityMembers | List the communityMembers of the IP community. The expected formats are "AA:nn" >> example "65535:65535", \<integer32> >> example 4294967040. The possible values of "AA:nn" is 0-65535, and of \<integer32> 1-4294967040. | 65535:65535 |True |

+> [!NOTE]

+> Either `wellKnownCommunities` or `communityMembers` parameter has to be passed for creating an IP community resource.

+### Create IP community

+This command creates an IP community resource:

+```azurecli

+az nf ipcommunity create \

+--resource-group "ResourceGroupName" \

+--resource-name "ipcommunity-2701" \

+--location "eastus" \

+--action "Permit" \

+--well-known-communities "Internet" "LocalAS" "GShut" \

+--community-members "65500:12701"

+```

+Expected output:

+```output

+{

+ "action": "Permit",

+ "annotation": null,

+ "communityMembers": [

+ "65500:12701"

+ ],

+ "id": "/subscriptions/9531faa8-8c39-4165-b033-48697fe943db/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-2701",

+ "location": "eastus",

+ "name": "ipcommunity-2701",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "systemData": {

+ "createdAt": "2023-XX-XXT09:48:15.472935+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT09:48:15.472935+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/ipcommunities",

+ "wellKnownCommunities": [

+ "Internet",

+ "LocalAS",

+ "GShut"

+ ]

+}

+```

+### Show IP community

+This command displays an IP community resource:

+```azurecli

+az nf ipcommunity show --resource-group "ResourceGroupName" --resource-name "ipcommunity-2701"

+```

+Expected output:

+```output

+{

+ "action": "Permit",

+ "annotation": null,

+ "communityMembers": [

+ "65500:12701"

+ ],

+ "id": "/subscriptions/9531faa8-8c39-4165-b033-48697fe943db/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-2701",

+ "location": "eastus",

+ "name": "ipcommunity-2701",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "systemData": {

+ "createdAt": "2023-XX-XXT09:48:15.472935+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT09:48:15.472935+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/ipcommunities",

+ "wellKnownCommunities": [

+ "Internet",

+ "LocalAS",

+ "GShut"

+ ]

+}

+```

+## IP extended community

+The `IPExtendedCommunity`resource allows operators to manipulate routes based on route targets. Operators use it to specify conditions and actions for adding/removing routes as they're propagated up-stream/down-stream or tag them with specific extended community values. The operator must create an ARM resource of the type `I`PExtendedCommunityList` by providing a list of community values and specific properties. ExtendedCommunityLists are used in specifying match conditions and the action properties for route policies.

+### Parameters for IP extended community

+| Parameter | Description | Example | Required |

+|--|-||-|

+| resource-group | Use an appropriate resource group name specifically for your IP prefix | ResourceGroupName |True |

+| resource-name | Resource Name of the ipPrefix | ipprefixv4-1204-cn1 |True |

+| location | AzON Azure Region used during NFC Creation | eastus |True |

+| action | Action to be taken for the IP extended community ΓÇô Permit | Deny or Permit |True |

+| routeTargets | Route Target List. The expected formats are "ASN(plain):nn" >> example "4294967294:50", "ASN.ASN:nn" >> example "65533.65333:40", "IP-address:nn" >> example "10.10.10.10:65535". The possible values of "nn" are within "0-65535" range, and "ASN(plain)" within "0-4294967295" range. | "1234:5678" |True |

+### Create IP extended community

+This command creates an IP extended community resource:

+```azurecli

+az nf ipextendedcommunity create \

+--resource-group "ResourceGroupName" \

+--resource-name "ipextcommunity-2701" \

+--location "eastus" \

+--action "Permit" \

+--route-targets "65046:45678"

+```

+Expected output:

+```output

+{

+ "action": "Permit",

+ "annotation": null,

+ "id": "/subscriptions/9531faa8-8c39-4165-b033-48697fe943db/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipExtendedCommunities/ipextcommunity-2701",

+ "location": "eastus",

+ "name": "ipextcommunity-2701",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "routeTargets": [

+ "65046:45678"

+ ],

+ "systemData": {

+ "createdAt": "2023-XX-XXT09:52:30.385929+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT09:52:30.385929+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/ipextendedcommunities"

+}

+```

+### Show IP extended community

+This command displays an IP extended community resource:

+```azurecli

+az nf ipextendedcommunity show --resource-group "ResourceGroupName" --resource-name "ipextcommunity-2701"

+```

+Expected output:

+```output

+{

+ "action": "Permit",

+ "annotation": null,

+ "id": "/subscriptions/9531faa8-8c39-4165-b033-48697fe943db/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipExtendedCommunities/ipextcommunity-2701",

