- <TechnicalProfile Id="X-ID-Oauth2">

- <Protocol Name="OAuth2" />

-6. Update the **TechnicalProfileReferenceId** value to the technical profile ID you created (`X-ID-Oauth2`).

- <ClaimsExchange Id="X-IDExchange" TechnicalProfileReferenceId="X-ID-Oauth2" />

-# Enable Permissions Management in your organization

-This article describes how to enable Permissions Management in your organization. Once you've enabled Permissions Management, you can connect it to your Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) platforms.

-1. In the **Permissions Management Onboarding - GCP OIDC Account Details & IDP Access** page, enter the **OIDC Project ID** and **OIDC Project Number** of the GCP project in which the OIDC provider and pool will be created. You can change the role name to your requirements.

- You can either download and run the script at this point or you can do it in the Google Cloud Shell.

-1. Select **Next**.

-# What's Permissions Management?

-Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

-Here, the configuration parameters reside in *.env* as environment variables:

-1. Create an *.env* file in the root of your project folder. Then add the following code:

-1. Create a new file named *auth.js* under the *routes* folder and add the following code there:

-2. Next, update the *index.js* route by replacing the existing code with the following code snippet:

-> If you're using an Azure AD-registered Windows 10 or later PC, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\john@contoso.com`). At this time, you can use Azure Bastion to log in with Azure AD authentication [via the Azure CLI and the native RDP client mstsc](../../bastion/connect-native-client-windows.md).

-To increase infrastructure resilience, set up monitoring of application sign-in health for your critical applications so that you receive an alert if an impacting incident occurs. To assist you in this effort, you can configure alerts based on the sign-in health workbook.

-This workbook enables administrators to monitor authentication requests for applications in your tenant. It provides these key capabilities:

-* Configure the workbook to monitor all or individual apps with near real-time data.

-* Configure alerts to notify you when authentication patterns change so that you can investigate and take action.

-* Compare trends over a period, for example week over week, which is the workbookΓÇÖs default setting.

-> To see all available workbooks, and the prerequisites for using them, please see [How to use Azure Monitor workbooks for reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md).

-* The number of sign-ins for an application may drop precipitously because users can't sign in.

-* The number of sign-in failures can increase.

-This article walks through setting up the sign-in health workbook to monitor for disruptions to your usersΓÇÖ sign-ins.

-* An Azure AD tenant.

-* A user with global administrator or security administrator role for the Azure AD tenant.

-* A Log Analytics workspace in your Azure subscription to send logs to Azure Monitor logs.

- * Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md)

-* Azure AD logs integrated with Azure Monitor logs

- * Learn how to [Integrate Azure AD Sign- in Logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)

-## Configure the App sign in health workbook

-To access workbooks, open the **Azure portal**, select **Azure Active Directory**, and then select **Workbooks**.

-You'll see workbooks under Usage, Conditional Access, and Troubleshoot. The App sign in health workbook appears in the usage section.

-Once you use a workbook, it may appear in the Recently modified workbooks section.

-

-The App sign in health workbook enables you to visualize what is happening with your sign-ins.

-By default the workbook presents two graphs. These graphs compare what is happening to your app(s) now, versus the same period a week ago. The blue lines are current, and the orange lines are the previous week.

-

-**The first graph is Hourly usage (number of successful users)**. Comparing your current number of successful users to a typical usage period helps you to spot a drop in usage that may require investigation. A drop in successful usage rate can help detect performance and utilization issues that the failure rate can't. For example if users can't reach your application to attempt to sign in, there would be no failures, only a drop in usage. A sample query for this data can be found in the following section.

-**The second graph is hourly failure rate**. A spike in failure rate may indicate an issue with your authentication mechanisms. Failure rate can only be measured if users can attempt to authenticate. If users Can't gain access to make the attempt, failures Won't show.

-You can configure an alert that notifies a specific group when the usage or failure rate exceeds a specified threshold. A sample query for this data can be found in the following section.

-You create alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals.

-Use the following instructions to create email alerts based on the queries reflected in the graphs. Sample scripts below will send an email notification when

-* the successful usage drops by 90% from the same hour two days ago, as in the hourly usage graph in the previous section.

-* the failure rate increases by 90% from the same hour two days ago, as in the hourly failure rate graph in the previous section.

- To configure the underlying query and set alerts, complete the following steps. You'll use the Sample Query as the basis for your configuration. An explanation of the query structure appears at the end of this section.

-For more information on how to create, view, and manage log alerts using Azure Monitor see [Manage log alerts](../../azure-monitor/alerts/alerts-log.md).

-1. In the workbook, select **Edit**, then select the **query icon** just above the right-hand side of the graph.

- [](./media/monitor-sign-in-health-for-resilience/edit-workbook.png)

- The query log opens.

- [](./media/monitor-sign-in-health-for-resilience/query-log.png)

-ΓÇÄ

-2. Copy one of the sample scripts for a new Kusto query.

- * [Kusto query for increase in failure rate](#kusto-query-for-increase-in-failure-rate)

- * [Kusto query for drop in usage](#kusto-query-for-drop-in-usage)

-3. Paste the query in the window and select **Run**. Ensure you see the Completed message shown in the image below, and results below that message.

- [](./media/monitor-sign-in-health-for-resilience/run-query.png)

-4. Highlight the query, and select + **New alert rule**.

-

- [](./media/monitor-sign-in-health-for-resilience/new-alert-rule.png)

-5. Configure alert conditions.

-ΓÇÄIn the Condition section, select the link **Whenever the average custom log search is greater than logic defined count**. In the configure signal logic pane, scroll to Alert logic

- [](./media/monitor-sign-in-health-for-resilience/configure-alerts.png)

- * **Threshold value**: 0. This value will alert on any results.

- * **Evaluation period (in minutes)**: 2880. This value looks at an hour of time

- * **Frequency (in minutes)**: 60. This value sets the evaluation period to once per hour for the previous hour.

- * Select **Done**.

-6. In the **Actions** section, configure these settings:

- [](./media/monitor-sign-in-health-for-resilience/create-alert-rule.png)

- * Under **Actions**, choose **Select action group**, and add the group you want to be notified of alerts.

- * Under **Customize actions** select **Email alerts**.

- * Add a **subject line**.

-7. Under **Alert rule details**, configure these settings:

- * Add a descriptive name and a description.

- * Select the **resource group** to which to add the alert.

- * Select the default **severity** of the alert.

- * Select **Enable alert rule upon creation** if you want it live immediately, else select **Suppress alerts**.

-8. Select **Create alert rule**.

-9. Select **Save**, enter a name for the query, **Save as a Query with a category of Alert**. Then select **Save** again.

- [](./media/monitor-sign-in-health-for-resilience/save-query.png)

-Modify your queries and alerts for maximum effectiveness.

-* Be sure to test your alerts.

-* Modify alert sensitivity and frequency so that you get important notifications. Admins can become desensitized to alerts if they get too many and miss something important.

-* Ensure the email from which alerts come in your administratorΓÇÖs email clients is added to allowed senders list. Otherwise you may miss notifications due to a spam filter on your email client.

-* Alerts query in Azure Monitor can only include results from past 48 hours. [This is a current limitation by design](https://github.com/MicrosoftDocs/azure-docs/issues/22637).

- The ratio at the bottom can be adjusted as necessary and represents the percent change in traffic in the last hour as compared to the same time yesterday. 0.5 means that there is a 50% difference in the traffic.

-| where TimeGenerated between((ago(1h) - totimespan(1d))..(now() - totimespan(1d))) // Query failure rate at the same time yesterday

-| where abs(failureRate - failureRateYesterday) > 0.5

-In the following query, we are comparing traffic in the last hour to the same time yesterday.

-We are excluding Saturday, Sunday, and Monday because itΓÇÖs expected on those days that there would be large variability in the traffic at the same time the previous day.

-The ratio at the bottom can be adjusted as necessary and represents the percent change in traffic in the last hour as compared to the same time yesterday. 0.5 means that there is a 50% difference in the traffic.

-*You should adjust these values to fit your business operation model*.

-```Kusto

- let today = SigninLogs // Query traffic in the last hour

-| where TimeGenerated between((ago(1h) - totimespan(1d))..(now() - totimespan(1d))) // Count distinct users in the same hour yesterday

-| project TimeGenerated, users, usersYesterday, difference = abs(users - usersYesterday), max = max_of(users, usersYesterday)

-Once you have set up the query and alerts, create business processes to manage the alerts.

-* Who will monitor the workbook and when?

-* When an alert is generated, who will investigate?

-* What are the communication needs? Who will create the communications and who will receive them?

-* If an outage occurs, what business processes need to be triggered?

-### Review your Conditional Access policies (Preview)

-Contact WATS support to configure WATS to support provisioning with Azure AD.

-## Step 3. Add WATS from the Azure AD application gallery

-Add WATS from the Azure AD application gallery to start managing provisioning to WATS. If you have previously setup WATS for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

-## Step 4. Define who will be in scope for provisioning

-## Step 5. Configure automatic user provisioning to WATS

-## Step 6. Monitor your deployment

-|`uri`| string (uri) | uri of the logo (optional if image is specified) |

-|`image` | string | the base-64 encoded image (optional if uri is specified) |

-| `claims` | string| Optional. Used for the `ID token hint` flow to include a collection of assertions made about the subject in the verifiable credential. For PIN code flow, it's important that you provide the user's first name and last name. For more information, see [Verifiable credential names](verifiable-credentials-configure-issuer.md#verifiable-credential-names). |

-|`uri`| string (url) | url of the logo (optional if image is specified) |

-|`image` | string | the base-64 encoded image (optional if url is specified) |

-1. For **Key permissions**, verify that the following permissions are selected: **Create**, **Delete**, and **Sign**. By default, **Create** and **Delete** are already enabled. **Sign** should be the only key permission you need to update.

-To confirm which endpoint you should use, we recommend checking your Azure AD tenant's region as described above. If the Azure AD tenant is in the EU, you should use the Europe endpoint.

-We're making protocol updates in Microsoft Authenticator to support Single Long Form DID, thus deprecating the use of pairwise. With this update, your DID in Microsoft Authenticator will be used of every issuer and relaying party exchange. Holders of verifiable credentials using Microsoft Authenticator must get their verifiable credentials reissued as any previous credentials aren't going to continue working.

-If you want the remediator to reimage the node, you can add the `nodeCondition "customerMarkedAsUnhealthy": true`.

-description: Use Azure Event Grid to subscribe to Azure Kubernetes Service events

-In this quickstart, you'll create an AKS cluster and subscribe to AKS events.

-Create an AKS cluster using the [az aks create][az-aks-create] command. The following example creates a resource group *MyResourceGroup* and a cluster named *MyAKS* with one node in the *MyResourceGroup* resource group:

-```azurecli-interactive

-az group create --name MyResourceGroup --location eastus

-az aks create -g MyResourceGroup -n MyAKS --location eastus --node-count 1 --generate-ssh-keys

-```

-Create an AKS cluster using the [New-AzAksCluster][new-azakscluster] command. The following example creates a resource group *MyResourceGroup* and a cluster named *MyAKS* with one node in the *MyResourceGroup* resource group:

-```azurepowershell-interactive

-New-AzResourceGroup -Name MyResourceGroup -Location eastus

-New-AzAksCluster -ResourceGroupName MyResourceGroup -Name MyAKS -Location eastus -NodeCount 1 -GenerateSshKey

-```

-Create a namespace and event hub using [az eventhubs namespace create][az-eventhubs-namespace-create] and [az eventhubs eventhub create][az-eventhubs-eventhub-create]. The following example creates a namespace *MyNamespace* and an event hub *MyEventGridHub* in *MyNamespace*, both in the *MyResourceGroup* resource group.

-```azurecli-interactive

-az eventhubs namespace create --location eastus --name MyNamespace -g MyResourceGroup

-az eventhubs eventhub create --name MyEventGridHub --namespace-name MyNamespace -g MyResourceGroup

-```

-> [!NOTE]

-> The *name* of your namespace must be unique.

-Subscribe to the AKS events using [az eventgrid event-subscription create][az-eventgrid-event-subscription-create]:

-```azurecli-interactive

-SOURCE_RESOURCE_ID=$(az aks show -g MyResourceGroup -n MyAKS --query id --output tsv)

-ENDPOINT=$(az eventhubs eventhub show -g MyResourceGroup -n MyEventGridHub --namespace-name MyNamespace --query id --output tsv)

-az eventgrid event-subscription create --name MyEventGridSubscription \

-```

-Verify your subscription to AKS events using `az eventgrid event-subscription list`:

-```azurecli-interactive

-az eventgrid event-subscription list --source-resource-id $SOURCE_RESOURCE_ID

-```

-The following example output shows you're subscribed to events from the *MyAKS* cluster and those events are delivered to the *MyEventGridHub* event hub:

-```output

-[

- {

- "deadLetterDestination": null,

- "deadLetterWithResourceIdentity": null,

- "deliveryWithResourceIdentity": null,

- "destination": {

- "deliveryAttributeMappings": null,

- "endpointType": "EventHub",

- "resourceId": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.EventHub/namespaces/MyNamespace/eventhubs/MyEventGridHub"

- },

- "eventDeliverySchema": "EventGridSchema",

- "expirationTimeUtc": null,

- "filter": {

- "advancedFilters": null,

- "enableAdvancedFilteringOnArrays": null,

- "includedEventTypes": [

- "Microsoft.ContainerService.NewKubernetesVersionAvailable"

- ],

- "isSubjectCaseSensitive": null,

- "subjectBeginsWith": "",

- "subjectEndsWith": ""

- },

- "id": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerService/managedClusters/MyAKS/providers/Microsoft.EventGrid/eventSubscriptions/MyEventGridSubscription",

- "labels": null,

- "name": "MyEventGridSubscription",

- "provisioningState": "Succeeded",

- "resourceGroup": "MyResourceGroup",

- "retryPolicy": {

- "eventTimeToLiveInMinutes": 1440,

- "maxDeliveryAttempts": 30

- },

- "systemData": null,

- "topic": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/microsoft.containerservice/managedclusters/MyAKS",

- "type": "Microsoft.EventGrid/eventSubscriptions"

- }

-]

-```

-Create a namespace and event hub using [New-AzEventHubNamespace][new-azeventhubnamespace] and [New-AzEventHub][new-azeventhub]. The following example creates a namespace *MyNamespace* and an event hub *MyEventGridHub* in *MyNamespace*, both in the *MyResourceGroup* resource group.

-```azurepowershell-interactive

-New-AzEventHubNamespace -Location eastus -Name MyNamespace -ResourceGroupName MyResourceGroup

-New-AzEventHub -Name MyEventGridHub -Namespace MyNamespace -ResourceGroupName MyResourceGroup

-```

-> [!NOTE]

-> The *name* of your namespace must be unique.

-Subscribe to the AKS events using [New-AzEventGridSubscription][new-azeventgridsubscription]:

-```azurepowershell-interactive

-$SOURCE_RESOURCE_ID = (Get-AzAksCluster -ResourceGroupName MyResourceGroup -Name MyAKS).Id

-$ENDPOINT = (Get-AzEventHub -ResourceGroupName MyResourceGroup -EventHubName MyEventGridHub -Namespace MyNamespace).Id

-$params = @{

- EventSubscriptionName = 'MyEventGridSubscription'

- ResourceId = $SOURCE_RESOURCE_ID

- EndpointType = 'eventhub'

- Endpoint = $ENDPOINT

-}

-New-AzEventGridSubscription @params

-```

-Verify your subscription to AKS events using `Get-AzEventGridSubscription`:

-```azurepowershell-interactive

-Get-AzEventGridSubscription -ResourceId $SOURCE_RESOURCE_ID | Select-Object -ExpandProperty PSEventSubscriptionsList

-```

-The following example output shows you're subscribed to events from the *MyAKS* cluster and those events are delivered to the *MyEventGridHub* event hub:

-```Output

-EventSubscriptionName : MyEventGridSubscription

-Id : /subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerService/managedClusters/MyAKS/providers/Microsoft.EventGrid/eventSubscriptions/MyEventGridSubscription

-Type : Microsoft.EventGrid/eventSubscriptions

-Topic : /subscriptions/SUBSCRIPTION_ID/resourceGroups/myresourcegroup/providers/microsoft.containerservice/managedclusters/myaks

-Filter : Microsoft.Azure.Management.EventGrid.Models.EventSubscriptionFilter

-Destination : Microsoft.Azure.Management.EventGrid.Models.EventHubEventSubscriptionDestination

-ProvisioningState : Succeeded

-Labels :

-EventTtl : 1440

-MaxDeliveryAttempt : 30

-EventDeliverySchema : EventGridSchema

-ExpirationDate :

-DeadLetterEndpoint :

-Endpoint : /subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.EventHub/namespaces/MyNamespace/eventhubs/MyEventGridHub

-```

-When AKS events occur, you'll see those events appear in your event hub. For example, when the list of available Kubernetes versions for your clusters changes, you'll see a `Microsoft.ContainerService.NewKubernetesVersionAvailable` event. For more information on the events AKS emits, see [Azure Kubernetes Service (AKS) as an Event Grid source][aks-events].

-Use the [az group delete][az-group-delete] command to remove the resource group, the AKS cluster, namespace, and event hub, and all related resources.

-```azurecli-interactive

-az group delete --name MyResourceGroup --yes --no-wait

-```

-Use the [Remove-AzResourceGroup][remove-azresourcegroup] cmdlet to remove the resource group, the AKS cluster, namespace, and event hub, and all related resources.

-```azurepowershell-interactive

-Remove-AzResourceGroup -Name MyResourceGroup

-```

-> [!NOTE]

-> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete].

->

-> If you used a managed identity, the identity is managed by the platform and does not require removal.

-To learn more about AKS, and walk through a complete code to deployment example, continue to the Kubernetes cluster tutorial.

-| 1.27 Preview | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.10.0<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload Identity V1.1.1<br>ASC Defender 1.0.56<br>AAD Pod Identity 1.8.13.6<br>Gitops 1.7.0<br>KMS 0.5.0|Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V1 <br>ContainerD 1.7<br>|Keda 2.10.0 |None

-| .NET | [microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | ghcr.io/azure/azure-workload-identity/msal-net | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes |

-| Go | [microsoft-authentication-library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | ghcr.io/azure/azure-workload-identity/msal-go | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes |

-| Java | [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | ghcr.io/azure/azure-workload-identity/msal-java | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No |

-| JavaScript | [microsoft-authentication-library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | ghcr.io/azure/azure-workload-identity/msal-node | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No |

-| Python | [microsoft-authentication-library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | ghcr.io/azure/azure-workload-identity/msal-python | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No |

-The `apiVerionSets` folder contains a folder for each API version set created for an API, and contains the following items.

-> * If TLS renegotiation is disabled in your client, you may see TLS errors when requesting the certificate using the `context.Request.Certificate` property. If this occurs, enable TLS renegotation settings in the client.

-|WebAuthenticationInvalidEmailFormated|Email is invalid: {0}|

- --resource-group <rg-name> --name <extension-name> --extension-type Microsoft.ApiManagement.Gateway \

- --scope namespace --target-namespace <namespace> \

- --configuration-settings gateway.endpoint='<Configuration URL>' \

- --configuration-protected-settings gateway.authKey='<token>' \

- --configuration-settings service.type='LoadBalancer' --release-train preview

- > `-protected-` flag for `authKey` is optional, but recommended.

-1. In the left menu, select **Extensions (preview)** > **+ Add** > **API Management gateway (preview)**.

-| `gateway.endpoint` | The gateway endpoint's Configuration URL. |

-| `gateway.authKey` | Token for access to the gateway. |

-> API Management supports automated import of a Logic App (Consumption) resource. which runs in the multi-tenant Logic Apps environment. Learn more about [single-tenant versus muti-tenant Logic Apps](../logic-apps/single-tenant-overview-compare.md).

- namespace-prefix="namepsace prefix"

- :::image type="content" source="./media/import-api-from-oas/oas-api.png" alt-text="OpenAPI specifiction":::

-This article explains how the self-hosted gateway feature of Azure API Management enables hybrid and multi-cloud API management, presents its high-level architecture, and highlights its capabilities.

-## Hybrid and multi-cloud API management

-The self-hosted gateway feature expands API Management support for hybrid and multi-cloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.

-¹Preview versions are not officially supported and are for experimental purposes only.<br/>

-| Public IP address of the API Management instance | ✔️ | ✔️ | IP addresses of primary location is sufficient. |

-|-|-|-|

-> For web workloads, we highly recommend utilizing [**Azure DDoS protection**](../ddos-protection/ddos-protection-overview.md) and a [**web application firewall**](../web-application-firewall/overview.md) to safeguard against emerging DDoS attacks. Another option is to employ [**Azure Front Door**](../frontdoor/web-application-firewall.md) along with a web application firewall. Azure Front Door offers platform-level [**protection against network-level DDoS attacks**](../frontdoor/front-door-ddos.md).

-For more information, see [What is Azure Web Application Firewall?](../web-application-firewall/overview.md).

- ports:

- version: "3.9"

-

- azure-cognitive-service-receipt:

- container_name: azure-cognitive-service-id-document

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/id-document-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

- - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000

- ports:

- - "5000:5050"

- azure-cognitive-service-read:

- container_name: azure-cognitive-service-read

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/read-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

-ΓÇô az connectedmachine extension create --name ChangeTracking-Linux --publisher Microsoft.Azure.ChangeTrackingAndInventory --type ChangeTracking-Windows --machine-name <arc-server-name> --resource-group <resource-group-name> --location <arc-server-location> --enable-auto-upgrade true

-> API Management self-hosted gateway on Azure Arc is currently in public preview. During preview, the API Management gateway extension is available in the following regions: West Europe, East US.

-You can connect to your cache using the same [endpoints](cache-configure.md#properties), [ports](cache-configure.md#properties), and [keys](cache-configure.md#access-keys) that you use when connecting to a cache that doesn't have clustering enabled. Redis manages the clustering on the backend so you don't have to manage it from your client.

-Starting on April 30, 2023, Cloud Service caches receive only critical security updates and critical bug fixes. Cloud Service caches won't support any new features released after April 30, 2023. We highly recommend migrating your caches to Azure Virtual Machine Scale Set.

-The following example shows a C# function that binds to a `CloudEvent` using version 3.x of the extension, which is in preview:

-The following example shows a C# function that binds to an `EventGridEvent` using version 3.x of the extension, which is in preview:

-The following example shows a C# function that writes an [Microsoft.Azure.EventGrid.Models.EventGridEvent][EventGridEvent] message to an Event Grid custom topic, using the method return value as the output:

-The following example shows how to use the `IAsyncCollector` interface to send a batch of messages.

-You can also use a POJO class to send EventGrid messages.

-+ [Azure.Messaging.EventGrid][EventGridEvent2]

-[EventGridEvent]: /dotnet/api/microsoft.azure.eventgrid.models.eventgridevent

-description: Guidance for troubleshooting rsyslog issues on Linux virtual machines, scale sets with Azure Monitor agent and Data Collection Rules.

-# Syslog troubleshooting guide for Azure Monitor Linux Agent

-Overview of Azure Monitor Linux Agent syslog collection and supported RFC standards:

- > AMA uses local persistency by default, all events received from `rsyslog` / `syslog-ng` are queued in `/var/opt/microsoft/azuremonitoragent/events` if they fail to be uploaded.

-

-### Rsyslog data not uploaded due to full disk space issue on Azure Monitor Linux Agent

-**Syslog data is not uploading**: When inspecting the error logs at `/var/opt/microsoft/azuremonitoragent/log/mdsd.err`, you'll see entries about *Error while inserting item to Local persistent store…No space left on device* similar to the following snippet:

-Linux AMA buffers events to `/var/opt/microsoft/azuremonitoragent/events` prior to ingestion. On a default Linux AMA install, this directory will take ~650MB of disk space at idle. The size on disk will increase when under sustained logging load. It will get cleaned up about every 60 seconds and will reduce back to ~650 MB when the load returns to idle.

