->The [Azure Active Directory B2C community site on GitHub](https://azure-ad-b2c.github.io/azureadb2ccommunity.io/) also provides sample custom policies from the community.

- If you decide to migrate an App Service Environment, the old environment gets shut down and deleted and all of your apps are migrated to a new environment. Your old environment will no longer be accessible.

-> [Using an App Service Environment v3](using.md)

-Form Recognizer uses the [prebuilt-layout model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument) API to learn the expected sizes and positions of printed and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started with training a new model. Then, add more labeled data, as needed, to improve the model accuracy. Form Recognizer enables training a model to extract key-value pairs and tables using supervised learning capabilities.

-Form Recognizer uses the [Layout](concept-layout.md) API to learn the expected sizes and positions of printed and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started when training a new model and add more labeled data as needed to improve the model accuracy. Form Recognizer enables training a model to extract key value pairs and tables using supervised learning capabilities.

-The layout model extracts table structures, selection marks, printed and handwritten text, and bounding box coordinates from your documents.

-The layout model extracts text from documents and images with multiple text angles and colors. It accepts photos of documents, faxes, printed and/or handwritten (English only) text, and mixed modes. Printed and handwritten text is extracted from lines and words. The service then returns bounding box coordinates, confidence scores, and style (handwritten or other). All the text information is included in the `readResults` section of the JSON output.

-| 🆕[Read (preview)](#read-preview) | Extract printed and handwritten text lines, words, locations, and detected languages.|

-The Form Recognizer v3.0 preview includes the new Read OCR model. Form Recognizer Read builds on the success of Computer Vision Read and optimizes even more for analyzing documents, including new document formats in the future. It extracts printed and handwritten text from documents and images and can handle mixed languages in the documents and text line. The read model can detect lines, words, locations, and additionally detect languages. It is the foundational technology powering the text extraction in Form Recognizer Layout, prebuilt, general document, and custom models.

-description: Learn how to generate shared access signature (SAS) tokens for containers and blobs in the Azure portal.

-recommendations: false

-# Generate SAS tokens for storage containers

-In this article, you'll learn how to generate user delegation shared access signature (SAS) tokens for Azure Blob Storage containers. A user delegation SAS token is signed with Azure Active Directory (Azure AD) credentials instead of Azure Storage keys. It provides superior secure and delegated access to resources in your Azure storage account.

-At a high level, here's how it works: your application provides the SAS token to Azure Storage as part of a request. If the storage service verifies that the shared access signature is valid, the request is authorized. If the shared access signature is considered invalid, the request is declined with error code 403 (Forbidden).

-Azure Blob Storage offers three types of resources:

-* **Storage** accounts provide a unique namespace in Azure for your data.

-* **Containers** are located in storage accounts and organize sets of blobs.

-* **Blobs** are located in containers and store text and binary data.

-> [!NOTE]

->

-> * If your Azure storage account is protected by a virtual network or firewall, you can't grant access by using a SAS token. You'll have to use a [managed identity](managed-identity-byos.md) to grant access to your storage resource.

-> * [Managed identity](managed-identity-byos.md) supports both privately and publicly accessible Azure Blob Storage accounts.

->

-## When to use a shared access signature

-* If you're using storage containers with public access, you can opt to use a SAS token to grant limited access to your storage resources.

-* When you're training a custom model, your assembled set of training documents *must* be uploaded to an Azure Blob Storage container. You can grant permission to your training resources with a user delegation SAS token.

-## Prerequisites

-To get started, you'll need:

-* An active [Azure account](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [create a free account](https://azure.microsoft.com/free/).

-* A [Form Recognizer](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [Cognitive Services multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource.

-* A **standard performance** [Azure Blob Storage account](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You'll create containers to store and organize your blob data within your storage account. If you don't know how to create an Azure storage account with a container, following these quickstarts:

- * [Create a storage account](../../storage/common/storage-account-create.md). When you create your storage account, select **Standard** performance in the **Instance details** > **Performance** field.

- * [Create a container](../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). When you create your container, set **Public access level** to **Container** (anonymous read access for containers and blobs) in the **New Container** window.

-## Upload your documents

-1. Go to the [Azure portal](https://portal.azure.com/#home). Select **Your storage account** > **Data storage** > **Containers**.

- :::image type="content" source="media/sas-tokens/data-storage-menu.png" alt-text="Screenshot that shows the Data storage menu in the Azure portal.":::

-1. Select a container from the list.

-1. Select **Upload** from the menu at the top of the page.

- :::image type="content" source="media/sas-tokens/container-upload-button.png" alt-text="Screenshot that shows the container Upload button in the Azure portal.":::

- The **Upload blob** window appears.

-1. Select your files to upload.

