+The [morgan package](https://www.npmjs.com/package/morgan) is an HTTP request logger middleware for Node.js.

+## Next steps

+For code samples in JavaScript and Node.js, please see: [Manage B2C user accounts with MSAL.js and Microsoft Graph SDK](https://github.com/Azure-Samples/ms-identity-b2c-javascript-nodejs-management)

+- **Access to header-based authentication applications should be restricted to only traffic from the connector or other permitted header-based authentication solution**. This is commonly done through restricting network access to the application using a firewall or IP restriction on the application server to avoid exposing to the attackers.

+| **HTTPS_COMMUNICATION_ERROR** | The NPS server is unable to receive responses from Azure AD MFA. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and that TLS 1.2 is enabled (default). If TLS 1.2 is disabled, user authentication will fail and event ID 36871 with source SChannel is entered in the System log in Event Viewer. To verify TLS 1.2 is enabled, see [TLS registry settings](/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings). |

+- Microsoft Lists

+This article helps you to add and remove a group from another group using Azure Active Directory.

+You can add an existing Security group to another existing Security group (also known as nested groups), creating a member group (subgroup) and a parent group. The member group inherits the attributes and properties of the parent group, saving you configuration time.

+>We don't currently support:<ul><li>Adding groups to a group synced with on-premises Active Directory.</li><li>Adding Security groups to Microsoft 365 groups.</li><li>Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.</li><li>Assigning apps to nested groups.</li><li>Applying licenses to nested groups.</li><li>Adding distribution groups in nesting scenarios.</li><li>Adding security groups as members of mail-enabled security groups</li><li> Adding groups as members of a role-assignable group.</li></ul>

+If you are reviewing access to an application, then before creating the review, see the article on how to [prepare for an access review of users' access to an application](access-reviews-application-preparation.md) to ensure the application is integrated with Azure AD.

+1. Or if you are conducting group membership review, you can create access reviews for only the inactive users in the group (preview). In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only, those who have not signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.

+1. You can create a single-stage or multi-stage review (preview). For a single stage review continue here. To create a multi-stage access review (preview), follow the steps in [Create a multi-stage access review (preview)](#create-a-multi-stage-access-review-preview)

+1. After you have selected the resource and scope of your review, move on to the **Reviews** tab.

+1. Click the checkbox next to **(Preview) Multi-stage review**.

+1. By default, you will see two stages when you create a multi-stage review. However, you can add up to three stages. If you want to add a third stage, click **+ Add a stage** and complete the required fields.

+1. You can decide to allow 2nd and 3rd stage reviewers to the see decisions made in the previous stage(s).If you want to allow them to see the decisions made prior, click the box next to **Show previous stage(s) decisions to later stage reviewers** under **Reveal review results**. Leave the box unchecked to disable this setting if youΓÇÖd like your reviewers to review independently.

+1. Specify the **Review recurrence**, the **Start date**, and **End date** for the review. The recurrence type must be at least as long as the total duration of the recurrence (i.e., the max duration for a weekly review recurrence is 7 days).

+1. Select **Teams + Groups** and then click **Select teams + groups** to set the **Review scope**. B2B direct connect users and teams are not included in reviews of **All Microsoft 365 groups with guest users**.

+1. Go on to the **Settings** tab and configure additional settings. Then go to the **Review and Create** tab to start your access review. For more detailed information about creating a review and configuration settings, see our [Create a single-stage access review](#create-a-single-stage-access-review).

+Azure Active Directory (Azure AD) simplifies how enterprises manage access to groups and applications in Azure AD and other Microsoft Online Services with a feature called Azure AD access reviews. This article will go over how a designated reviewer performs an access review for members of a group or users with access to an application. If you would like to review access to an access package read [Review access of an access package in Azure AD entitlement management](entitlement-management-access-reviews-review-access.md)

+1. Click the **Start review** link to open the access review.git pu

+After you open My Access under Groups and Apps you can see:

+- **Due** The due date for the review. After this date denied users could be removed from the group or app being reviewed.

+Click on the name of an access review to get started.

+Once that it opens, you will see the list of users in scope for the access review.

+ - If you are unsure if a user should continue to have access or not, you can click **Don't know**. The user gets to keep their access and your choice is recorded in the audit logs. It is important that you keep in mind that any information you provide will be available to other reviewers. They can read your comments and take them into account when they review the request.

+1. The administrator of the access review may require that you supply a reason in the **Reason** box for your decision. Even when a reason is not required. You can still provide a reason for your decision and the information that you include will be available to other approvers for review.

+1. Click **Submit**.

+1. Select one or more users and then Click **Accept recommendations**.

+1. Click **Submit** to accept the recommendations.

+You will review access either manually or accept the recommendations based on sign-in activity for the stage you are assigned as the reviewer.

+If you are the 2nd stage or 3rd stage reviewer, you will also see the decisions made by the reviewers in the prior stage(s) if the administrator enabled this setting when creating the access review. The decision made by a 2nd or 3rd stage reviewer will overwrite the previous stage. So, the decision the 2nd stage reviewer makes will overwrite the first stage, and the 3rd stage reviewer's decision will overwrite the second stage.

+1. As the reviewer, you should receive an email that requests you to review access for the team or group. Click the link in the email, or navigate directly to https://myaccess.microsoft.com/.

+If a Team you review has shared channels, all B2B direct connect users and teams that access those shared channels are part of the review. This includes B2B collaboration users and internal users. When a B2B direct connect user or team is denied access in an access review, the user will lose access to every shared channel in the Team. To learn more about B2B direct connect users, read [B2B direct connect](../external-identities/b2b-direct-connect-overview.md).

+When the access review is setup, the administrator has the option to use advanced settings to determine what will happen in the event a reviewer doesn't respond to an access review request.

+The administrator can set up the review so that if reviewers do not respond at the end of the review period, all unreviewed users can have an automatic decision made on their access. This includes the loss of access to the group or application under review.

+6. The password hash synchronization agent then combines the MD4 hash plus the per user salt, and inputs it into the [PBKDF2](https://www.ietf.org/rfc/rfc2898.txt) function. 1000 iterations of the [HMAC-SHA256](/dotnet/api/system.security.cryptography.hmacsha256) keyed hashing algorithm are used. For additional details, refer to the [Azure AD Whitepaper](https://aka.ms/aaddatawhitepaper).

+In this section, you'll learn how to enable and disable the system-assigned managed identity using Azure PowerShell.

+1. Create a user-assigned managed identity using the [New-AzUserAssignedIdentity](/powershell/module/az.managedserviceidentity/new-azuserassignedidentity) cmdlet. Note the `Id` in the output because you'll need this information in the next step.

+If your VM doesn't have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:

+With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.

+With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Azure portal that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).

+Azure Active Directory (Azure AD), part of Microsoft Entra, lets you assign a cloud Azure AD security group to an Azure AD role. A Global Administrator or Privileged Role Administrator must create a new security group and make the group role-assignable at creation time. Only the Global Administrator, Privileged Role Administrator, or the group Owner role assignments can change the membership of the group. Also, no other users can reset the password of the users who are members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.

+Use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra,to allow eligible role members for privileged access groups to schedule role activation for a specified date and time. They can also select a activation duration up to the maximum duration configured by administrators.

+With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure privileged access group members and owners to require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each group to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.

+Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can help you manage the eligibility and activation of assignments to privileged access groups in Azure AD. You can assign eligibility to members or owners of the group.

+With Privileged Identity Management (PIM), you can view activity, activations, and audit history for Azure privileged access group members and owners within your organization in Azure Active Directory (Azure AD), part of Microsoft Entra.

+In Azure Active Directory (Azure AD), part of Microsoft Entra, you can assign Azure AD built-in roles to cloud groups to simplify how you manage role assignments. To protect Azure AD roles and to secure access, you can now use Privileged Identity Management (PIM) to manage just-in-time access for members or owners of these groups. To manage an Azure AD role-assignable group as a privileged access group in Privileged Identity Management, you must bring it under management in PIM.

+In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of privileged access groups. Starting with this preview, you can assign built-in roles in Azure Active Directory (Azure AD), part of Microsoft Entra, to cloud groups and use PIM to manage group member and owner eligibility and activation. For more information about role-assignable groups in Azure AD, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md).

+> [!IMPORTANT]

+Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for privileged access groups. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

+Role settings are the default settings that are applied to group owner and group member privileged access assignments in Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. Use the following steps to set up the approval workflow to specify who can approve or deny requests to elevate privilege.

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/identity-governance.png" alt-text="Select Identity Governance in Azure Portal screenshot." lightbox="./media/pim-create-azure-ad-roles-and-resource-roles-review/identity-governance.png":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/access-reviews.png" alt-text="Azure AD roles - Access reviews list showing the status of all reviews screenshot.":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/name-description.png" alt-text="Create an access review - Review name and description screenshot.":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/start-end-dates.png" alt-text="Start date, frequency, duration, end, number of times, and end date screenshot.":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/users.png" alt-text="Users scope to review role membership of screenshot.":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/review-role-membership.png" alt-text="Review role memberships screenshot.":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/assignment-type-select.png" alt-text="Reviewers list of assignment types screenshot.":::

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/reviewers.png" alt-text="Reviewers list of selected users or members (self)":::

+ - **Members (self)** - Use this option to have the users review their own role assignments. This option is only available if the review is scoped to **Users and Groups** or **Users**. For **Azure AD roles**, role-assignable groups will not be a part of the review when this option is selected.

+ - **Manager** ΓÇô Use this option to have the userΓÇÖs manager review their role assignment. This option is only available if the review is scoped to **Users and Groups** or **Users**. Upon selecting Manager, you will also have the option to specify a fallback reviewer. Fallback reviewers are asked to review a user when the user has no manager specified in the directory. For **Azure AD roles**, role-assignable groups will be reviewed by the fallback reviewer if one is selected.

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/upon-completion-settings.png" alt-text="Upon completion settings to auto apply and should review not respond screenshot.":::

+3. Use the **If reviewer don't respond** list to specify what happens for users that are not reviewed by the reviewer within the review period. This setting does not impact users who were reviewed by the reviewers.

+4. Use the **Action to apply on denied guest users** list to specify what happens for guest users that are denied. This setting is not editable for Azure AD and Azure resource role reviews at this time; guest users, like all users, will always lose access to the resource if denied.

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/action-to-apply-on-denied-guest-users.png" alt-text="Upon completion settings - Action to apply on denied guest users screenshot.":::

+5. You can send notifications to additional users or groups to receive review completion updates. This feature allows for stakeholders other than the review creator to be updated on the progress of the review. To use this feature, select **Select User(s) or Group(s)** and add an additional user or group upon you want to receive the status of completion.

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/upon-completion-settings-additional-receivers.png" alt-text="Upon completion settings - Add additional users to receive notifications screenshot.":::

+1. To specify additional settings, expand the **Advanced settings** section.

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/advanced-settings.png" alt-text="Advanced settings for show recommendations, require reason on approval, mail notifications, and reminders screenshot.":::

+1. Set **Reminders** to **Enable** to have Azure AD send reminders of access reviews in progress to reviewers who have not completed their review.

+1. The content of the email sent to reviewers is auto-generated based on the review details, such as review name, resource name, due date, etc. If you need a way to communicate additional information such as additional instructions or contact information, you can specify these details in the **Additional content for reviewer email** which will be included in the invitation and reminder emails sent to assigned reviewers. The highlighted section below is where this information will be displayed.

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/email-info.png" alt-text="Content of the email sent to reviewers with highlights":::

+To manage a series of access reviews, navigate to the access review, and you will find upcoming occurrences in Scheduled reviews, and edit the end date or add/remove reviewers accordingly.

+ΓÇó For **Azure AD roles**, role-assignable groups can be assigned to the role using [role-assignable groups](../roles/groups-concept.md). When a review is created on an Azure AD role with role-assignable groups assigned, the group name shows up in the review without expanding the group membership. The reviewer can approve or deny access of the entire group to the role. Denied groups will lose their assignment to the role when review results are applied.