-#### Confirming the issue of full disk

-The `df` command shows almost no space available on `/dev/sda1`, as shown below:

-The `du` command can be used to inspect the disk to determine which files are causing the disk to be full. For example:

-In some cases, `du` may not report any significantly large files/directories. It may be possible that a [file marked as (deleted) is taking up the space](https://unix.stackexchange.com/questions/182077/best-way-to-free-disk-space-from-deleted-files-that-are-held-open). This issue can happen when some other process has attempted to delete a file, but there remains a process with the file still open. The `lsof` command can be used to check for such files. In the example below, we see that `/var/log/syslog` is marked as deleted, but is taking up 3.6 GB of disk space. It hasn't been deleted because a process with PID 1484 still has the file open.

-On some popular distros (for example Ubuntu 18.04 LTS), rsyslog ships with a default configuration file (`/etc/rsyslog.d/50-default.conf`) which logs events from nearly all facilities to disk at `/var/log/syslog`. Note that for RedHat/CentOS family syslog events will be stored under `/var/log/` but in a different file: `/var/log/messages`.

-AMA doesn't rely on syslog events being logged to `/var/log/`. Instead, it configures rsyslog service to forward events over a socket directly to the azuremonitoragent service process (mdsd).

-If you're sending a high log volume through rsyslog and your system is setup to log events for these facilities, consider modifying the default rsyslog config to avoid logging and storing them under `/var/log/`. The events for this facility would still be forwarded to AMA because rsyslog is using a different configuration for forwarding placed in `/etc/rsyslog.d/10-azuremonitoragent.conf`.

-1. For example, to remove local4 events from being logged at `/var/log/syslog` or `/var/log/messages`, change this line in `/etc/rsyslog.d/50-default.conf` from this:

- To this (add local4.none;):

-2. `sudo systemctl restart rsyslog`

-### Azure Monitor Linux Agent Event Buffer is Filling Disk

-If you observe the `/var/opt/microsoft/azuremonitor/events` directory growing unbounded (10 GB or higher) and not reducing in size, [file a ticket](#file-a-ticket) with **Summary** as 'AMA Event Buffer is filling disk' and **Problem type** as 'I need help configuring data collection from a VM'.

-description: Configure collection of syslog logs using a data collection rule on virtual machines with the Azure Monitor Agent.

-# Collect syslog with Azure Monitor Agent overview

-Syslog is an event logging protocol that's common to Linux. You can use the Syslog daemon built into Linux devices and appliances to collect local events of the types you specify, and have it send those events to Log Analytics Workspace. Applications send messages that might be stored on the local machine or delivered to a Syslog collector. When the Azure Monitor agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent when syslog collection is enabled in [data collection rule (DCR)](../essentials/data-collection-rule-overview.md). The Azure Monitor Agent then sends the messages to Azure Monitor/Log Analytics workspace where a corresponding syslog record is created in [Syslog table](https://learn.microsoft.com/azure/azure-monitor/reference/tables/syslog).

-For some device types that don't allow local installation of the Azure Monitor agent, the agent can be installed instead on a dedicated Linux-based log forwarder. The originating device must be configured to send Syslog events to the Syslog daemon on this forwarder instead of the local daemon. Please see [Sentinel tutorial](../../sentinel/forward-syslog-monitor-agent.md) for more information.

-The Azure Monitor agent for Linux will only collect events with the facilities and severities that are specified in its configuration. You can configure Syslog through the Azure portal or by managing configuration files on your Linux agents.

-Configure Syslog from the Data Collection Rules menu of the Azure Monitor. This configuration is delivered to the configuration file on each Linux agent.

-* Select Add data source.

-* For Data source type, select Linux syslog

-You can collect syslog events with different log level for each facility. By default, all syslog facility types will be collected. If you do not want to collect for example events of `auth` type, select `none` in the `Minimum log level` list box for `auth` facility and save the changes. If you need to change default log level for syslog events and collect only events with log level starting ΓÇ£NOTICEΓÇ¥ or higher priority, select ΓÇ£LOG_NOTICEΓÇ¥ in ΓÇ£Minimum log levelΓÇ¥ list box.

-Create a *data collection rule* in the same region as your Log Analytics workspace.

-A data collection rule is an Azure resource that allows you to define the way data should be handled as it's ingested into the workspace.

- :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-data-collection-rule.png" alt-text="Screenshot of the data collections rules pane with the create option selected.":::

-1. Use the filters to find the virtual machine that you'll use to collect logs.

- :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-rule-scope.png" alt-text="Screenshot of the page to select the scope for the data collection rule. ":::

-#### Add data source

- :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-rule-data-source.png" alt-text="Screenshot of page to select data source type and minimum log level.":::

-#### Add destination

- :::image type="content" source="../../sentinel/media/forward-syslog-monitor-agent/create-rule-add-destination.png" alt-text="Screenshot of the destination tab with the add destination option selected.":::

-### Create rule

-1. Wait 20 minutes before moving on to the next section.

-If your VM doesn't have the Azure Monitor agent installed, the data collection rule deployment triggers the installation of the agent on the VM.

-## Configure Syslog on Linux Agent

-When the Azure Monitoring Agent is installed on Linux machine it installs a default Syslog configuration file that defines the facility and severity of the messages that are collected if syslog is enabled in DCR. The configuration file is different depending on the Syslog daemon that the client has installed.

-On many Linux distributions, the rsyslogd daemon is responsible for consuming, storing, and routing log messages sent using the Linux syslog API. Azure Monitor agent uses the unix domain socket output module (omuxsock) in rsyslog to forward log messages to the Azure Monitor Agent. The AMA installation includes default config files that get placed under the following directory:

-`/etc/opt/microsoft/azuremonitoragent/syslog/rsyslogconf/05-azuremonitoragent-loadomuxsock.conf`

-`/etc/opt/microsoft/azuremonitoragent/syslog/rsyslogconf/05-azuremonitoragent-loadomuxsock.conf`

-When syslog is added to data collection rule, these configuration files will be installed under `etc/rsyslog.d` system directory and rsyslog will be automatically restarted for the changes to take effect. These files are used by rsyslog to load the output module and forward the events to Azure Monitoring agent daemon using defined rules. The builtin omuxsock module cannot be loaded more than once. Therefore, the configurations for loading of the module and forwarding of the events with corresponding forwarding format template are split in two different files. Its default contents are shown in the following example. This example collects Syslog messages sent from the local agent for all facilities with all log levels.

-Note that on some legacy systems such as CentOS 7.3 we have seen rsyslog log formatting issues when using traditional forwarding format to send syslog events to Azure Monitor Agent and for these systems, Azure Monitor Agent is automatically placing legacy forwarder template instead:

-### Syslog-ng

-The configuration file for syslog-ng is installed at `/etc/opt/microsoft/azuremonitoragent/syslog/syslog-ngconf/azuremonitoragent.conf`. When Syslog collection is added to data collection rule, this configuration file will be placed under `/etc/syslog-ng/conf.d/azuremonitoragent.conf` system directory and syslog-ng will be automatically restarted for the changes to take effect. Its default contents are shown in this example. This example collects Syslog messages sent from the local agent for all facilities and all severities.

-Note* Azure Monitor supports collection of messages sent by rsyslog or syslog-ng, where rsyslog is the default daemon. The default Syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) isn't supported for Syslog event collection. To collect Syslog data from this version of these distributions, the rsyslog daemon should be installed and configured to replace sysklog.

-Note*

-If you edit the Syslog configuration, you must restart the Syslog daemon for the changes to take effect.

-You will need:

-Learn more about:

-> If Log Analytics data stops coming in from a specific agent or management server, reset the Winsock Catalog by using `netsh winsock reset`. Then reboot the server. Resetting the Winsock Catalog allows network connections that were broken to be reestablished.

-To add functionality and gather data, see [Add Azure Monitor solutions from the Solutions Gallery](/previous-versions/azure/azure-monitor/insights/solutions).

-* **JavaScript**: Exceptions are caught automatically. If you want to disable automatic collection, add a line to the SDK Loader Script that you insert in your webpages:

-#### [SDK Loader Script](#tab/sdkloaderscript)

-Insert a telemetry initializer by adding the onInit callback function in the [SDK Loader Script configuration](./javascript-sdk.md?tabs=sdkloaderscript#sdk-loader-script-configuration):

-!function(v,y,T){<!-- Removed the SDK Loader Script code for brevity -->}(window,document,{

-The preceding steps are enough to help you start collecting server-side telemetry. If your application has client-side components, follow the next steps to start collecting [usage telemetry](./usage-overview.md) SDK Loader Script injection by configuration.

-The `.cshtml` file names referenced earlier are from a default MVC application template. Ultimately, if you want to properly enable client-side monitoring for your application, the JavaScript SDK Loader Script must appear in the `<head>` section of each page of your application that you want to monitor. Add the JavaScript SDK Loader Script to `_Layout.cshtml` in an application template to enable client-side monitoring.

-If your project doesn't include `_Layout.cshtml`, you can still add [client-side monitoring](./website-monitoring.md) by adding the JavaScript SDK Loader Script to an equivalent file that controls the `<head>` of all pages within your app. Alternatively, you can add the SDK Loader Script to multiple pages, but we don't recommend it.

-The previous sections provided guidance on methods to automatically and manually configure server-side monitoring. To add client-side monitoring, use the [client-side JavaScript SDK](javascript.md). You can monitor any web page's client-side transactions by adding a [JavaScript SDK Loader Script](./javascript-sdk.md?tabs=sdkloaderscript#get-started) before the closing `</head>` tag of the page's HTML.

-Although it's possible to manually add the SDK Loader Script to the header of each HTML page, we recommend that you instead add the SDK Loader Script to a primary page. That action injects the SDK Loader Script into all pages of a site.

-For the template-based ASP.NET MVC app from this article, the file that you need to edit is *_Layout.cshtml*. You can find it under **Views** > **Shared**. To add client-side monitoring, open *_Layout.cshtml* and follow the [SDK Loader Script-based setup instructions](./javascript-sdk.md?tabs=sdkloaderscript#get-started) from the article about client-side JavaScript SDK configuration.

-## SDK Loader Script injection by configuration

-If youΓÇÖre using the following supported SDKs, you can configure the SDK Loader Script to inject from the server-side SDK onto each page.

-# Feature extensions for the Application Insights JavaScript SDK (Click Analytics)

-## Get started

-Users can set up the Click Analytics Auto-Collection plug-in via SDK Loader Script or npm and then optionally add a framework extension.

-### [SDK Loader Script setup](#tab/sdkloaderscript)

- // Application Insights SDK Loader Script code

- !function(v,y,T){<!-- Removed the SDK Loader Script code for brevity -->}(window,document,{

-> To add or update SDK Loader Script configuration, see [SDK Loader Script configuration](./javascript-sdk.md?tabs=sdkloaderscript#sdk-loader-script-configuration).

-### [npm setup](#tab/npmsetup)

-## Add a framework extension

-### [React](#tab/react)

-> To add React configuration, see [React configuration](./javascript-framework-extensions.md?tabs=react#configuration). For more information on the React plug-in, see [React plug-in](./javascript-framework-extensions.md?tabs=react#react-application-insights-javascript-sdk-plug-in).

-### [React Native](#tab/reactnative)

-> To add React Native configuration, see [Enable Correlation for React Native](./javascript-framework-extensions.md?tabs=reactnative#enable-correlation). For more information on the React Native plug-in, see [React Native plug-in](./javascript-framework-extensions.md?tabs=reactnative#react-native-plugin-for-application-insights-javascript-sdk).

-### [Angular](#tab/angular)

-> To add Angular configuration, see [Enable Correlation for Angular](./javascript-framework-extensions.md?tabs=angular#enable-correlation). For more information on the Angular plug-in, see [Angular plug-in](./javascript-framework-extensions.md?tabs=angular#angular-plugin-for-application-insights-javascript-sdk).

-## Set the authenticated user context

-If you need to set this optional setting, see [Set the authenticated user context](https://github.com/microsoft/ApplicationInsights-JS/blob/master/API-reference.md#setauthenticatedusercontext). This setting isn't required to use Click Analytics.

-## What data does the plug-in collect?

-The following key properties are captured by default when the plug-in is enabled.

-### Custom event properties

-| Name | Description | Sample |

-| | |--|

-| Name | The name of the custom event. For more information on how a name gets populated, see [Name column](#name).| About |

-| itemType | Type of event. | customEvent |

-|sdkVersion | Version of Application Insights SDK along with click plug-in.|JavaScript:2_ClickPlugin2|

-### Custom dimensions

-| Name | Description | Sample |

-| | |--|

-| actionType | Action type that caused the click event. It can be a left or right click. | CL |

-| baseTypeSource | Base Type source of the custom event. | ClickEvent |

-| clickCoordinates | Coordinates where the click event is triggered. | 659X47 |

-| content | Placeholder to store extra `data-*` attributes and values. | [{sample1:value1, sample2:value2}] |

-| pageName | Title of the page where the click event is triggered. | Sample Title |

-| parentId | ID or name of the parent element. For more information on how a parentId is populated, see [parentId key](#parentid-key). | navbarContainer |

-### Custom measurements

-| Name | Description | Sample |

-| | |--|

-| timeToAction | Time taken in milliseconds for the user to click the element since the initial page load. | 87407 |

-## Advanced configuration

-[Simple web app with the Click Analytics Autocollection Plug-in enabled](https://go.microsoft.com/fwlink/?linkid=2152871)

-# Framework extensions for Application Insights JavaScript SDK

-## [React](#tab/react)

-### React Application Insights JavaScript SDK plug-in

-### Get started

-Install the npm package:

-### Basic usage

-Initialize a connection to Application Insights:

-### Enable correlation

-Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

-In JavaScript, correlation is turned off by default to minimize the telemetry we send by default. To enable correlation, see the [JavaScript client-side correlation documentation](./javascript.md#enable-distributed-tracing).

-#### Route tracking

-The React plug-in automatically tracks route changes and collects other React-specific telemetry.

-> [!NOTE]

-> `enableAutoRouteTracking` should be set to `false`. If it's set to `true`, then when the route changes, duplicate `PageViews` can be sent.

-For `react-router v6` or other scenarios where router history isn't exposed, you can add `enableAutoRouteTracking: true` to your [setup configuration](#basic-usage).

-#### PageView

-If a custom `PageView` duration isn't provided, `PageView` duration defaults to a value of `0`.

-### Sample app

-Check out the [Application Insights React demo](https://github.com/microsoft/applicationinsights-react-js/tree/main/sample/applicationinsights-react-sample).

-> [!TIP]

-> If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process.

-## [React Native](#tab/reactnative)

-### React Native plugin for Application Insights JavaScript SDK

-The React Native plugin for Application Insights JavaScript SDK collects device information. By default, this plugin automatically collects:

-### Requirements

-You must be using a version >= 2.0.0 of `@microsoft/applicationinsights-web`. This plugin only works in react-native apps. It doesn't work with [apps using the Expo framework](https://docs.expo.io/) or Create React Native App, which is based on the Expo framework.

-### Getting started

-By default, this plugin relies on the [`react-native-device-info` package](https://www.npmjs.com/package/react-native-device-info). You must install and link to this package. Keep the `react-native-device-info` package up to date to collect the latest device names using your app.

-Since v3, support for accessing the DeviceInfo has been abstracted into an interface `IDeviceInfoModule` to enable you to use / set your own device info module. This interface uses the same function names and result `react-native-device-info`.

-```zsh

-npm install --save @microsoft/applicationinsights-react-native @microsoft/applicationinsights-web

-npm install --save react-native-device-info

-react-native link react-native-device-info

-```

-### Initializing the plugin

-To use this plugin, you need to construct the plugin and add it as an `extension` to your existing Application Insights instance.

-> [!TIP]

-> If you want to add the [Click Analytics plug-in](./javascript-feature-extensions.md), uncomment the lines for Click Analytics and delete `extensions: [RNPlugin]`.

-```typescript

-import { ApplicationInsights } from '@microsoft/applicationinsights-web';

-import { ReactNativePlugin } from '@microsoft/applicationinsights-react-native';

-var RNPlugin = new ReactNativePlugin();

-// Add the Click Analytics plug-in.

-/* var clickPluginInstance = new ClickAnalyticsPlugin();

-var clickPluginConfig = {

- autoCapture: true

-}; */

-var appInsights = new ApplicationInsights({

- config: {

- connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE',

- // If you're adding the Click Analytics plug-in, delete the next line.

- extensions: [RNPlugin]

- // Add the Click Analytics plug-in.

- /* extensions: [RNPlugin, clickPluginInstance],

- extensionConfig: {

- [clickPluginInstance.identifier]: clickPluginConfig

- } */

- }

-});

-appInsights.loadAppInsights();

-```

-#### Disabling automatic device info collection

-```typescript

-import { ApplicationInsights } from '@microsoft/applicationinsights-web';

-var RNPlugin = new ReactNativePlugin();

-var appInsights = new ApplicationInsights({

- config: {

- instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE',

- disableDeviceCollection: true,

- extensions: [RNPlugin]

- }

-});

-appInsights.loadAppInsights();

-```

-#### Using your own device info collection class

-```typescript

-import { ApplicationInsights } from '@microsoft/applicationinsights-web';

-// Simple inline constant implementation

-const myDeviceInfoModule = {

- getModel: () => "deviceModel",

- getDeviceType: () => "deviceType",

- // v5 returns a string while latest returns a promise

- getUniqueId: () => "deviceId", // This "may" also return a Promise<string>

-};

-var RNPlugin = new ReactNativePlugin();

-RNPlugin.setDeviceInfoModule(myDeviceInfoModule);

-var appInsights = new ApplicationInsights({

- config: {

- instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE',

- extensions: [RNPlugin]

- }

-});

-appInsights.loadAppInsights();

-```

-### Enable Correlation

-Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

-JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation, reference [JavaScript client-side correlation documentation](./javascript.md#enable-distributed-tracing).

-#### PageView

-If a custom `PageView` duration isn't provided, `PageView` duration defaults to a value of 0.

-> [!TIP]

-> If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process.

-

-## [Angular](#tab/angular)

-## Angular plugin for Application Insights JavaScript SDK

-The Angular plugin for the Application Insights JavaScript SDK, enables:

-> [!WARNING]

-> Angular plugin is NOT ECMAScript 3 (ES3) compatible.

-> [!IMPORTANT]

-> When we add support for a new Angular version, our NPM package becomes incompatible with down-level Angular versions. Continue to use older NPM packages until you're ready to upgrade your Angular version.

-### Getting started

-Install npm package:

-```bash

-npm install @microsoft/applicationinsights-angularplugin-js

-```

-### Basic usage

-Set up an instance of Application Insights in the entry component in your app:

-> [!IMPORTANT]

-> When using the ErrorService, there is an implicit dependency on the `@microsoft/applicationinsights-analytics-js` extension. you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension. Otherwise, unhandled errors caught by the error service will not be sent.

-> [!TIP]

-> If you want to add the [Click Analytics plug-in](./javascript-feature-extensions.md), uncomment the lines for Click Analytics and delete `extensions: [angularPlugin],`.

-```js

-import { Component } from '@angular/core';

-import { ApplicationInsights } from '@microsoft/applicationinsights-web';

-import { AngularPlugin } from '@microsoft/applicationinsights-angularplugin-js';

-import { Router } from '@angular/router';

-@Component({

- selector: 'app-root',

- templateUrl: './app.component.html',

- styleUrls: ['./app.component.css']

-})

-export class AppComponent {

- constructor(

- private router: Router

- ){

- var angularPlugin = new AngularPlugin();

- // Add the Click Analytics plug-in.

- /* var clickPluginInstance = new ClickAnalyticsPlugin();

- var clickPluginConfig = {

- autoCapture: true

- }; */

- const appInsights = new ApplicationInsights({

- config: {

- connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE',

- // If you're adding the Click Analytics plug-in, delete the next line.

- extensions: [angularPlugin],

- // Add the Click Analytics plug-in.

- // extensions: [angularPlugin, clickPluginInstance],

- extensionConfig: {

- [angularPlugin.identifier]: { router: this.router }

- // Add the Click Analytics plug-in.

- // [clickPluginInstance.identifier]: clickPluginConfig

- }

- }

- });

- appInsights.loadAppInsights();

- }

-}

-```

-To track uncaught exceptions, set up ApplicationinsightsAngularpluginErrorService in `app.module.ts`:

-> [!IMPORTANT]

-> When using the ErrorService, there is an implicit dependency on the `@microsoft/applicationinsights-analytics-js` extension. you MUST include either the `'@microsoft/applicationinsights-web'` or include the `@microsoft/applicationinsights-analytics-js` extension. Otherwise, unhandled errors caught by the error service will not be sent.

-```js

-import { ApplicationinsightsAngularpluginErrorService } from '@microsoft/applicationinsights-angularplugin-js';

-@NgModule({

- ...

- providers: [

- {

- provide: ErrorHandler,

- useClass: ApplicationinsightsAngularpluginErrorService

- }

- ]

- ...

-})

-export class AppModule { }

-```

-To chain more custom error handlers, create custom error handlers that implement IErrorService:

-```javascript

-import { IErrorService } from '@microsoft/applicationinsights-angularplugin-js';

-export class CustomErrorHandler implements IErrorService {

- handleError(error: any) {

- ...

- }

-}

-```

-And pass errorServices array through extensionConfig:

-```javascript

-extensionConfig: {

- [angularPlugin.identifier]: {

- router: this.router,

- error

- }

- }

-```

-### Enable Correlation

-Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

-JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation, reference [JavaScript client-side correlation documentation](./javascript.md#enable-distributed-tracing).

-#### Route tracking

-The Angular Plugin automatically tracks route changes and collects other Angular specific telemetry.

-> [!NOTE]

-> `enableAutoRouteTracking` should be set to `false` if it set to true then when the route changes duplicate PageViews may be sent.

-#### PageView

-If a custom `PageView` duration isn't provided, `PageView` duration defaults to a value of 0.

-> [!TIP]

-> If you're adding the Click Analytics plug-in, see [Use the Click Analytics plug-in](./javascript-feature-extensions.md#use-the-plug-in) to continue with the setup process.

-> Good news! We're making it even easier to enable JavaScript. Check out where [SDK Loader Script injection by configuration is available](./codeless-overview.md#sdk-loader-script-injection-by-configuration)!

-> If you have a React, React Native, or Angular application, you can [optionally add these plug-ins after you follow the steps to get started](#5-optional-advanced-sdk-configuration).

-| SDK Loader Script | For most customers, we recommend the SDK Loader Script because you never have to update the SDK and you get the latest updates automatically. Also, you have control over which pages you add the Application Insights JavaScript SDK to. |

-#### [SDK Loader Script](#tab/sdkloaderscript)

-1. Paste the SDK Loader Script at the top of each page for which you want to enable Application Insights.

-1. (Optional) Add or update optional [SDK Loader Script configuration](#sdk-loader-script-configuration), depending on if you need to optimize the loading of your web page or resolve loading errors.

- :::image type="content" source="media/javascript-sdk/sdk-loader-script-configuration.png" alt-text="Screenshot of the SDK Loader Script. The parameters for configuring the SDK Loader Script are highlighted." lightbox="media/javascript-sdk/sdk-loader-script-configuration.png":::

-#### SDK Loader Script configuration

- | name | string | Optional | The global name for the initialized SDK. Use this setting if you need to initialize two different SDKs at the same time.<br><br>The default value is appInsights, so ```window.appInsights``` is a reference to the initialized instance.<br><br> Note: If you assign a name value or if a previous instance has been assigned to the global name appInsightsSDK, the SDK initialization code requires it to be in the global namespace as `window.appInsightsSDK=<name value>` to ensure the correct SDK Loader Script skeleton, and proxy methods are initialized and updated.

- | ld | number in ms | Optional | Defines the load delay to wait before attempting to load the SDK. Use this setting when the HTML page is failing to load because the SDK Loader Script is loading at the wrong time.<br><br>The default value is 0ms after timeout. If you use a negative value, the script tag is immediately added to the <head> region of the page and blocks the page load event until the script is loaded or fails.

- | useXhr | boolean | Optional | This setting is used only for reporting SDK load failures. For example, this setting is useful when the SDK Loader Script is preventing the HTML page from loading, causing fetch() to be unavailable.<br><br>Reporting first attempts to use fetch() if available and then fallback to XHR. Set this setting to `true` to bypass the fetch check. This setting is only required if your application is being used in an environment where fetch would fail to send the failure events such as if the SDK Loader Script isn't loading successfully.