- :::image type="content" source="media/sas-tokens/upload-blob-window.png" alt-text="Screenshot that shows the Upload blob window in the Azure portal.":::

-> [!NOTE]

-> By default, the REST API uses form documents located at the root of your container. You can also use data organized in subfolders if specified in the API call. For more information, see [Organize your data in subfolders](./build-training-data-set.md#organize-your-data-in-subfolders-optional).

-## Create a shared access signature with the Azure portal

-> [!IMPORTANT]

->

-> Generate and retrieve the shared access signature for your container, not for the storage account itself.

-1. In the [Azure portal](https://portal.azure.com/#home), select **Your storage account** > **Containers**.

-1. Select a container from the list.

-1. Go to the right of the main window, and select the three ellipses associated with your chosen container.

-1. Select **Generate SAS** from the dropdown menu to open the **Generate SAS** window.

- :::image type="content" source="media/sas-tokens/generate-sas.png" alt-text="Screenshot that shows the Generate SAS token dropdown menu in the Azure portal.":::

-1. Select **Signing method** > **User delegation key**.

-1. Define **Permissions** by selecting or clearing the appropriate checkbox. Make sure the **Read**, **Write**, **Delete**, and **List** permissions are selected.

- :::image type="content" source="media/sas-tokens/sas-permissions.png" alt-text="Screenshot that shows the SAS permission fields in the Azure portal.":::

- >[!IMPORTANT]

- >

- > * If you receive a message similar to the following one, you'll need to assign access to the blob data in your storage account:

- >

- > :::image type="content" source="media/sas-tokens/need-permissions.png" alt-text="Screenshot that shows the lack of permissions warning.":::

- >

- > * [Azure role-based access control](../../role-based-access-control/overview.md) (Azure RBAC) is the authorization system used to manage access to Azure resources. Azure RBAC helps you manage access and permissions for your Azure resources.

- > * [Assign an Azure role for access to blob data](../../role-based-access-control/role-assignments-portal.md?tabs=current) shows you how to assign a role that allows for read, write, and delete permissions for your Azure storage container. For example, see [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor).

-1. Specify the signed key **Start** and **Expiry** times. The value for the expiry time is a maximum of seven days from the start of the shared access signature.

-1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, it won't be authorized.

-1. The **Allowed protocols** field is optional and specifies the protocol permitted for a request made with the shared access signature. The default value is HTTPS.

-1. Select **Generate SAS token and URL**.

-1. The **Blob SAS token** query string and **Blob SAS URL** appear in the lower area of the window. To use the Blob SAS token, append it to a storage service URI.

-1. Copy and paste the **Blob SAS token** and **Blob SAS URL** values in a secure location. They're displayed only once and can't be retrieved after the window is closed.

-## Create a shared access signature with the Azure CLI

-1. To create a user delegation SAS for a container by using the Azure CLI, make sure that you've installed version 2.0.78 or later. To check your installed version, use the `az --version` command.

-1. Call the [az storage container generate-sas](/cli/azure/storage/container#az-storage-container-generate-sas) command.

-1. The following parameters are required:

- * `auth-mode login`. This parameter ensures that requests made to Azure Storage are authorized with your Azure AD credentials.

- * `as-user`. This parameter indicates that the generated SAS is a user delegation SAS.

-1. Supported permissions for a user delegation SAS on a container include Add (a), Create (c), Delete (d), List (l), Read (r), and Write (w). Make sure **r**, **w**, **d**, and **l** are included as part of the permissions parameters.

-1. When you create a user delegation SAS with the Azure CLI, the maximum interval during which the user delegation key is valid is seven days from the start date. Specify an expiry time for the shared access signature that's within seven days of the start time. For more information, see [Create a user delegation SAS for a container or blob with the Azure CLI](../../storage/blobs/storage-blob-user-delegation-sas-create-cli.md#use-azure-ad-credentials-to-secure-a-sas).

-### Example

-Generate a user delegation SAS. Replace the placeholder values in the brackets with your own values:

-```azurecli-interactive

-az storage container generate-sas \

- --account-name <storage-account> \

- --name <container> \

- --permissions rwdl \

- --expiry <date-time> \

- --auth-mode login \

- --as-user

-```

-## Use your Blob SAS URL

-Two options are available:

-* To use your Blob SAS URL with the [REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/TrainCustomModelAsync), add the SAS URL to the request body:

- ```json

- {

- "source":"<BLOB SAS URL>"

- }

- ```

-* To use your Blob SAS URL with the [Form Recognizer labeling tool](https://fott-2-1.azurewebsites.net/connections/create), add the SAS URL to the **Connection Settings** > **Azure blob container** > **SAS URI** field:

- :::image type="content" source="media/sas-tokens/fott-add-sas-uri.png" alt-text="Screenshot that shows the SAS URI field.":::

-That's it. You've learned how to generate SAS tokens to authorize how clients access your data.