+ΓÇó For **Azure resource roles**, any security group can be assigned to the role. When a review is created on an Azure resource role with a security group assigned, the users assigned to that security group will be fully expanded and shown to the reviewer of the role. When a reviewer denies a user that was assigned to the role via the security group, the user will not be removed from the group, and therefore the apply of the deny result will be unsuccessful.

+> It is possible for a security group to have other groups assigned to it. In this case, only the users assigned directly to the security group assigned to the role will appear in the review of the role.

+- **Adding and removing reviewers** - When updating access reviews, you may choose to add a fallback reviewer in addition to the primary reviewer. Primary reviewers may be removed when updating an access review. However, fallback reviewers are not removable by design.

+- **Reminding the reviewers** - When updating access reviews, you may choose to enable the reminder option under Advanced Settings. Once enabled, users will receive an email notification at the midpoint of the review period, regardless of whether they have completed the review or not.

+Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.

+Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for roles in Azure Active Directory (Azure AD), part of Microsoft Entra. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to Azure AD administrators to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

+You can require that users complete a multifactor authentication challenge when they sign in. You can also require that users complete a multifactor authentication challenge when they activate a role in Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. This way, even if the user didn't complete multifactor authentication when they signed in, they'll be asked to do it by Privileged Identity Management.

+You can use the Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). If you want to see the full audit history of activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra, including administrator, end user, and synchronization activity, you can use the [Azure Active Directory security and activity reports](../reports-monitoring/overview-reports.md).

+Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure Active Directory (AD), part of Microsoft Entra, and other Microsoft online services like Microsoft 365 or Microsoft Intune. Follow the steps in this article to perform reviews of access to roles.

+Use Privileged Identity Management (PIM) in Azure Active Diretory (Azure AD), part of Microsoft Entra, to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).

+With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure roles to require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.

+With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

+Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.

+When you configure Azure resource role settings, you define the default settings that are applied to Azure role assignments in Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. Use the following procedures to configure the approval workflow and specify who can approve or deny requests.

+You might need to apply stricter just-in-time settings to some users in a privileged role in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra, while providing greater autonomy for others. For example, if your organization hired several contract associates to help develop an application that will run in an Azure subscription.

+Follow the steps outlined in the next section to set up targeted Privileged Identity Management (PIM) settings for Azure resource roles.

+You can use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, to improve the protection of your Azure resources. This helps:

+You can use a resource dashboard to perform an access review in Privileged Identity Management (PIM). The Admin View dashboard in Azure Active Directory (Azure AD), part of Microsoft Entra, has three primary components:

+Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

+You can manage just-in-time assignments to all [Azure AD roles](../roles/permissions-reference.md) and all [Azure roles](../../role-based-access-control/built-in-roles.md) using Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. Azure roles include built-in and custom roles attached to your management groups, subscriptions, resource groups, and resources. However, there are few roles that you can't manage. This article describes the roles you can't manage in Privileged Identity Management.

+If you're starting out using Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, to manage role assignments in your organization, you can use the **Discovery and insights (preview)** page to get started. This feature shows you who is assigned to privileged roles in your organization and how to use PIM to quickly change permanent role assignments into just-in-time assignments. You can view or make changes to your permanent privileged role assignments in **Discovery and Insights (preview)**. It's an analysis tool and an action tool.

+Are you having a problem with Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsft Entra? The information that follows can help you to get things working again.

+This article tells you how to use PowerShell cmdlets to manage Azure AD roles using Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra. It also tells you how to get set up with the Azure AD PowerShell module.

+To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management.

+ 

+ 

+ 

+ 

+ Title: 'Tutorial: Configure Tableau Cloud for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Tableau Cloud.

+ms.assetid: b4038c18-2bfd-47cb-8e74-3873dc85a796

+# Tutorial: Configure Tableau Cloud for automatic user provisioning

+This tutorial describes the steps you need to do in both Tableau Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Tableau Cloud](https://www.tableau.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in Tableau Cloud.

+> * Remove users in Tableau Cloud when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Tableau Cloud.

+> * Provision groups and group memberships in Tableau Cloud.

+> * [Single sign-on](tableauonline-tutorial.md) to Tableau Cloud (recommended).

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A [Tableau Cloud tenant](https://www.tableau.com/).

+* A user account in Tableau Cloud with Admin permission

+> [!NOTE]

+> The Azure AD provisioning integration relies on the [Tableau Cloud REST API](https://onlinehelp.tableau.com/current/api/rest_api/en-us/help.htm). This API is available to Tableau Cloud developers.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Tableau Cloud](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Tableau Cloud to support provisioning with Azure AD

+Use the following steps to enable SCIM support with Azure Active Directory:

+1. The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this yet, complete the following sections in [Configure SAML with Azure Active Directory](https://help.tableau.com/current/online/en-us/saml_config_azure_ad.htm):

+ * Step 1: [Open the Tableau Cloud SAML Settings](https://help.tableau.com/current/online/en-us/saml_config_azure_ad.htm#open-the-tableau-online-saml-settings).

+ * Step 2: [Add Tableau Cloud to your Azure Active Directory applications](https://help.tableau.com/current/online/en-us/saml_config_azure_ad.htm#add-tableau-online-to-your-azure-ad-applications).

+

+ > [!NOTE]

+ > If you donΓÇÖt set up SAML single sign-on, your user will be unable to sign into Tableau Cloud after they have been provisioned unless you manually change the userΓÇÖs authentication method from SAML to Tableau or Tableau MFA in Tableau Cloud.

+1. In Tableau Cloud, navigate to **Settings > Authentication** page, then under **Automatic Provisioning and Group Synchronization (SCIM)**, select the **Enable SCIM** check box. This populates the **Base URL** and **Secret** boxes with values you will use in the SCIM configuration of your IdP.

+ > [!NOTE]

+ > The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to Azure Active Directory, you can select **Generate New Secret**. In addition, the secret token is tied to the Tableau Cloud user account of the site administrator who enables SCIM support. If that userΓÇÖs site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to Azure Active Directory.

+## Step 3. Add Tableau Cloud from the Azure AD application gallery

+Add Tableau Cloud from the Azure AD application gallery to start managing provisioning to Tableau Cloud. If you have previously setup Tableau Cloud for SSO, you can use the same application. However it's recommended you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user and group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Tableau Cloud

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Tableau Cloud based on user and group assignments in Azure AD.

+> You must enable SAML-based single sign-on for Tableau Cloud. Follow the instructions in the [Tableau Cloud single sign-on tutorial](tableauonline-tutorial.md). If SAML isn't enabled, then the user that is provisioned will not be able to sign in.

+### To configure automatic user provisioning for Tableau Cloud in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+1. In the applications list, select **Tableau Cloud**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. In the **Admin Credentials** section, input your Tableau Cloud Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Tableau Cloud. If the connection fails, ensure your Tableau Cloud account has Admin permissions and try again.

+ 

+ > [!NOTE]

+ > You will have 2 options for your Authentication Method: **Bearer Authentication** and **Basic Authentication**. Make sure that you select Bearer Authentication. Basic authentication will not work for the SCIM 2.0 endpoint.

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Tableau Cloud**.

+1. Review the user attributes that are synchronized from Azure AD to Tableau Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Tableau Cloud for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Tableau Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Tableau Cloud|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||

+ |roles|String||

+ > [!NOTE]

+ > The displayName attribute in Tableau Cloud will be mapped to the userPrincipalName attribute in Azure AD. When a provisioned user signs into Azure AD for the first time, they will be asked to create an account where they will need to enter in a first name and last name. Tableau Cloud will automatically update the value of the displayName field based on the first name and last name values provided by the provisioned user. Therefore, the displayName you see in Azure AD may have differences with the displayName that appears in Tableau Cloud based on the userΓÇÖs input.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Tableau Cloud**.

+1. Review the group attributes that are synchronized from Azure AD to Tableau Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Tableau Cloud for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Tableau Cloud|

+ |||||

+ |displayName|String|&check;

+ |members|Reference|

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Tableau Cloud, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and groups that you would like to provision to Tableau Cloud by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to complete than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+### Recommendations

+Tableau Cloud will only store the highest privileged role that is assigned to a user. In other words, if a user is assigned to two groups, the userΓÇÖs role will reflect the highest privileged role.

+To keep track of role assignments, you can create two purpose-specific groups for role assignments. For example, you can create groups such as Tableau ΓÇô Creator, and Tableau ΓÇô Explorer, etc. Assignment would then look like:

+* Tableau ΓÇô Creator: Creator

+* Tableau ΓÇô Explorer: Explorer

+* Etc.

+Once provisioning is set up, you will want to edit role changes directly in Azure Active Directory. Otherwise, you may end up with role inconsistencies between Tableau Cloud and Azure Active Directory.

+### Valid Tableau site role values

+On the **Select a Role** page in your Azure Active Directory portal, the Tableau Site Role values that are valid include the following: **Creator, SiteAdministratorCreator, Explorer, SiteAdministratorExplorer, ExplorerCanPublish, Viewer, or Unlicensed**.

+If you select a role that is not in the above list, such as a legacy (pre-v2018.1) role, you will experience an error.

+### Update a Tableau Cloud application to use the Tableau Cloud SCIM 2.0 endpoint

+>[!Note]

+>Be sure to note any changes that have been made to the settings listed above before completing the steps below. Failure to do so will result in the loss of customized settings.

+1. Sign into the [Azure portal](https://portal.azure.com).

+1. Navigate to your current Tableau Cloud app under **Azure Active Directory > Enterprise Applications**.

+1. In the Properties section of your new custom app, copy the **Object ID**.

+ 

+1. In a new web browser window, navigate to `https://developer.microsoft.com/graph/graph-explorer` and sign in as the administrator for the Azure AD tenant where your app is added.

+ 

+

+1. Check to make sure the account being used has the correct permissions. The permission **Directory.ReadWrite.All** is required to make this change.

+ 

+ 

+1. Using the ObjectID selected from the app previously, run the following command:

+ `GET https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/`

+1. Taking the "id" value from the response body of the GET request from above, run the command below, replacing "[job-id]" with the id value from the GET request. The value should have the format of "Tableau.xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxx":

+ `DELETE https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[job-id]`

+1. In the Graph Explorer, run the command below. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.

+ `POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs { "templateId": "TableauOnlineSCIM" }`

+ 

+1. Return to the first web browser window and select the Provisioning tab for your application. Your configuration will have been reset. You can confirm the upgrade has taken place by confirming the Job ID starts with **TableauOnlineSCIM**.

+1. Under the Admin Credentials section, select "Bearer Authentication" as the authentication method and enter the Tenant URL and Secret Token of the Tableau instance you wish to provision to.

+ 

+1. Restore any previous changes you made to the application (Authentication details, Scoping filters, Custom attribute mappings) and re-enable provisioning.

+>[!Note]

+>Failure to restore the previous settings may results in attributes (name.formatted for example) updating in Workplace unexpectedly. Be sure to check the configuration before enabling provisioning

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+* 06/24/2022 - Updated the ap to be SCIM 2.0 compliant.

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+If you don't have an Azure Key Vault instance available, follow [these steps](../../key-vault/general/quick-create-portal.md) to create a key vault using the Azure portal.

+- We are adding support for the [did:web](https://w3c-ccg.github.io/did-method-web/) method. Any new tenant that starts using the Verifiable Credentials Service after June 14, 2022 will have Web as a new, default, trust system when [onboarding](verifiable-credentials-configure-tenant.md#set-up-verifiable-credentials). VC Administrators can still choose to use ION when setting a tenant. If you want to use did:web instead of ION or viceversa, you will need to [reconfigure your tenant](verifiable-credentials-faq.md?#how-do-i-reset-the-azure-ad-verifiable-credentials-service).

+- We are rolling out several features to improve the overall experience of creating verifiable credentials in the Entra Verified ID platform:

+ - Introducing Managed Credentials, Managed Credentials are verifiable credentials that no longer use of Azure Storage to store the [display & rules JSON definitions](rules-and-display-definitions-model.md). Their display and rule definitions are different from earlier versions.