+ "location": "eastus",

+ "name": "ipextcommunity-2701",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "routeTargets": [

+ "65046:45678"

+ ],

+ "systemData": {

+ "createdAt": "2023-XX-XXT09:52:30.385929+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT09:52:30.385929+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/ipextendedcommunities"

+}

+```

+## Route policy

+Route policy resource enables an operator to specify conditions and actions based on IP prefixes, IP community list and IP extended community lists. Each route policy consists of multiple statements. Each statement consists of a sequence number, conditions, and actions. The conditions can be combinations of IP prefixes, IP communities, and IP extended communities and are applied in ascending order of sequence numbers. The action corresponding to the first matched condition is executed. If the conditions that matched has deny as action, the route is discarded and no further processing takes place. If the action in the Route policy corresponding to the matched condition is "Permit", the following combinations of actions are allowed:

+* Updating local preference

+* Add/delete or Set of IpCommunityLists

+* Add/delete or Set of IpExtendedCommunityLists

+### Parameters for Route policy

+| Parameter | Description | Example | Required |

+|--|-||-|

+| resource-group | Use an appropriate resource group name specifically for your IP prefix | ResourceGroupName |True |

+| resource-name | Resource Name of the IP-Prefix | ipprefixv4-1204-cn1 |True |

+| location | AzON Azure Region used during NFC Creation | eastus |True |

+| statements | List of one or more route Policy statements | |True |

+| sequenceNumber | Sequence in which route policy statements are processed. Statements are evaluated starting with the lowest sequence number and continue down the list until a match condition is met. Once a match is made, the action is applied and the rest of the list is ignored | 1 |True |

+| condition | Route policy condition properties. That contains a list of IP community ARM IDs or ipExtendedCommmunicty ARM IDs or ipPrefix ARM ID. One of the three(ipCommunityIds, ipCommunityIds, ipPrefixId) is required in a condition. If more than one is specified, the condition is matched if any one of the resources has a match. | 1234:5678 |True |

+| ipCommunityIds | List of IP community resource IDs | |False|

+| ipExtendedCommunityIds | List of IPExtendedCommunity resource IDs | |False|

+| ipPrefixId | Arm Resource ID of IpPrefix | |False|

+| action | Route policy action properties. This property describes the action to be performed if there's a match of the condition in the statement. At least one of localPreference, ipCommunityProperties, or ipExtendedCommunityProperties needs to be enabled | Permit |True |

+| localPreference | Local preference to be set as part of action | 10 |False |

+| ipCommunityProperties | Details of IP communities that need to be added, removed, or set as part of action | |False|

+| add | Applicable when the action is to add IP communities or IP extended communities | ||

+| delete | Applicable when the action is to delete IP communities or IP extended communities | ||

+| set | Applicable when the action is to set IP communities or IP extended communities | ||

+| ipCommunityIds | IP community ARM resource Ids that need to be added or deleted or set | ||

+| ipExtendedCommunityProperties | Details of IP Extended communities that need to be added, removed, or set as part of action | ||

+| ipExtendedCommunityIDs | IP extended community ARM resource Ids that need to be added or deleted or set | ||

+### Create route policy

+This command creates route policies:

+```azurecli

+az nf routepolicy create \

+--resource-group "ResourceGroupName" \

+--resource-name "rcf-Fab3-l3domain-v6-connsubnet-ext-policy" \

+--location "eastus" \

+--statements '[ \{"sequenceNumber": 10, "condition":{"ipPrefixId": "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-staticsubnet"}, \

+ "action": {"actionType": "Permit", "ipCommunityProperties": {"set": \

+ {"ipCommunityIds": ["/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-2701-staticsubnet"]}}}}, \

+ {"sequenceNumber": 30, "condition":{"ipPrefixId": "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-connsubnet"}, \

+ "action": {"actionType": "Permit", "ipCommunityProperties": {"set": \

+ {"ipCommunityIds": ["/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-connsubnet-2701"]}}}},\

+]'

+```

+Expected output:

+```output

+{

+ "annotation": null,

+ "id": "/subscriptions/9531faa8-8c39-4165-b033-48697fe943db/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/routePolicies/rcf-Fab3-l3domain-v6-connsubnet-ext-policy",

+ "location": "eastus",

+ "name": "rcf-Fab3-l3domain-v6-connsubnet-ext-policy",

+ "provisioningState": "Accepted",

+ "resourceGroup": "ResourceGroupName",

+ "statements": [

+ {

+ "action": {

+ "actionType": "Permit",

+ "ipCommunityProperties": {

+ "add": null,

+ "delete": null,

+ "set": {

+ "ipCommunityIds": [

+ "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-2701-staticsubnet"