-## Next step

-> [!div class="nextstepaction"]

-> [Build a training data set](build-training-data-set.md)

- In this how-to guide, you'll learn to use Azure Form Recognizer's [read model](../concept-read.md) to extract printed and handwritten text from documents. The read model can detect lines, words, locations, and languages. You can use a programming language of your choice or the REST API. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

-* [**Read model**](concept-read.md) | Extract printed and handwritten text lines, words, locations, and detected languages from documents and images.

-* 🆕 Read—Analyze and extract printed and handwritten text lines, words, locations, and detected languages.

- :::image type="content" source="media/public-ip-usage/avs-private-cloud-resource.png" alt-text="Screenshot of the Azure VMware Solution private cloud." lightbox="media/public-ip-usage/avs-private-cloud-resource.png":::

- :::image type="content" source="media/public-ip-usage/secure-hubs-with-azure-firewall-polcy.png" alt-text="Screenshot that shows the selected hubs that will be converted to Secured Virtual Hubs." lightbox="media/public-ip-usage/secure-hubs-with-azure-firewall-polcy.png":::

-In this article, you'll learn how to create shared access signature (SAS) tokens using the Azure Storage Explorer or the Azure portal. A SAS token provides secure, delegated access to resources in your Azure storage account.

-## Create your SAS tokens with Azure Storage Explorer

-### Prerequisites

-* You'll need a [**Azure Storage Explorer**](../../../vs-azure-tools-storage-manage-with-storage-explorer.md) app installed in your Windows, macOS, or Linux development environment. Azure Storage Explorer is a free tool that enables you to easily manage your Azure cloud storage resources.

-* After the Azure Storage Explorer app is installed, [connect it the storage account](../../../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#connect-to-a-storage-account-or-service) you're using for Document Translation.

-### Create your tokens

-### [SAS tokens for containers](#tab/Containers)

-1. A new window will appear with the **Container** name, **URI**, and **Query string** for your container.

-1. To construct a SAS URL, append the SAS token (URI) to the URL for a storage service.

-### [SAS tokens for blobs](#tab/blobs)

-1. Select the blob where you wish to delegate SAS access and right-click to display the options menu.

-1. A new window will appear with the **Blob** name, **URI**, and **Query string** for your blob.

-1. To construct a SAS URL, append the SAS token (URI) to the URL for a storage service.

-## Create SAS tokens for blobs in the Azure portal

-<!-- markdownlint-disable MD024 -->

-### Prerequisites

-To get started, you'll need:

-* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

-* A [**Translator**](https://portal.azure.com/#create/Microsoft) service resource (**not** a Cognitive Services multi-service resource. *See* [Create a new Azure resource](../../cognitive-services-apis-create-account.md#create-a-new-azure-cognitive-services-resource).

-* An [**Azure Blob Storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You will create containers to store and organize your blob data within your storage account.

-### Create your tokens

-Go to the [Azure portal](https://portal.azure.com/#home) and navigate as follows:

- **Your storage account** → **containers** → **your container** → **your blob**

-1. Select **Generate SAS** from the menu near the top of the page.

-1. Select **Signing method** → **User delegation key**.

-1. Define **Permissions** by checking and/or clearing the appropriate check box.

-1. Specify the signed key **Start** and **Expiry** times.

-1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, it won't be authorized.

-1. The **Allowed protocols** field is optional and specifies the protocol permitted for a request made with the SAS. The default value is HTTPS.

-1. Review then select **Generate SAS token and URL**.

-1. The **Blob SAS token** query string and **Blob SAS URL** will be displayed in the lower area of window.

-1. **Copy and paste the Blob SAS token and URL values in a secure location. They'll only be displayed once and cannot be retrieved once the window is closed.**

-1. To construct a SAS URL, append the SAS token (URI) to the URL for a storage service.

-## Learn more

-* [Create SAS tokens for blobs or containers programmatically](../../../storage/blobs/sas-service-create.md)

-* [Permissions for a directory, container, or blob](/rest/api/storageservices/create-service-sas#permissions-for-a-directory-container-or-blob)

->

-## Translator resource types

-* **Single-service** resource types enable access to a single service API key and endpoint.

-* **Multi-service** resource types enable access to multiple Cognitive Services using a single API key and endpoint. The Cognitive Services resource is currently available for the following

- * Language ([Translator](../translator/translator-overview.md), [Language Understanding (LUIS)](../luis/what-is-luis.md), [Language service](../text-analytics/overview.md))

- * Vision ([Computer Vision](../computer-vision/overview.md)), ([Face](../face/overview.md))

- * Decision ([Content Moderator](../content-moderator/overview.md))

-## Create your resource

-* Navigate directly to the [**Create Translator**](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) page in the Azure portal to complete your project details.