+ - Create Managed Credentials using the [new quickstart experience](how-to-use-quickstart.md).

+ - Administrators can create a Verified Employee Managed Credential using the [new quick start](how-to-use-quickstart-verifiedemployee.md). The Verified Employee is a verifiable credential of type verifiedEmployee that is based on a pre-defined set of claims from your tenant's Azure Active Directory.

+>[!IMPORTANT]

+> You need to migrate your Azure Storage based credentials to become Managed Credentials. We'll soon provide migration instructions.

+- We made the following updates to our docs:

+ - (new) [Current supported open standards for Microsoft Entra Verified ID](verifiable-credentials-standards.md).

+ - (new) [How to create verifiable credentials for ID token hint](how-to-use-quickstart.md).

+ - (new) [How to create verifiable credentials for ID token](how-to-use-quickstart-idtoken.md).

+ - (new) [How to create verifiable credentials for self-asserted claims](how-to-use-quickstart-selfissued.md).

+ - (new) [Rules and Display definition model specification](rules-and-display-definitions-model.md).

+ - (new) [Creating an Azure AD tenant for development](how-to-create-a-free-developer-account.md).

+## Subscription

+ Title: API Server VNet Integration in Azure Kubernetes Service (AKS)

+description: Learn how to create an Azure Kubernetes Service (AKS) cluster with API Server VNet Integration

+# Create an Azure Kubernetes Service cluster with API Server VNet Integration (PREVIEW)

+An Azure Kubernetes Service (AKS) cluster with API Server VNet Integration configured projects the API server endpoint directly into a delegated subnet in the VNet where AKS is deployed. This enables network communication between the API server and the cluster nodes without any required private link or tunnel. The API server will be available behind an Internal Load Balancer VIP in the delegated subnet, which the nodes will be configured to utilize. By using API Server VNet Integration, you can ensure network traffic between your API server and your node pools remains on the private network only.

+## API server connectivity

+The control plane or API server is in an Azure Kubernetes Service (AKS)-managed Azure subscription. A customer's cluster or node pool is in the customer's subscription. The server and the virtual machines that make up the cluster nodes can communicate with each other through the API server VIP and pod IPs that are projected into the delegated subnet.

+At this time, API Server VNet integration is only supported for private clusters. Unlike standard public clusters, the agent nodes communicate directly with the private IP address of the ILB VIP for communication to the API server without using DNS. External clients needing to communicate with the cluster should follow the same private DNS setup methodology as standard [private clusters](private-clusters.md).

+## Region availability

+API Server VNet Integration is available in the following regions at this time:

+- canary regions

+- eastus2

+- northcentralus

+- westcentralus

+- westus2

+## Prerequisites

+* Azure CLI with aks-preview extension 0.5.67 or later.

+* If using ARM or the REST API, the AKS API version must be 2022-04-02-preview or later.

+### Install the aks-preview CLI extension

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Register the `EnableAPIServerVnetIntegrationPreview` preview feature

+To create an AKS cluster with API Server VNet Integration, you must enable the `EnableAPIServerVnetIntegrationPreview` feature flag on your subscription.

+Register the `EnableAPIServerVnetIntegrationPreview` feature flag by using the `az feature register` command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the `az feature list` command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview')].{Name:name,State:properties.state}"

+```

+When the feature has been registered, refresh the registration of the *Microsoft.ContainerService* resource provider by using the `az provider register` command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+## Create an AKS cluster with API Server VNet Integration using Managed VNet

+AKS clusters with API Server VNet Integration can be configured in either managed VNet or bring-your-own VNet mode.

+### Create a resource group

+Create a resource group or use an existing resource group for your AKS cluster.

+```azurecli-interactive

+az group create -l westus2 -n <resource-group>

+```

+### Deploy the cluster

+```azurecli-interactive

+az aks create -n <cluster-name> \

+ -g <resource-group> \

+ -l <location> \

+ --network-plugin azure \

+ --enable-private-cluster \

+ --enable-apiserver-vnet-integration

+```

+Where `--enable-private-cluster` is a mandatory flag for a private cluster, and `--enable-apiserver-vnet-integration` configures API Server VNet integration for Managed VNet mode.

+## Create an AKS cluster with API Server VNet Integration using bring-your-own VNet

+When using bring-your-own VNet, an API server subnet must be created and delegated to `Microsoft.ContainerService/managedClusters`. This grants the AKS service permissions to inject the API server pods and internal load balancer into that subnet. The subnet may not be used for any other workloads, but may be used for multiple AKS clusters located in the same virtual network. An AKS cluster will require from 2-7 IP addresses depending on cluster scale. The minimum supported API server subnet size is a /28.

+Note that the cluster identity needs permissions to both the API server subnet and the node subnet. Lack of permissions at the API server subnet will cause a provisioning failure.

+> [!WARNING]

+> Running out of IP addresses may prevent API server scaling and cause an API server outage.

+### Create a resource group

+Create a resource group or use an existing resource group for your AKS cluster.

+```azurecli-interactive

+az group create -l <location> -n <resource-group>

+```

+### Create a virtual network

+```azurecli-interactive

+# Create the virtual network

+az network vnet create -n <vnet-name> \

+ -l <location> \

+ --address-prefixes 172.19.0.0/16

+# Create an API server subnet

+az network vnet subnet create --vnet-name <vnet-name> \

+ --name <apiserver-subnet-name> \

+ --delegations Microsoft.ContainerService/managedClusters \

+ --address-prefixes 172.19.0.0/28

+# Create a cluster subnet

+az network vnet subnet create --vnet-name <vnet-name> \

+ --name <cluster-subnet-name> \

+ --address-prefixes 172.19.1.0/24

+```

+### Create a managed identity and give it permissions on the virtual network

+```azurecli-interactive

+# Create the identity

+az identity create -n <managed-identity-name> -l <location>

+# Assign Network Contributor to the API server subnet

+az role assignment create --scope <apiserver-subnet-resource-id> \

+ --role "Network Contributor" \

+ --assignee <managed-identity-client-id>

+# Assign Network Contributor to the cluster subnet

+az role assignment create --scope <cluster-subnet-resource-id> \

+ --role "Network Contributor" \

+ --assignee <managed-identity-client-id>

+```

+### Create the AKS cluster

+```azurecli-interactive

+az aks create -n <cluster-name> \

+ -g <resource-group> \

+ -l <location> \

+ --network-plugin azure \

+ --enable-private-cluster \

+ --enable-apiserver-vnet-integration \

+ --vnet-subnet-id <cluster-subnet-resource-id> \

+ --apiserver-subnet-id <apiserver-subnet-resource-id> \

+ --assign-identity <managed-identity-resource-id>

+```

+## Limitations

+* Existing AKS clusters cannot be converted to API Server VNet Integration clusters at this time.

+* Only [private clusters](private-clusters.md) are supported at this time.

+* [Private Link Service][private-link-service] will not work if deployed against the API Server injected addresses at this time, so the API server cannot be exposed to other virtual networks via private link. To access the API server from outside the cluster network, utilize either [VNet peering][virtual-network-peering] or [AKS run command][command-invoke].

+<!-- LINKS - internal -->

+[az-provider-register]: /cli/azure/provider#az_provider_register

+[az-feature-register]: /cli/azure/feature#az_feature_register

+[az-feature-list]: /cli/azure/feature#az_feature_list

+[az-extension-add]: /cli/azure/extension#az_extension_add

+[az-extension-update]: /cli/azure/extension#az_extension_update

+[private-link-service]: ../private-link/private-link-service-overview.md#limitations

+[private-endpoint-service]: ../private-link/private-endpoint-overview.md

+[virtual-network-peering]: ../virtual-network/virtual-network-peering-overview.md

+[azure-bastion]: ../bastion/tutorial-create-host-portal.md

+[express-route-or-vpn]: ../expressroute/expressroute-about-virtual-network-gateways.md

+[devops-agents]: /azure/devops/pipelines/agents/agents

+[availability-zones]: availability-zones.md

+[command-invoke]: command-invoke.md

+[container-registry-private-link]: ../container-registry/container-registry-private-link.md

+[virtual-networks-name-resolution]: ../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server

+The target subnet to be deployed into is defined with the environment variable, `$SUBNETID`. We didn't define the `$SUBNETID` variable in the previous steps. To set the value for the subnet ID, you can use the following command:

+ --node-count 3 \

+> [!NOTE]

+> For creating and using your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other client, you need to use the Principal ID of the cluster managed identity to perform a [role assignment.][add role to identity]

+>

+> If you are not using the CLI but using your own VNet or route table which are outside of the worker node resource group, it's recommended to use [user-assigned control plane identity][Bring your own control plane managed identity]. For system-assigned control plane identity, we cannot get the identity ID before creating cluster, which causes delay for role assignment to take effect.

+[add role to identity]: use-managed-identity.md#add-role-assignment-for-control-plane-identity

+[Bring your own control plane managed identity]: use-managed-identity.md#bring-your-own-control-plane-managed-identity

+You can verify your cluster is stopped using the [Get-AzAksCluster][get-azakscluster] cmdlet and confirming the `ProvisioningState` shows as `Succeeded` as shown in the following output:

+ProvisioningState : Succeeded

+## I'm receiving an error due to "PodDrainFailure"

+This error is due to the requested operation being blocked by a PodDisruptionBudget (PDB) that has been set on the deployments within the cluster. To learn more about how PodDisruptionBudgets work, please visit check out [the official Kubernetes example](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pdb-example).

+You may use this command to find the PDBs applied on your cluster:

+```

+kubectl get poddisruptionbudgets --all-namespaces

+```

+or

+```

+kubectl get poddisruptionbudgets -n {namespace of failed pod}

+```

+Please view the label selector to see the exact pods that are causing this failure.

+There are a few ways this error can occur:

+1. Your PDB may be too restrictive such as having a high minAvailable pod count, or low maxUnavailable pod count. You can change it by updating the PDB with less restrictive.

+2. During an upgrade, the replacement pods may not be ready fast enough. You can investigate your Pod Readiness times to attempt to fix this situation.

+3. The deployed pods may not work with the new upgraded node version, causing Pods to fail and fall below the PDB.

+>[!NOTE]

+ > If the pod is failing from the namespace 'kube-system', please contact support. This is a namespace managed by AKS.

+For more information about PodDisruptionBudgets, please check out the [official Kubernetes guide on configuring a PDB](https://kubernetes.io/docs/tasks/run-application/configure-pdb/).

+To use Azure Network Policy, you must use the [Azure CNI plug-in][azure-cni]. Calico Network Policy could be used with either this same Azure CNI plug-in or with the Kubenet CNI plug-in.

+* Creates an AKS cluster with system-assigned identity and enables network policy.

+Instead of using a system-assigned identity, you can also use a user-assigned identity. For more information, see [Use managed identities](use-managed-identity.md).

+### Create an AKS cluster for Azure network policies

+You can replace the *RESOURCE_GROUP_NAME* and *CLUSTER_NAME* variables:

+Create the AKS cluster and specify *azure* for the network plugin and network policy.

+Create the AKS cluster and specify *azure* for the network plugin, and *calico* for the network policy. Using *calico* as the network policy enables Calico networking on both Linux and Windows node pools.

+## Create an AKS cluster with managed identity

+Instead of using a system-assigned identity, you can also use a user-assigned identity. For more information, see [Use managed identities](use-managed-identity.md).

+Use the [az aks create][az-aks-create] command to create an AKS cluster. The following example creates a cluster named *myAKSCluster* with one node. Replace `<subnetId>` with the ID obtained in the previous step.