+ ]

+ }

+ },

+ "ipExtendedCommunityProperties": null,

+ "localPreference": null

+ },

+ "annotation": null,

+ "condition": {

+ "ipCommunityIds": null,

+ "ipExtendedCommunityIds": null,

+ "ipPrefixId": "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-staticsubnet"

+ },

+ "sequenceNumber": 10

+ },

+ {

+ "action": {

+ "actionType": "Permit",

+ "ipCommunityProperties": {

+ "add": null,

+ "delete": null,

+ "set": {

+ "ipCommunityIds": [

+ "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-connsubnet-2701"

+ ]

+ }

+ },

+ "ipExtendedCommunityProperties": null,

+ "localPreference": null

+ },

+ "annotation": null,

+ "condition": {

+ "ipCommunityIds": null,

+ "ipExtendedCommunityIds": null,

+ "ipPrefixId": "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-connsubnet"

+ },

+ "sequenceNumber": 30

+ }

+ ],

+ "systemData": {

+ "createdAt": "2023-XX-XXT10:10:21.123560+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT10:10:21.123560+00:00",

+ "lastModifiedBy": "user@address.com",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/routepolicies"

+}

+```

+### Show route policy

+This command displays route policies:

+```Azurecli

+az nf routepolicy show --resource-group "ResourceGroupName" --resource-name "rcf-Fab3-l3domain-v6-connsubnet-ext-policy"

+```

+Expected output:

+```Output

+{

+ "annotation": null,

+ "id": "/subscriptions/9531faa8-8c39-4165-b033-48697fe943db/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/routePolicies/rcf-Fab3-l3domain-v6-connsubnet-ext-policy",

+ "location": "eastus",

+ "name": "rcf-Fab3-l3domain-v6-connsubnet-ext-policy",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "ResourceGroupName",

+ "statements": [

+ {

+ "action": {

+ "actionType": "Permit",

+ "ipCommunityProperties": {

+ "add": null,

+ "delete": null,

+ "set": {

+ "ipCommunityIds": [

+ "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-2701-staticsubnet"

+ ]

+ }

+ },

+ "ipExtendedCommunityProperties": null,

+ "localPreference": null

+ },

+ "annotation": null,

+ "condition": {

+ "ipCommunityIds": null,

+ "ipExtendedCommunityIds": null,

+ "ipPrefixId": "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-staticsubnet"

+ },

+ "sequenceNumber": 10

+ },

+ {

+ "action": {

+ "actionType": "Permit",

+ "ipCommunityProperties": {

+ "add": null,

+ "delete": null,

+ "set": {

+ "ipCommunityIds": [

+ "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipCommunities/ipcommunity-connsubnet-2701"

+ ]

+ }

+ },

+ "ipExtendedCommunityProperties": null,

+ "localPreference": null

+ },

+ "annotation": null,

+ "condition": {

+ "ipCommunityIds": null,

+ "ipExtendedCommunityIds": null,

+ "ipPrefixId": "/subscriptions/<subscription-id>/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedNetworkFabric/ipPrefixes/ipprefixv6-2701-connsubnet"

+ },

+ "sequenceNumber": 30

+ }

+ ],

+ "systemData": {

+ "createdAt": "2023-XX-XXT10:10:21.123560+00:00",

+ "createdBy": "user@address.com",

+ "createdByType": "User",

+ "lastModifiedAt": "2023-XX-XXT10:10:21.123560+00:00",

+ "lastModifiedBy": "user@addresscom",

+ "lastModifiedByType": "User"

+ },

+ "tags": null,

+ "type": "microsoft.managednetworkfabric/routepolicies"

+}

+```

+- **Power operations**: [Power operations](how-to-stop-start-server-portal.md), including start and stop actions, can be applied to both the primary server and its replica servers. However, to preserve system integrity, a specific sequence should be followed. Prior to stopping the read replicas, ensure the primary server is stopped first. When commencing operations, initiate the start action on the replica servers before starting the primary server.

+### Resource move

+Moving replica(s) to another resource group or subscription, as well as the primary that has read replica(s) is not currently supported.

+* General availability :[Azure Key Vault Managed HSM](./concepts-data-encryption.md#using-azure-key-vault-managed-hsm) with Azure Database for PostgreSQL- Flexible server

+description: Learn how to monitor your Azure Route Server using Azure Monitor and understand available metrics.

+> [!NOTE]

+> Using **Classic Metrics** is not recommended.

+Once a metric is selected, the default aggregation is applied. Optionally, you can apply splitting, which shows the metric with different dimensions.