-* Navigate directly to the [**Create Cognitive Services**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) page in the Azure portal to complete your project details.

->[!TIP]

->If you prefer, you can start on the Azure Portal home page to begin the **Create** process as follows:

->

-> 1. Navigate to the [**Azure Portal**](https://portal.azure.com/#home) home page.

-> 1. Select Γ₧ò**Create a resource** from the Azure services menu.

->1. In the **Search the Marketplace** search box, enter and select **Translator** (single-service resource) or **Cognitive Services** (multi-service resource). *See* [Choose your resource type](#create-your-resource), above.

-> 1. Select **Create** and you will be taken to the project details page.

-><br/><br/>

-We recommending using OpenSSL to generate certificates. If you have git installed, you can run OpenSSL in the git shell. Otherwise, you can install OpenSSL for your OS.

-> [!IMPORTANT]

-> A logic app workflow can't directly access a storage account behind a firewall if they're both in the same region.

-> As a workaround, your logic app and storage account can be in different regions. For more information about enabling

-> access from Azure Logic Apps to storage accounts behind firewalls, review the [Access storage accounts behind firewalls](#access-storage-accounts-behind-firewalls) section later in this topic.

-For more technical details about this connector, such as triggers, actions, and limits, review the [connector's reference page](/connectors/azureblobconnector/). If you don't want to use the Blob operations, you can use the [use HTTP trigger or action along with a a managed identity for blob operations instead](#access-blob-storage-with-managed-identities).

- | Check the root folder for a newly added blob. | **<*container-name*>** |

-1. Under the trigger or action where you want to add the Blob action, select **New step** or **Add an action**, if between steps.

- - [Access storage accounts with managed identities](#access-blob-storage-with-managed-identities)

-### Access Blob Storage with managed identities

-When transforming data in mapping data flow, you can read and write to tables from Dynamics. For more information, see the [source transformation](data-flow-source.md) and [sink transformation](data-flow-sink.md) in mapping data flows. You can choose to use a Dynamics dataset or an [inline dataset](data-flow-source.md#inline-datasets) as source and sink type.

-| Table | If you select Table as input, data flow fetches all the data from the table specified in the dataset. | No | - | tableName |

-| Entity | The logical name of the entity to retrieve. | Yes when use inline mode | - | entity|

-When you use Dynamics as source type, the associated data flow script is:

-source(

- output(

- new_name as string,

- new_dataflowtestid as string

- ),

- store: 'dynamics',

- format: 'dynamicsformat',

- baseUrl: $baseUrl,

- cloudType:'AzurePublic',

- servicePrincipalId:$servicePrincipalId,

- servicePrincipalCredential:$servicePrincipalCredential,

- entity:'new_datalowtest'

-query:' <fetch mapping='logical' count='3 paging-cookie=''><entity name='new_dataflow_crud_test'><attribute name='new_name'/><attribute name='new_releasedate'/></entity></fetch> '

- ) ~> movies

-| Entity | The logical name of the entity to retrieve. | Yes when use inline mode | - | entity|

-| Request interval | The interval time between API requests in millisecond. | No | - | requestInterval|

-| Update method | Specify what operations are allowed on your database destination. The default is to only allow inserts.<br>To update, upsert, or delete rows, an [Alter row transformation](data-flow-alter-row.md) is required to tag rows for those actions. | Yes | `true` or `false` | insertable <br/>updateable<br/>upsertable<br>deletable|

-When you use Dynamics as sink type, the associated data flow script is:

-moviesAltered sink(

- input(new_name as string,

- new_id as string,

- new_releasedate as string

- ),

- store: 'dynamics',

- format: 'dynamicsformat',

- baseUrl: $baseUrl,

- cloudType:'AzurePublic',

- servicePrincipalId:$servicePrincipalId,

- servicePrincipalCredential:$servicePrincipalCredential,

- updateable: true,

- upsertable: true,

- insertable: true,

- deletable:true,

- alternateKey:'new_testalternatekey',

- entity:'new_dataflow_crud_test',

-requestInterval:1000

- ) ~> movieDB

-### Add and remove the Defender profile for AKS clusters from the CLI

-|**Performance** | Max bandwidth: 3Gbp/s <br> Max devices: 12,000 |

-|**Performance** | As required for your organization. For more information, see [Which appliances do I need?](../ot-appliance-sizing.md) |

-These commands set the name of the newly added adapter hardware to be `Monitor`. If you are using Hyper-V Manager, the name of the newly added adapter hardware is set to `Network Adapter`.