- | onInit | function(aiSdk) { ... } | Optional | This callback function is called after the main SDK script has been successfully loaded and initialized from the CDN (based on the src value). This callback function is useful when you need to insert a telemetry initializer. It's passed one argument, which is a reference to the SDK instance that's being called for and is also called before the first initial page view. If the SDK has already been loaded and initialized, this callback is still called. NOTE: During the processing of the sdk.queue array, this callback is called. You CANNOT add any more items to the queue because they're ignored and dropped. (Added as part of SDK Loader Script version 5--the sv:"5" value within the script). |

-The optional [SDK configuration](./javascript-sdk-advanced.md#sdk-configuration) is passed to the Application Insights JavaScript SDK during initialization.

-### 4. Confirm data is flowing

-1. From the **Event types** dropdown menu, select **Page View**.

-### 5. (Optional) Advanced SDK configuration

-If you want to use the extra features provided by plugins for specific frameworks, see:

-> [!TIP]

-> We collect page views by default. But if you want to also collect clicks by default, consider adding the [Click Analytics plug-in](javascript-feature-extensions.md).

-* [Track usage](usage-overview.md)

-* [Custom events and metrics](api-custom-events-metrics.md)

-* [JavaScript telemetry initializers](api-filtering-sampling.md#javascript-telemetry-initializers)

-* [Build-measure-learn](usage-overview.md)

-* [JavaScript SDK advanced topics](javascript-sdk-advanced.md)

- Automatic web Instrumentation can be enabled for node server via SDK Loader Script injection by configuration.

-> Unless you [set the authenticated user context](./javascript-feature-extensions.md#set-the-authenticated-user-context), you must select **Anonymous Users** from the **ConversionScope** dropdown to see telemetry data.

- A custom event represents one occurrence of something happening in your app. It's often a user interaction like a button selection or the completion of a task. You insert code in your app to [generate custom events](./api-custom-events-metrics.md#trackevent) or use the [Click Analytics](javascript-feature-extensions.md#feature-extensions-for-the-application-insights-javascript-sdk-click-analytics) extension.

-# Authentication for Azure Monitor - Container Insights

-Click on the relevant tab for instructions to enable Managed identity authentication on existing clusters.

-No action is needed when creating a cluster from the Portal. However, it isn't possible to switch to Managed Identity authentication from the Azure portal. Customers must use command line tools to migrate. See other tabs for migration instructions and templates.

-Container insights defaults to managed identity authentication. This secure and simplified authentication model has a monitoring agent that uses the cluster's managed identity to send data to Azure Monitor. It replaces the existing legacy certificate-based local authentication and removes the requirement of adding a *Monitoring Metrics Publisher* role to the cluster.

-Essentials|[Azure Active Directory authorization proxy](essentials/prometheus-authorization-proxy.md)|Aad auth proxy|

-Agents|[Troubleshoot issues with the Log Analytics agent for Windows](agents/agent-windows-troubleshoot.md)|Log Analytics will no longer accept connections from MMA versions that use old root CAs (MMA versions prior to the Winter 2020 release for Log Analytics agent, and prior to SCOM 2019 UR3 for SCOM). |

-General|[Migrate from System Center Operations Manager (SCOM) to Azure Monitor](azure-monitor-operations-manager.md)|Migrate from SCOM to Azure Monitor|

-Application-Insights|[Microsoft Azure Monitor Application Insights JavaScript SDK advanced topics](app/javascript-sdk-advanced.md)|JavaScript SDK advanced topics now include npm setup, cookie configuration and management, source map un-minify support, and tree shaking optimized code.|

-This article describes the commands you can use in the Bicep CLI. You must have the [Bicep CLI installed](./install.md) to run the commands.

-You can either run the Bicep CLI commands through Azure CLI or by calling Bicep directly. This article shows how to run the commands in Azure CLI. When running through Azure CLI, you start the commands with `az`. If you're not using Azure CLI, run the commands without `az` at the start of the command. For example, `az bicep build` becomes `bicep build`.

-The `generate-params` command builds *.parameters.json* file from the given bicep file, updates if there is an existing parameters.json file.

-az bicep generate-params --file main.bicep

-```powershell

-bicep restore <bicep-file> [--force]

-```powershell

-To deploy a local Bicep file, use the `--template-file` parameter in the deployment command. The following example also shows how to set a parameter value.

-To pass parameter values, you can use either inline parameters or a parameter file.

-### Parameter files

-Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that contains the parameter values. The parameter file must be a local file. External parameter files aren't supported with Azure CLI. Bicep file uses JSON parameter files.

-For more information about the parameter file, see [Create Resource Manager parameter file](./parameter-files.md).

-To pass a local parameter file, specify the path and file name. The following example shows a parameter file named _storage.parameters.json_. The file is in the same directory where the command is run.

-To deploy a local Bicep file, use the `-TemplateFile` parameter in the deployment command.

-To pass parameter values, you can use either inline parameters or a parameter file.

-### Parameter files

-Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that contains the parameter values. The parameter file can be a local file or an external file with an accessible URI. Bicep file uses JSON parameter files.

-For more information about the parameter file, see [Create Resource Manager parameter file](./parameter-files.md).

-To pass a local parameter file, use the `TemplateParameterFile` parameter:

-To pass an external parameter file, use the `TemplateParameterUri` parameter:

-Instead of putting a secure value (like a password) directly in your Bicep file or parameter file, you can retrieve the value from an [Azure Key Vault](../../key-vault/general/overview.md) during a deployment. When a [module](./modules.md) expects a `string` parameter with `secure:true` modifier, you can use the [getSecret function](bicep-functions-resource.md#getsecret) to obtain a key vault secret. The value is never exposed because you only reference its key vault ID.

-> This article focuses on how to pass a sensitive value as a template parameter. When the secret is passed as a parameter, the key vault can exist in a different subscription than the resource group you're deploying to.

-## Reference secrets in parameter file

-If you don't want to use a module, you can reference the key vault directly in the parameter file. The following image shows how the parameter file references the secret and passes that value to the Bicep file.

-Now, create a parameter file for the preceding Bicep file. In the parameter file, specify a parameter that matches the name of the parameter in the Bicep file. For the parameter value, reference the secret from the key vault. You reference the secret by passing the resource identifier of the key vault and the name of the secret:

-In the following parameter file, the key vault secret must already exist, and you provide a static value for its resource ID.

-Deploy the template and pass in the parameter file:

- --parameters <parameter-file>

- -TemplateParameterFile <parameter-file>

-description: Create parameter file for passing in values during deployment of a Bicep file

-# Create Bicep parameter file

-Rather than passing parameters as inline values in your script, you can use a JSON file that contains the parameter values. This article shows how to create a parameter file that you use with a Bicep file.

-## Parameter file

-A parameter file uses the following format:

-It's worth noting that the parameter file saves parameter values as plain text. For security reasons, this approach is not recommended for sensitive values such as passwords. If you must pass a parameter with a sensitive value, keep the value in a key vault. Instead of adding the sensitive value to your parameter file, use the [getSecret function](bicep-functions-resource.md#getsecret) to retrieve it. For more information, see [Use Azure Key Vault to pass secure parameter value during Bicep deployment](key-vault-parameter.md).

-To determine how to define the parameter names and values, open your Bicep file. Look at the parameters section of the Bicep file. The following examples show the parameters from a Bicep file.

-In the parameter file, the first detail to notice is the name of each parameter. The parameter names in your parameter file must match the parameter names in your Bicep file.

-Notice the parameter type. The parameter types in your parameter file must use the same types as your Bicep file. In this example, both parameter types are strings.

-Check the Bicep file for parameters with a default value. If a parameter has a default value, you can provide a value in the parameter file but it's not required. The parameter file value overrides the Bicep file's default value.

-> For inline comments, you can use either // or /* ... */. In Visual Studio Code, save the parameter files with the **JSONC** file type, otherwise you will get an error message saying "Comments not permitted in JSON".

-> Your parameter file can only contain values for parameters that are defined in the Bicep file. If your parameter file contains extra parameters that don't match the Bicep file's parameters, you receive an error.

-## Parameter type formats

-The following example shows the formats of different parameter types: string, integer, boolean, array, and object.

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "exampleString": {

- "value": "test string"

- },

- "exampleInt": {

- "value": 4

- },

- "exampleBool": {

- "value": true

- },

- "exampleArray": {

- "value": [

- "value 1",

- "value 2"

- ]

- },

- "exampleObject": {

- "value": {

- "property1": "value1",

- "property2": "value2"

- }

- }

- }

-}

-```

-## Deploy Bicep file with parameter file

-From Azure CLI, pass a local parameter file using `@` and the parameter file name. For example, `@storage.parameters.json`.

- --parameters @storage.parameters.json

-From Azure PowerShell, pass a local parameter file using the `TemplateParameterFile` parameter.

- -TemplateParameterFile C:\MyTemplates\storage.parameters.json

-## File name

-The general naming convention for the parameter file is to include _parameters_ in the Bicep file name. For example, if your Bicep file is named _azuredeploy.bicep_, your parameter file is named _azuredeploy.parameters.json_. This naming convention helps you see the connection between the Bicep file and the parameters.

-To deploy to different environments, you create more than one parameter file. When you name the parameter files, identify their use such as development and production. For example, use _azuredeploy.parameters-dev.json_ and _azuredeploy.parameters-prod.json_ to deploy resources.

-You can use inline parameters and a local parameter file in the same deployment operation. For example, you can specify some values in the local parameter file and add other values inline during deployment. If you provide values for a parameter in both the local parameter file and inline, the inline value takes precedence.

-It's possible to use an external parameter file, by providing the URI to the file. When you use an external parameter file, you can't pass other values either inline or from a local file. All inline parameters are ignored. Provide all parameter values in the external file.

-This command creates a parameter file in the same folder as the Bicep file. The new parameter file name is `<bicep-file-name>.parameters.json`.

-Consumers of your managed application may be reluctant to grant you permanent access to the managed resource group. As a publisher of a managed application, you might prefer that consumers know exactly when you need to access the managed resources. To give consumers greater control over granting access to managed resources, Azure Managed Applications provides a feature called just-in-time (JIT) access. This feature is currently in preview.

-To learn about approving requests for JIT access, see [Approve just-in-time access in Azure Managed Applications](approve-just-in-time-access.md).

->- Thisfeature is currently available in selected Azure regions only. [Learn more](#supported-scenarios).

-Yes. You can connect to a VM from your local computer using a native client. See [Connect to a VM using a native client](connect-native-client-windows.md).

-You can connect to VMs using a specified IP address with native client via SSH, RDP, or tunnelling. Note that this feature does not support Azure Active Directory authentication or custom port and protocol at the moment. To learn more about configuring native client support, see [Connect to a VM - native client](connect-native-client-windows.md). Use the following commands as examples:

-description: Learn how to connect to a VM from a Windows computer by using Bastion and a native client.

-# Connect to a VM using a native client

-This article helps you configure your Bastion deployment, and then connect to a VM in the VNet using the native client (SSH or RDP) on your local computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). Additionally with this feature, you can now also upload or download files, depending on the connection type and client.

-Your capabilities on the VM when connecting via native client are dependent on what is enabled on the native client. Controlling access to features such as file transfer via Bastion isn't supported.

-> [!NOTE]

-> This configuration requires the Standard SKU tier for Azure Bastion.

-After you deploy this feature, there are two different sets of connection instructions.

-* [Connect to a VM from the native client on a Windows local computer](#connect). This lets you do the following:

- * Connect using SSH or RDP.

- * [Upload and download files](vm-upload-download-native.md#rdp) over RDP.

- * If you want to connect using SSH and need to upload files to your target VM, use the **az network bastion tunnel** command instead.

-* [Connect to a VM using the **az network bastion tunnel** command](#connect-tunnel). This lets you do the following:

- * Use native clients on *non*-Windows local computers (example: a Linux PC).

- * Use the native client of your choice. (This includes the Windows native client.)

- * Connect using SSH or RDP. (The bastion tunnel doesn't relay web servers or hosts.)

- * Set up concurrent VM sessions with Bastion.

- * [Upload files](vm-upload-download-native.md#tunnel-command) to your target VM from your local computer. File download from the target VM to the local client is currently not supported for this command.

-**Limitations**

-* Signing in using an SSH private key stored in Azure Key Vault isnΓÇÖt supported with this feature. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.

-* This feature isn't supported on Cloud Shell.

-## <a name="prereq"></a>Prerequisites

-Before you begin, verify that you have the following prerequisites:

-* The latest version of the CLI commands (version 2.32 or later) is installed. For information about installing the CLI commands, see [Install the Azure CLI](/cli/azure/install-azure-cli) and [Get Started with Azure CLI](/cli/azure/get-started-with-azure-cli).

-* An Azure virtual network.

-* A virtual machine in the virtual network.

-* The VM's Resource ID. The Resource ID can be easily located in the Azure portal. Go to the Overview page for your VM and select the *JSON View* link to open the Resource JSON. Copy the Resource ID at the top of the page to your clipboard to use later when connecting to your VM.

-* If you plan to sign in to your virtual machine using your Azure AD credentials, make sure your virtual machine is set up using one of the following methods:

- * [Enable Azure AD sign-in for a Windows VM](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md) or [Linux VM](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).

- * [Configure your Windows VM to be Azure AD-joined](../active-directory/devices/concept-azure-ad-join.md).

- * [Configure your Windows VM to be hybrid Azure AD-joined](../active-directory/devices/concept-azure-ad-join-hybrid.md).

-## <a name="secure "></a>Secure your native client connection

-If you want to further secure your native client connection, you can limit port access by only providing access to port 22/3389. To restrict port access, you must deploy the following NSG rules on your AzureBastionSubnet to allow access to select ports and deny access from any other ports.

-## <a name="configure"></a>Configure the native client support feature

-You can configure this feature by either modifying an existing Bastion deployment, or you can deploy Bastion with the feature configuration already specified.

-### To modify an existing Bastion deployment

-If you've already deployed Bastion to your VNet, modify the following configuration settings:

-1. Navigate to the **Configuration** page for your Bastion resource. Verify that the SKU Tier is **Standard**. If it isn't, select **Standard**.

-1. Select the box for **Native Client Support**, then apply your changes.

- :::image type="content" source="./media/connect-native-client-windows/update-host.png" alt-text="Screenshot that shows settings for updating an existing host with Native Client Support box selected." lightbox="./media/connect-native-client-windows/update-host.png":::

-### To deploy Bastion with the native client feature

-If you haven't already deployed Bastion to your VNet, you can deploy with the native client feature specified by deploying Bastion using manual settings. For steps, see [Tutorial - Deploy Bastion with manual settings](tutorial-create-host-portal.md#createhost). When you deploy Bastion, specify the following settings:

-1. On the **Basics** tab, for **Instance Details -> Tier** select **Standard**. Native client support requires the Standard SKU.

- :::image type="content" source="./media/connect-native-client-windows/standard.png" alt-text="Settings for a new bastion host with Standard SKU selected." lightbox="./media/connect-native-client-windows/standard.png":::

-1. Before you create the bastion host, go to the **Advanced** tab and check the box for **Native Client Support**, along with the checkboxes for any other additional features that you want to deploy.

- :::image type="content" source="./media/connect-native-client-windows/new-host.png" alt-text="Screenshot that shows settings for a new bastion host with Native Client Support box selected." lightbox="./media/connect-native-client-windows/new-host.png":::

-1. Click **Review + create** to validate, then click **Create** to deploy your Bastion host.

-## <a name="verify"></a>Verify roles and ports

-Verify that the following roles and ports are configured in order to connect to the VM.

-### Required roles

-* Reader role on the virtual machine.

-* Reader role on the NIC with private IP of the virtual machine.

-* Reader role on the Azure Bastion resource.

-* Virtual Machine Administrator Login or Virtual Machine User Login role, if youΓÇÖre using the Azure AD sign-in method. You only need to do this if you're enabling Azure AD login using the processes outlined in one of these articles:

- * [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md)

- * [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md)

-### Ports

-To connect to a Linux VM using native client support, you must have the following ports open on your Linux VM:

-* Inbound port: SSH (22) *or*

-* Inbound port: Custom value (youΓÇÖll then need to specify this custom port when you connect to the VM via Azure Bastion)

-To connect to a Windows VM using native client support, you must have the following ports open on your Windows VM:

-* Inbound port: RDP (3389) *or*

-* Inbound port: Custom value (youΓÇÖll then need to specify this custom port when you connect to the VM via Azure Bastion)

-To learn about how to best configure NSGs with Azure Bastion, see [Working with NSG access and Azure Bastion](bastion-nsg.md).

-## <a name="connect"></a>Connect to VM - Windows native client

-This section helps you connect to your virtual machine from the native client on a local Windows computer. If you want to upload and download files after connecting, you must use an RDP connection. For more information about file transfers, see [Upload or download files](vm-upload-download-native.md).

-Use the example that corresponds to the type of target VM to which you want to connect.

-* [Windows VM](#connect-windows)

-* [Linux VM](#connect-linux)

-### <a name="connect-windows"></a>Connect to a Windows VM

-1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

- ```azurecli

- az login

- az account list

- az account set --subscription "<subscription ID>"

- ```

-1. Sign in to your target Windows VM using one of the following example options. If you want to specify a custom port value, you should also include the field **--resource-port** in the sign-in command.

- **RDP:**

- To connect via RDP, use the following command. YouΓÇÖll then be prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. For more information, see [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).

- ```azurecli

- az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"

- ```

- > [!IMPORTANT]

- > Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.

- **SSH:**

- The extension can be installed by running, ```az extension add --name ssh```. To sign in using an SSH key pair, use the following example.

- ```azurecli

- az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

- ```

- Once you sign in to your target VM, the native client on your computer opens up with your VM session; **MSTSC** for RDP sessions, and **SSH CLI extension (az ssh)** for SSH sessions.

-### <a name="connect-linux"></a>Connect to a Linux VM

-1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

- ```azurecli

- az login

- az account list

- az account set --subscription "<subscription ID>"

- ```

-1. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, you should also include the field **--resource-port** in the sign-in command.

- **Azure AD:**

- If youΓÇÖre signing in to an Azure AD login-enabled VM, use the following command. For more information, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).

- ```azurecli

- az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"

- ```

- **SSH:**

- The extension can be installed by running, ```az extension add --name ssh```. To sign in using an SSH key pair, use the following example.

- ```azurecli

- az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

- ```

- **Username/password:**

- If youΓÇÖre signing in using a local username and password, use the following command. YouΓÇÖll then be prompted for the password for the target VM.

- ```azurecli

- az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"

- ```

- 1. Once you sign in to your target VM, the native client on your computer opens up with your VM session; **MSTSC** for RDP sessions, and **SSH CLI extension (az ssh)** for SSH sessions.

-## <a name="connect-tunnel"></a>Connect to VM - other native clients

-This section helps you connect to your virtual machine from native clients on *non*-Windows local computers (example: a Linux PC) using the **az network bastion tunnel** command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM. The bastion tunnel supports RDP/SSH connection, but doesn't relay web servers or hosts.

-This connection supports file upload from the local computer to the target VM. For more information, see [Upload files](vm-upload-download-native.md).

-1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

- ```azurecli

- az login

- az account list

- az account set --subscription "<subscription ID>"

- ```

-1. Open the tunnel to your target VM using the following command.

- ```azurecli

- az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"

- ```

-1. Connect to your target VM using SSH or RDP, the native client of your choice, and the local machine port you specified in Step 2.

- For example, you can use the following command if you have the OpenSSH client installed on your local computer:

- ```azurecli

- ssh <username>@127.0.0.1 -p <LocalMachinePort>

- ```

-## <a name="connect-IP"></a>Connect to VM - IP Address

-This section helps you connect to your on-premises, non-Azure, and Azure virtual machines via Azure Bastion using a specified private IP address from native client. You can replace `--target-resource-id` with `--target-ip-address` in any of the above commands with the specified IP address to connect to your VM.

-> [!Note]

-> This feature does not support support Azure AD authentication or custom port and protocol at the moment. For more information on IP-based connection, see [Connect to a VM - IP address](connect-ip-address.md).

-Use the following commands as examples:

- **RDP:**

-

- ```azurecli

- az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>

- ```

-

- **SSH:**

-

- ```azurecli

- az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-addres "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

- ```

-

- **Tunnel:**

-

- ```azurecli

- az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"

- ```

-## Next steps

-[Upload or download files](vm-upload-download-native.md)

-Azure Bastion offers support for file transfer between your target VM and local computer using Bastion and a native RDP or native SSH client. To learn more about native client support, refer to [Connect to a VM using the native client](connect-native-client-windows.md). While it may be possible to use third-party clients and tools to upload or download files, this article focuses on working with supported native clients.

-The steps in this section apply when connecting to a target VM from a Windows local computer using the native Windows client and RDP. The **az network bastion rdp** command uses the native client MSTSC. Once connected to the target VM, you can upload and download files using **right-click**, then **Copy** and **Paste**. To learn more about this command and how to connect, see [Connect to a VM using a native client](connect-native-client-windows.md).

-This section helps you upload files from your local computer to your target VM over SSH or RDP using the **az network bastion tunnel** command. To learn more about the tunnel command and how to connect, see [Connect to a VM using a native client](connect-native-client-windows.md).

-> Call Automation currently doesn't interoperate with Microsoft Teams. Actions like making or redirecting a call to a Teams user or adding them to a call using Call Automation aren't supported.

-|AddParticipantFailed | Your application was unable to add a participant |

-| ParticipantUpdated | The status of a participant changed while your applicationΓÇÖs call leg was connected to a call |

-| PlayCanceled | Your application canceled the play operation |

-| RecognizeCanceled | Your application canceled the request to recognize user input |

-## Known issues

-1. Using the incorrect IdentifierType for endpoints for `Transfer` requests (like using CommunicationUserIdentifier to specify a phone number) returns a 500 error instead of a 400 error code. Solution: Use the correct type, CommunicationUserIdentifier for Communication Users and PhoneNumberIdentifier for phone numbers.

-2. Taking a pre-call action like Answer/Reject on the original call after redirected it gives a 200 success instead of failing on 'call not found'.

-3. Transferring a call with more than two participants is currently not supported.

-4. After transferring a call, you may receive two `CallDisconnected` events and will need to handle this behavior by ignoring the duplicate.

-> By enabling this feature, you are acknowledging that you are enabling open/click tracking and giving consent to collect your customers' email activity

-**Your email domain is now ready to send emails with user engagement tracking.**

-> [Number Lookup SDK](../../concepts/numbers/number-lookup-sdk.md)

-User responses that were sent using AppInsights will be available under your App Insights workspace. You can use [Workbooks](../../update-center/workbooks.md) to query between multiple resources, correlate call ratings and custom survey data. Steps to correlate the call ratings and custom survey data:

-From July 2022, encrypted OS disks will incur higher costs. This change is because encrypted OS disks use more space, and compression isn't possible. For more information, see [the pricing guide for managed disks](https://azure.microsoft.com/pricing/details/managed-disks/).

-Your main application container application can call the side-car WEB API end points as defined in the example blow. Side-cars runs within the same container group and is a local endpoint to your application container. Full details of the API can be found [here](https://github.com/microsoft/confidential-sidecar-containers/blob/main/cmd/skr/README.md)

- --replica-retry-limit 0 \

-Before you can run a self-hosted agent in your new agent pool, you need to create a placeholder agent. Pipelines that use the agent pool fail when there's no placeholder agent. You can create a placeholder agent by running a job that registers an offline placeholder agent.

- --replica-retry-limit 0 \

- 1. Confirm that a placeholder agent named `placeholder-agent` is listed.

- --replica-retry-limit 0 \

-**Amortized cost** - Shows a reservation purchase split as an amortized cost over the duration of the reservation term. Using the same example above, cost analysis shows a $100 cost for each month throughout the year, if you purchased a one-year reservation for $1200 in January. If you group costs by VM in this example, you'd see cost attributed to each VM that received the reservation benefit.