+az resource delete --ids $SAL_ID --api-version 2021-10-01

+[virtual-nodes-networking-aci]: ../container-instances/container-instances-virtual-network-concepts.md

+| `type` | `war`\|`jar`\|`ear`\|`lib`\|`startup`\|`static`\|`zip` | The type of the artifact being deployed, this sets the default target path and informs the web app how the deployment should be handled. <br/> - `type=zip`: Deploy a ZIP package by unzipping the content to `/home/site/wwwroot`. `path` parameter is optional. <br/> - `type=war`: Deploy a WAR package. By default, the WAR package is deployed to `/home/site/wwwroot/app.war`. The target path can be specified with `path`. <br/> - `type=jar`: Deploy a JAR package to `/home/site/wwwroot/app.jar`. The `path` parameter is ignored <br/> - `type=ear`: Deploy an EAR package to `/home/site/wwwroot/app.ear`. The `path` parameter is ignored <br/> - `type=lib`: Deploy a JAR library file. By default, the file is deployed to `/home/site/libs`. The target path can be specified with `path`. <br/> - `type=static`: Deploy a static file (e.g. a script). By default, the file is deployed to `/home/site/wwwroot`. <br/> - `type=startup`: Deploy a script that App Service automatically uses as the startup script for your app. By default, the script is deployed to `D:\home\site\scripts\<name-of-source>` for Windows and `home/site/wwwroot/startup.sh` for Linux. The target path can be specified with `path`. | Yes | String |

+There are three variations of App Service that require slightly different configuration of the integration with Azure Application Gateway. The variations include regular App Service - also known as multi-tenant, Internal Load Balancer (ILB) App Service Environment and External App Service Environment. This article will walk through how to configure it with App Service (multi-tenant) using service endpoint to secure traffic. The article will also discuss considerations around using private endpoint and integrating with ILB, and External App Service Environment. Finally the article has considerations on scm/kudu site.

+Application Gateway will cache the DNS lookup results, so if you use FQDNs and rely on DNS lookup to get the private IP address, then you may need to restart the Application Gateway if the DNS update or link to Azure private DNS zone was done after configuring the backend pool. To restart the Application Gateway, you must start and stop the instance. You can do this with Azure CLI:

+```azurecli-interactive

+az network application-gateway stop --resource-group myRG --name myAppGw

+az network application-gateway start --resource-group myRG --name myAppGw

+```

+ILB App Service Environment isn't exposed to the internet and traffic between the instance and an Application Gateway is therefore already isolated to the Virtual Network. The following [how-to guide](../environment/integrate-with-application-gateway.md) configures an ILB App Service Environment and integrates it with an Application Gateway using Azure portal.

+If you want to ensure that only traffic from the Application Gateway subnet is reaching the App Service Environment, you can configure a Network security group (NSG) which affect all web apps in the App Service Environment. For the NSG, you are able to specify the subnet IP range and optionally the ports (80/443). Make sure you don't override the [required NSG rules](../environment/network-info.md#network-security-groups) for App Service Environment to function correctly.

+External App Service Environment has a public facing load balancer like multi-tenant App Service. Service endpoints don't work for App Service Environment, and that's why you'll have to use ip-based access restrictions using the public IP of the Application Gateway instance. To create an External App Service Environment using the Azure portal, you can follow this [Quickstart](../environment/create-external-ase.md)

+Through application routing or configuration routing options, you can configure what traffic will be sent through the virtual network integration. Traffic is only subject to [network routing](#network-routing) if it is sent through the virtual network integration.

+Application routing applies to traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during start up. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the **Route All** setting. If **Route All** is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that **Route All** is enabled.

+The following sections describe the various errors you might encounter. You can verify if your gateway has any such problem by visiting [**Azure Advisor**](./key-vault-certs.md#investigating-and-resolving-key-vault-errors) for your account, and use this troubleshooting article to fix the problem. We recommend configuring Azure Advisor alerts to stay informed when a key vault problem is detected for your gateway.

+Get started with Azure Form Recognizer using the programming language of your choice. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+Get started with Azure Form Recognizer using the C# programming language. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+In this quickstart, you'll use the following features to analyze and extract data and values from forms and documents:

+* [**Layout model**](#layout-model)ΓÇöAnalyze and extract tables, lines, words, and selection marks like radio buttons and check boxes in documents, without the need to train a model.

+> Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

+Get started with Azure Form Recognizer using the Java programming language. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+In this quickstart you'll use the following features to analyze and extract data and values from forms and documents:

+* [**Layout**](#layout-model)ΓÇöAnalyze and extract tables, lines, words, and selection marks like radio buttons and check boxes in documents, without the need to train a model.

+ > Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

+In this quickstart you'll use the following features to analyze and extract data and values from forms and documents:

+* [**Layout**](#layout-model)ΓÇöAnalyze and extract tables, lines, words, and selection marks like radio buttons and check boxes in documents, without the need to train a model.

+ > Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

+Get started with Azure Form Recognizer using the Python programming language. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+In this quickstart you'll use the following features to analyze and extract data and values from forms and documents:

+* [**Layout**](#layout-model)ΓÇöAnalyze and extract tables, lines, words, and selection marks like radio buttons and check boxes in documents, without the need to train a model.

+> Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

+> * To analyze a given file at a URI, you'll use the `begin_analyze_document_from_url` method and pass `prebuilt-invoice` as the model Id. The returned value is a `result` object containing data about the submitted document.

+Get started with Azure Form Recognizer using the REST API. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models using the REST API or by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+> Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

+ 1. [Configure](enable-managed-identity-for-automation.md#enable-a-system-assigned-managed-identity-for-an-azure-automation-account) a System-assigned Managed Identity for the Automation account.

+ 1. Grant this identity the [required permissions](enable-managed-identity-for-automation.md#assign-role-to-a-system-assigned-managed-identity) within the Subscription to perform its task.

+ 1. [Configure](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#enable-system-assigned-managed-identity-on-an-existing-vm) a System Managed Identity for the VM.

+ 1. Grant this identity the [required permissions](../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm.md#grant-your-vm-access-to-a-resource-group-in-resource-manager) within the subscription to perform its tasks.

+ 1. [Configure](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) a User Managed Identity for the VM.

+ 1. Grant this identity the [required permissions](/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal) within the Subscription to perform its tasks.

+| [Azure Managed Instance for Apache Cassandra](../managed-instance-apache-cassandr) |  |

+To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an [Azure Arc Private Link Scope](private-link-security.md) .

+* To resolve problems, review the [agent connection issues troubleshooting guide](troubleshoot-agent-onboard.md).

+# Customer intent: As a developer, I want to understand how to configure monitoring for my functions correctly, so I can collect the data that I need.

+Azure Functions integrates with Application Insights to better enable you to monitor your function apps. Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service that collects data generated by your function app, including information your app writes to logs. Application Insights integration is typically enabled when your function app is created. If your app doesn't have the instrumentation key set, you must first [enable Application Insights integration](#enable-application-insights-integration).

+You can use Application Insights without any custom configuration. The default configuration can result in high volumes of data. If you're using a Visual Studio Azure subscription, you might hit your data cap for Application Insights. For information about Application Insights costs, see [Application Insights billing](../azure-monitor/logs/cost-logs.md#application-insights-billing). For more information, see [Solutions with high-volume of telemetry](#solutions-with-high-volume-of-telemetry).

+Later in this article, you learn how to configure and customize the data that your functions send to Application Insights. For a function app, logging is configured in the *[host.json]* file.

+> You can use specially configured application settings to represent specific settings in a *host.json* file for a specific environment. This lets you effectively change *host.json* settings without having to republish the *host.json* file in your project. For more information, see [Override host.json values](functions-host-json.md#override-hostjson-values).

+The Azure Functions logger includes a *category* for every log. The category indicates which part of the runtime code or your function code wrote the log. Categories differ between version 1.x and later versions. The following chart describes the main categories of logs that the runtime creates:

+| **`Function.<YOUR_FUNCTION_NAME>`** | **dependencies**| Dependency data is automatically collected for some services. For successful runs, these logs are at the `Information` level. For more information, see [Dependencies](functions-monitoring.md#dependencies). Exceptions are logged at the `Error` level. The runtime also creates `Warning` level logs, such as when queue messages are sent to the [poison queue](functions-bindings-storage-queue-trigger.md#poison-messages). |

+| **`Function.<YOUR_FUNCTION_NAME>`** | **customMetrics**<br/>**customEvents** | C# and JavaScript SDKs lets you collect custom metrics and log custom events. For more information, see [Custom telemetry data](functions-monitoring.md#custom-telemetry-data).|

+| **`Function.<YOUR_FUNCTION_NAME>`** | **traces**| Includes function started and completed logs for specific function runs. For successful runs, these logs are at the `Information` level. Exceptions are logged at the `Error` level. The runtime also creates `Warning` level logs, such as when queue messages are sent to the [poison queue](functions-bindings-storage-queue-trigger.md#poison-messages). |

+| **`Function.<YOUR_FUNCTION_NAME>.User`** | **traces**| User-generated logs, which can be any log level. For more information about writing to logs from your functions, see [Writing to logs](functions-monitoring.md#writing-to-logs). |

+| **`Microsoft`** | **traces** | Fully qualified log category that reflects a .NET runtime component invoked by the host. |

+| **`Worker`** | **traces** | Logs generated by the language worker process for non-.NET languages. Language worker logs might also be logged in a `Microsoft.*` category, such as `Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcFunctionInvocationDispatcher`. These logs are written at `Information` level.|

+> [!NOTE]

+> For .NET class library functions, these categories assume you're using `ILogger` and not `ILogger<T>`. For more information, see the [Functions ILogger documentation](functions-dotnet-class-library.md#ilogger).

+| **`Function`** | **traces**| User-generated logs, which can be any log level. For more information about writing to logs from your functions, see [Writing to logs](functions-monitoring.md#writing-to-logs). |

+The **Table** column indicates to which table in Application Insights the log is written.

+For each category, you indicate the minimum log level to send. The *host.json* settings vary depending on the [Functions runtime version](functions-versions.md).

+If *[host.json]* includes multiple logs that start with the same string, the more defined logs ones are matched first. Consider the following example that logs everything in the runtime, except `Host.Aggregator`, at the `Error` level:

+You can use a log level setting of `None` to prevent any logs from being written for a category.

+> Azure Functions integrates with Application Insights by storing telemetry events in Application Insights tables. Setting a category log level to any value different from `Information` will prevent the telemetry to flow to those tables. As outcome, you won't be able to see the related data in **Application Insights** or **Function Monitor** tab.

+> + If the `Host.Results` category is set to `Error` log level, it will only gather host execution telemetry events in the `requests` table for failed function executions, preventing to display host execution details of success executions in both the **Application Insights** and **Function Monitor** tab.

+> + If the `Function` category is set to `Error` log level, it will stop gathering function telemetry data related to `dependencies`, `customMetrics`, and `customEvents` for all the functions, preventing to see any of this data in Application Insights. It will only gather `traces` logged with `Error` level.

+> In both cases you will continue to collect errors and exceptions data in the **Application Insights** and **Function Monitor** tab. For more information, see [Solutions with high-volume of telemetry](#solutions-with-high-volume-of-telemetry).

+As noted in the previous section, the runtime aggregates data about function executions over a period of time. The default period is 30 seconds or 1,000 runs, whichever comes first. You can configure this setting in the *[host.json]* file. Here's an example:

+Application Insights has a [sampling](../azure-monitor/app/sampling.md) feature that can protect you from producing too much telemetry data on completed executions at times of peak load. When the rate of incoming executions exceeds a specified threshold, Application Insights starts to randomly ignore some of the incoming executions. The default setting for maximum number of executions per second is 20 (five in version 1.x). You can configure sampling in [*host.json*](./functions-host-json.md#applicationinsights). Here's an example:

+You can exclude certain types of telemetry from sampling. In this example, data of type `Request` and `Exception` is excluded from sampling. It will ensure that *all* function executions (requests) and exceptions are logged while other types of telemetry remain subject to sampling.

+# [v1.x](#tab/v1)

+For more information, see [Sampling in Application Insights](../azure-monitor/app/sampling.md).