-These fields should be configured in the partner solution to display the alert group name. If there is no alert associated with an alert group, the field in the partner solution will display **NA**.

-Use custom alert rule actions to for IT to take specific action when the alert is triggered, such as allowing users to access PCAP files from the alert, assigning alert severity, or generating an event that shows in the event timeline. Alert messages indicate that the alert was generated from a custom alert rule.

- - When a process or machine is not working correctly (to see who carried out the last update and when)

-Unauthorized programming events are carried out by devices that have not been learned or manually defined as programming devices. Authorized programming events are carried out by devices that were resolved or manually defined as programming devices.

-Defining dynamic IP addresses on each sensor enables comprehensive, transparent support in instances of IP address changes. This ensures comprehensive reporting for each unique device.

-If a sensor cannot connect to the primary on-premises management console, it automatically connects to the secondary. Your system will be supported by both the primary and secondary simultaneously, if less than half of the sensors are communicating with the secondary. The secondary takes over when more than half of the sensors are communicating with it. Fail over from the primary to the secondary takes approximately three minutes. When the failover occurs, the primary on-premises management console freezes. When this happens, you can sign in to the secondary using the same sign-in credentials.

-Verify that you have met the following high availability requirements:

- - ΓÇ£**u_id**ΓÇ¥ - the internal id of the device.

- - ΓÇ£**u_sensor_id**ΓÇ¥ - the id of the sensor that saw the device.

- - ΓÇ£**u_id**ΓÇ¥ - the id of the deleted device.

- - ΓÇ£**u_id**ΓÇ¥ - internal sensor id, to be used in the devices API.

-The `network capture-filter` command allows administrators to eliminate network traffic that doesn't need to be analyzed. You can filter traffic by using an include list, or an exclude list. This command does not support the malware detection engine.

-In most common use cases, we recommend that you select `all`. Selecting `all` does not include the malware detection engine, which is not supported by this command.

-### Custom base capture filter

-This unique solution for developing protocols as plugins, does not require dedicated developer teams or version releases in order to support a new protocol. Developers, partners, and customers can securely develop protocols and share insights and knowledge using Horizon.

-## Regulation does not allow us to connect our system to the Internet. Can we still utilize Defender for IoT?

-1. Determine which folder in the troubling node contributes to most of the disk space. SSH to the node first, then run `df` to list disk usage for all mounts. Usually it is `/mnt` which is a temp disk used by OSS. You can enter into a folder, then type `sudo du -hs` to show summarized file sizes under a folder. If you see a folder similar to `/mnt/resource/hadoop/yarn/local/usercache/livy/appcache/application_1537280705629_0007`, this means the application is still running. This could be due to RDD persistence or intermediate shuffle files.

- Add the following 2 properties to the custom yarn-site.xml section and save:

-1. If the above does not permanently fix the issue, optimize your application.

-Code snippets for this additional SDK functionality can be found in the [HDInsight SDK for Java reference documentation](/java/api/overview/azure/hdinsight).

-Code snippets for this additional SDK functionality can be found in the [HDInsight SDK for Python reference documentation](/python/api/overview/azure/hdinsight).

-* [Track and debug jobs running on an Apache Spark cluster in HDInsight](apache-spark-job-debugging.md)

-* [Track and debug jobs running on an Apache Spark cluster in HDInsight](apache-spark-job-debugging.md)

-* [Track and debug jobs that run on an Apache Spark cluster in HDInsight](apache-spark-job-debugging.md)

- * If you want to delete all the resources, use the [az group delete](/cli/azure/groupt#az-group-delete) command.

-> make sure that you also set up your storage account with the [exception that allows access by trusted Microsoft services](../connectors/connectors-create-api-azureblobstorage.md#access-blob-storage-with-managed-identities).

->* If there's a failure, the time needed for the standby replica to take over the role of primary depends on the binary log application on the standby. So we recommend that you use primary keys on all tables to reduce failover time. Failover times are typically between 60 and 120 seconds.To create primary keys for tables you can use [invisible column](https://dev.mysql.com/doc/refman/8.0/en/invisible-columns.html) if your MySQL version is greater than 8.0.23.

-For successful connection to Azure database for MySQL Single server using `mysqlnd_azure.enableRedirect` you need to follow mandatory steps of combining your root certificate as per the compliance requirements. For more details on please visit [link](./concepts-certificate-rotation.md#do-i-need-to-make-any-changes-on-my-client-to-maintain-connectivity).

-Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc. Note: It is not intended for and will not work for PaaS monitoring or Web analytics.