-1. Billing administrators can take ownership of a savings plan by selecting one or multiple savings plans, selecting **Grant access** and selecting **Grant access** in the window that appears.

-description: Learn about the software and networking requirements for your Azure Data Box Disk

-description: Learn about important system requirements for your Azure Data Box and for clients that connect to the Data Box.

-> [!NOTE]

-> Protected resources include public IPs attached to an IaaS VM (except for single VM running behind a public IP), Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Firewall, Bastion, VPN Gateway, Service Fabric, IaaS based Network Virtual Appliance (NVA) or Azure API Management (Premium tier only), connected to a virtual network (VNet) in the external mode. Protection also covers public IP ranges brought to Azure via Custom IP Prefixes (BYOIPs). PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than those supported above, or Azure Virtual WAN are not supported at present.

-> Protected resources that include public IPs created from public IP address prefix are not supported at present.

- |`_artifactsLocation` |**Required** |The URI location to find artifacts this template requires. This value must be a fully qualified URI, not a relative path. The artifacts include other templates, PowerShell scripts, and the Remote Desktop Gateway Pluggable Authentication module, expected to be named *RDGatewayFedAuth.msi*, that supports token authentication. |

-If you can't apply an artifact to a VM, first check the following in the Azure portal:

- 

- 

-When DevTest Labs applies an artifact, it reads the artifact configuration and files from connected repositories. By default, DevTest Labs has access to the DevTest Labs [public Artifact repository](https://github.com/Azure/azure-devtestlab/tree/master/Artifacts). You can also connect a lab to a private repository to access custom artifacts. If a custom artifact fails to install, make sure the personal access token (PAT) for the private repository hasn't expired. If the PAT is expired, the artifact won't be listed, and any scripts that refer to artifacts from that repository will fail.

- 1. On the storage account **Overview** page, select **Firewalls and virtual networks** in the left navigation.

- 1. Ensure that **Firewalls and virtual networks** is set to **All networks**. Or, if the **Selected networks** option is selected, make sure the lab's virtual networks used to create VMs are added to the list.

- 

- 

- 

-

- 

- 

-> [!WARNING]

-> If you run this code on **Azure Stack Hub**, you will experience runtime errors unless you target a specific Storage API version. That's because the Event Hubs SDK uses the latest available Azure Storage API available in Azure that may not be available on your Azure Stack Hub platform. Azure Stack Hub may support a different version of Storage Blob SDK than those typically available on Azure. If you are using Azure Blob Storage as a checkpoint store, check the [supported Azure Storage API version for your Azure Stack Hub build](/azure-stack/user/azure-stack-acs-differences?#api-version) and target that version in your code.

->

-> For example, If you are running on Azure Stack Hub version 2005, the highest available version for the Storage service is version 2019-02-02. By default, the Event Hubs SDK client library uses the highest available version on Azure (2019-07-07 at the time of the release of the SDK). In this case, besides following steps in this section, you will also need to add code to target the Storage service API version 2019-02-02. For an example on how to target a specific Storage API version, see [this sample on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs.Processor/samples/).

-> [!NOTE]

-> If you are using Azure Blob Storage as the checkpoint store in an environment that supports a different version of Storage Blob SDK than those typically available on Azure, you'll need to use code to change the Storage service API version to the specific version supported by that environment. For example, if you are running [Event Hubs on an Azure Stack Hub version 2002](/azure-stack/user/event-hubs-overview), the highest available version for the Storage service is version 2017-11-09. In this case, you need to use code to target the Storage service API version to 2017-11-09. For an example on how to target a specific Storage API version, see these samples on GitHub:

-> - [.NET](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs.Processor/samples/).

-> - [Java](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/eventhubs/azure-messaging-eventhubs-checkpointstore-blob/src/samples/java/com/azure/messaging/eventhubs/checkpointstore/blob/)

-> - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/eventhubs-checkpointstore-blob/samples/v1/javascript) or [TypeScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/eventhubs-checkpointstore-blob/samples/v1/typescript)

-> - [Python](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/eventhub/azure-eventhub-checkpointstoreblob-aio/samples/)

-> [!WARNING]

-> If you run this code on Azure Stack Hub, you will experience runtime errors unless you target a specific Storage API version. That's because the Event Hubs SDK uses the latest available Azure Storage API available in Azure that may not be available on your Azure Stack Hub platform. Azure Stack Hub may support a different version of Azure Blob Storage SDK than those typically available on Azure. If you are using Azure Blob Storage as a checkpoint store, check the [supported Azure Storage API version for your Azure Stack Hub build](/azure-stack/user/azure-stack-acs-differences?#api-version) and target that version in your code.

->

-> For example, If you are running on Azure Stack Hub version 2005, the highest available version for the Storage service is version 2019-02-02. By default, the Event Hubs SDK client library uses the highest available version on Azure (2019-07-07 at the time of the release of the SDK). In this case, besides following steps in this section, you will also need to add code to target the Storage service API version 2019-02-02. For an example on how to target a specific Storage API version, see [this sample on GitHub](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/eventhubs/azure-messaging-eventhubs-checkpointstore-blob/src/samples/java/com/azure/messaging/eventhubs/checkpointstore/blob/EventProcessorWithCustomStorageVersion.java).

-> [!WARNING]

-> If you run this code on Azure Stack Hub, you will experience runtime errors unless you target a specific Storage API version. That's because the Event Hubs SDK uses the latest available Azure Storage API available in Azure that may not be available on your Azure Stack Hub platform. Azure Stack Hub may support a different version of Storage Blob SDK than those typically available on Azure. If you are using Azure Blog Storage as a checkpoint store, check the [supported Azure Storage API version for your Azure Stack Hub build](/azure-stack/user/azure-stack-acs-differences?#api-version) and target that version in your code.

->

-> For example, If you are running on Azure Stack Hub version 2005, the highest available version for the Storage service is version 2019-02-02. By default, the Event Hubs SDK client library uses the highest available version on Azure (2019-07-07 at the time of the release of the SDK). In this case, besides following steps in this section, you will also need to add code to target the Storage service API version 2019-02-02. For an example on how to target a specific Storage API version, see [JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/eventhub/eventhubs-checkpointstore-blob/samples/v1/javascript/receiveEventsWithApiSpecificStorage.js) and [TypeScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/eventhub/eventhubs-checkpointstore-blob/samples/v1/typescript/src/receiveEventsWithApiSpecificStorage.ts) samples on GitHub.

-> [!WARNING]

-> If you run this code on Azure Stack Hub, you will experience runtime errors unless you target a specific Storage API version. That's because the Event Hubs SDK uses the latest available Azure Storage API available in Azure that may not be available on your Azure Stack Hub platform. Azure Stack Hub may support a different version of Storage Blob SDK than those typically available on Azure. If you are using Azure Blog Storage as a checkpoint store, check the [supported Azure Storage API version for your Azure Stack Hub build](/azure-stack/user/azure-stack-acs-differences?#api-version) and target that version in your code.

->

-> For example, If you are running on Azure Stack Hub version 2005, the highest available version for the Storage service is version 2019-02-02. By default, the Event Hubs SDK client library uses the highest available version on Azure (2019-07-07 at the time of the release of the SDK). In this case, besides following steps in this section, you will also need to add code to target the Storage service API version 2019-02-02. For an example on how to target a specific Storage API version, see the [synchronous](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/eventhub/azure-eventhub-checkpointstoreblob/samples/receive_events_using_checkpoint_store_storage_api_version.py) and [asynchronous](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/eventhub/azure-eventhub-checkpointstoreblob-aio/samples/receive_events_using_checkpoint_store_storage_api_version_async.py) samples on GitHub.

-> [!NOTE]

-> If you are using Azure Blob Storage as the checkpoint store in an environment that supports a different version of Storage Blob SDK than those typically available on Azure, you'll need to use code to change the Storage service API version to the specific version supported by that environment. For example, if you are running [Event Hubs on an Azure Stack Hub version 2002](/azure-stack/user/event-hubs-overview), the highest available version for the Storage service is version 2017-11-09. In this case, you need to use code to target the Storage service API version to 2017-11-09. For an example on how to target a specific Storage API version, see these samples on GitHub:

-> - [.NET](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/eventhub/Azure.Messaging.EventHubs.Processor/samples/).

-> - [Java](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/eventhubs/azure-messaging-eventhubs-checkpointstore-blob/src/samples/java/com/azure/messaging/eventhubs/checkpointstore/blob/)

-> - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/eventhubs-checkpointstore-blob/samples/v1/javascript) or [TypeScript](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/eventhub/eventhubs-checkpointstore-blob/samples/v1/typescript)

-> - [Python](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/eventhub/azure-eventhub-checkpointstoreblob-aio/samples/)

-However, taking Murphy's popular adage--*if anything can go wrong, it will*--into consideration, in this article let us focus on solutions that go beyond failures that can be addressed using a single ExpressRoute circuit. We'll be looking into network architecture considerations for building robust backend network connectivity for disaster recovery using geo-redundant ExpressRoute circuits.

->[!NOTE]

->The concepts described in this article equally applies when an ExpressRoute circuit is created under Virtual WAN or outside of it.

-There are possibilities and instances where an ExpressRoute peering locations or an entire regional service (be it that of Microsoft, network service providers, customer, or other cloud service providers) gets degraded. The root cause for such regional wide service impact include natural calamity. That's why, for business continuity and mission critical applications it's important to plan for disaster recovery.

-If you rely on ExpressRoute connectivity between your on-premises network and Microsoft for mission critical operations, you need to consider the following to plan for disaster recovery over ExpressRoute

-When you interconnect the same set of networks using more than one connection, you introduce parallel paths between the networks. Parallel paths, when not properly architected, could lead to asymmetrical routing. If you have stateful entities (for example, NAT, firewall) in the path, asymmetrical routing could block traffic flow. Typically, over the ExpressRoute private peering path you won't come across stateful entities such as NAT or Firewalls. That's why, asymmetrical routing over ExpressRoute private peering doesn't necessarily block traffic flow.

-[Many metros](expressroute-locations-providers.md#global-commercial-azure) have two ExpressRoute locations. An example would be *Amsterdam* and *Amsterdam2*. When designing redundancy, you could build two parallel paths to Azure with both locations in the same metro. You could do this with the same provider or choose to work with a different service provider to improve resiliency. Another advantage of this design is when application failover happens, end-to-end latency between your on-premises applications and Microsoft stays approximately the same. However, if there is a natural disaster such as an earthquake, connectivity for both paths may no longer be available.

-When using different metros for redundancy, you should select the secondary location in the same [geo-political region](expressroute-locations-providers.md#locations). To choose a location outside of the geo-political region, you'll need to use Premium SKU for both circuits in the parallel paths. The advantage of this configuration is the chances of a natural disaster causing an outage to both links are much lower but at the cost of increased latency end-to-end.

->[!NOTE]

->Enabling BFD on the ExpressRoute circuits will help with faster link failure detection between Microsoft Enterprise Edge (MSEE) devices and the Customer/Partner Edge routers. However, the overall failover and convergence to redundant site may take up to 180 seconds under some failure conditions and you may experience increased latency or performance degradation during this time.

-By default, if you advertise routes identically over all the ExpressRoute paths, Azure will load-balance on-premises bound traffic across all the ExpressRoute paths using Equal-cost multi-path (ECMP) routing.

-The following diagram illustrates influencing ExpressRoute path selection using connection weight. The default connection weight is 0. In the example below, the weight of the connection for ExpressRoute 1 is configured as 100. When a VNet receives a route prefix advertised via more than one ExpressRoute circuit, the VNet will prefer the connection with the highest weight.

-How we architect the disaster recovery has an impact on how cross-regional to cross location (region1/region2 to location2/location1) traffic is routed. Let's consider two different disaster architectures that routes cross region-location traffic differently.

-The Scenario 2 is illustrated in the following diagram. In the diagram, green lines indicate paths for traffic flow between VNet1 and on-premises networks. The blue lines indicate paths for traffic flow between VNet2 and on-premises networks. In the steady-state (solid lines in the diagram), all the traffic between VNets and on-premises locations flow via Microsoft backbone for the most part, and flows through the interconnection between on-premises locations only in the failure state (dotted lines in the diagram) of an ExpressRoute.

-[con wgt]: ./expressroute-optimize-routing.md#solution-assign-a-high-weight-to-local-connection

-[AS Path Pre]: ./expressroute-optimize-routing.md#solution-use-as-path-prepending

-ExpressRoute is designed for high availability to provide carrier grade private network connectivity to Microsoft resources. In other words, there is no single point of failure in the ExpressRoute path within Microsoft network. To maximize the availability, the customer and the service provider segment of your ExpressRoute circuit should also be architected for high availability. In this article, first let's look into network architecture considerations for building robust network connectivity using an ExpressRoute, then let's look into the fine-tuning features that help you to improve the high availability of your ExpressRoute circuit.

->[!NOTE]

->The concepts described in this article equally applies when an ExpressRoute circuit is created under Virtual WAN or outside of it.

-For high availability, it's essential to maintain the redundancy of the ExpressRoute circuit throughout the end-to-end network. In other words, you need to maintain redundancy within your on-premises network, and shouldn't compromise redundancy within your service provider network. Maintaining redundancy at the minimum implies avoiding single point of network failures. Having redundant power and cooling for the network devices will further improve the high availability.

- If you terminate both the primary and secondary connections of an ExpressRoute circuits on the same Customer Premises Equipment (CPE), you're compromising the high availability within your on-premises network. Additionally, if you configure both the primary and secondary connections via the same port of a CPE (either by terminating the two connections under different subinterfaces or by merging the two connections within the partner network), you're forcing the partner to compromise high availability on their network segment as well. This compromise is illustrated in the following figure.

-Microsoft network is configured to operate the primary and secondary connections of ExpressRoute circuits in active-active mode. However, through your route advertisements, you can force the redundant connections of an ExpressRoute circuit to operate in active-passive mode. Advertising more specific routes and BGP AS path prepending are the common techniques used to make one path preferred over the other.

-To improve high availability, it's recommended to operate both the connections of an ExpressRoute circuit in active-active mode. If you let the connections operate in active-active mode, Microsoft network will load balance the traffic across the connections on per-flow basis.

-Alternatively, running the primary and secondary connections of an ExpressRoute circuit in active-active mode, results in only about half the flows failing and getting rerouted, following an ExpressRoute connection failure. Thus, active-active mode will significantly help improve the Mean Time To Recover (MTTR).

-> During a maintenance activity or in case of unplanned events impacting one of the connection, Microsoft will prefer to use AS path prepending to drain traffic over to the healthy connection. You will need to ensure the traffic is able to route over the healthy path when path prepend is configured from Microsoft and required route advertisements are configured appropriately to avoid any service disruption.

-Microsoft peering is designed for communication between public end-points. So commonly, on-premises private endpoints are Network Address Translated (NATed) with public IP on the customer or partner network before they communicate over Microsoft peering. Assuming you use both the primary and secondary connections in active-active mode, where and how you NAT has an impact on how quickly you recover following a failure in one of the ExpressRoute connections. Two different NAT options are illustrated in the following figure:

-NAT gets applied after splitting the traffic between the primary and secondary connections of the ExpressRoute circuit. To meet the stateful requirements of NAT, independent NAT pools are used for the primary and the secondary devices. The return traffic will arrive on the same edge device through which the flow egressed.

-If the ExpressRoute connection fails, the ability to reach the corresponding NAT pool is then broken. That's why all broken network flows have to be re-established either by TCP or by the application layer following the corresponding window timeout. During the failure, Azure can't reach the on-premises servers using the corresponding NAT until connectivity has been restored for either the primary or secondary connections of the ExpressRoute circuit.

-A common NAT pool is used before splitting the traffic between the primary and secondary connections of the ExpressRoute circuit. It's important to make the distinction that the common NAT pool before splitting the traffic doesn't mean it will introduce a single-point of failure as such compromising high-availability.

-The NAT pool is reachable even after the primary or secondary connection fail. That's why the network layer itself can reroute the packets and help recover faster following a failure.

-In this article, we discussed how to design for high availability of an ExpressRoute circuit connectivity. An ExpressRoute circuit peering point is pinned to a geographical location and therefore could be impacted by catastrophic failure that impacts the entire location.

-For design considerations to build geo-redundant network connectivity to Microsoft backbone that can withstand catastrophic failures, which impact an entire region, see [Designing for disaster recovery with ExpressRoute private peering][DR].

-description: Configure ExpressRoute and a Site-to-Site VPN connection that can coexist for the Resource Manager model using PowerShell.

-# Configure ExpressRoute and Site-to-Site coexisting connections using PowerShell

->

-This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist. Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute. We will cover the steps to configure both scenarios in this article. This article applies to the Resource Manager deployment model.

-Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:

-* You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute.

-* Alternatively, you can use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.

-The steps to configure both scenarios are covered in this article. This article applies to the Resource Manager deployment model and uses PowerShell. You can also configure these scenarios using the Azure portal, although documentation is not yet available. You can configure either gateway first. Typically, you will incur no downtime when adding a new gateway or gateway connection.

->[!NOTE]

->If you want to create a Site-to-Site VPN over an ExpressRoute circuit, please see [this article](site-to-site-vpn-over-microsoft-peering.md).

-* **ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU**.

-* **If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515 and Azure Route Server should be used.** Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.

-* **The gateway subnet must be /27 or a shorter prefix**, (such as /26, /25), or you will receive an error message when you add the ExpressRoute virtual network gateway.

-* **Coexistence in a dual-stack vnet is not supported.** If you are using ExpressRoute IPv6 support and a dual-stack ExpressRoute gateway, coexistence with VPN Gateway will not be possible.

-### Configure a Site-to-Site VPN as a failover path for ExpressRoute

-You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This connection applies only to virtual networks linked to the Azure private peering path. There is no VPN-based failover solution for services accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows through the Site-to-Site VPN path only if the ExpressRoute circuit fails. To avoid asymmetrical routing, your local network configuration should also prefer the ExpressRoute circuit over the Site-to-Site VPN. You can prefer the ExpressRoute path by setting higher local preference for the routes received the ExpressRoute.

->[!NOTE]

-> If you have ExpressRoute Microsoft Peering enabled, you can receive the public IP address of your Azure VPN gateway on the ExpressRoute connection. To set up your site-to-site VPN connection as a backup, you must configure your on-premises network so that the VPN connection is routed to the Internet.

->

-> While ExpressRoute circuit is preferred over Site-to-Site VPN when both routes are the same, Azure will use the longest prefix match to choose the route towards the packet's destination.

-

-### Configure a Site-to-Site VPN to connect to sites not connected through ExpressRoute

-You can configure your network where some sites connect directly to Azure over Site-to-Site VPN, and some sites connect through ExpressRoute.

-

- If you donΓÇÖt already have a virtual network, this procedure walks you through creating a new virtual network using Resource Manager deployment model and creating new ExpressRoute and Site-to-Site VPN connections. To configure a virtual network, follow the steps in [To create a new virtual network and coexisting connections](#new).

- You may already have a virtual network in place with an existing Site-to-Site VPN connection or ExpressRoute connection. In this scenario if the gateway subnet prefix is /28 or longer (/29, /30, etc.), you have to delete the existing gateway. The [To configure coexisting connections for an already existing VNet](#add) section walks you through deleting the gateway, and then creating new ExpressRoute and Site-to-Site VPN connections.

- If you delete and recreate your gateway, you will have downtime for your cross-premises connections. However, your VMs and services will still be able to communicate out through the load balancer while you configure your gateway if they are configured to do so.

-## <a name="new"></a>To create a new virtual network and coexisting connections

-This procedure walks you through creating a VNet and Site-to-Site and ExpressRoute connections that will coexist. The cmdlets that you use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions.

-2. Set variables.

-3. Create a virtual network including Gateway Subnet. For more information about creating a virtual network, see [Create a virtual network](../virtual-network/manage-virtual-network.md#create-a-virtual-network). For more information about creating subnets, see [Create a subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet)

- > The Gateway Subnet must be /27 or a shorter prefix (such as /26 or /25).

- >

- Create a new VNet.

- Add subnets.

- Save the VNet configuration.

-4. <a name="vpngw"></a>Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration, see [Configure a VNet with a Site-to-Site connection](../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md). The GatewaySku is only supported for *VpnGw1*, *VpnGw2*, *VpnGw3*, *Standard*, and *HighPerformance* VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be *RouteBased*.

- Azure VPN gateway supports BGP routing protocol. You can specify ASN (AS Number) for that Virtual Network by adding the -Asn switch in the following command. Not specifying that parameter will default to AS number 65515.

- $azureVpn = New-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1" -Asn $VNetASN

- > For coexisting gateways, you must use the default ASN of 65515. See [limits and limitations](#limits-and-limitations).

- You can find the BGP peering IP and the AS number that Azure uses for the VPN gateway in $azureVpn.BgpSettings.BgpPeeringAddress and $azureVpn.BgpSettings.Asn. For more information, see [Configure BGP](../vpn-gateway/vpn-gateway-bgp-resource-manager-ps.md) for Azure VPN gateway.

- If your local VPN device supports the BGP and you want to enable dynamic routing, you need to know the BGP peering IP and the AS number that your local VPN device uses.

-7. Link the Site-to-Site VPN gateway on Azure to the local gateway.

-8. If you are connecting to an existing ExpressRoute circuit, skip steps 8 & 9 and, jump to step 10. Configure ExpressRoute circuits. For more information about configuring ExpressRoute circuit, see [create an ExpressRoute circuit](expressroute-howto-circuit-arm.md).

-## <a name="add"></a>To configure coexisting connections for an already existing VNet

-If you have a virtual network that has only one virtual network gateway (let's say, Site-to-Site VPN gateway) and you want to add another gateway of a different type (let's say, ExpressRoute gateway), check the gateway subnet size. If the gateway subnet is /27 or larger, you can skip the steps below and follow the steps in the previous section to add either a Site-to-Site VPN gateway or an ExpressRoute gateway. If the gateway subnet is /28 or /29, you have to first delete the virtual network gateway and increase the gateway subnet size. The steps in this section show you how to do that.

-The cmdlets that you use for this configuration may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these instructions.

-1. Delete the existing ExpressRoute or Site-to-Site VPN gateway.

- >

-You can follow the steps below to add Point-to-Site configuration to your VPN gateway in a coexistence setup. To upload the VPN root certificate, you must either install PowerShell locally to your computer, or use the Azure portal.

-2. Upload the VPN [root certificate](../vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps.md#Certificates) to Azure for your VPN gateway. In this example, it's assumed that the root certificate is stored in the local machine where the following PowerShell cmdlets are run and that you are running PowerShell locally. You can also upload the certificate using the Azure portal.

-If you want to enable connectivity between one of your local network that is connected to ExpressRoute and another of your local network that is connected to a site-to-site VPN connection, you'll need to set up [Azure Route Server](../route-server/expressroute-vpn-support.md).

-* If your provider is not an ExpressRoute connectivity partner, you can still connect to the Microsoft cloud through a [cloud exchange provider](expressroute-locations.md#connectivity-through-exchange-providers).

-* **NAT**: Microsoft only accepts public IP addresses through Microsoft peering. If you are using private IP addresses in your on-premises network, you or your provider needs to translate the private IP addresses to the public IP addresses [using the NAT](expressroute-nat.md).

-This article helps you verify and troubleshoot Azure ExpressRoute connectivity. ExpressRoute extends an on-premises network into the Microsoft Cloud over a private connection that's commonly facilitated by a connectivity provider. ExpressRoute connectivity traditionally involves three distinct network zones:

-> In the ExpressRoute direct connectivity model (offered at a bandwidth of 10/100 Gbps), customers can directly connect to the port for Microsoft Enterprise Edge (MSEE) routers. The direct connectivity model includes only customer and Microsoft network zones.

-Depending on the ExpressRoute connectivity model, network points 3 and 4 might be switches (layer 2 devices) or routers (layer 3 devices). The ExpressRoute connectivity models are cloud exchange co-location, point-to-point Ethernet connection, or any-to-any (IPVPN).

-If the cloud exchange co-location, point-to-point Ethernet, or direct connectivity model is used, CEs (2) establish Border Gateway Protocol (BGP) peering with MSEEs (5).