+_This feature is in preview._

+To enable this feature, you can add an application setting named `SCALE_CONTROLLER_LOGGING_ENABLED` to your function app settings. The following value of the setting must be in the format `<DESTINATION>:<VERBOSITY>`:

+In this example, replace `<FUNCTION_APP_NAME>` and `<RESOURCE_GROUP_NAME>` with the name of your function app and the resource group name, respectively.

+With scale controller logging enabled, you're now able to [query your scale controller logs](analyze-telemetry-data.md#query-scale-controller-logs).

+When you create your function app in the [Azure portal](./functions-get-started.md) from the command line by using [Azure Functions Core Tools](./create-first-function-cli-csharp.md) or [Visual Studio Code](./create-first-function-vs-code-csharp.md), Application Insights integration is enabled by default. The Application Insights resource has the same name as your function app, and it's created either in the same region or in the nearest region.

+To review the Application Insights resource being created, select it to expand the **Application Insights** window. You can change the **New resource name** or select a different **Location** in an [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/) where you want to store your data.

+When you select **Create**, an Application Insights resource is created with your function app, which has the `APPINSIGHTS_INSTRUMENTATIONKEY` set in application settings. Everything is ready to go.

+1. In the [Azure portal](https://portal.azure.com), search for and select **function app**, and then select your function app.

+ :::image type="content" source="media/configure-monitoring/enable-application-insights.png" alt-text="Screenshot of enabling Application Insights from the portal.":::

+1. Expand **Change your resource** and create an Application Insights resource by using the settings specified in the following table:

+ | **New resource name** | Unique app name | It's easiest to use the same name as your function app, which must be unique in your subscription. |

+ | **Location** | West Europe | If possible, use the same [region](https://azure.microsoft.com/regions/) as your function app, or the one that's close to that region. |

+ :::image type="content" source="media/configure-monitoring/ai-general.png" alt-text="Screenshot of creating an Application Insights resource.":::

+1. Select **Apply**.

+ The Application Insights resource is created in the same resource group and subscription as your function app. After the resource is created, close the **Application Insights** window.

+> Early versions of Functions used built-in monitoring, which is no longer recommended. When you're enabling Application Insights integration for such a function app, you must also [disable built-in logging](#disable-built-in-logging).

+To disable built-in logging, delete the `AzureWebJobsDashboard` app setting. For more information about how to delete app settings in the Azure portal, see the **Application settings** section of [How to manage a function app](functions-how-to-use-azure-function-app-settings.md#settings). Before you delete the app setting, ensure that no existing functions in the same function app use the setting for Azure Storage triggers or bindings.

+## Solutions with high volume of telemetry

+Function apps are an essential part of solutions that can cause high volumes of telemetry such as IoT solutions, rapid event driven solutions, high load financial systems, and integration systems. In this case, you should consider extra configuration to reduce costs while maintaining observability.

+The generated telemetry can be consumed in real-time dashboards, alerting, detailed diagnostics, and so on. Depending on how the generated telemetry is going to be consumed, you'll need to define a strategy to reduce the volume of data generated. This strategy will allow you to properly monitor, operate, and diagnose your function apps in production. You can consider the following options:

+ The following screenshot shows `Host.Aggregator` telemetry data displayed in the function **Overview** tab:

+ The following screenshot shows `Host.Aggregator` telemetry data in Application Insights `customMetrics` table:

+ The following screenshot shows the `Host.Results` telemetry data displayed in the function **Monitor** tab:

+ The following screenshot shows `Host.Results` telemetry data displayed in Application Insights Performance dashboard:

+With this configuration, you'll have:

+ > [!NOTE]

+ > Configuration per function isn't supported in v1.x.

+ > [!NOTE]

+ > Metric counts such as request rate and exception rate are adjusted to compensate for the sampling rate, so that they show approximately correct values in Metric Explorer.

+> [!TIP]

+> Experiment with different configurations to ensure that you cover your requirements for logging, monitoring, and alerting. Also, ensure that you have detailed diagnostics in case of unexpected errors or malfunctioning.

+## Overriding monitoring configuration at runtime

+Finally, there could be situations where you need to quickly change the logging behavior of a certain category in production, and you don't want to make a whole deployment just for a change in the *host.json* file. For such cases, you can override the [host.json values](functions-host-json.md#override-hostjson-values).

+To configure these values at App settings level (and avoid redeployment on just *host.json* changes), you should override specific `host.json` values by creating an equivalent value as an application setting. When the runtime finds an application setting in the format `AzureFunctionsJobHost__path__to__setting`, it overrides the equivalent `host.json` setting located at `path.to.setting` in the JSON. When expressed as an application setting, the dot (`.`) used to indicate JSON hierarchy is replaced by a double underscore (`__`). For example, you can use the below app settings to configure individual function log levels as in `host.json` above.

+For more information about monitoring, see:

+We recommend that you [develop your functions locally](functions-develop-local.md) and publish to a function app in Azure.

+## Prerequisites

+1. From the left menu of the **Function App** window, select **Functions**, and then select **Create** from the top menu.

+1. From the **Create Function** window, leave the **Development environment** property as **Develop in portal**, and then select the **HTTP trigger** template.

+ :::image type="content" source="./media/functions-create-first-azure-function/function-app-http-trigger.png" alt-text="Screenshot of HTTP trigger function.":::

+1. Under **Template details** use `HttpExample` for **New Function**, select **Anonymous** from the **[Authorization level](functions-bindings-http-webhook-trigger.md#authorization-keys)** drop-down list, and then select **Create**.

+1. In your new HTTP trigger function, select **Code + Test** from the left menu, and then select **Get function URL** from the top menu.

+ :::image type="content" source="./media/functions-create-first-azure-function/function-app-http-example-get-function-url.png" alt-text="Screenshot of Get function URL window.":::

+1. In the **Get function URL** dialog, select **default** from the drop-down list, and then select the **Copy to clipboard** icon.

+ :::image type="content" source="./media/functions-create-first-azure-function/function-app-develop-tab-testing.png" alt-text="Screenshot of Copy the function URL window from the Azure portal.":::

+1. Paste the function URL into your browser's address bar. Add the query string value `?name=<your_name>` to the end of this URL and press Enter to run the request. The browser must display a response message that echoes back your query string value.

+ If the request URL included an [access key](functions-bindings-http-webhook-trigger.md#authorization-keys) (`?code=...`), it means you selected **Function** instead of **Anonymous** access level when creating the function. In this case, you must instead append `&name=<your_name>`.

+1. When your function runs, trace information is written to the logs. To see the trace output, return to the **Code + Test** page in the portal and expand the **Logs** arrow at the bottom of the page. Call your function again to see the trace output written to the logs.

+ :::image type="content" source="media/functions-create-first-azure-function/function-app-log-view.png" alt-text="Screenshot of Functions log viewer in the Azure portal.":::

+Azure Functions supports any language or runtime using [custom handlers](functions-custom-handlers.md). For some languages, such as the R programming language used in this tutorial, you need to install the runtime or more libraries as dependencies that require the use of a custom container.

+You can also use a default Azure App Service container as described in [Create your first function hosted on Linux](./create-first-function-cli-csharp.md?pivots=programming-language-python). Supported base images for Azure Functions are found in the [Azure Functions base images repo](https://hub.docker.com/_/microsoft-azure-functions-base).

+> * Create supporting resources in Azure for the function app.

+> * Add a Queue storage output binding.

+> * Create supporting resources in Azure for the function app.

+You can follow this tutorial on any computer running Windows, macOS, or Linux.

+You also need to get a Docker and Docker ID:

+In a terminal or command prompt, run the following command for your chosen language to create a function app project in the current folder:

+In an empty folder, run the following command to generate the Functions project from a [Maven archetype](https://maven.apache.org/guides/introduction/introduction-to-archetypes.html):

+Maven asks you for values needed to finish generating the project on deployment.

+Follow the prompts and provide the following information:

+| **version** | `1.0-SNAPSHOT` | Select the default value. |

+Maven creates the project files in a new folder named _artifactId_, which in this example is `fabrikam-functions`.

+The `--docker` option generates a *Dockerfile* for the project, which defines a suitable custom container for use with Azure Functions and the selected runtime.

+Use the following command to add a function to your project, where the `--name` argument is the unique name of your function and the `--template` argument specifies the function's trigger. `func new` creates a C# code file in your project.

+Use the following command to add a function to your project, where the `--name` argument is the unique name of your function and the `--template` argument specifies the function's trigger. `func new` creates a subfolder matching the function name that contains a configuration file named *function.json*.

+In a text editor, create a file in the project folder named *handler.R*. Add the following code as its content:

+To test the function locally, start the local Azure Functions runtime host in the root of the project folder.

+After you see the `HttpExample` endpoint appear in the output, navigate to `http://localhost:7071/api/HttpExample?name=Functions`. The browser must display a "hello" message that echoes back `Functions`, the value supplied to the `name` query parameter.

+Press **Ctrl**+**C** to stop the host.

+(Optional) Examine the *Dockerfile* in the root of the project folder. The *Dockerfile* describes the required environment to run the function app on Linux. The complete list of supported base images for Azure Functions can be found in the [Azure Functions base image page](https://hub.docker.com/_/microsoft-azure-functions-base).

+Examine the *Dockerfile* in the root of the project folder. The *Dockerfile* describes the required environment to run the function app on Linux. Custom handler applications use the `mcr.microsoft.com/azure-functions/dotnet:3.0-appservice` image as its base.

+Modify the *Dockerfile* to install R. Replace the contents of the *Dockerfile* with the following code:

+In the root project folder, run the [docker build](https://docs.docker.com/engine/reference/commandline/build/) command, provide a name as `azurefunctionsimage`, and tag as `v1.0.0`. Replace `<DOCKER_ID>` with your Docker Hub account ID. This command builds the Docker image for the container.

+To test the build, run the image in a local container using the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command, replace `<docker_id>` again with your Docker Hub account ID, and add the ports argument as `-p 8080:80`:

+After the image starts in the local container, browse to `http://localhost:8080/api/HttpExample?name=Functions`, which must display the same "hello" message as before. Because the HTTP triggered function you created uses anonymous authorization, you can call the function running in the container without having to obtain an access key. For more information, see [authorization keys].

+After the image starts in the local container, browse to `http://localhost:8080/api/HttpExample`, which must display the same greeting message as before. Because the HTTP triggered function you created uses anonymous authorization, you can call the function running in the container without having to obtain an access key. For more information, see [authorization keys].

+After the image starts in the local container, browse to `http://localhost:8080/api/HttpExample?name=Functions`, which must display the same "hello" message as before. Because the HTTP triggered function you created uses anonymous authorization, you can call the function running in the container without having to obtain an access key. For more information, see [authorization keys].

+After verifying the function app in the container, press **Ctrl**+**C** to stop the docker.

+1. If you haven't already signed in to Docker, do so with the [docker login](https://docs.docker.com/engine/reference/commandline/login/) command, replacing `<docker_id>` with your Docker Hub account ID. This command prompts you for your username and password. A "Login Succeeded" message confirms that you're signed in.

+1. After you've signed in, push the image to Docker Hub by using the [docker push](https://docs.docker.com/engine/reference/commandline/push/) command, again replace the `<docker_id>` with your Docker Hub account ID.

+1. Depending on your network speed, pushing the image for the first time might take a few minutes (pushing subsequent changes is much faster). While you're waiting, you can proceed to the next section and create Azure resources in another terminal.

+* A [resource group](../azure-resource-manager/management/overview.md), which is a logical container for related resources.

+* A [Storage account](../storage/common/storage-account-create.md), which is used to maintain state and other information about your functions.

+* A function app, which provides the environment for executing your function code. A function app maps to your local function project and lets you group functions as a logical unit for easier management, deployment, and sharing of resources.

+1. If you haven't done already, sign in to Azure.

+1. Create a resource group named `AzureFunctionsContainers-rg` in your chosen region.

+1. Create a general-purpose storage account in your resource group and region.