-## Logs

-## Supported regions: NSG

-You can use traffic analytics for NSGs in any of the following supported regions:

- :::column span="":::

- Australia Central

- Australia East

- Australia Southeast

- Brazil South

- Brazil Southeast

- Canada Central

- Canada East

- Central India

- Central US

- China East 2

- China North

- China North 2

- :::column-end:::

- :::column span="":::

- East Asia

- East US

- East US 2

- East US 2 EUAP

- France Central

- Germany West Central

- Japan East

- Japan West

- Korea Central

- Korea South

- North Central US

- North Europe

- :::column-end:::

- :::column span="":::

- Norway East

- South Africa North

- South Central US

- South India

- Southeast Asia

- Switzerland North

- Switzerland West

- UAE Central

- UAE North

- UK South

- UK West

- USGov Arizona

- :::column-end:::

- :::column span="":::

- USGov Texas

- USGov Virginia

- USNat East

- USNat West

- USSec East

- USSec West

- West Central US

- West Europe

- West US

- West US 2

- West US 3

- :::column-end:::

-## Supported regions: Log Analytics Workspaces

-The Log Analytics workspace must exist in the following regions:

- :::column span="":::

- Australia Central

- Australia East

- Australia Southeast

- Brazil South

- Brazil Southeast

- Canada East

- Canada Central

- Central India

- Central US

- China East 2

- China North

- China North 2

- :::column-end:::

- :::column span="":::

- East Asia

- East US

- East US 2

- East US 2 EUAP

- France Central

- Germany West Central

- Japan East

- Japan West

- Korea Central

- Korea South

- North Central US

- North Europe

- :::column-end:::

- :::column span="":::

- Norway East

- South Africa North

- South Central US

- South India

- Southeast Asia

- Switzerland North

- Switzerland West

- UAE Central

- UAE North

- UK South

- UK West

- USGov Arizona

- :::column-end:::

- :::column span="":::

- USGov Texas

- USGov Virginia

- USNat East

- USNat West

- USSec East

- USSec West

- West Central US

- West Europe

- West US

- West US 2

- :::column-end:::

-> [!NOTE]

-> If NSGs support a region but the log analytics workspace does not support that region for traffic analytics as per above lists, then you can use log analytics workspace of any other supported region as a workaround.

-### Enable Network Watcher

-To analyze traffic, you need to have an existing network watcher, or [enable a network watcher](network-watcher-create.md) in each region that you have NSGs that you want to analyze traffic for. Traffic analytics can be enabled for NSGs hosted in any of the [supported regions](#supported-regions-nsg).

-### Select a network security group

-Before enabling NSG flow logging, you must have a network security group to log flows for. If you don't have a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md#create-a-network-security-group) to create one.

-In Azure portal, go to **Network watcher**, and then select **NSG flow logs**. Select the network security group that you want to enable an NSG flow log for, as shown in the following picture:

-

-If you try to enable traffic analytics for an NSG that is hosted in any region other than the [supported regions](#supported-regions-nsg), you receive a "Not found" error.

-## Enable flow log settings

-Before enabling flow log settings, you must complete the following tasks:

-Register the Azure Insights provider, if it's not already registered for your subscription:

-```azurepowershell-interactive

-Register-AzResourceProvider -ProviderNamespace Microsoft.Insights

-```

-If you don't already have an Azure Storage account to store NSG flow logs in, you must create a storage account. You can create a storage account with the command that follows. Before running the command, replace `<replace-with-your-unique-storage-account-name>` with a name that is unique across all Azure locations, between 3-24 characters in length, using only numbers and lower-case letters. You can also change the resource group name, if necessary.

-```azurepowershell-interactive

-New-AzStorageAccount `

- -Location westcentralus `

- -Name <replace-with-your-unique-storage-account-name> `

- -ResourceGroupName myResourceGroup `

- -SkuName Standard_LRS `

- -Kind StorageV2

-```

-Select the following options, as shown in the picture:

-1. Select *On* for **Status**

-2. Select *Version 2* for **Flow Logs version**. Version 2 contains flow-session statistics (Bytes and Packets)

-3. Select an existing storage account to store the flow logs in. Ensure that your storage does not have "Data Lake Storage Gen2 Hierarchical Namespace Enabled" set to true.

-4. Set **Retention** to the number of days you want to store data for. If you want to store the data forever, set the value to *0*. You incur Azure Storage fees for the storage account.

-5. Select *On* for **Traffic Analytics Status**.

-6. Select processing interval. Based on your choice, flow logs will be collected from storage account and processed by Traffic Analytics. You can choose processing interval of every 1 hour or every 10 mins.

-7. Select an existing Log Analytics (OMS) Workspace, or select **Create New Workspace** to create a new one. A Log Analytics workspace is used by Traffic Analytics to store the aggregated and indexed data that is then used to generate the analytics. If you select an existing workspace, it must exist in one of the [supported regions](#supported-regions-log-analytics-workspaces) and have been upgraded to the new query language. If you do not wish to upgrade an existing workspace, or do not have a workspace in a supported region, create a new one. For more information about query languages, see [Azure Log Analytics upgrade to new log search](../azure-monitor/logs/log-query-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).