->[!TIP]

->If you're looking for the name of a resource group, you can get it by using the `Get-AzResourceGroup` command to list all the resource groups in your subscription.

-> After you configure an ExpressRoute circuit, if **Circuit status** is stuck in a **Not enabled** status, contact [Microsoft Support][Support]. If **Provider status** is stuck in **Not provisioned** status, contact your service provider.

-After the service provider has completed provisioning the ExpressRoute circuit, multiple routing configurations based on external BGP (eBGP) can be created over the ExpressRoute circuit between CEs/MSEE-PEs (2/4) and MSEEs (5). Each ExpressRoute circuit can have one or both of the following:

-If a peering isn't configured, you'll get an error message. Here's an example response when the stated peering (Azure public peering in this case) isn't configured within the circuit:

-Test your private peering connectivity by counting packets arriving at and leaving the Microsoft edge of your ExpressRoute circuit on the MSEE devices. This diagnostic tool works by applying an ACL to the MSEE to count the number of packets that hit specific ACL rules. Using this tool will allow you to confirm connectivity by answering questions such as:

-When your results are ready, you'll have two sets of them for the primary and secondary MSEE devices. Review the number of matches in and out, and use the following scenarios to interpret the results:

-Your test results for each MSEE device will look like the following example:

-The ExpressRoute virtual network gateway facilitates the management and control plane connectivity to private link services and private IPs deployed to an Azure virtual network. The virtual network gateway infrastructure is managed by Microsoft and sometimes undergoes maintenance.

-During a maintenance period, performance of the virtual network gateway might be reduced. To troubleshoot connectivity issues to the virtual network and reactively detect if recent maintenance events reduced capacity for the virtual network gateway:

- If maintenance on your virtual network gateway occurred during a period when you experienced packet loss or latency, it's possible that the reduced capacity of the gateway contributed to connectivity issues you're experiencing with the target virtual network. Follow the recommended steps. To support a higher network throughput and avoid connectivity issues during future maintenance events, consider upgrading the [virtual network gateway SKU](expressroute-about-virtual-network-gateways.md#gwsku).

-[2]: ./media/expressroute-troubleshooting-expressroute-overview/portal-all-resources.png "All resources icon"

-[5]: ./media/expressroute-troubleshooting-expressroute-overview/portal-private-peering.png "Screenshot that shows an example ExpressRoute peerings listed in the Azure portal."

-[DR-Pvt]: ./designing-for-disaster-recovery-with-expressroute-privatepeering.md

-* Protect your apps from malicious actors with Bot manager rules based on MicrosoftΓÇÖs own Threat Intelligence.

-Sometimes multiple effects can be valid for a given policy definition. Parameters are often used to specify allowed effect values so that a single definition can be more versatile. However, it's important to note that not all effects are interchangeable. Resource properties and logic in the policy rule can determine whether a certain effect is considered valid to the policy definition. For example, policy definitions with effect **AuditIfNotExists** require additional details in the policy rule that aren't required for policies with effect **Audit**. The effects also behave differently. **Audit** policies will assess a resource's compliance based on its own properties, while **AuditIfNotExists** policies will assess a resource's compliance based on a child or extension resource's properties.

-Below is some general guidance around interchangeable effects:

-**AuditIfNotExists** and **DeployIfNotExists** evaluate to determine whether additional compliance

-Additionally, `PATCH` requests that only modify `tags` related fields restricts policy evaluation to

-Append is used to add additional fields to the requested resource during creation or update. A

-array, use the **\[\*\]** version of the alias.

-Example 1: Single **field/value** pair using a non-**\[\*\]**

-account. When the non-**\[\*\]** alias is an array, the effect appends the **value** as the entire

-Example 2: Single **field/value** pair using an **\[\*\]** [alias](definition-structure.md#aliases)

-with an array **value** to set IP rules on a storage account. By using the **\[\*\]** alias, the

-For a Resource Manager mode, the audit effect doesn't have any additional properties for use in the

-additional subproperties of **details**. Use of `templateInfo` is required for new or updated policy

- - Can't be used with `templateInfo`.

- - Must be replaced with `templateInfo` when creating or updating a policy definition.

- - The Constraint template CustomResourceDefinition (CRD) that defines new Constraints. The

- template defines the Rego logic, the Constraint schema, and the Constraint parameters that are

- passed via **values** from Azure Policy.

-For a Resource Manager mode, the deny effect doesn't have any additional properties for use in the

-additional subproperties of **details**. Use of `templateInfo` is required for new or updated policy

- - Can't be used with `templateInfo`.

- - Must be replaced with `templateInfo` when creating or updating a policy definition.

- - The Constraint template CustomResourceDefinition (CRD) that defines new Constraints. The

- template defines the Rego logic, the Constraint schema, and the Constraint parameters that are

- passed via **values** from Azure Policy. It's recommended to use the newer `templateInfo` to

- replace `constraintTemplate`.

-`DenyAction` is used to block requests on intended action to resources. The only supported action today is `DELETE`. This effect will help prevent any accidental deletion of critical resources.

-Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.

-Example: Evaluates SQL Server databases to determine whether transparentDataEncryption is enabled.

-> additional operation types and the ability to remediate existing resources. However, Append is

-is applied only when evaluating requests with API version greater or equals to '2019-04-01':

- - Restricts resource location to 'westus'

- - Restricts resource location to 'eastus'

- non-compliant to policy 1 if not in 'westus'

-the definition location to target for assignment.

-So how do you choose whether to use an exclusion or exemption? Typically exclusions are recommended to permanently bypass evaluation for a broad scope like a test environment which doesn't require the same level of governance. Exemptions are recommended for time-bound or more specific scenarios where a resource or resource hierarchy should still be tracked and would otherwise be evaluated, but there is a specific reason it should not be assessed for compliance.

-control of an action is required based on user information, then Azure RBAC is the correct tool to use. Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still

-blocks the create or update.

-Azure Policy operations can have a significant impact on your Azure environment. Only the minimum set of

-permissions necessary to perform a task should be assigned and these permissions should not be granted

-to users who do not need them.

-Azure Policy evaluates all Azure resources at or below subscription-level, including Arc enabled

-resources. For certain resource providers such as

-[Machine configuration](../machine-configuration/overview.md),

-[Azure Kubernetes Service](../../aks/intro-kubernetes.md), and

-[Azure Key Vault](../../key-vault/general/overview.md), there's a deeper integration for managing

-settings and objects. To find out more, see

-[Resource Provider modes](./concepts/definition-structure.md).

-To implement these policy definitions (both built-in and custom definitions), you'll need to assign

-evaluating resources. If a policy definition that is already assigned is changed all existing

-Client applications can read these logs at any time, either in streaming, or in batch mode. The Change Feed enables you to build efficient and scalable solutions that process change events that occur in your DICOM service.

-The API exposes two `GET` endpoints for interacting with the Change Feed. A typical flow for consuming the Change Feed is [provided below](#example-usage-flow).

-GET | /changefeed | JSON Array | [Read the Change Feed](#read-change-feed)

-GET | /changefeed/latest | JSON Object | [Read the latest entry in the Change Feed](#get-latest-change-feed-item)

-Sequence | int | The sequence ID that can be used for paging (via offset) or anchoring

-### Read Change Feed

-**Route**: /changefeed?offset={int}&limit={int}&includemetadata={**true**|false}

- "actual": "metadata"

- "actual": "metadata"

- }

- ...

-Name | Type | Description

-:-- | : | :

-offset | int | The number of records to skip before the values to return

-limit | int | The number of records to return (default: 10, min: 1, max: 100)

-includemetadata | bool | Whether or not to include the metadata (default: true)

-### Get latest Change Feed item

-**Route**: /changefeed/latest?includemetadata={**true**|false}

- "actual": "metadata"

-#### Parameters

-Name | Type | Description

-:-- | : | :

-includemetadata | bool | Whether or not to include the metadata (default: true)

-### Example usage flow

-Below is the usage flow for an example application that does other processing on the instances within DICOM service.

-1. Application that wants to monitor the Change Feed starts.

-2. It determines if there's a current state that it should start with:

- * If it has a state, it uses the offset (sequence) stored.

- * If it has never started and wants to start from beginning, it uses `offset=0`.

- * If it only wants to process from now, it queries `/changefeed/latest` to obtain the last sequence.

-3. It queries the Change Feed with the given offset `/changefeed?offset={offset}`

-4. If there are entries:

- * It performs extra processing.

- * It updates its current state.

- * It starts again above at step 2.

-5. If there are no entries, it sleeps for a configured amount of time and starts back at step 2.

-description: This article provides answers to the frequently asked questions about Events.

-### Can I use Events with a different FHIR/DICOM service other than the Azure Health Data Services FHIR/DICOM service?

-### What FHIR resource events does Events support?

-### Does Events support FHIR bundles?

-### What DICOM image events does Events support?

-### What is the payload of an Events message?

-### What is the throughput for the Events messages?

-### How am I charged for using Events?

-### How do I subscribe to multiple FHIR and/or DICOM services in the same workspace separately?

-### Can I use the same subscriber for multiple workspaces, FHIR accounts, or DICOM accounts?

-### Is Event Grid compatible with HIPAA and HITRUST compliance obligations?

-### What is the expected time to receive an Events message?

-### Is it possible to receive duplicate Events messages?

-### More frequently asked questions

-The MedTech service enables IoT devices to seamless integration with FHIR services. This reference architecture is designed to accelerate adoption of Internet of Things (IoT) projects. This solution uses Azure Databricks for the Machine Learning (ML) compute. However, Azure Machine Learning Services with Kubernetes or a partner ML solution could fit into the Machine Learning Scoring Environment.

-**Data ingest ΓÇô Steps 1 through 5**

-4. PHI IoT payload moves from Azure IoT Hub to the MedTech service. The MedTech service icon represents multiple Azure services.

-5. Three parts to number 5:

- a. The MedTech service requests Patient resource from the FHIR service.

- b. The FHIR service sends Patient resource back to the MedTech service.

- c. IoT Patient Observation is record in the FHIR service.

-**Machine Learning and AI Data Route ΓÇô Steps 6 through 11**

-8. IoT payload with PHI is sent to an event hub for distribution to Machine Learning compute and storage.

-9. PHI IoT payload is sent to Azure Data Lake Storage Gen 2 for scoring observation over longer time windows.

-10. PHI IoT payload is sent to Azure Databricks for windowing, data fitting, and data scoring.

-11. The Azure Databricks requests more patient data from data lake as needed. a. Azure Databricks also sends a copy of the scored data to the data lake.

-**Notification and Care Coordination ΓÇô Steps 12 - 18**

-13. RiskAssessment and/or Flag resource submitted to FHIR service. a. For each observation window, a RiskAssessment resource is submitted to the FHIR service. b. For observation windows where the risk assessment is outside the acceptable range a Flag resource should also be submitted to the FHIR service.

-In this article, we explore using the MedTech service and Microsoft Power Business Intelligence (BI).

-You can even embed Power BI dashboards inside the Microsoft Teams client to further enhance care team coordination. For more information on embedding Power BI in Teams, visit [here](/power-bi/collaborate-share/service-embed-report-microsoft-teams).

-You can even embed Power BI Dashboards inside the Microsoft Teams client. For more information on embedding Power BI in Microsoft Team visit [here](/power-bi/collaborate-share/service-embed-report-microsoft-teams).

-### Where is the MedTech service available?

-### Can I use the MedTech service with a different FHIR service other than the Azure Health Data Services FHIR service?

-### What versions of FHIR does the MedTech service support?

-### Why do I have to provide device and FHIR destination mappings to the MedTech service?

-### Is JsonPathContent still supported by the MedTech service device mapping?

-### How long does it take for device data to show up in the FHIR service?

-### Why are the device messages added to the event hub not showing up as FHIR Observations in the FHIR service?

-### Does the MedTech service perform backups of device messages?

-### What are the subscription quota limits for the MedTech service?

-### Can I use the MedTech service with device messages from Apple&#174;, Google&#174;, or Fitbit&#174; devices?

-For frequently asked questions, see [Peering Service - FAQ](service-faqs.yml).

-description: Azure Internet peering for Communications Services walkthrough.

-# Azure Internet peering for Communications Services walkthrough

-This section explains the steps a Communications Services Provider needs to follow to establish a Direct interconnect with Microsoft.

-**Communications Services Providers:** Communications Services Providers are the organizations which offer communication services (Communications, messaging, conferencing etc.) and are looking to integrate their communications services infrastructure (SBC/SIP Gateway etc.) with Azure Communication Services and Microsoft Teams.

-Azure Internet peering support Communications Services Providers to establish direct interconnect with Microsoft at any of its edge sites (pop locations). The list of all the public edges sites is available in [PeeringDB](https://www.peeringdb.com/net/694).

-The Azure Internet peering provides highly reliable and QoS (Quality of Service) enabled interconnect for Communications services to ensure high quality and performance centric services.

-The technical requirements to establish direct interconnect for Communication Services are as following:

-## Establishing Direct Interconnect with Microsoft for Communications Services.

-To establish a direct interconnect using Azure Internet peering please follow the below steps:

-**1. Associate Peer public ASN to the Azure Subscription:**

-In case Peer already associated public ASN to Azure subscription, please ignore this step.

-[Associate peer ASN to Azure subscription using the portal - Azure | Microsoft Docs](./howto-subscription-association-portal.md)

-The next step is to create a Direct peering connection for Peering Service.

-> [!NOTE]

-> Once ASN association is approved, email us at peeringservice@microsoft.com with your ASN and subscription ID to associate your subscription with Communications services.

-**2. Create Direct peering connection for Peering Service:**

-Follow the instructions to [Create or modify a Direct peering using the portal](./howto-direct-portal.md)

-Ensure it meets high-availability requirement.

-Please ensure you are selecting following options on ΓÇ£Create a PeeringΓÇ¥ Page:

-Peering Type: **Direct**

-Microsoft Network: **8075 (with Voice)**

-SKU: **Premium Free**

-Under ΓÇ£Direct Peering Connection PageΓÇ¥ select following options:

-Session Address provider: **Microsoft**

-Use for Peering

-> [!NOTE]

-> Ignore the following message while selecting for activating for Peering Services.

-> *Do not enable unless you have contacted peering@microsoft.com about becoming a MAPS provider.*

-**3. Register your prefixes for Optimized Routing**

-For optimized routing for your Communication services infrastructure prefixes, you should register all your prefixes with your peering interconnects.

-Please ensure that the prefixes registered are being announced over the direct interconnects established in that location.

-If the same prefix is announced in multiple peering locations, it is sufficient to register them with just one of the peerings in order to retrieve the unique prefix keys after validation.

-> [!NOTE]

-> The Connection State of your peering connections must be Active before registering any prefixes.

-**Prefix Registration**

-1. If you are an Operator Connect Partner, you would be able to see the ΓÇ£Register PrefixΓÇ¥ tab on the left panel of your peering resource page.

- :::image type="content" source="media/registered-prefixes-under-direct-peering.png" alt-text="Screenshot of registered prefixes tab under a peering enabled for Peering Service." :::

-2. Register prefixes to access the activation keys.

- :::image type="content" source="media/registered-prefixes-blade.png" alt-text="Screenshot of registered prefixes blade with a list of prefixes and keys." :::

- :::image type="content" source="media/registered-prefix-example.png" alt-text="Screenshot showing a sample prefix being registered." :::

- :::image type="content" source="media/prefix-after-registration.png" alt-text="Screenshot of registered prefixes blade showing a new prefix added." :::

-**Prefix Activation**

-In the previous steps, you registered the prefix and generated the prefix key. The prefix registration DOES NOT activate the prefix for optimized routing (and will not even accept <\/24 prefixes) and it requires prefix activation and alignment to the right partner (In this case the OC partner) and the appropriate interconnect location (to ensure cold potato routing).

-Below are the steps to activate the prefix.

-1. Look for ΓÇ£Peering ServicesΓÇ¥ resource

- :::image type="content" source="media/peering-service-search.png" alt-text="Screenshot on searching for Peering Service on Azure portal." :::

-

- :::image type="content" source="media/peering-service-list.png" alt-text="Screenshot of a list of existing peering services." :::

-2. Create a new Peering Service resource

- :::image type="content" source="media/create-peering-service.png" alt-text="Screenshot showing how to create a new peering service." :::

-3. Provide details on the location, provider and primary and backup interconnect location. If backup location is set to ΓÇ£noneΓÇ¥, the traffic will fail over the internet.

- If you are an Operator Connect partner, you would be able to see yourself as the provider.

- The prefix key should be the same as the one obtained in the "Prefix Registration" step.

- :::image type="content" source="media/peering-service-properties.png" alt-text="Screenshot of the fields to be filled to create a peering service." :::

- :::image type="content" source="media/peering-service-deployment.png" alt-text="Screenshot showing the validation of peering service resource before deployment." :::

-## FAQs:

-**A.** Yes, Microsoft Azure Peering service supports smaller prefix routing also. Please ensure that you are registering the smaller prefixes for routing and the same are announced over the interconnects.

-**A.** Microsoft announces all of Microsoft's public service prefixes over these interconnects. This will ensure not only Communications but other cloud services are accessible from the same interconnect.

-**A.** Yes, a private ASN cannot be in the AS path. For registered prefixes smaller than /24, the AS path must be less than four.

-**A.** 10Gbps.

-**A.** Settlement free and entire path is optimized for voice traffic over Microsoft WAN and convergence is tuned for sub-second with BFD.

-**A.** Time will be variable depending on number and location of sites, and if Peer is migrating existing private peerings or establishing new cabling. Carrier should plan for 3+ weeks.

-**A.** Currently there is no API support, and configuration must be performed via web portal.

-The error codes listed in the following table may be returned by an operation on Azure key vault

-1. Select the Private Endpoint radio button in the Networking tab.

-1. Select the "+ Add" Button to add a private endpoint.

- 

-1. If there are any connections that are pending, you will see a connection listed with "Pending" in the provisioning state.

-If you run the ns lookup command to resolve the IP address of a key vault over a public endpoint, you will see a result that looks like this:

-If you run the ns lookup command to resolve the IP address of a key vault over a private endpoint, you will see a result that looks like this:

- 4. You may also navigate to the private endpoint resource and review same properties there, and double-check that the virtual network matches the one you are using.

-* Check to make sure the Private DNS Zone is linked to the Virtual Network. This may be the issue if you are still getting the public IP address returned.

- 1. If the Private Zone DNS is not linked to the virtual network, the DNS query originating from the virtual network will return the public IP address of the key vault.

-* Check to make sure the Private DNS Zone is not missing an A record for the key vault.

- 2. Select Overview and check if there is an A record with the simple name of your key vault (i.e. fabrikam). Do not specify any suffix.

-* If you are connecting from an on-prem resource to a Key Vault, ensure you have all required conditional forwarders in the on-prem environment enabled.

- 1. Review [Azure Private Endpoint DNS configuration](../../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration) for the zones needed, and make sure you have conditional forwarders for both `vault.azure.net` and `vaultcore.azure.net` on your on-prem DNS.

- 

- 

-* Export a service from one member cluster to the Fleet resource. Once successfully exported, the service and its endpoints are synced to the hub, which other member clusters (or any Fleet resource-scoped load balancer) can consume.

-[Create an Azure Kubernetes Fleet Manager resource and group multiple AKS clusters as member clusters of the fleet](./quickstart-create-fleet-and-members.md).

-* UDP traffic isn't supported on Cross-region Load Balancer.

-1. To SNC from SAP, you need to download the following files and have them ready to upload to your logic app resource. For more information, see [SNC prerequisites](#snc-prerequisites-standard):

-description: Identify and manage common pitfalls of ML models with Azure Machine Learning's automated machine learning solutions.

-# Prevent overfitting and imbalanced data with automated machine learning

-Overfitting and imbalanced data are common pitfalls when you build machine learning models. By default, Azure Machine Learning's automated machine learning provides charts and metrics to help you identify these risks, and implements best practices to help mitigate them.

-Overfitting in machine learning occurs when a model fits the training data too well, and as a result can't accurately predict on unseen test data. In other words, the model has simply memorized specific patterns and noise in the training data, but is not flexible enough to make predictions on real data.

-Considering model **A**, there is a common misconception that if test accuracy on unseen data is lower than training accuracy, the model is overfitted. However, test accuracy should always be less than training accuracy, and the distinction for overfit vs. appropriately fit comes down to *how much* less accurate.

-When comparing models **A** and **B**, model **A** is a better model because it has higher test accuracy, and although the test accuracy is slightly lower at 95%, it is not a significant difference that suggests overfitting is present. You wouldn't choose model **B** simply because the train and test accuracies are closer together.

-Model **C** represents a clear case of overfitting; the training accuracy is very high but the test accuracy isn't anywhere near as high. This distinction is subjective, but comes from knowledge of your problem and data, and what magnitudes of error are acceptable.

-In the most egregious cases, an overfitted model assumes that the feature value combinations seen during training will always result in the exact same output for the target.

-The best way to prevent overfitting is to follow ML best-practices including:

-In the context of automated ML, the first three items above are **best-practices you implement**. The last three bolded items are **best-practices automated ML implements** by default to protect against overfitting. In settings other than automated ML, all six best-practices are worth following to avoid overfitting models.

-Using **more data** is the simplest and best possible way to prevent overfitting, and as an added bonus typically increases accuracy. When you use more data, it becomes harder for the model to memorize exact patterns, and it is forced to reach solutions that are more flexible to accommodate more conditions. It's also important to recognize **statistical bias**, to ensure your training data doesn't include isolated patterns that won't exist in live-prediction data. This scenario can be difficult to solve, because there may not be overfitting between your train and test sets, but there may be overfitting present when compared to live test data.

-**Target leakage** is a similar issue, where you may not see overfitting between train/test sets, but rather it appears at prediction-time. Target leakage occurs when your model "cheats" during training by having access to data that it shouldn't normally have at prediction-time. For example, if your problem is to predict on Monday what a commodity price will be on Friday, but one of your features accidentally included data from Thursdays, that would be data the model won't have at prediction-time since it cannot see into the future. Target leakage is an easy mistake to miss, but is often characterized by abnormally high accuracy for your problem. If you are attempting to predict stock price and trained a model at 95% accuracy, there is likely target leakage somewhere in your features.

-**Removing features** can also help with overfitting by preventing the model from having too many fields to use to memorize specific patterns, thus causing it to be more flexible. It can be difficult to measure quantitatively, but if you can remove features and retain the same accuracy, you have likely made the model more flexible and have reduced the risk of overfitting.

-## Best practices automated ML implements

-**Regularization** is the process of minimizing a cost function to penalize complex and overfitted models. There are different types of regularization functions, but in general they all penalize model coefficient size, variance, and complexity. Automated ML uses L1 (Lasso), L2 (Ridge), and ElasticNet (L1 and L2 simultaneously) in different combinations with different model hyperparameter settings that control overfitting. In simple terms, automated ML will vary how much a model is regulated and choose the best result.

-Automated ML also implements explicit **model complexity limitations** to prevent overfitting. In most cases this implementation is specifically for decision tree or forest algorithms, where individual tree max-depth is limited, and the total number of trees used in forest or ensemble techniques are limited.

-**Cross-validation (CV)** is the process of taking many subsets of your full training data and training a model on each subset. The idea is that a model could get "lucky" and have great accuracy with one subset, but by using many subsets the model won't achieve this high accuracy every time. When doing CV, you provide a validation holdout dataset, specify your CV folds (number of subsets) and automated ML will train your model and tune hyperparameters to minimize error on your validation set. One CV fold could be overfitted, but by using many of them it reduces the probability that your final model is overfitted. The tradeoff is that CV does result in longer training times and thus greater cost, because instead of training a model once, you train it once for each *n* CV subsets.

-> Cross-validation is not enabled by default; it must be configured in automated ML settings. However, after cross-validation is configured and a validation data set has been provided, the process is automated for you. Learn more about [cross validation configuration in Auto ML (SDK v1)](./v1/how-to-configure-cross-validation-data-splits.md?view=azureml-api-1&preserve-view=true)

-In addition, automated ML jobs generate the following charts automatically, which can help you understand the correctness of the classifications of your model, and identify models potentially impacted by imbalanced data.