+ In the previous example, replace `<STORAGE_NAME>` with a name that is appropriate to you and unique in Azure Storage. Storage names must contain 3 to 24 characters numbers and lowercase letters only. `Standard_LRS` specifies a general-purpose account [supported by Functions](storage-considerations.md#storage-account-requirements).

+ We use the Premium plan here, which can scale as needed. For more information about hosting, see [Azure Functions hosting plans comparison](functions-scale.md). For more information on how to calculate costs, see the [Functions pricing page](https://azure.microsoft.com/pricing/details/functions/).

+1. Create a function app using the following command:

+ In the [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command, the *deployment-container-image-name* parameter specifies the image to use for the function app. You can use the [az functionapp config container show](/cli/azure/functionapp/config/container#az-functionapp-config-container-show) command to view information about the image used for deployment. You can also use the [az functionapp config container set](/cli/azure/functionapp/config/container#az-functionapp-config-container-set) command to deploy from a different image.

+ > [!NOTE]

+ > If you're using a custom container registry, then the *deployment-container-image-name* parameter will refer to the registry URL.

+ In this example, replace `<STORAGE_NAME>` with the name you used in the previous section for the storage account. Also, replace `<APP_NAME>` with a globally unique name appropriate to you, and `<DOCKER_ID>` with your Docker Hub account ID. When you're deploying from a custom container registry, use the `deployment-container-image-name` parameter to indicate the URL of the registry.

+ > You can use the [`DisableColor` setting](functions-host-json.md#console) in the *host.json* file to prevent ANSI control characters from being written to the container logs.

+ The connection string for the storage account is returned by using the [az storage account show-connection-string](/cli/azure/storage/account) command.

+ Replace `<STORAGE_NAME>` with the name of the storage account you created earlier.

+1. Use the following command to add the setting to the function app:

+ The [az functionapp config appsettings set](/cli/azure/functionapp/config/appsettings#az-functionapp-config-ppsettings-set) command creates the setting.

+> [!NOTE]

+> If you publish your custom image to a private container registry, you must use environment variables in the *Dockerfile* for the connection string instead. For more information, see the [ENV instruction](https://docs.docker.com/engine/reference/builder/#env). You must also set the `DOCKER_REGISTRY_SERVER_USERNAME` and `DOCKER_REGISTRY_SERVER_PASSWORD` variables. To use the values, you must rebuild the image, push the image to the registry, and then restart the function app on Azure.

+In your browser, navigate to the following URL:

+Replace `<APP_NAME>` with the name of your function app. When you navigate to this URL, the browser must display similar output as when you ran the function locally.

+1. Use the following command to enable continuous deployment and to get the webhook URL:

+ The `DOCKER_ENABLE_CI` application setting controls whether continuous deployment is enabled from the container repository. The [Get-AzWebAppContainerContinuousDeploymentUrl](/powershell/module/az.websites/get-azwebappcontainercontinuousdeploymenturl) cmdlet returns the URL of the deployment webhook.

+ As before, replace `<APP_NAME>` with your function app name.

+1. Open [Docker Hub](https://hub.docker.com/), sign in, and select **Repositories** on the navigation bar. Locate and select the image, select the **Webhooks** tab, specify a **Webhook name**, paste your URL in **Webhook URL**, and then select **Create**.

+ :::image type="content" source="./media/functions-create-function-linux-custom-image/dockerhub-set-continuous-webhook.png" alt-text="Screenshot showing how to add the webhook in your Docker Hub window.":::

+SSH enables secure communication between a container and a client. With SSH enabled, you can connect to your container using App Service Advanced Tools (Kudu). For easy connection to your container using SSH, Azure Functions provides a base image that has SSH already enabled. You only need to edit your *Dockerfile*, then rebuild, and redeploy the image. You can then connect to the container through the Advanced Tools (Kudu).

+1. In your *Dockerfile*, append the string `-appservice` to the base image in your `FROM` instruction.

+1. Rebuild the image by using the `docker build` command again, replace the `<docker_id>` with your Docker Hub account ID.

+1. Push the updated image to Docker Hub, which should take considerably less time than the first push. Only the updated segments of the image need to be uploaded now.

+1. In a browser, open `https://<app_name>.scm.azurewebsites.net/` and replace `<app_name>` with your unique name. This URL is the Advanced Tools (Kudu) endpoint for your function app container.

+1. Sign in to your Azure account, and then select the **SSH** to establish a connection with the container. Connecting might take a few moments if Azure is still updating the container image.

+1. After a connection is established with your container, run the `top` command to view the currently running processes.

+ :::image type="content" source="media/functions-create-function-linux-custom-image/linux-custom-kudu-ssh-top.png" alt-text="Screenshot that shows Linux top command running in an SSH session.":::

+Azure Functions lets you connect your functions to other Azure services and resources without having to write your own integration code. These *bindings*, which represent both input and output, are declared within the function definition. Data from bindings is provided to the function as parameters. A *trigger* is a special type of input binding. Although a function has only one trigger, it can have multiple input and output bindings. For more information, see [Azure Functions triggers and bindings concepts](functions-triggers-bindings.md).

+## Update the image in the registry

+1. In the root folder, run `docker build` again, and this time update the version in the tag to `v1.0.1`. As before, replace `<docker_id>` with your Docker Hub account ID.

+1. Push the updated image back to the repository with `docker push`.

+In a browser, use the same URL as before to invoke your function. The browser must display the same response as before, because you didn't modify that part of the function code. The added code, however, wrote a message using the `name` URL parameter to the `outqueue` storage queue.

+To avoid ongoing costs, delete the `AzureFunctionsContainers-rg` resource group to clean up all the resources in that group:

+az group delete --name AzureFunctionsContainers-rg

+Ensure that you have an Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+1. In your function app, select **Functions**, and then select **+ Create**.

+ :::image type="content" source="./media/functions-create-scheduled-function/function-create-function.png" alt-text="Screenshot of adding a function in the Azure portal." border="true":::

+1. Select the **Timer trigger** template.

+ :::image type="content" source="./media/functions-create-scheduled-function/function-select-timer-trigger-template.png" alt-text="Screenshot of select the timer trigger page in the Azure portal." border="true":::

+1. Configure the new trigger with the settings as specified in the table below the image, and then select **Create**.

+ :::image type="content" source="./media/functions-create-scheduled-function/function-configure-timer-trigger-new.png" alt-text="Screenshot that shows the New Function page with the Timer Trigger template selected." border="true":::

+1. In your function, select **Code + Test** and expand the **Logs**.

+ :::image type="content" source="./media/functions-create-scheduled-function/function-code-test-timer-trigger.png" alt-text="Screenshot of the Test the timer trigger page in the Azure portal." border="true":::

+ :::image type="content" source="./media/functions-create-scheduled-function/function-timer-logs-view.png" alt-text="Screenshot showing the View the timer trigger page in the Azure portal." border="true":::

+1. In your function, select **Integration**. Here, you define the input and output bindings for your function and also set the schedule.

+ :::image type="content" source="./media/functions-create-scheduled-function/function-update-timer-schedule-new.png" alt-text="Screenshot of Update the timer schedule page in the Azure portal." border="true":::

+ :::image type="content" source="./media/functions-create-scheduled-function/function-edit-timer-schedule.png" alt-text="Screenshot of the Update function timer schedule page in the Azure portal." border="true":::

+> [!IMPORTANT]

+> Beginning on December 3, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime can no longer be supported. Before that time, please test, verify, and migrate your function apps to version 4.x of the Functions runtime. End of support for these runtime versions is due to the ending of support for .NET Core 3.1, which is required by these runtime versions. This requirement affects all Azure Functions runtime languages.

+>Functions version 1.x is still supported for C# function apps that require the .NET Framework. Preview support is now available in Functions 4.x to [run C# functions on .NET Framework 4.8](dotnet-isolated-process-guide.md#supported-versions).

+Application Insights is integrated with various resource providers and works on different environments. In essence, all you have to do is enable and - in some cases - configure the agent, which will collect the telemetry automatically. In no time, you'll see the metrics, requests, and dependencies in your Application Insights resource. This telemetry will allow you to spot the source of potential problems before they occur, and analyze the root cause with end-to-end transaction view.

+|Azure Kubernetes Service (AKS) | N/A | Not supported | Through agent | Not supported | Not supported |

+## Azure Kubernetes Service (AKS)

+Codeless instrumentation of Azure Kubernetes Service (AKS) is currently available for Java applications through the [standalone agent](./java-in-process-agent.md).

+Auto-instrumentation for Azure VMs and virtual machine scale set is available for [.NET](./azure-vm-vmss-apps.md) and [Java](./java-in-process-agent.md) - this experience isn't integrated into the portal. The monitoring is enabled through a few steps with a stand-alone solution and doesn't require any code changes.

+Every telemetry item may have a strongly typed context field. Every field enables a specific monitoring scenario. Use the custom properties collection to store custom or application-specific contextual information.

+The IP address of the client device. IPv4 and IPv6 are supported. When telemetry is sent from a service, the location context is about the user that initiated the operation in the service. Application Insights extract the geo-location information from the client IP and then truncate it. So client IP by itself can't be used as end-user identifiable information.

+A unique identifier of the root operation. This identifier allows grouping telemetry across multiple components. See [telemetry correlation](./correlation.md) for details. The operation ID is created by either a request or a page view. All other telemetry sets this field to the value for the containing request or page view.

+## Session ID

+## Anonymous user ID

+Anonymous user ID. (User.Id) Represents the end user of the application. When telemetry is sent from a service, the user context is about the user that initiated the operation in the service.

+> The count of anonymous user IDs is not the same as the number of unique application users. The count of anonymous user IDs is typically higher because each time the user opens your app on a different device or browser, or cleans up browser cookies, a new unique anonymous user id is allocated. This calculation may result in counting the same physical users multiple times.

+Authenticated user ID. The opposite of anonymous user ID, this field represents the user with a friendly name. This ID is only collected by default with the ASP.NET Framework SDK's [`AuthenticatedUserIdTelemetryInitializer`](https://github.com/microsoft/ApplicationInsights-dotnet/blob/develop/WEB/Src/Web/Web/AuthenticatedUserIdTelemetryInitializer.cs).

+Use the Application Insights SDK to initialize the Authenticated User ID with a value identifying the user persistently across browsers and devices. In this way, all telemetry items are attributed to that unique ID. This ID enables querying for all telemetry collected for a specific user (subject to [sampling configurations](./sampling.md) and [telemetry filtering](./api-filtering-sampling.md)).

+The account ID, in multi-tenant applications, is the tenant account ID or name that the user is acting with. It's used for more user segmentation when user ID and authenticated user ID aren't sufficient. For example, a subscription ID for Azure portal or the blog name for a blogging platform.

+Name of the role the application is a part of. Maps directly to the role name in Azure. Can also be used to distinguish micro services, which are part of a single application.

+This behavior is by design to help avoid unnecessary collection of personal data and ip address location information. Whenever possible, we recommend avoiding the collection of personal data.

+> Although the default is to not collect IP addresses, you can override this behavior. We recommend verifying that the collection doesn't break any compliance requirements or local regulations.

+While not collecting ip addresses will also not collect city and other geolocation attributes are populated by our pipeline by using the IP address, you can also mask IP collection at the source. This can be done by either removing the client IP initializer [Configuration with Applications Insights Configuration](configuration-with-applicationinsights-config.md), or providing your own custom initializer. For more information, see [API Filtering example.](api-filtering-sampling.md).

+Download the [applicationinsights-agent-3.3.0.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.3.0/applicationinsights-agent-3.3.0.jar) file.

+> If you're upgrading from 3.2.x to 3.3.0:

+> - Starting from 3.3.0, `LoggingLevel` is not captured by default as part of Traces' custom dimension since that data is already captured in the `SeverityLevel` field. For details on how to re-enable this if needed, please see the [config options](./java-standalone-config.md#logginglevel)

+Add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to your application's JVM args.

+ - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.3.0.jar` with the following content:

+Add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` somewhere before `-jar`, for example:

+java -javaagent:path/to/applicationinsights-agent-3.3.0.jar -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `"-javaagent:path/to/applicationinsights-agent-3.3.0.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.3.0.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.3.0.jar -jar <myapp.jar>

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.3.0.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.3.0.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.3.0.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.3.0.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.3.0.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.3.0.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.3.0.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.3.0.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.3.0.jar>

+-javaagent:path/to/applicationinsights-agent-3.3.0.jar

+-javaagent:path/to/applicationinsights-agent-3.3.0.jar

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.3.0.jar`.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.3.0.jar` is located.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.3.0.jar` is located.

+Starting from version 3.3.0, `LoggingLevel` is not captured by default as part of Traces' custom dimension since that data is aleady captured in the `SeverityLevel` field.

+Starting from 3.3.0, you can capture request and response headers on your server (request) telemetry:

+Starting from version 3.3.0, you can change this behavior to capture them as success if you prefer:

+> Vertx HTTP Library instrumentation is available starting from version 3.3.0

+`applicationinsights-agent-3.3.0.jar` is located.

+that holds the `applicationinsights-agent-3.3.0.jar` file.

+`applicationinsights-agent-3.3.0.jar` file.

+- `proxies`: Specifies a sequence of proxies to use for sending data to Azure Monitor. For more information, see [proxies](https://requests.readthedocs.io/en/latest/user/advanced/#proxies).

+ Title: Advanced features of Metrics Explorer

+description: Metrics are a series of measured values and counts that Azure collects. Learn to use Metrics Explorer to investigate the health and usage of resources.

+# Advanced features of Metrics Explorer in Azure Monitor

+> This article assumes you're familiar with basic features of the Metrics Explorer feature of Azure Monitor. If you're a new user and want to learn how to create your first metric chart, see [Getting started with the Metrics Explorer](./metrics-getting-started.md).

+In the Azure portal, select **Metrics** from the **Monitor** menu or from the **Monitoring** section of a resource's menu. Then choose **Select a scope** to open the scope picker.

+Use the scope picker to select the resources whose metrics you want to see. If you opened the Azure Metrics Explorer from a resource's menu, the scope should be populated.

+### Select multiple resources

+In the Azure Metrics Explorer, you can create charts that plot multiple metric lines or show multiple metric charts at the same time. This functionality allows you to:

+For example, imagine you have five storage accounts, and you want to know how much space they consume together. You can create a stacked area chart that shows the individual values and the sum of all the values at points in time.

+> In these cases, consider using multiple charts instead. In Metrics Explorer, select **New chart** to create a new chart.

+To pan, select the left and right arrows at the edge of the chart. The arrow control moves the selected time range back and forward by one half the chart's time span. For example, if you're viewing the past 24 hours, clicking on the left arrow causes the time range to shift to span a day and a half to 12 hours ago.

+You can click and drag on the chart to zoom into a section of a chart. Zooming updates the chart's time range to span your selection. If the time grain is set to Automatic, zooming selects a smaller time grain. The new time range applies to all charts in Metrics.

+When you add a metric to a chart, Metrics Explorer applies a default aggregation. The default makes sense in basic scenarios. But you can use a different aggregation to gain more insights about the metric.

+Before you use different aggregations on a chart, you should understand how Metrics Explorer handles them. Metrics are a series of measurements (or "metric values") that are captured over a time period. When you plot a chart, the values of the selected metric are separately aggregated over the *time grain*.

+You select the size of the time grain by using Metrics Explorer's [time picker panel](./metrics-getting-started.md#select-a-time-range). If you don't explicitly select the time grain, the currently selected time range is used by default. After the time grain is determined, the metric values that were captured during each time grain are aggregated on the chart, one data point per time grain.

+- If the time granularity is set to 30 minutes, the chart is drawn from 48 aggregated data points. The line chart connects 48 dots in the chart plot area (24 hours x 2 data points per hour). Each data point represents the *average* of all captured response times for server requests that occurred during each of the relevant 30-minute time periods.

+Metrics Explorer has five basic statistical aggregation types: sum, count, min, max, and average. The *sum* aggregation is sometimes called the *total* aggregation. For many metrics, Metrics Explorer hides the aggregations that are irrelevant and can't be used.

+- **Sum**: The sum of all values captured during the aggregation interval.

+ 

+- **Count**: The number of measurements captured during the aggregation interval.

+ When the metric is always captured with the value of 1, the count aggregation is equal to the sum aggregation. This scenario is common when the metric tracks the count of distinct events and each measurement represents one event. The code emits a metric record every time a new request arrives.

+ 

+- **Average**: The average of the metric values captured during the aggregation interval.

+ 

+- **Min**: The smallest value captured during the aggregation interval.

+ 

+- **Max**: The largest value captured during the aggregation interval.

+ 

+You can apply filters to charts whose metrics have dimensions. For example, imagine a *Transaction count* metric that has a *Response type* dimension. This dimension indicates whether the response from transactions succeeded or failed. If you filter on this dimension, you'll see a chart line for only successful or only failed transactions.

+1. Select a dimension (property) to filter.

+1. Select the operator you want to apply against the dimension (property). The default operator is = (equals)

+1. Select which dimension values you want to apply to the filter when plotting the chart. This example shows filtering out the successful storage transactions.

+1. After selecting the filter values, click away from the filter selector to close it. Now the chart shows how many storage transactions have failed:

+1. Repeat these steps to apply multiple filters to the same charts.

+1. Choose a dimension on which to segment your chart:

+1. Choose a limit on the number of values to be displayed after splitting by selected dimension. The default limit is 10 as shown in the above chart. The range of limit is 1 - 50.

+1. Choose the sort order on segments: **Ascending** or **Descending**. The default selection is **Descending**.

+1. Click away from the grouping selector to close it.

+Locking the range of the value (y) axis becomes important in charts that show small fluctuations of large values.

+For example, a drop in the volume of successful requests from 99.99 percent to 99.5 percent might represent a significant reduction in the quality of service. Noticing a small numeric value fluctuation would be difficult or even impossible if you're using the default chart settings. In this case, you could lock the lowest boundary of the chart to 99 percent to make a small drop more apparent.

+Another example is a fluctuation in the available memory. In this scenario, the value technically never reaches 0. Fixing the range to a higher value might make drops in available memory easier to spot.

+To change the color of a chart line, select the colored bar in the legend that corresponds to the chart. The color picker dialog opens. Use the color picker to configure the line color.

+After you configure a chart, you might want to add it to a dashboard or workbook. By adding a chart to a dashboard or workbook, you can make it accessible to your team. You can also gain insights by viewing it in the context of other monitoring information.

+You can use your visualization criteria to create a metric-based alert rule. The new alert rule includes your chart's target resource, metric, splitting, and filter dimensions. You can modify these settings by using the alert rule creation pane.

+To help customers diagnose the root cause of anomalies in their metrics chart, we created the *Drill into Logs* feature. Drill into Logs allows customers to correlate spikes in their metrics chart to logs and queries.

+This table summarizes the types of logs and queries provided:

+| Activity logs | Provides insight into the operations on each Azure resource in the subscription from the outside (the management plane) in addition to updates on Service Health events. Use the Activity log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There's a single Activity log for each Azure subscription. |

+| Diagnostic log | Provides insight into operations that were performed within an Azure resource (the data plane), for example getting a secret from a Key Vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. **Note:** Must be provided by service and enabled by customer. |

+| Recommended log | Scenario-based queries that customer can use to investigate anomalies in their Metrics Explorer. |

+Currently, Drill into Logs is available for select resource providers. The resource providers that have the complete Drill into Logs experience are:

+- Application Insights

+- Autoscale

+- App Services

+- Storage

+This screenshot shows a sample for the Application Insights resource provider.

+

+1. To diagnose the spike in failed requests, select **Drill into Logs**.

+ 

+1. Select **Failures** to open a custom failure pane that provides you with the failed operations, top exceptions types, and dependencies.

+ 

+### Chart is segmented by a property that the metric doesn't define

+If you segment a chart by a property that the metric doesn't define, the chart displays no content.

+**Solution:** Clear the segmentation (splitting), or choose a different property.

+### Filter on another chart excludes all data

+Filters apply to all of the charts on the pane. If you set a filter on another chart, it could exclude all data from the current chart.

+**Solution:** Check the filters for all the charts on the pane. If you want different filters on different charts, create the charts in different panes. Save the charts as separate favorites. If you want, you can pin the charts to the dashboard so you can see them together.

+## Log and queries are disabled for Drill into Logs

+To view recommended logs and queries, you must route your diagnostic logs to Log Analytics.

+**Solution:** To route your diagnostic logs to Log Analytics, see [Diagnostic settings in Azure Monitor](./diagnostic-settings.md).

+## Only the Activity logs appear in Drill into Logs

+The Drill into Logs feature is only available for select resource providers. By default, activity logs are provided.

+**Solution:** This behavior is expected for some resource providers.

+Refer to the [VM insights log search documentation](/azure/azure-monitor/vm/vminsights-log-query) and the [VM insights alert documentation](../vm/monitor-virtual-machine-alerts.md) for additional example queries.

+ > [!NOTE]

+ > One alternative to mounting an NFS volume on Windows is to [Create a dual-protocol volume for Azure NetApp Files](create-volumes-dual-protocol.md), allowing the native access of SMB for Windows and NFS for Linux. However, if that is not possible, you can mount the NFS volume on Windows using the steps below.

+ * Set the permissions to allow the volume to be mounted on Windows

+ * Follow the steps to [Configure Unix permissions and change ownership mode for NFS and dual-protocol volumes](configure-unix-permissions-change-ownership-mode.md#unix-permissions) and set the permissions to '777' or '775'.

+ * Install NFS client on Windows

+ * Open PowerShell

+ * type: `Install-WindowsFeature -Name NFS-Client`

+ * Mount the volume via the NFS client on Windows

+ * Obtain the 'mount path' of the volume

+ * Open a Command prompt

+ * type: `mount -o anon -o mtype=hard \\$ANFIP\$FILEPATH $DRIVELETTER:\`

+ * `$ANFIP` is the IP address of the Azure NetApp Files volume found in the volume properties blade.

+ * `$FILEPATH` is the export path of the Azure NetApp Files volume.

+ * `$DRIVELETTER` is the drive letter where you would like the volume mounted within Windows.

+| North America | North Central US | East US 2|

+### Remarks

+To see a list of registered environments for your account, use [az cloud list](/cli/azure/cloud#az-cloud-list) or [Get-AzEnvironment](/powershell/module/az.accounts/get-azenvironment).

+# Custom resource cache reference

+This article will go through the requirements for endpoints implementing cache custom resources. If you're unfamiliar with Azure Custom Resource Providers, see [the overview on custom resource providers](overview.md).

+## Define a cache resource endpoint

+A proxy resource can be created by specifying the `routingType` to "Proxy, Cache".

+**Sample custom resource provider**:

+## Build a proxy resource endpoint

+An endpoint that implements a "Proxy, Cache" resource endpoint must handle the request and response for the new API in Azure. In this case, the **resourceType** will generate a new Azure resource API for `PUT`, `GET`, and `DELETE` to perform CRUD on a single resource, as well as `GET` to retrieve all existing resources.

+> The Azure API will generate the request methods `PUT`, `GET`, and `DELETE`, but the cache endpoint only needs to handle `PUT` and `DELETE`.

+> We recommended that the endpoint also implements `GET`.

+**Azure API incoming request**:

+This request will then be forwarded to the endpoint in the form:

+The response from the endpoint is then forwarded back to the customer. The response should return:

+**Endpoint response**:

+**Azure Custom Resource Provider response**:

+**Azure API incoming request**:

+This request will then be forwarded to the endpoint in the form:

+The response from the endpoint is then forwarded back to the customer. The response should return:

+- The Azure Custom Resource Provider will only remove the item from its cache if a 200-level response is returned. Even if the resource doesn't exist, the endpoint should return 204.