-> [!NOTE]

->The log analytics workspace hosting the traffic analytics solution and the NSGs do not have to be in the same region. For example, you may have traffic analytics in a workspace in the West Europe region, while you may have NSGs in East US and West US. Multiple NSGs can be configured in the same workspace.

-8. Select **Save**.

- 

-Repeat the previous steps for any other NSGs for which you wish to enable traffic analytics for. Data from flow logs is sent to the workspace, so ensure that the local laws and regulations in your country/region permit data storage in the region where the workspace exists. If you have set different processing intervals for different NSGs, data will be collected at different intervals. For example: You can choose to enable processing interval of 10 mins for critical VNETs and 1 hour for noncritical VNETs.

-You can also configure traffic analytics using the [Set-AzNetworkWatcherConfigFlowLog](/powershell/module/az.network/set-aznetworkwatcherconfigflowlog) PowerShell cmdlet in Azure PowerShell. Run `Get-Module -ListAvailable Az` to find your installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps).

-## View traffic analytics

-To view Traffic Analytics, search for **Network Watcher** in the portal search bar. Once inside Network Watcher, to explore traffic analytics and its capabilities, select **Traffic Analytics** from the left menu.

-

-The dashboard may take up to 30 minutes to appear the first time because Traffic Analytics must first aggregate enough data for it to derive meaningful insights, before it can generate any reports.

-## Usage scenarios

-Some of the insights you might want to gain after Traffic Analytics is fully configured, are as follows:

-### Find traffic hotspots

-**Look for**

- - Check comparative chart for hosts, subnet, virtual network and virtual machine scale set. Understanding which hosts, subnets, virtual networks and virtual machine scale set are sending or receiving the most traffic can help you identify the hosts that are processing the most traffic, and whether the traffic distribution is done properly.

- - You can evaluate if the volume of traffic is appropriate for a host. Is the volume of traffic normal behavior, or does it merit further investigation?

- - Is the host expected to receive more inbound traffic than outbound, or vice-versa?

- - Why is a host blocking a significant volume of benign traffic? This behavior requires further investigation and probably optimization of configuration

- - Why is a host receiving malicious traffic and why are flows from malicious sources allowed? This behavior requires further investigation and probably optimization of configuration.

- Select **See all**, under **IP**, as shown in the following picture:

- 

- The following picture shows time trending for the top five talking hosts and the flow-related details (allowed ΓÇô inbound/outbound and denied - inbound/outbound flows) for a host:

- Select **See more**, under **Details of top 5 talking IPs**, as shown in the following picture to get insights about all the hosts:

- 

-

-**Look for**

- - Expected behavior like front-end or back-end communication or irregular behavior, like back-end internet traffic.

- - Why a host is allowing or blocking significant traffic volume

- - Are these applications allowed on this network?

- - Are the applications configured properly? Are they using the appropriate protocol for communication? Select **See all** under **Frequent conversation**, as show in the following picture:

- 

- 

-**Look for**

- - Are these applications allowed on this network?

- - Are the applications configured properly? Are they using the appropriate protocol for communication? Expected behavior is common ports such as 80 and 443. For standard communication, if any unusual ports are displayed, they might require a configuration change. Select **See all** under **Application port**, in the following picture:

- 

- 

- 

-**Look for**

- - Each VPN SKU allows a certain amount of bandwidth. Are the VPN gateways underutilized?

- - Are your gateways reaching capacity? Should you upgrade to the next higher SKU?

- - Is this pattern normal? Select **See all** under **VPN gateway**, as shown in the following picture:

- 

- 

-### Visualize traffic distribution by geography

-**Look for**

- - If you observe more load on a data center, you can plan for efficient traffic distribution.

- - If rogue networks are conversing in the data center, then correct NSG rules to block them.

- Select **View map** under **Your environment**, as shown in the following picture:

- 

- 

- 

- 

-

- 

-### Visualize traffic distribution by virtual networks

-**Look for**

- - Knowing which virtual network is conversing to which virtual network. If the conversation is not expected, it can be corrected.

- - If rogue networks are conversing with a virtual network, you can correct NSG rules to block the rogue networks.

-

- Select **View VNets** under **Your environment**, as shown in the following picture:

- 

- Flow Type (InterVNet, IntraVNET, and so on), Flow Direction (Inbound, Outbound), Flow Status (Allowed, Blocked), VNETs (Targeted and Connected), Connection Type (Peering or Gateway - P2S and S2S), and NSG. Use these filters to focus on VNets that you want to examine in detail.