-As part of its goal of simplifying the machine learning workflow, **automated ML has built in capabilities** to help deal with imbalanced data such as,

-The following techniques are additional options to handle imbalanced data **outside of automated ML**.

-See examples and learn how to build models using automated machine learning:

-+ Follow the [Tutorial: Train an object detection model with AutoML and Python](tutorial-auto-train-image-models.md).

-monikerRange: 'azureml-api-2'

-When deleting a workspace from the Azure Portal, check __Delete the workspace permanently__. You can permanently delete only one workspace at a time, and not using a batch operation.

-If you are using the [Azure Machine Learning SDK or CLI](https://learn.microsoft.com/python/api/azure-ai-ml/azure.ai.ml.operations.workspaceoperations#azure-ai-ml-operations-workspaceoperations-begin-delete), you can set the `permanently_delete` flag.

-Automated ML supports NLP which allows ML professionals and data scientists to bring their own text data and build custom models for tasks such as, multi-class text classification, multi-label text classification, and named entity recognition (NER).

-You can seamlessly integrate with the [Azure Machine Learning data labeling](how-to-create-text-labeling-projects.md) capability to label your text data or bring your existing labeled data. Automated ML provides the option to use distributed training on multi-GPU compute clusters for faster model training. The resulting model can be operationalized at scale by leveraging Azure Machine Learning's MLOps capabilities.

-* An Azure Machine Learning workspace with a GPU training compute. To create the workspace, see [Create workspace resources](quickstart-create-resources.md). See [GPU optimized virtual machine sizes](../virtual-machines/sizes-gpu.md) for more details of GPU instances provided by Azure.

-* An Azure Machine Learning workspace with a GPU training compute. To create the workspace, see [Create workspace resources](quickstart-create-resources.md). See [GPU optimized virtual machine sizes](../virtual-machines/sizes-gpu.md) for more details of GPU instances provided by Azure.

- * Create a compute instance, which automatically installs the SDK and is pre-configured for ML workflows. See [Create and manage an Azure Machine Learning compute instance](how-to-create-manage-compute-instance.md) for more information.

-Multi-class text classification | CLI v2: `text_classification` <br> SDK v2: `text_classification()`| There are multiple possible classes and each sample can be classified as exactly one class. The task is to predict the correct class for each sample. <br> <br> For example, classifying a movie script as "Comedy" or "Romantic".

-Multi-label text classification | CLI v2: `text_classification_multilabel` <br> SDK v2: `text_classification_multilabel()`| There are multiple possible classes and each sample can be assigned any number of classes. The task is to predict all the classes for each sample<br> <br> For example, classifying a movie script as "Comedy", or "Romantic", or "Comedy and Romantic".

-Thresholding is the multi-label feature that allows users to pick the threshold above which the predicted probabilities will lead to a positive label. Lower values allow for more labels, which is better when users care more about recall, but this option could lead to more false positives. Higher values allow fewer labels and hence better for users who care about precision, but this option could lead to more false negatives.

-For NLP experiments in automated ML, you can bring your data in `.csv` format for multi-class and multi-label classification tasks. For NER tasks, two-column `.txt` files that use a space as the separator and adhere to the CoNLL format are supported. The following sections provide additional detail for the data format accepted for each task.

-Before training, automated ML applies data validation checks on the input data to ensure that the data can be preprocessed correctly. If any of these checks fail, the run fails with the relevant error message. The following are the requirements to pass data validation checks for each task.

-Multi-label only | - The label column format must be in [accepted format](#multi-label) <br> - At least one sample should have 0 or 2+ labels, otherwise it should be a `multiclass` task <br> - All labels should be in `str` or `int` format, with no overlapping. You should not have both label `1` and label `'1'`

-NER only | - The file should not start with an empty line <br> - Each line must be an empty line, or follow format `{token} {label}`, where there is exactly one space between the token and the label and no white space after the label <br> - All labels must start with `I-`, `B-`, or be exactly `O`. Case sensitive <br> - Exactly one empty line between two samples <br> - Exactly one empty line at the end of the file

-* You can ignore `primary_metric`, as it is only for reporting purposes. Currently, automated ML only trains one model per run for NLP and there is no model selection.

- * In order to use the long range text feature, you should use a NC6 or higher/better SKUs for GPU such as: [NCv3](../virtual-machines/ncv3-series.md) series or [ND](../virtual-machines/nd-series.md) series.

-For CLI v2 AutoML jobs you configure your experiment in a YAML file like the following.

-For AutoML jobs via the SDK, you configure the job with the specific NLP task function. The following example demonstrates the configuration for `text_classification`.

-Note that the large models are significantly larger than their base counterparts. They are typically more performant, but they take up more GPU memory and time for training. As such, their SKU requirements are more stringent: we recommend running on ND-series VMs for the best results.

-| gradient_accumulation_steps | The number of backward operations whose gradients are to be summed up before performing one step of gradient descent by calling the optimizer's step function. <br><br> This is leveraged to use an effective batch size which is gradient_accumulation_steps times larger than the maximum size that fits the GPU. | Must be a positive integer.

-You can configure all the sweep-related parameters. Multiple model subspaces can be constructed with hyperparameters conditional to the respective model, as seen below in each example.

-AutoML NLP also supports `trial_timeout_minutes`, the maximum amount of time in minutes an individual trial can run before being terminated, and `max_nodes`, the maximum number of nodes from the backing compute cluster to leverage for the job. These parameters also belong to the `limits` section.

-You can configure all the sweep related parameters as shown in the example below.

-Dealing with very low scores, or higher loss values:

-For certain datasets, regardless of the NLP task, the scores produced may be very low, sometimes even zero. This would be accompanied by higher loss values implying that the neural network failed to converge. This can happen more frequently on certain GPU SKUs.

-While such cases are uncommon, they're possible and the best way to handle it is to leverage hyperparameter tuning and provide a wider range of values, especially for hyperparameters like learning rates. Until our hyperparameter tuning capability is available in production we recommend users, who face such issues, to leverage the NC6 or ND6 compute clusters, where we've found training outcomes to be fairly stable.

-+ [Troubleshoot automated ML experiments (SDK v1)](./v1/how-to-troubleshoot-auto-ml.md?view=azureml-api-1&preserve-view=true)

-The preceding registration of the environment specifies a non-GPU docker image `mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1` by passing the value to the `environment-version.json` template using the `dockerImage` parameter. For a GPU compute, provide a value for a GPU docker image to the template (using the `dockerImage` parameter) and provide a GPU compute type SKU to the `online-endpoint-deployment.json` template (using the `skuName` parameter).

-> * [Virtual network overview](how-to-network-security-overview.md)

-* [Virtual network overview](how-to-network-security-overview.md)

-> [!TIP]

-> CORS (Cross-origin resource sharing) is a way to allow resources on a webpage to be requested from another domain. CORS works via HTTP headers sent with the client request and returned with the service response. For more information on CORS and valid headers, see [Cross-origin resource sharing](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) in Wikipedia. See [here](v1/how-to-deploy-advanced-entry-script.md#cross-origin-resource-sharing-cors) for an example of the scoring script.

-5. Select the training applications you want to use to interact with the job.

-> [!TIP]

-> For information on logging metrics in Azure Machine Learning designer, see [How to log metrics in the designer](./v1/how-to-track-designer-experiments.md).

-* Learn how to enable [interpretability for automated machine learning models](./v1/how-to-machine-learning-interpretability-automl.md).

- image: mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1

- image="mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1",

- image: mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1

- image="mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1",

-If you accidentally deleted your workspace, are still able to retrieve your notebooks. For more information, see the [workspace deletion](./v1/how-to-high-availability-machine-learning.md#workspace-deletion) section of the disaster recovery article.

-If you accidentally deleted your workspace, you may still be able to retrieve your notebooks. For details, see [Failover for business continuity and disaster recovery](./v1/how-to-high-availability-machine-learning.md#workspace-deletion).

-description: Learn how to discover, evaluate, fine-tune and deploy Open Source Foundation Models in Azure Machine Learning

-# How to use Open Source Foundation Models curated by Azure Machine Learning (preview)

-In this article, you learn how to access and evaluate Foundation Models using Azure Machine Learning automated ML in the [Azure Machine Learning studio](overview-what-is-azure-machine-learning.md#studio). Additionally, you learn how to fine-tune each model and how to deploy the model at scale.

-Foundation Models are machine learning models that have been pre-trained on vast amounts of data, and that can be fine tuned for specific tasks with relatively small amount of domain specific data. These models serve as a starting point for custom models and accelerate the model building process for a variety of tasks including natural language processing, computer vision, speech and generative AI tasks. Azure Machine Learning provides the capability to easily integrate these pre-trained Foundation Models into your applications. **Foundation Models in Azure Machine Learning** provides Azure Machine Learning native capabilities that enable customers to discover, evaluate, fine tune, deploy and operationalize open-source Foundation Models at scale.

-## How to access Foundation Models in Azure Machine Learning

-The 'Model catalog' (preview) in Azure Machine Learning Studio is a hub for discovering Foundation Models. The Open Source Models collection is a repository of the most popular open source Foundation Models curated by Azure Machine Learning. These models are packaged for out of the box usage and are optimized for use in Azure Machine Learning. Currently, it includes the top open source large language models, with support for other tasks coming soon. You can view the complete list of supported open source Foundation Models in the [Model catalog](https://ml.azure.com/model/catalog), under the `Open Source Models` collection.

-You can filter the list of models in the Model catalog by Task, or by license. Select a specific model name and the see a model card for the selected model, which lists detailed information about the model. For example:

->If you are using a private workspace, your virtual network needs to allow outbound access in order to use Foundation Models in Azure Machine Learning

-## How to evaluate Foundation Models using your own test data

-### Evaluating using UI wizard

-You can invoke the Evaluate UI wizard by clicking on the 'Evaluate' button on the model card for any foundation model.

-An image of the Evaluation Settings wizard:

-1. Select 'Finish' in the Evaluate wizard to submit your evaluation job. Once the job completes, you can view evaluation metrics for the model. Based on the evaluation metrics, you might decide if you would like to finetune the model using your own training data. Additionally, you can decide if you would like to register the model and deploy it to an endpoint.

-To enable users to get started with model evaluation, we have published samples (both Python notebooks and CLI examples) in the [Evaluation samples in azureml-examples git repo](https://github.com/Azure/azureml-examples/tree/main/sdk/python/foundation-models/system/evaluation). Each model card also links to Evaluation samples for corresponding tasks

-## How to finetune Foundation Models using your own training data

-In order to improve model performance in your workload, you might want to fine tune a foundation model using your own training data. You can easily finetune these Foundation Models by using either the Finetune UI wizard or by using the code based samples linked from the model card.

-### Finetuning using the UI wizard

-You can invoke the Finetune UI wizard by clicking on the 'Finetune' button on the model card for any foundation model.

-**Finetuning Settings:**

-* Validation data: Pass in the data you would like to use to validate your model. Selecting 'Automatic split' reserves an automatic split of training data for validation. Alternatively, you can provide a different validation dataset.

-* Test data: Pass in the test data you would like to use to evaluate your finetuned model. Selecting 'Automatic split' reserves an automatic split of training data for test.

-* Compute: Provide the Azure Machine Learning Compute cluster you would like to use for finetuning the model. Fine tuning needs to run on GPU compute. We recommend using compute SKUs with A100 / V100 GPUs when fine tuning. Ensure that you have sufficient compute quota for the compute SKUs you wish to use.

-3. Select 'Finish' in the Finetune Wizard to submit your finetuning job. Once the job completes, you can view evaluation metrics for the finetuned model. You can then go ahead and register the finetuned model output by the finetuning job and deploy this model to an endpoint for inferencing.

-**Advanced Finetuning Parameters:**

-The Finetuning UI wizard, allows you to perform basic finetuning by providing your own training data. Additionally, there are several advanced finetuning parameters, such as learning rate, epochs, batch size, etc., described in the Readme file for each task [here](https://github.com/Azure/azureml-assets/tree/main/training/finetune_acft_hf_nlp/components/finetune). Each of these settings has default values, but can be customized via code based samples, if needed.

-To enable users to quickly get started with fine tuning, we have published samples (both Python notebooks and CLI examples) for each task in the [azureml-examples git repo Finetune samples](https://github.com/Azure/azureml-examples/tree/main/sdk/python/foundation-models/system/finetune). Each model card also links to Finetuning samples for supported finetuning tasks.

-## Deploying Foundation Models to endpoints for inferencing

-You can deploy Foundation Models (both pre-trained models from the model catalog, and finetuned models, once they're registered to your workspace) to an endpoint that can then be used for inferencing. Deployment to both real time endpoints and batch endpoints is supported. You can deploy these models by using either the Deploy UI wizard or by using the code based samples linked from the model card.

-### Deploying using the UI wizard

-## Import Foundation Models

-If you're looking to use an open source model that isn't included in the Model Catalog, you can import the model from Hugging Face into your Azure Machine Learning workspace. Hugging Face is an open-source library for natural language processing (NLP) that provides pre-trained models for popular NLP tasks. Currently, model import supports importing models for the following tasks, as long as the model meets the requirements listed in the Model Import Notebook:

-You can select the "Import" button on the top-right of the Model Catalog to use the Model Import Notebook.

-To learn about how foundation model compares to other methods of training, visit [Foundation Models.](./concept-foundation-models.md)

-## Azure Government

-| [Custom Cognitive Search](how-to-deploy-model-cognitive-search.md) | Public Preview | YES | YES |

-| Disable/control internet access (inbound and outbound) and specific VNet | PARTIAL| PARTIAL | |

-| Maintain the security of deployed systems (instances, endpoints, etc.), including endpoint protection, patching, and logging | PARTIAL| PARTIAL |ACI behind VNet currently not available |

-| Control (disable/limit/restrict) the use of ACI/AKS integration | PARTIAL| PARTIAL |ACI behind VNet currently not available|

-| Control access to ACR images used by ML Service (Azure provided/maintained versus custom) |PARTIAL| PARTIAL | |

-## Azure China 21Vianet

-If you accidentally deleted your workspace, are still able to retrieve your notebooks. For more information, see the [workspace deletion](how-to-high-availability-machine-learning.md#workspace-deletion) section of the disaster recovery article.

-If you accidentally deleted your workspace, you may still be able to retrieve your notebooks. For details, see [Failover for business continuity and disaster recovery](how-to-high-availability-machine-learning.md#workspace-deletion).

-description: This article provides the list of Azure Network Watcher traffic analytics supported regions.

-# Azure Network Watcher traffic analytics supported regions

-This article provides the list of regions supported by Traffic Analytics. You can view the list of supported regions of both NSG and Log Analytics Workspaces below.

-## Supported regions: NSG

-You can use traffic analytics for NSGs in any of the following supported regions:

-## Supported regions: Log Analytics Workspaces

-The Log Analytics workspace must exist in the following regions:

-> If NSGs support a region, but the log analytics workspace does not support that region for traffic analytics as per above lists, then you can use log analytics workspace of any other supported region as a workaround.

-| Sweden Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

-In the context of *Azure Monitor for SAP solutions*, a *provider* contains the connection information for a corresponding component and helps to collect data from there. There are multiple provider types. For example, an SAP HANA provider is configured for a specific component within the SAP landscape, like an SAP HANA database. You can configure an Azure Monitor for SAP solutions resource (also known as SAP monitor resource) with multiple providers of the same type or multiple providers of multiple types.

-You can choose to configure different provider types for data collection from the corresponding component in their SAP landscape. For example, you can configure one provider for the SAP HANA provider type, another provider for high availability cluster provider type, and so on.

-

-It's recommended to configure at least one provider when you deploy an Azure Monitor for SAP solutions resource. By configuring a provider, you start data collection from the corresponding component for which the provider is configured.

-If you don't configure any providers at the time of deployment, the Azure Monitor for SAP solutions resource is still deployed, but no data is collected. You can add providers after deployment through the SAP monitor resource within the Azure portal. You can add or delete providers from the SAP monitor resource at any time.

-You can configure one or more providers of provider type SAP NetWeaver to enable data collection from SAP NetWeaver layer. Azure Monitor for SAP solutions NetWeaver provider uses the existing

-You can get the following data with the SAP NetWeaver provider:

-For SOAP Web Methods:

- - Fully Qualified Domain Name of SAP Web dispatcher OR SAP Application server.

- - SAP System ID, Instance no.

- - Host file entries of all SAP application servers that get listed via SAPcontrol "GetSystemInstanceList" web method.

- - Fully Qualified Domain Name of SAP Web dispatcher OR SAP Application server.

- - SAP System ID, Instance no.

- - SAP Client ID, HTTP port, SAP Username and Password for login.

- - Host file entries of all SAP application servers that get listed via SAPcontrol "GetSystemInstanceList" web method.

-Check [SAP NetWeaver provider](provider-netweaver.md) creation for more detail steps.

-

-You can configure one or more providers of provider type *SAP HANA* to enable data collection from SAP HANA database. The SAP HANA provider connects to the SAP HANA database over SQL port, pulls data from the database, and pushes it to the Log Analytics workspace in your subscription. The SAP HANA provider collects data every 1 minute from the SAP HANA database.

-You can see the following data with the SAP HANA provider:

-Configuring the SAP HANA provider requires:

-It's recommended to configure the SAP HANA provider against **SYSTEMDB**. However, more providers can be configured against other database tenants.

-Check [SAP HANA provider](provider-hana.md) creation for more detail steps.

-

-## Provider type: Microsoft SQL server

-You can configure one or more Microsoft SQL Server providers to enable data collection from [SQL Server on Virtual Machines](https://azure.microsoft.com/services/virtual-machines/sql-server/). The SQL Server provider connects to Microsoft SQL Server over the SQL port. It then pulls data from the database and pushes it to the Log Analytics workspace in your subscription. Configure SQL Server for SQL authentication and for signing in with the SQL Server username and password. Set the SAP database as the default database for the provider. The SQL Server provider collects data from every 60 seconds up to every hour from the SQL server.

-You can get the following data with the SQL Server provider:

-Configuring Microsoft SQL Server provider requires:

-Check [SQL Database provider](provider-sql-server.md) creation for more detail steps.

-

-You can configure one or more providers of provider type *High-availability cluster* to enable data collection from Pacemaker cluster within the SAP landscape. The High-availability cluster provider connects to Pacemaker using the [ha_cluster_exporter](https://github.com/ClusterLabs/ha_cluster_exporter) for **SUSE** based clusters and by using [Performance co-pilot](https://access.redhat.com/articles/6139852) for **RHEL** based clusters. Azure Monitor for SAP solutions then pulls data from cluster and pushes it to Log Analytics workspace in your subscription. The High-availability cluster provider collects data every 60 seconds from Pacemaker.

-You can get the following data with the High-availability cluster provider:

-

-To configure a High-availability cluster provider, two primary steps are involved:

- You have two options for installing ha_cluster_exporter:

-2. Configure a High-availability cluster provider for *each* node within the Pacemaker cluster.

- To configure the High-availability cluster provider, the following information is required:

- - **Name**. A name for this provider. It should be unique for this Azure Monitor for SAP solutions instance.

- - **Prometheus Endpoint**. `http://<servername or ip address>:9664/metrics`.

- - **SID**. For SAP systems, use the SAP SID. For other systems (for example, NFS clusters), use a three-character name for the cluster. The SID must be distinct from other clusters that are monitored.

- - **Cluster name**. The cluster name used when creating the cluster. The cluster name can be found in the cluster property `cluster-name`.

- - **Hostname**. The Linux hostname of the virtual machine (VM).

- Check [High Availability Cluster provider](provider-ha-pacemaker-cluster.md) creation for more detail steps.

-You can configure one or more providers of provider type OS (Linux) to enable data collection from a BareMetal or VM node. The OS (Linux) provider connects to BareMetal or VM nodes using the [Node_Exporter](https://github.com/prometheus/node_exporter) endpoint. It then pulls data from the nodes and pushes it to Log Analytics workspace in your subscription. The OS (Linux) provider collects data every 60 seconds for most of the metrics from the nodes.

-You can get the following data with the OS (Linux) provider:

- - CPU usage, CPU usage by process

- - Disk usage, I/O read & write

- - Memory distribution, memory usage, swap memory usage

- - Network usage, network inbound & outbound traffic details

- You have two options for installing [Node_exporter](https://github.com/prometheus/node_exporter):

- - For automated installation with Ansible, use [Node_Exporter](https://github.com/prometheus/node_exporter) on each BareMetal or VM node to install the OS (Linux) Provider.

- - **Name**: a name for this provider, unique to the Azure Monitor for SAP solutions instance.

- - **Node Exporter endpoint**: usually `http://<servername or ip address>:9100/metrics`.

-Port 9100 is exposed for the **Node_Exporter** endpoint.

-Check [Operating System provider](provider-linux.md) creation for more detail steps.

-> Make sure **Node-Exporter** keeps running after the node reboot.

-You can configure one or more IBM Db2 providers to enable data collection from IBM Db2 servers. The Db2 Server provider connects to database over given port. It then pulls data from the database and pushes it to the Log Analytics workspace in your subscription. The Db2 Server provider collects data from every 60 seconds up to every hour from the DB2 server.

-You can get the following data with the IBM Db2 provider:

-Configuring IBM Db2 provider requires:

-Check [IBM Db2 provider](provider-ibm-db2.md) creation for more detail steps.

-

-# Set up network for Azure Monitor for SAP solutions

-In this how-to guide, you'll learn how to configure an Azure virtual network so that you can deploy *Azure Monitor for SAP solutions*.

-## Create new subnet

-Azure Functions is the data collection engine for Azure Monitor for SAP solutions. You'll need to create a new subnet to host Azure Functions.

-[Craete a new subnet](../../azure-functions/functions-networking-options.md#subnets) with an **IPv4/25** block or larger. Since we need atleast 100 IP addresses for monitoring resources.

-After subnet creation is successful, verify the below steps to ensure connectivity between Azure Monitor for SAP solutions subnet to your SAP environment subnet.

-## Using Custom DNS for Virtual Network

-This section only applies to if you are using Custom DNS for your Virtual Network. Add the IP Address 168.63.129.16 which points to Azure DNS Server. This will resolve the storage account and other resource urls which are required for proper functioning of Azure Monitor for SAP Solutions. see below reference image.

-> 

-In many use cases, you might choose to restrict or block outbound internet access to your SAP network environment. However, Azure Monitor for SAP solutions requires network connectivity between the [subnet that you configured](#create-new-subnet) and the systems that you want to monitor. Before you deploy an Azure Monitor for SAP solutions resource, you need to configure outbound internet access, or the deployment will fail.

-### Allow Inbound Traffic

-In case you have NSG or User Defined Route rules that block inbound traffic to your SAP Environment, then you need to modify the rules to allow the inbound traffic, also depending on the types of providers you are trying to onboard you have to unblock a few ports as mentioned below.

-| **Provider Type** | **Port Number** |

-| SQL Server | 1433 (can be different if you are not using the default port) |

-| DB2 Server | 25000 (can be different if you are not using the default port) |

-If you use NSGs, you can create Azure Monitor for SAP solutions-related [virtual network service tags](../../virtual-network/service-tags-overview.md) to allow appropriate traffic flow for your deployment. A service tag represents a group of IP address prefixes from a given Azure service.

-You can use this option after you've deployed an Azure Monitor for SAP solutions resource.

- 1. On the app's page, select the **Networking** tab. Then, select **VNET Integration**.

- 1. Review and note the subnet details. You'll need the subnet's IP address to create rules in the next step.

-3. Set new NSG rules for outbound network traffic:

- 1. Select the **Add** button to add the following new rules:

-| **Priority** | **Name** | **Port** | **Protocol** | **Source** | **Destination** | **Action** |

-|--|--|-|--||-||

-| 450 | allow_monitor | 443 | TCP | Azure Function subnet | Azure Monitor | Allow |

-| 501 | allow_keyVault | 443 | TCP | Azure Function subnet | Azure Key Vault | Allow |

-| 550 | allow_storage | 443 | TCP | Azure Function subnet | Storage | Allow |

-| 600 | allow_azure_controlplane | 443 | Any | Azure Function subnet | Azure Resource Manager | Allow |

-| 650 | allow_ams_to_source_system | Any | Any | Azure Function subnet | Virtual Network or comma separated IP addresses of the source system. | Allow |

-| 660 | deny_internet | Any | Any | Any | Internet | Deny |

-For the rules that you create, **allow_vnet** must have a lower priority than **deny_internet**. All other rules also need to have a lower priority than **allow_vnet**. However, the remaining order of these other rules is interchangeable.

-### Use private endpoint

-1. Create a Azure Private DNS zone which will contain the private endpoint records. You can follow the steps in [Create a private DNS zone](../../dns/private-dns-getstarted-portal.md) to create a private DNS zone. Make sure to link the private DNS zone to the virtual networks that contain you SAP System and Azure Monitor for SAP solutions resources.

- > 

-1. Create a subnet in the virtual network, that will be used for the private endpoint. Note down the subnet ID and Private IP Address for these subnets.

-2. To find the resources in the Azure portal, go to your Azure Monitor for SAP solutions resource.

-3. On the **Overview** page for the Azure Monitor for SAP solutions resource, select the **Managed resource group**.

-#### Create key vault endpoint

-You can follow the steps in [Create a private endpoint for Azure Key Vault](../../key-vault/general/private-link-service.md) to configure the endpoint and test the connectivity to key vault.

-#### Create storage endpoint

-It's necessary to create a separate private endpoint for each Azure Storage account resource, including the queue, table, storage blob, and file. If you create a private endpoint for the storage queue, it's not possible to access the resource from systems outside of the virtual networking, including the Azure portal. However, other resources in the same storage account are accessible.

- > 

-1. After the deployment is complete, Navigate back to Storage Account. On the **Networking** page, select the **Firewalls and virtual networks** tab.

-1. Make sure to create private endpoints for all storage sub-resources (table, queue, blob, and file)

-#### Create log analytics endpoint

-It's not possible to create a private endpoint directly for a Log Analytics workspace. To enable a private endpoint for this resource, you can connect the resource to an [Azure Monitor Private Link Scope (AMPLS)](../../azure-monitor/logs/private-link-security.md). Then, you can create a private endpoint for the AMPLS resource.

-If possible, create the private endpoint before you allow any system to access the Log Analytics workspace through a public endpoint. Otherwise, you'll need to restart the Function App before you can access the Log Analytics workspace through the private endpoint.

-1. Select the appropriate scope for the endpoint. Then, select **Apply**.

-1. In the resource menu, under **Configure**, select **Private Endpoint connections**.

-1. On the **Virtual Network** tab, select the virtual network and the subnet that you created specifically for the endpoint. It's not possible to use the same subnet as the Azure Functions app.

-1. In the resource's menu, under **Settings**, select **Network Isolation**.

-If you enable a private endpoint after any system accessed the Log Analytics workspace through a public endpoint, restart the Function App before moving forward. Otherwise, you can't access the Log Analytics workspace through the private endpoint.

-1. On the managed resource group's page, select the **Function App**.

-1. On the Function App's **Overview** page, select **Restart**.

- 1. In the resource group's menu, under **Settings**, select **DNS configuration**.

-1. Find the subnet for the log analytics private endpoint.

- 2. On the private endpoint's menu, under **Settings**, select **DNS configuration**.

- 3. On the **DNS configuration** page, note the associated IP addresses.

- 4. Go to the Azure Monitor for SAP solutions resource in the Azure portal.

- 5. On the **Overview** page, select the **vNet/subnet** to go to that resource.

- 6. On the virtual network page, select the subnet that you used to create the Azure Monitor for SAP solutions resource.

-1. In the NSG menu, under **Settings**, select **Outbound security rules**.

- | 550 | Allow the source IP for making calls to source system to be monitored. |

- | 600 | Allow the source IP for making calls Azure Resource Manager service tag. |

- | 650 | Allow the source IP to access key-vault resource using private endpoint IP. |

- | 700 | Allow the source IP to access storage-account resources using private endpoint IP. (Include IPs for each of storage account sub resources: table, queue, file, and blob) |

- | 800 | Allow the source IP to access log-analytics workspace resource using private endpoint IP. |

-### DNS Configuration for Private Endpoints

-After creating the private endpoints, you need to configure DNS to resolve the private endpoint IP addresses. You can use either Azure Private DNS or custom DNS servers. Refer to [Configure DNS for private endpoints](../../private-link/private-endpoint-dns.md) for more information.

-tags: azure-resource-manager

-keywords: ''

-3. Create an availability set. To achieve redundancy for each tier in a multi-instance deployment, place virtual machines for each tier in an availability set. Make sure you separate the availability sets for each tier based on your architecture.

-5. Deploy Azure NetApp Files volumes by following the instructions in [Create an NFS volume for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-create-volumes.md).

- >[!NOTE]

- >If you have a network security group (NSG) enabled for the subnet, it will be disabled for private endpoints on this subnet only. Other resources on the subnet will still have NSG enforcement.

-9. Select your **private DNS zone** from the dropdown list.

-To reduce the impact of downtime due to one or more events, it's a good idea to:

->[!Important]

->The concepts of Azure availability zones and Azure availability sets are mutually exclusive. You can deploy a pair or multiple VMs into either a specific availability zone or an availability set, but you can't do both.

-> [!Important]

-> SMB Protocol for Azure Files is generally available, but NFS Protocol support for Azure Files is currently in preview. For more information, see [NFS 4.1 support for Azure Files is now in preview](https://azure.microsoft.com/blog/nfs-41-support-for-azure-files-is-now-in-preview/).

- - v1 SKU supports high-availability scenarios when you've deployed two or more instances. Azure distributes these instances across update and fault domains to ensure that instances don't all fail at the same time. You achieve redundancy within the zone.

- - v2 SKU automatically ensures that new instances are spread across fault domains and update domains. If you choose zone redundancy, the newest instances are also spread across availability zones to offer zonal failure resiliency. For more details, see [Autoscaling and Zone-redundant Application Gateway v2](../../application-gateway/application-gateway-autoscaling-zone-redundant.md).

-The following diagram shows the setup of SAP BOBI platform when you're using an availability set running on Linux server. The architecture showcases the use of different services, like Azure Application Gateway, Azure NetApp Files, and Azure Database for MySQL. These services offer built-in redundancy, which reduces the complexity of managing different high availability solutions.

-Notice that the incoming traffic (HTTPS - TCP/443) is load-balanced by using Azure Application Gateway v1 SKU, which is highly available when deployed on two or more instances. Multiple instances of the web server, management servers, and processing servers are deployed in separate VMs to achieve redundancy, and each tier is deployed in separate availability sets. Azure NetApp Files has built-in redundancy within the datacenter, so your Azure NetApp Files volumes for the file repository server will be highly available. The CMS database is provisioned on Azure Database for MySQL, which has inherent high availability. For more information, see [High availability in Azure Database for MySQL](../../mysql/concepts-high-availability.md).

->[!Important]

->The availability of each component in the SAP BOBI platform should be factored in the secondary region, and you must thoroughly test the entire disaster recovery strategy.

-tags: azure-resource-manager

-keywords: ''

-1. Create an availability set:

- - To achieve redundancy for each tier in a multi-instance deployment, place VMs for each tier in an availability set. Make sure you separate the availability sets for each tier based on your architecture.

- For Premium FileStorage, LRS and ZRS are the only options available. Based on your deployment strategy (availability set or availability zone), choose the appropriate redundancy level. For more information, see [Azure Storage redundancy](../../storage/common/storage-redundancy.md).

-SAP BOBI application servers require database client/drivers to access the CMS or audit database. A Microsoft ODBC driver is used to access CMS and audit databases running on SQL Database. This section provides instructions on how to download and set up an ODBC driver on Windows.

-1. Go to the **System DSN** tab.

-Repeat the preceding steps to create a connection for the audit database on the server azuswinboap1. Similarly, install and configure both ODBC data sources (bocms and boaudit) on all BI application servers (azuswinboap2).

-In a multi-instance deployment of the SAP BOBI platform, you want to run several CMS servers together in a cluster. A cluster consists of two or more CMS servers working together against a common CMS system database. If a node that's running on CMS fails, a node with another CMS will continue to service BI platform requests. By default in an SAP BOBI platform, a cluster name reflects the hostname of the first CMS that you install.

-To configure the cluster name on Windows, follow the instructions in the [SAP Business Intelligence Platform Administrator Guide](https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.3.1/en-US). After you configure the cluster name, follow SAP Note [1660440](https://launchpad.support.sap.com/#/notes/1660440) to set the default system entry on the CMC or BI Launchpad sign-in page.

- > Choose the storage redundancy for Azure Premium Files (LRS or ZRS) based on your VM's deployment (availability set or availability zone).

-* [Load Balancer](../../load-balancer/load-balancer-overview.md) is a high-performance, low-latency, layer 4 (TCP, UDP) load balancer that distributes traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to operational VMs. You can choose either a public load balancer or an internal load balancer depending on whether you want the SAP BI platform accessible from the internet or not. It's zone redundant, which ensures high availability across availability zones.

-* [Application Gateway](../../application-gateway/overview.md) provides an application delivery controller as a service, which is used to help applications direct user traffic to one or more web application servers. It offers various layer 7 load-balancing capabilities like TLS/SSL offloading, Web Application Firewall, and cookie-based session affinity for your applications.

-* **Azure NetApp Files**: For Azure NetApp Files, you can create on-demand snapshots and schedule an automatic snapshot by using snapshot policies. Snapshot copies provide a point-in-time copy of your Azure NetApp Files volume. For more information, see [Manage snapshots by using Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-manage-snapshots.md).

-* **Azure Files**: Azure Files backup is integrated with a native instance of [Backup](../../backup/backup-overview.md), which centralizes the backup and restore function along with VM backup and simplifies operation work. For more information, see [Azure file share backup](../../backup/azure-file-share-backup-overview.md) and [FAQs: Back up Azure Files](../../backup/backup-azure-files-faq.yml).

-* **SQL Database** uses SQL Server technology to create [full backups](/sql/relational-databases/backup-restore/full-database-backups-sql-server?preserve-view=true&view=sql-server-ver15) every week, [differential backups](/sql/relational-databases/backup-restore/differential-backups-sql-server?preserve-view=true&view=sql-server-ver15) every 12 to 24 hours, and [transaction log](/sql/relational-databases/backup-restore/transaction-log-backups-sql-server?preserve-view=true&view=sql-server-ver15) backups every 5 to 10 minutes. The frequency of transaction log backups is based on the compute size and the amount of database activity.

-

-* **Azure Database for MySQL** automatically creates server backups and stores in user-configured LRS or GRS. Azure Database for MySQL takes backups of the data files and the transaction log. Depending on the supported maximum storage size, it either takes full and differential backups (4-TB max storage servers) or snapshot backups (up to 16-TB max storage servers). These backups allow you to restore a server at any point in time within your configured backup retention period. The default backup retention period is 7 days, which you can [optionally configure](../../mysql/howto-restore-server-portal.md#set-backup-configuration) up to 35 days. All backups are encrypted by using AES 256-bit encryption. These backup files aren't user exposed and can't be exported. These backups can only be used for restore operations in Azure Database for MySQL. You can use [mysqldump](../../mysql/concepts-migrate-dump-restore.md) to copy a database. For more information, see [Backup and restore in Azure Database for MySQL](../../mysql/concepts-backup.md).

-* **For a database installed on an Azure VM**, you can use standard backup tools or [Backup](../../backup/sap-hana-db-about.md) for supported databases. Also, if the Azure services and tools don't meet your requirements, you can use supported third-party backup tools that provide an agent for backup and recovery of all SAP BOBI platform components.

-BI and web application servers don't need a specific high-availability solution, no matter whether they're installed separately or together. You can achieve high availability by redundancy, that is, by configuring multiple instances of BI and web servers in various Azure VMs. You can deploy the VMs in either [availability sets](sap-high-availability-architecture-scenarios.md#multiple-instances-of-virtual-machines-in-the-same-availability-set) or [availability zones](sap-high-availability-architecture-scenarios.md#azure-availability-zones) based on business-required RTO. For deployment across availability zones, make sure all other components in the SAP BOBI platform are designed to be zone redundant too.

-> [!Important]

-> The concepts of Azure availability zones and Azure availability sets are mutually exclusive. That means you can either deploy a pair or multiple VMs into a specific availability zone or an Azure availability set, but not both.

-If you're using an Azure database as a solution for your CMS and audit database, a locally redundant high-availability framework is provided by default. Select the region and service inherent high-availability, redundancy, and resiliency capabilities without requiring you to configure any more components. If the deployment strategy for an SAP BOBI platform is across an availability zone, make sure you achieve zone redundancy for your CMS and audit database. For more information on high availability for supported database offerings in Azure, see [High availability for Azure SQL Database](/azure/azure-sql/database/high-availability-sla) and [High availability in Azure Database for MySQL](../../mysql/concepts-high-availability.md).

-* **Load Balancer**: Redundancy can be achieved by configuring the Standard Load Balancer front end as zone redundant. For more information, see [Standard Load Balancer and availability zones](../../load-balancer/load-balancer-standard-availability-zones.md).

-* **Application Gateway**: High availability can be achieved based on the type of tier selected during deployment:

- * The v1 SKU supports high-availability scenarios when you've deployed two or more instances. Azure distributes these instances across update and fault domains to ensure that instances don't all fail at the same time. With this SKU, redundancy can be achieved within the zone.

- * The v2 SKU automatically ensures that new instances are spread across fault domains and update domains. If you choose zone redundancy, the newest instances are also spread across availability zones to offer zonal failure resiliency. For more information, see [Autoscaling and zone-redundant Application Gateway v2](../../application-gateway/application-gateway-autoscaling-zone-redundant.md).

- * Fully or selectively use Lifecycle Management or federation to promote or distribute the content from the primary system.

- * Periodically copy over the CMS and FRS contents.

->[!Important]

->Availability of each component in the SAP BOBI platform should be factored in to the secondary region. The entire DR strategy must be thoroughly tested.

- >[!Important]

- >Geo-restore is available for SQL databases configured with geo-redundant [backup storage](/azure/azure-sql/database/automated-backups-overview#backup-storage-redundancy).

-Option 2: [Geo-replication](/azure/azure-sql/database/active-geo-replication-overview) or an [autofailover group](/azure/azure-sql/database/auto-failover-group-overview)

- Geo-replication is a SQL Database feature that allows you to create readable secondary databases of individual databases on a server in the same or different region. If geo-replication is enabled for the CMS and audit database, the application can initiate failover to a secondary database in a different Azure region. Geo-replication is enabled for individual databases, but to enable transparent and coordinated failover of multiple databases (CMS and audit) for an SAP BOBI application, it's advisable to use an autofailover group. It provides the group semantics on top of active geo-replication, which means the entire SQL server (all databases) is replicated to another region instead of individual databases. Check the capabilities table that [compares geo-replication with failover groups](/azure/azure-sql/database/business-continuity-high-availability-disaster-recover-hadr-overview#compare-geo-replication-with-failover-groups).

- Autofailover groups provide read/write and read-only listener endpoints that remain unchanged during failover. The read/write endpoint can be maintained as a listener in the ODBC connection entry for the CMS and audit database. So whether you use manual or automatic failover activation, failover switches all secondary databases in the group to primary. After the database failover is completed, the DNS record is automatically updated to redirect the endpoints to the new region. The application is automatically connected to the CMS database as the read/write endpoint is maintained as a listener in the ODBC connection.

- In the following image, an autofailover group for the SQL server (azussqlbodb) running on the East US 2 region is replicated to the East US secondary region (DR site). The read/write listener endpoint is maintained as a listener in an ODBC connection for the BI application server running on Windows. After failover, the endpoint will remain the same. No manual intervention is required to connect the BI application to the SQL database on the secondary region.

- 

- This option provides a lower RTO and RPO than option 1. For more information about this option, see [Use autofailover groups to enable transparent and coordinated failover of multiple databases](/azure/azure-sql/database/auto-failover-group-overview).

-* Enable cross-region read replicas to enhance your business continuity and DR planning. You can replicate from a source server up to five replicas. Read replicas are updated asynchronously by using the Azure Database for MySQL binary log replication technology. Replicas are new servers that you manage similar to regular Azure Database for MySQL servers. To learn more about read replicas, available regions, restrictions, and how to fail over, see [Read replicas in Azure Database for MySQL](../../mysql/concepts-read-replicas.md).

-* Use the Azure Database for MySQL geo-restore feature that restores the server by using geo-redundant backups. These backups are accessible even when the region on which your server is hosted is offline. You can restore from these backups to any other region and bring your server back online.

- > [!Important]

-| Azure SQL Database | Geo-replication/autofailover groups *or* geo-restore |

-## Overview

-In below figure, architecture of large-scale deployment of SAP BOBI Platform on Azure virtual machines is shown, where each component is distributed and placed in availability sets that can sustain failover if there's service disruption.

- The web server hosts the web applications of SAP BOBI Platform like CMC and BI Launch Pad. To achieve high availability for web server, you must deploy at least two web application servers to manage redundancy and load balancing. In Azure, these web application servers can be placed either in availability sets or availability zones for better availability.

-> [!Tip]

-> [!Note]

-> [!Note]

-> [!Important]

-> The concepts of Azure Availability Zones and Azure availability sets are mutually exclusive. That means, you can either deploy a pair or multiple VMs into a specific Availability Zone or an Azure availability set. But not both.

-Azure offers several different SLAs for VMs. For more information, see the most recent release of [SLA for Virtual Machines](https://azure.microsoft.com/support/legal/sl).

-For information on how to set up Azure availability sets, see [this tutorial](../../virtual-machines/windows/tutorial-availability-sets.md).

-Use two VMs for your production DBMS deployment within an Azure availability set or between two Azure Availability Zones. Also use separate routing for the SAP application layer and the management and operations traffic to the two DBMS VMs. See the following image:

-

-To achieve high availability, IBM Db2 LUW with HADR is installed on at least two Azure virtual machines, which are deployed in an [Azure availability set](../../virtual-machines/windows/tutorial-availability-sets.md) or across [Azure Availability Zones](./high-availability-zones.md).

-1. Create an Azure availability set or deploy an availability zone.

- + For the availability set, set the maximum update domains to 2.

- + Select the Azure availability set you created in step 3, or select Availability Zone.

- + Select the Azure availability set you in created in step 3, or select Availability Zone (not the same zone as in step 3).

-<code><pre>sudo service pacemaker start</code></pre>

-Using SQL Server in Azure IaaS deployments for SAP, you have several different possibilities to add to deploy the DBMS layer highly available. Azure provides different up-time SLAs for a single VM using different Azure block storages, a pair of VMs deployed in an Azure availability set, or a pair of VMs deployed across Azure Availability Zones. For production systems, we expect you to deploy a pair of VMs within an availability set or across two Availability Zones. One VM will run the active SQL Server Instance. The other VM will run the passive Instance

-1. Create an Availability Set

- Set max update domain

- Select Availability Set created earlier

- Select Availability Set created earlier

-To achieve high availability, IBM Db2 LUW with HADR is installed on at least two Azure virtual machines, which are deployed in an [Azure availability set](../../virtual-machines/windows/tutorial-availability-sets.md) or across [Azure Availability Zones](./high-availability-zones.md).

-1. Create an Azure availability set or deploy an availability zone.

- + For the availability set, set the maximum update domains to 2.

- + Select the Azure availability set you created in step 3, or select Availability Zone.

- + Select the Azure availability set you in created in step 3, or select Availability Zone (not the same zone as in step 3).

-1. Deploy your VMs. You can deploy VMs in availability sets, or in availability zones, if the Azure region supports these options. If you need additional IP addresses for your VMs, deploy and attach a second NIC. DonΓÇÖt add secondary IP addresses to the primary NIC. [Azure Load Balancer Floating IP doesn't support this scenario](../../load-balancer/load-balancer-multivip-overview.md#limitations).

-1. Create an Availability Set

- Set max update domain

- Select Availability Set created earlier

- Select Availability Set created earlier

-2. **[1]** Create the SAP cluster resources

- If using enqueue server 1 architecture (ENSA1), define the resources as follows:

-<pre><code>sudo pcs property set maintenance-mode=true

- - Depending on the type of your deployment (availability set or availability zones), choose the appropriate redundant storage for an Azure shared disk as your SBD device.

-By default, neither managed identity norservice principal have permissions to access your Azure resources. You need to give the managed identity or service principal permissions to start and stop (deallocate) all virtual machines in the cluster. If you didn't already create the custom role, you can do so by using [PowerShell](../../role-based-access-control/custom-roles-powershell.md#create-a-custom-role) or the [Azure CLI](../../role-based-access-control/custom-roles-cli.md).

-3. Create an availability set. Set the max update domain.

-3. Create an availability set. Set the max update domain.

-1. Create an availability set.

- Set the max update domain.

- Select the availability set created in step 3.

- Select the availability set created in step 3.

-1. To set up standard load balancer, follow these configuration steps:

-2. On testing server crash, second virtual IP resources (**secvip_HN1_03**) and azure load balancer port resource (**secnc_HN1_03**) will run on primary server alongside the primary virtual IP resources. So, till the time secondary server is down, application that are connected to read-enabled HANA database will connect to primary HANA database. The behavior is expected as you do not want applications that are connected to read-enabled HANA database to be inaccessible till the time secondary server is unavailable.

-3. During failover and fallback of second virtual IP address, it may happen that the existing connections on applications that uses second virtual IP to connect to the HANA database may get interrupted.

-1. Create an availability set.

- - Set the max update domain.

- - Select the availability set you created in step 3.

- - Select the availability set you created in step 3.

-To create an object that sends events to Application Insights by using the SDK Loader Script, see [Microsoft Azure Monitor Application Insights JavaScript SDK](../azure-monitor/app/javascript-sdk.md?tabs=sdkloaderscript#get-started).

-Azure Firewall is offered in two SKUs: Standard and Premium. [Azure Firewall Standard](../../firewall/features.md) provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. [Azure Firewall Premium](../../firewall/premium-features.md) provides advanced capabilities include signature-based IDPS to allow rapid detection of attacks by looking for specific patterns.

-description: In this tutorial, you'll learn how to monitor linux-based devices by forwarding syslog data to a Log Analytics workspace.

-#Customer intent: As a security-engineer, I want to get syslog data into Microsoft Sentinel so that I can use the data with other data to do attack detection, threat visibility, proactive hunting, and threat response. As an IT administrator, I want to get syslog data into my Log Analytics workspace to monitor my linux-based devices.

-# Tutorial: Forward syslog data to a Log Analytics workspace with Microsoft Sentinel by using the Azure Monitor agent

-In this tutorial, you'll configure a Linux virtual machine (VM) to forward syslog data to your workspace by using the Azure Monitor agent. These steps allow you to collect and monitor data from Linux-based devices where you can't install an agent like a firewall network device.

-

-Configure your linux-based device to send data to a Linux VM. The Azure Monitor agent on the VM forwards the syslog data to the Log Analytics workspace. Then use Microsoft Sentinel or Azure Monitor to monitor the device from the data stored in the Log Analytics workspace.

-> * Create a data collection rule

-> * Verify the Azure Monitor agent is running

-> * Enable log reception on port 514

-> * Verify syslog data is forwarded to your Log Analytics workspace

-To complete the steps in this tutorial, you must have the following resources and roles.

- |Built-in Role |Scope |Reason |

- |- [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md)</br>- [Azure Connected Machine Resource Administrator](../role-based-access-control/built-in-roles.md) | - Virtual machines</br>- Scale sets</br>- Arc-enabled servers | To deploy the agent |

- |Any role that includes the action Microsoft.Resources/deployments/* | - Subscription and/or</br>- Resource group and/or</br>- An existing data collection rule | To deploy ARM templates |

- |[Monitoring Contributor ](../role-based-access-control/built-in-roles.md) |- Subscription and/or </br>- Resource group and/or</br>- An existing data collection rule | To create or edit data collection rules |

- - [Supported Linux operating systems for Azure Monitor agent](../azure-monitor/agents/agents-overview.md#linux)

- - [Create a Linux virtual machine in the Azure portal](../virtual-machines/linux/quick-create-portal.md) or

- - Onboard an on-premises Linux server to Azure Arc. See [Quickstart: Connect hybrid machines with Azure Arc-enabled servers](../azure-arc/servers/learn/quick-enable-hybrid-vm.md)

-See step by step guide [here](../azure-monitor/agents/data-collection-syslog.md#create-a-data-collection-rule).