- 

-

- 

- 

-**Look for**

- - Knowing which subnet is conversing to which subnet. If you see unexpected conversations, you can correct your configuration.

- - If rogue networks are conversing with a subnet, you are able to correct it by configuring NSG rules to block the rogue networks.

- 

-**Look for**

-Traffic distribution per Application gateway & Load Balancer, topology, top sources of traffic, top rogue networks conversing to the Application gateway & Load Balancer, and top conversing application protocols.

-

- 

-### View ports and virtual machines receiving traffic from the internet

-**Look for**

- - If unexpected ports are found open, you can correct your configuration:

- 

- 

-**Look for**

-Do you have malicious traffic in your environment? Where is it originating from? Where is it destined to?

-

-### View information about public IPs interacting with your deployment

-**Look for**

- - The Public IP Information section, gives a summary of all types of public IPs present in your network traffic.

- Select the public IP type of interest to view details. This [schema document](./traffic-analytics-schema.md#public-ip-details-schema) defines the data fields presented.

-

- :::image type="content" source="./media/traffic-analytics/public-ip-information.png" alt-text="Public IP information" lightbox="./media/traffic-analytics/public-ip-information.png":::

-

- - On the traffic analytics dashboard, click on any IP to view its information

-

- :::image type="content" source="./media/traffic-analytics/external-public-ip-details.png" alt-text="external IP information in tool tip" lightbox="./media/traffic-analytics/external-public-ip-details.png":::

-

- :::image type="content" source="./media/traffic-analytics/malicious-ip-details.png" alt-text="malicious IP information in tool tip" lightbox="./media/traffic-analytics/malicious-ip-details.png":::

-### Visualize the trends in NSG/NSG rules hits

-**Look for**

- 

- - Quickly detect which NSGs and NSG rules are traversing malicious flows and which are the top malicious IP addresses accessing your cloud environment

- - Identify which NSG/NSG rules are allowing/blocking significant network traffic

- - Select top filters for granular inspection of an NSG or NSG rules

- 

- 

-To get answers to frequently asked questions, see [Traffic analytics FAQ](traffic-analytics-faq.yml).

-| **Azure SQL Managed Instance** (Microsoft.Sql/managedInstances) | privatelink.{dnsPrefix}.database.windows.net | {instanceName}.{dnsPrefix}.database.windows.net |

-| Azure Static Web Apps (Microsoft.Web/Staticsites) / staticSites | privatelink.1.azurestaticapps.net | 1.azurestaticapps.net |

-description: Learn about how to advertise a default route to Azure VMware Solution with Azure Route Server.

-# Injecting a default route to Azure VMware Solution

-[Azure VMware Solution](../azure-vmware/introduction.md) is an Azure service where native VMware vSphere workloads run and communicate with other Azure services. This communication happens over ExpressRoute, and Azure Route Server can be used to modify the default behavior of Azure VMware Solution networking. For example, a default route can be injected from a Network Virtual Appliance (NVA) in Azure to attract traffic from AVS and inspect it before sending it out to the public Internet, or to analyze traffic between AVS and the on-premises network.

-Additionally, similar designs can be used to interconnect AVS and on-premises networks sending traffic through an NVA, either because traffic inspection isn't required or because ExpressRoute Global Reach isn't available in the relevant regions.

-## Topology

-## Communication between Azure VMware Solution and the on-premises network via NVA

-There are two main scenarios for this pattern:

-1. If you donΓÇÖt already have an Azure Storage account, [create a storage account](../storage/common/storage-account-create.md). The storage account can be in a different resource group or region from your workspace in Microsoft Sentinel.

-1. If you donΓÇÖt already have a storage container, create one by running the following command.

-1. If you donΓÇÖt already have an existing storage container, [create a container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). For the level of public access to the container, we recommend the default which is that the level is set to Private (no anonymous access).

-1. Follow the steps in [Create SAS tokens for blobs in the Azure portal](../cognitive-services/translator/document-translation/create-sas-tokens.md?tabs=blobs#create-sas-tokens-for-blobs-in-the-azure-portal).

-description: Learn how to choose the right appliance for on-premises data transfer to Azure between Data Box Edge, Azure File Sync, and StorSimple 8000 series.

-# Compare StorSimple with Azure File Sync and Data Box Edge data transfer options

-This document provides an overview of options for on-premises data transfer to Azure, comparing: Data Box Edge vs. Azure File Sync vs. StorSimple 8000 series.

-| |StorSimple 8000 |Azure File Sync |Data Box Edge |

-To enable media optimization for Teams, set the following registry key on the host:

->Azure Hybrid Benefit for BYOS VMs is in Public Preview now. You can start using the capability on Azure by following steps provided in the [section below](#get-started).