-## Verify the Azure Monitor agent is running

-In Microsoft Sentinel or Azure Monitor, verify that the Azure Monitor agent is running on your VM.

-1. In the Azure portal, search for and open **Microsoft Sentinel** or **Monitor**.

-1. Close the **Queries** page so that the **New Query** tab is displayed.

-1. Run the following query where you replace the computer value with the name of your Linux virtual machine.

-Verify that the VM that's collecting the log data allows reception on port 514 TCP or UDP depending on the syslog source. Then configure the built-in Linux syslog daemon on the VM to listen for syslog messages from your devices. After you complete those steps, configure your linux-based device to send logs to your VM.

-The following two sections cover how to add an inbound port rule for an Azure VM and configure the built-in Linux syslog daemon.

-### Allow inbound syslog traffic on the VM

-If you're forwarding syslogs to an Azure VM, use the following steps to allow reception on port 514.

- |Protocol | TCP or UDP depending on syslog source |

-### Configure Linux syslog daemon

-> [!NOTE]

-> To avoid [Full Disk scenarios](../azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md) where the agent can't function, we recommend that you set the `syslog-ng` or `rsyslog` configuration not to store unneeded logs. A Full Disk scenario disrupts the function of the installed AMA.

-> Read more about [RSyslog](https://www.rsyslog.com/doc/master/configuration/actions.html) or [Syslog-ng](

-https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.26/administration-guide/34#TOPIC-1431029).

-Connect to your Linux VM and run the following command to configure the Linux syslog daemon:

-## Verify syslog data is forwarded to your Log Analytics workspace

-After you configured your linux-based device to send logs to your VM, verify that the Azure Monitor agent is forwarding syslog data to your workspace.

-1. Close the **Queries** page so that the **New Query** tab is displayed.

-1. Run the following query where you replace the computer value with the name of your Linux virtual machine.

-Evaluate whether you still need the resources you created like the virtual machine. Resources you leave running can cost you money. Delete the resources you don't need individually. Or delete the resource group to delete all the resources you've created.

-Learn more about:

-> [Collect syslog with Azure Monitor Agent overview](../azure-monitor/agents/data-collection-syslog.md)

-To get a v2.0 token, use Microsoft Authentication Library [MSAL](../active-directory/develop/msal-overview.md) or can send requests to the REST API in the following format:

-> Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Azure Active Directory (AAD) backed authentication. When using AAD backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#assigning-azure-roles-for-access-rights) to the identity as needed.

-1. [Add the application to the `Service Bus Data Owner` role](service-bus-managed-service-identity.md#to-assign-azure-roles-using-the-azure-portal).

-[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) is a cross-Azure feature that enables you to create a secure identity associated with the deployment under which your application code runs. You can then associate that identity with access-control roles that grant custom permissions for accessing specific Azure resources that your application needs.

-With managed identities, the Azure platform manages this runtime identity. You do not need to store and protect access keys in your application code or configuration, either for the identity itself, or for the resources you need to access. A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. When the app connects, Service Bus binds the managed entity's context to the client in an operation that is shown in an example later in this article. Once it is associated with a managed identity, your Service Bus client can do all authorized operations. Authorization is granted by associating a managed entity with Service Bus roles.

-> [!IMPORTANT]

-> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure Active Directory authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).

-## Overview

-When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Azure AD, access to a resource is a two-step process.

- 1. First, the security principalΓÇÖs identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token is `https://servicebus.azure.net`.

- 1. Next, the token is passed as part of a request to the Service Bus service to authorize access to the specified resource.

-The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources.

-The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Service Bus provides Azure roles that encompass sets of permissions for Service Bus resources. The roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles to Azure Service Bus, see [Azure built-in roles for Azure Service Bus](#azure-built-in-roles-for-azure-service-bus).

-Native applications and web applications that make requests to Service Bus can also authorize with Azure AD. This article shows you how to request an access token and use it to authorize requests for Service Bus resources.

-## Assigning Azure roles for access rights

-Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities and you can also define custom roles for accessing the data.

-When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, or the Service Bus namespace. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

-For Azure Service Bus, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the below Azure built-in roles for authorizing access to a Service Bus namespace:

-Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.

- ```azurecli

- az role assignment create \

- --role $service_bus_role \

- --assignee $assignee_id \

- --scope /subscriptions/$subscription_id/resourceGroups/$resource_group/providers/Microsoft.ServiceBus/namespaces/$service_bus_namespace/topics/$service_bus_topic/subscriptions/$service_bus_subscription

- ```

-> [!NOTE]

-> Keep in mind that Azure role assignments may take up to five minutes to propagate.

-For more information about how built-in roles are defined, see [Understand role definitions](../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../role-based-access-control/custom-roles.md).

-## Enable managed identities on a VM

-Before you can use managed identities for Azure Resources to authorize Service Bus resources from your VM, you must first enable managed identities for Azure Resources on the VM. To learn how to enable managed identities for Azure Resources, see one of these articles:

-## Grant permissions to a managed identity in Azure AD

-To authorize a request to the Service Bus service from a managed identity in your application, the managed identity needs to be added to a Service Bus RBAC role (Azure Service Bus Data Owner, Azure Service Bus Data Sender, Azure Service Bus Data Receiver) at the appropriate scope (subscription, resource group, or namespace). When the Azure role is assigned to a managed identity, the managed identity is granted access to Service Bus entities at the specified scope. For descriptions of Service Bus roles, see the [Azure built-in roles for Azure Service Bus](#azure-built-in-roles-for-azure-service-bus) section. For more information about assigning Azure roles, see [Authenticate and authorize with Azure Active Directory for access to Service Bus resources](authenticate-application.md#azure-built-in-roles-for-azure-service-bus).

-## Use Service Bus with managed identities for Azure resources

-To use Service Bus with managed identities, you need to assign the identity the role and the appropriate scope. The procedure in this section uses a simple application that runs under a managed identity and accesses Service Bus resources.

-Here we're using a sample web application hosted in [Azure App Service](https://azure.microsoft.com/services/app-service/). For step-by-step instructions for creating a web application, see [Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md)

-Once the application is created, follow these steps:

-1. Go to **Settings** and select **Identity**.

-1. Select the **Status** to be **On**.

-1. Select **Save** to save the setting.

- 

-Once you've enabled this setting, a new service identity is created in your Azure Active Directory (Azure AD) and configured into the App Service host.

-### To Assign Azure roles using the Azure portal

-Assign one of the [Service Bus roles](#azure-built-in-roles-for-azure-service-bus) to the managed service identity at the desired scope (Service Bus namespace, resource group, subscription). For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-> For a list of services that support managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).

-### Run the app

-Now, modify the default page of the ASP.NET application you created. You can use the web application code from [this GitHub repository](https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet).

-The Default.aspx page is your landing page. The code can be found in the Default.aspx.cs file. The result is a minimal web application with a few entry fields, and with **send** and **receive** buttons that connect to Service Bus to either send or receive messages.

-Note how the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object is initialized by using a constructor that takes a TokenCredential. The DefaultAzureCredential derives from TokenCredential and can be passed here. As such, there are no secrets to retain and use. The flow of the managed identity context to Service Bus and the authorization handshake are automatically handled by the token credential. It is a simpler model than using SAS.

-After you make these changes, publish and run the application. You can obtain the correct publishing data easily by downloading and then importing a publishing profile in Visual Studio:

-

-

-To send or receive messages, enter the name of the namespace and the name of the entity you created. Then, click either **send** or **receive**.

-> [!NOTE]

-> - The managed identity works only inside the Azure environment, on App services, Azure VMs, and scale sets. For .NET applications, the Microsoft.Azure.Services.AppAuthentication library, which is used by the Service Bus NuGet package, provides an abstraction over this protocol and supports a local development experience. This library also allows you to test your code locally on your development machine, using your user account from Visual Studio, Azure CLI 2.0 or Active Directory Integrated Authentication. For more on local development options with this library, see [Service-to-service authentication to Azure Key Vault using .NET](/dotnet/api/overview/azure/service-to-service-authentication).

-To learn more about Service Bus messaging, see the following topics:

-* [Service Bus queues, topics, and subscriptions](service-bus-queues-topics-subscriptions.md)

-* [Get started with Service Bus queues](service-bus-dotnet-get-started-with-queues.md)

-* [How to use Service Bus topics and subscriptions](service-bus-dotnet-how-to-use-topics-subscriptions.md)

-A *SQL filter* is one of the available filter types for Service Bus topic subscriptions. It's a text expression that leans on a subset of the SQL-92 standard. Filter expressions are used with the `sqlExpression` element of the 'sqlFilter' property of a Service Bus `Rule` in an [Azure Resource Manager template](service-bus-resource-manager-namespace-topic-with-rule.md), or the Azure CLI `az servicebus topic subscription rule create` command's [`--filter-sql-expression`](/cli/azure/servicebus/topic/subscription/rule#az-servicebus-topic-subscription-rule-create) argument, and several SDK functions that allow managing subscription rules.

-1. Accept the legal terms and privacy statements for the Enterprise plan.

- > [!NOTE]

- > This step is necessary only if your subscription has never been used to create an Enterprise plan instance of Azure Spring Apps.

-1. Use the following command to create an Azure Spring Apps Enterprise plan service instance:

- - **Subscription**: Select the subscription you want to be billed for this resource.

- - **Resource group**: Creating new resource groups for new resources is a best practice.

- - **Service Name**: Specify the service instance name. You use this name later in this article where the *\<Azure-Spring-Apps-instance-name\>* placeholder appears. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number.

- - **Region**: Select the region for your service instance.

- :::image type="content" source="media/quickstart/portal-start.png" alt-text="Screenshot of Azure portal showing Azure Spring Apps Create page." lightbox="media/quickstart/portal-start.png":::

-1. Select **Review and create**.

-## Upload a block blob with index tags

-The following example uploads a block blob with index tags set using `BlobUploadFromFileOptions`:

-## Upload a block blob by staging blocks and committing

-You can have greater control over how to divide uploads into blocks by manually staging individual blocks of data. When all of the blocks that make up a blob are staged, you can commit them to Blob Storage. You can use this approach to enhance performance by uploading blocks in parallel.

-| Service | Resource provider name | Purpose |

-| :-- | :- | :-- |

-| Azure API Management | `Microsoft.ApiManagement/service` | Enables access to storage accounts behind firewalls via policies. [Learn more](../../api-management/authentication-managed-identity-policy.md#use-managed-identity-in-send-request-policy). |

-| Azure Cognitive Search | `Microsoft.Search/searchServices` | Enables access to storage accounts for indexing, processing, and querying. |

-| Azure Cognitive Services | `Microsoft.CognitiveService/accounts` | Enables access to storage accounts. [Learn more](../..//cognitive-services/cognitive-services-virtual-networks.md).|

-| Azure Container Registry | `Microsoft.ContainerRegistry/registries` | Through the ACR Tasks suite of features, enables access to storage accounts when you're building container images. |

-| Azure Data Factory | `Microsoft.DataFactory/factories` | Enables access to storage accounts through the Data Factory runtime. |

-| Azure Data Share | `Microsoft.DataShare/accounts` | Enables access to storage accounts. |

-| Azure DevTest Labs | `Microsoft.DevTestLab/labs` | Enables access to storage accounts. |

-| Azure Event Grid | `Microsoft.EventGrid/topics` | Enables access to storage accounts. |

-| Azure Healthcare APIs | `Microsoft.HealthcareApis/services` | Enables access to storage accounts. |

-| Azure IoT Central | `Microsoft.IoTCentral/IoTApps` | Enables access to storage accounts. |

-| Azure IoT Hub | `Microsoft.Devices/IotHubs` | Allows data from an IoT hub to be written to Blob Storage. [Learn more](../../iot-hub/virtual-network-support.md#egress-connectivity-from-iot-hub-to-other-azure-resources). |

-| Azure Logic Apps | `Microsoft.Logic/workflows` | Enables logic apps to access storage accounts. [Learn more](../../logic-apps/create-managed-service-identity.md#authenticate-access-with-managed-identity). |

-| Azure Machine Learning | `Microsoft.MachineLearningServices` | Enables authorized Azure Machine Learning workspaces to write experiment output, models, and logs to Blob Storage and read the data. [Learn more](../../machine-learning/how-to-network-security-overview.md#secure-the-workspace-and-associated-resources). |

-| Azure Media Services | `Microsoft.Media/mediaservices` | Enables access to storage accounts. |

-| Azure Migrate | `Microsoft.Migrate/migrateprojects` | Enables access to storage accounts. |

-| Microsoft Purview | `Microsoft.Purview/accounts` | Enables access to storage accounts. |

-| Azure Site Recovery | `Microsoft.RecoveryServices/vaults` | Enables access to storage accounts. |

-| Azure SQL Database | `Microsoft.Sql` | Allows [writing audit data to storage accounts behind a firewall](/azure/azure-sql/database/audit-write-storage-account-behind-vnet-firewall). |

-| Azure Synapse Analytics | `Microsoft.Sql` | Allows import and export of data from specific SQL databases via the `COPY` statement or PolyBase (in a dedicated pool), or the `openrowset` function and external tables in a serverless pool. [Learn more](/azure/azure-sql/database/vnet-service-endpoint-rule-overview). |

-| Azure Stream Analytics | `Microsoft.StreamAnalytics` | Allows data from a streaming job to be written to Blob Storage. [Learn more](../../stream-analytics/blob-output-managed-identity.md). |

-| Azure Synapse Analytics | `Microsoft.Synapse/workspaces` | Enables access to data in Azure Storage. |

-| 0x80070003 | -2147942403 | ERROR_PATH_NOT_FOUND | Deletion of a file or directory can't be synced because the item was already deleted in the destination and sync isn't aware of the change. | No action required. Sync will stop logging this error once change detection runs on the destination and sync detects the item was deleted. |

-This [feature](storage-files-identity-auth-azure-active-directory-enable.md) builds on top of [FSLogix profile container support](../../virtual-desktop/create-profile-container-azure-ad.md) released in December 2022 and expands it to support more use cases (SMB only). Hybrid identities, which are user identities created in Active Directory Domain Services (AD DS) and synced to Azure AD, can mount and access Azure file shares without the need for line-of-sight to an Active Directory domain controller. While the initial support is limited to hybrid identities, itΓÇÖs a significant milestone as we simplify identity-based authentication for Azure Files customers. [Read the blog post](https://techcommunity.microsoft.com/t5/azure-storage-blog/general-availability-azure-active-directory-kerberos-with-azure/ba-p/3612111).

-To learn how to enable Azure AD DS authentication, see [Enable Azure Active Directory Domain Services authentication on Azure Files](storage-files-identity-auth-active-directory-domain-service-enable.md).

-To learn how to enable Azure AD Kerberos authentication for hybrid identities, see [Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files](storage-files-identity-auth-azure-active-directory-enable.md).

-Learn more about [on-premises Active Directory authentication](storage-files-identity-auth-active-directory-enable.md) and [Azure AD DS authentication](storage-files-identity-auth-active-directory-domain-service-enable.md) for Azure file shares.

-|  | Incorta Intelligent Ingest for Azure Synapse |

-|  | Informatica Intelligent Data Management Cloud |

-|  | Qlik Data Integration (formerly Attunity) |

-### Security

-## Starting a new partner trial

-To learn more about some of our other partners, see [Data integration partners](data-integration.md), [Data management partners](data-management.md), and [Machine Learning and AI partners](machine-learning-ai.md).

-|  |**AtScale**<br>AtScale provides a single, secured, and governed workspace for distributed data. AtScale's Cloud OLAP, Autonomous Data Engineering&trade;, and Universal Semantic Layer&trade; powers business intelligence results for faster, more accurate business decisions. |[Product page](https://www.atscale.com/partners/microsoft/)<br> |

-|  |**Birst**<br>Birst connects the entire organization through a network of interwoven virtualized BI instances on-top of a shared common analytical fabric|[Product page](https://www.infor.com/solutions/advanced-analytics/business-intelligence/birst)<br> |

-|  |**Count**<br> Count is the next generation SQL editor, giving you the fastest way to explore and share your data with your team. At Count's core is a data notebook built for SQL, allowing you to structure your code, iterate quickly and stay in flow. Visualize your results instantly or customize them to build beautifully detailed charts in just a few clicks. Instantly share anything from one-off queries to full interactive data stories built off any of your Azure Synapse data sources. |[Product page](https://count.co/)<br>|

-|  |**Dremio**<br> Analysts and data scientists can discover, explore and curate data using Dremio's intuitive UI, while IT maintains governance and security. Dremio makes it easy to join ADLS with Blob Storage, Azure SQL Database, Azure Synapse SQL, HDInsight, and more. With Dremio, Power BI analysts can search for new datasets stored on ADLS, immediately access that data in Power BI with no preparation by IT, create visualizations, and iteratively refine reports in real-time. And analysts can create new reports that combine data between ADLS and other databases. |[Product page](https://www.dremio.com/azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/dremiocorporation.dremio_ce)<br> |

-|  |**Dundas BI**<br>Dundas Data Visualization is a leading, global provider of Business Intelligence and Data Visualization software. Dundas dashboards, reporting, and visual data analytics provide seamless integration into business applications, enabling better decisions and faster insights.|[Product page](https://www.dundas.com/dundas-bi)<br> |

-|  |**IBM Cognos Analytics**<br>Cognos Analytics includes self-service capabilities that make it simple, clear, and easy to use, whether you're an experienced business analyst examining a vast supply chain, or a marketer optimizing a campaign. Cognos Analytics uses AI and other capabilities to guide data exploration. It makes it easier for users to get the answers they need|[Product page](https://www.ibm.com/products/cognos-analytics)<br>|

-|  |**Information Builders (WebFOCUS)**<br>WebFOCUS business intelligence helps companies use data more strategically across and beyond the enterprise. It allows users and administrators to rapidly create dashboards that combine content from multiple data sources and formats. It also provides robust security and comprehensive governance that enables seamless and secure sharing of any BI and analytics content|[Product page](https://www.informationbuilders.com/products/bi-and-analytics-platform)<br> |

-|  |**Jinfonet JReport**<br>JReport is an embeddable BI solution for the enterprise. The solution offers capabilities such as report creation, dashboards, and data analysis on cloud, big data, and transactional data sources. By visualizing data, you can conduct your own reporting and data discovery for agile, on-the-fly decision making. |[Product page](https://www.logianalytics.com/jreport/)<br> |

-|  |**Logi Analytics**<br>Together, Logi Analytics enables your organization to collect, analyze, and immediately act on the largest and most diverse data sets in the world. |[Product page](https://www.logianalytics.com/)<br>|

-|  |**Looker BI**<br>Looker gives everyone in your company the ability to explore and understand the data that drives your business. Looker also gives the data analyst a flexible and reusable modeling layer to control and curate that data. Companies have fundamentally transformed their culture using Looker as the catalyst.|[Product page](https://looker.com/)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/aad.lookeranalyticsplatform)<br> |

-|  |**MicroStrategy**<br>The MicroStrategy platform offers a complete set of business intelligence and analytics capabilities that enable organizations to get value from their business data. MicroStrategy's powerful analytical engine, comprehensive toolsets, variety of data connectors, and open architecture ensures you have everything you need to extend access to analytics across every team.|[Product page](https://www.microstrategy.com/us/product/analytics)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/microstrategy.microstrategy_cloud_environment_mce)<br> |

-|  |**Mode**<br>Mode is a modern analytics and BI solution that helps teams make decisions through unreasonably fast and unexpectedly delightful data analysis. Data teams move faster through a preferred workflow that combines SQL, Python, R, and visual analysis, while stakeholders work alongside them exploring and sharing data on their own. With data more accessible to everyone, we shorten the distance from questions to answers and help businesses make better decisions, faster.|[Product page](https://mode.com/)<br> |

-|  |**Pyramid Analytics**<br>Pyramid 2020 is the trusted analytics platform that connects your teams, drives confident decisions, and produces winning results. Business users can do high-end, cloud-scale analytics and data science without IT help ΓÇö on any browser or device. Data scientists can take advantage of machine learning algorithms and scripting to understand difficult business problems. Power users can prepare and model their own data to create illuminating analytic content. Non-technical users can benefit from stunning visualizations and guided analytic presentations. It's the next generation of self-service analytics with governance. |[Product page](https://www.pyramidanalytics.com/resources/analyst-reports/)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/pyramidanalytics.pyramid2020-25-102) |

-|  |**Qlik Sense Enterprise**<br>Drive insight discovery with the data visualization app that anyone can use. With Qlik Sense, everyone in your organization can easily create flexible, interactive visualizations and make meaningful decisions. |[Product page](https://www.qlik.com/us/products/qlik-sense/enterprise)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/qlik.qlik-sense) |

-|  |**SAS® Viya®**<br>SAS® Viya® is an AI, analytic, and data management solution running on a scalable, cloud-native architecture. It enables you to operationalize insights, empowering everyone – from data scientists to business users – to collaborate and realize innovative results faster. Using open source or SAS models, SAS® Viya® can be accessed through APIs or interactive interfaces to transform raw data into actions. |[Product page](https://www.sas.com/microsoft)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/sas-institute-560503.sas-viya-saas?tab=Overview)<br>|

-|  |**SiSense**<br>SiSense is a full-stack Business Intelligence software that comes with tools that a business needs to analyze and visualize data: a high-performance analytical database, the ability to join multiple sources, simple data extraction (ETL), and web-based data visualization. Start to analyze and visualize large data sets with SiSense BI and Analytics today. |[Product page](https://www.sisense.com/)<br> |

-|  |**Tableau**<br>Tableau's self-service analytics help anyone see and understand their data, across many kinds of data from flat files to databases. Tableau has a native, optimized connector to Synapse SQL pool that supports both live data and in-memory analytics. |[Product page](https://www.tableau.com/)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/tableau.tableau-server)<br>|

-|  |**Targit (Decision Suite)**<br>Targit Decision Suite provides a BI platform that delivers real-time dashboards, self-service analytics, user-friendly reporting, stunning mobile capabilities, and simple data-discovery technology. Everything in a single, cohesive solution. Targit gives companies the courage to act. |[Product page](https://www.targit.com/targit-decision-suite/analytics)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/targit.targit-decision-suite)<br> |

-|  |**ThoughtSpot**<br>Use search to get granular insights from billions of rows, or let AI uncover insights from questions you might not have thought about. ThoughtSpot helps businesspeople find insights hidden in their company data in seconds. Use search to analyze your data and get automated insights when you need them.|[Product page](https://www.thoughtspot.com)<br>|

-|  |**Yellowfin**<br>Yellowfin is a top rated Cloud BI vendor for _ad hoc_ Reporting and Dashboards by BARC; The BI Survey. Connect to a dedicated SQL pool in Azure Synapse Analytics, then create and share beautiful reports and dashboards with award winning collaborative BI and location intelligence features. |[Product page](https://www.yellowfinbi.com/)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/yellowfininternationalptyltd1616363974066.yellowfin-for-azure-byol-v2) |

-## Next Steps

-To learn more about some of our other partners, see [Data Integration partners](data-integration.md), [Data Management partners](data-management.md), and [Machine Learning and AI partners](machine-learning-ai.md).

-See how to [discover partner solutions through Synapse Studio](browse-partners.md).

-This article lists known issues you may come across when using third-party applications with Azure Synapse Analytics.

-## Tableau error: ΓÇ£An attempt to complete a transaction has failed. No corresponding transaction foundΓÇ¥

-### Cause

-### Solution

-* [To learn how to make global customizations with a TDC file on Tableau Desktop, refer to Tableau Desktop documentation.](https://help.tableau.com/current/pro/desktop/en-us/odbc_customize.htm)

-* [To learn how to make global customizations with a TDC file on Tableau Server, refer to Using a .TDC File with Tableau Server.](https://kb.tableau.com/articles/howto/using-a-tdc-file-with-tableau-server)

- <vendor name='azure_sql_dw' />

- <driver name='azure_sql_dw' />

- <customizations>

- </customizations>

-## See also