+**Endpoint response**:

+**Azure Custom Resource Provider response**:

+**Azure API incoming request**:

+The request will **not** be forwarded to the endpoint.

+Azure Custom Resource Provider response:

+**Azure API incoming request**:

+The request will **not** be forwarded to the endpoint.

+**Azure Custom Resource Provider response**:

+# Custom resource proxy reference

+This article will go through the requirements for endpoints implementing proxy custom resources. If you're unfamiliar with Azure Custom Resource Providers, see [the overview on custom resource providers](overview.md).

+## Define a proxy resource endpoint

+A proxy resource can be created by specifying the `routingType` to "Proxy".

+### Sample custom resource provider:

+## Build a proxy resource endpoint

+An endpoint that implements a "Proxy" resource endpoint must handle the request and response for the new API in Azure. In this case, the #*resourceType** will generate a new Azure resource API for `PUT`, `GET`, and `DELETE` to perform CRUD on a single resource, as well as `GET` to retrieve all existing resources.

+> The `id`, `name`, and `type` fields are not required, but they're needed to integrate the custom resource with an existing Azure ecosystem.

+**Sample resource**:

+**Parameter reference**:

+**Azure API incoming request**:

+This request will then be forwarded to the endpoint in the form:

+The response from the endpoint is then forwarded back to the customer. The response should return:

+**Endpoint response**:

+**Azure Custom Resource Provider response**:

+**Azure API incoming request**:

+This request will then be forwarded to the endpoint in the form:

+The response from the endpoint is then forwarded back to the customer. The response should return:

+**Endpoint response**:

+**Azure Custom Resource Provider response**:

+**Azure API incoming request**:

+This request will then be forwarded to the endpoint in the form:

+The response from the endpoint is then forwarded back to the customer. The response should return:

+**Endpoint response**:

+**Azure Custom Resource Provider response**:

+**Azure API incoming request**:

+This request will then be forwarded to the endpoint in the form:

+The response from the endpoint is then forwarded back to the customer. The response should return:

+**Endpoint response**:

+**Azure Custom Resource Provider response**:

+> - [Microsoft.App](#microsoftapp)

+## Microsoft.App

+> [!div class="mx-tableFixed"]

+> | Resource type | Resource group | Subscription | Region move |

+> | - | -- | - | -- |

+> | managedenvironments | Yes | Yes | No |

+> | sqlmigrationservices | No | No | No |

+> | mastersites | No | No | No |

+You can get a property from an object with dot notation.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "exampleObject": {

+ "type": "object",

+ "defaultValue": {

+ "name": "test name",

+ "id": "123-abc",

+ "isCurrent": true,

+ "tier": 1

+ }

+ }

+ },

+ "resources": [

+ ],

+ "outputs": {

+ "nameFromObject": {

+ "type": "string",

+ "value": "[parameters('exampleObject').name]"

+ }

+ }

+}

+```

+### Remarks

+To see a list of registered environments for your account, use [az cloud list](/cli/azure/cloud#az-cloud-list) or [Get-AzEnvironment](/powershell/module/az.accounts/get-azenvironment).

+You'll run the `Set-VMStoragePolicy` cmdlet to modify vSAN-based storage policies on a default cluster, individual VM, or group of VMs sharing a similar VM name. For example, if you have three VMs named "MyVM1", "MyVM2", and "MyVM3", supplying "MyVM*" to the VMName parameter would change the StoragePolicy on all three VMs.

+> [Tutorial: Create a simple chatroom with Azure Web PubSub](/azure/azure-web-pubsub/tutorial-build-chat)

+> [Azure Web PubSub bindings for Azure Functions](/azure/azure-web-pubsub/reference-functions-bindings)

+> [Explore more Azure Web PubSub samples](https://github.com/Azure/azure-webpubsub/tree/main/samples)

+ Title: Troubleshoot allocation failures for Cloud service in Azure

+- devx-track-azurepowershell

+- kr2b-contr-experiment

+# Troubleshoot LocationNotFoundForRoleSize when deploying a Cloud service to Azure

+This article troubleshoots allocation failures where a virtual machine (VM) size isn't available when you deploy an Azure Cloud service (classic).

+You might receive errors during these operations even before you reach the Azure subscription limit.

+In the [Azure portal](https://portal.azure.com/), navigate to your Cloud service (classic) and in the sidebar select **Operation log (classic)** to view the logs.

+When you inspect the logs of your Cloud service (classic), you'll see the following exception:

+|`LocationNotFoundForRoleSize` |The operation '`{Operation ID}`' failed: 'The requested VM tier is currently not available in Region (`{Region ID}`) for this subscription. Please try another tier or deploy to a different location.'.|

+There's a capacity issue with the region or cluster that you're deploying to. The `LocationNotFoundForRoleSize` exception occurs when the resource SKU you've selected, the virtual machine size, isn't available for the region specified.

+## Find SKUs in a region

+In this scenario, you should select a different region or SKU for your Cloud service (classic) deployment. Before you deploy or upgrade your Cloud service (classic), determine which SKUs are available in a region or availability zone. Follow the [Azure CLI](#list-skus-in-region-using-azure-cli), [PowerShell](#list-skus-in-region-using-powershell), or [REST API](#list-skus-in-region-using-rest-api) processes below.

+You can use the [az vm list-skus](/cli/azure/vm#az-vm-list-skus) command.

+This sample command produces the following results:

+```azurecli

+az vm list-skus --location southcentralus --size Standard_F --output table

+```

+This command filters by location:

+Find the locations that contain the size `Standard_DS14_v2`:

+Find the locations that contain the size `V3`:

+If your Azure issue isn't addressed in this article, visit the Azure forums on [MSDN and Stack Overflow](https://azure.microsoft.com/support/forums/). You can post your issue in these forums, or post to [@AzureSupport on Twitter](https://twitter.com/AzureSupport). You also can submit an Azure support request. To submit a support request, on the [Azure support](https://azure.microsoft.com/support/options/) page, select **Get support**.

+|PersonDirectory | This data structure is like **LargePersonGroup** but offers additional storage capacity and other added features. For more information, see [Use the PersonDirectory structure (preview)](./how-to/use-persondirectory.md).

+- [Use the PersonDirectory structure (preview)](use-persondirectory.md)

+# Use the PersonDirectory structure (preview)

+To perform face recognition operations such as Identify and Find Similar, Face API customers need to create an assorted list of **Person** objects. The new **PersonDirectory** is a data structure in Public Preview that contains unique IDs, optional name strings, and optional user metadata strings for each **Person** identity added to the directory.

+### PersonDirectory data structure (preview)

+Create a Visual Studio project for UWP development and [install the Speech SDK](/azure/cognitive-services/speech-service/quickstarts/setup-platform?pivots=programming-language-csharp&tabs=uwp).

+## Switch to a new voice model in your product

+Once you've updated your voice model to the latest engine version, or if you want to switch to a new voice in your product, you need to redeploy the new voice model to a new endpoint. Redeploying new voice model on your existing endpoint is not supported. After deployment, switch the traffic to the newly created endpoint. We recommend that you transfer the traffic to the new endpoint in a test environment first to ensure that the traffic works well, and then transfer to the new endpoint in the production environment. During the transition, you need to keep the old endpoint. If there are some problems with the new endpoint during transition, you can switch back to your old endpoint. If the traffic has been running well on the new endpoint for about 24 hours (recommended value), you can delete your old endpoint.

+> [!NOTE]

+> If your voice name is changed and you are using Speech Synthesis Markup Language (SSML), be sure to use the new voice name in SSML.

+1. If you haven't done so already, [download and install Go](https://go.dev/doc/install).

+1. If you haven't done so already, [download and install Go](https://go.dev/doc/install).

+> [Customize and improve translation](customization.md)

+* Authenticate with a [token](#authenticate-with-an-access-token)

+| Authorization | Use this header if you are using an access token. The steps to perform a token exchange are detailed in the following sections. The value provided follows this format: `Bearer <TOKEN>`. |

+## Authenticate with an access token

+Some Azure Cognitive Services accept, and in some cases require, an access token. Currently, these services support access tokens:

+> The services that support access tokens may change over time, please check the API reference for a service before using this authentication method.

+Both single service and multi-service subscription keys can be exchanged for access tokens in JSON Web Token (JWT) format. Access tokens are valid for 10 minutes.

+Access tokens are included in a request as the `Authorization` header. The token value provided must be preceded by `Bearer`, for example: `Bearer YOUR_AUTH_TOKEN`.

+Use this URL to exchange a subscription key for an access token: `https://YOUR-REGION.api.cognitive.microsoft.com/sts/v1.0/issueToken`.

+After you get an access token, you'll need to pass it in each request as the `Authorization` header. This is a sample call to the Translator service:

+> | [Custom NER](custom-named-entity-recognition/overview.md) | Build an AI model to extract custom entity categories, using unstructured text that you provide. | * [Language Studio](custom-named-entity-recognition/quickstart.md?pivots=language-studio) <br> * [REST API](custom-named-entity-recognition/quickstart.md?pivots=rest-api)<br> * [client-library (prediction only)](custom-named-entity-recognition/how-to/call-api.md) |

+> |[Custom text classification](custom-classification/overview.md) | Build an AI model to classify unstructured text into custom classes that you define. | * [Language Studio](custom-classification/quickstart.md?pivots=language-studio)<br> * [REST API](custom-classification/quickstart.md?pivots=rest-api) <br> * [client-library (prediction only)](custom-text-classification/how-to/call-api.md) |

+> | [Conversational language understanding](conversational-language-understanding/overview.md) | Build an AI model to bring the ability to understand natural language into apps, bots, and IoT devices. | * [Language Studio](conversational-language-understanding/quickstart.md?pivots=language-studio) <br> * [REST API](conversational-language-understanding/quickstart.md?pivots=rest-api) <br> * [client-library (prediction only)](conversational-language-understanding/how-to/call-api.md) |

+> | [Orchestration workflow](orchestration-workflow/overview.md) | Train language models to connect your applications to question answering, conversational language understanding, and LUIS | * [Language Studio](orchestration-workflow/quickstart.md?pivots=language-studio) <br> * [REST API](orchestration-workflow/quickstart.md?pivots=rest-api) <br> * [client-library (prediction only)](orchestration-workflow/how-to/call-api.md) |

+> [!Note]

+> We allow only connecting the domains in the same geography. Please ensure that Data location for Communication Resource and Email Communication Resource that was selected during resource creation are the same.

+In this quickstart, you'll learn how to implement raw media access using the Azure Communication Services Calling SDK for Android.

+### Supported Video Resolutions

+| Aspect Ratio | Resolution | Maximum FPS |

+| :--: | :-: | :-: |

+| 16x9 | 1080p | 30 |

+| 16x9 | 720p | 30 |

+| 16x9 | 540p | 30 |

+| 16x9 | 480p | 30 |

+| 16x9 | 360p | 30 |

+| 16x9 | 270p | 15 |

+| 16x9 | 240p | 15 |

+| 16x9 | 180p | 15 |

+| 4x3 | VGA (640x480) | 30 |

+| 4x3 | 424x320 | 15 |

+| 4x3 | QVGA (320x240) | 15 |

+| 4x3 | 212x160 | 15 |

+1. Create an array of `VideoFormat` with the video formats supported by the app. It is fine to have only one video format supported, but at least one of the provided video formats must be of the `VideoFrameKind::VideoSoftware` type. When multiple formats are provided, the order of the format in the list doesn't influence or prioritize which one will be used. The selected format is based on external factors like network bandwidth.

+3. Subscribe to `RawOutgoingVideoStreamOptions::addOnOutgoingVideoStreamStateChangedListener` delegate. This delegate will inform the state of the current stream, it's important that you don't send frames if the state is no equal to `OutgoingVideoStreamState.STARTED`.

+### Supported Video Resolutions

+| Aspect Ratio | Resolution | Maximum FPS |

+| :--: | :-: | :-: |

+| Anything | Anything | 30 |

+3. Request needed permissions for screen capture on Android, once this method is called Android will call automatically `onActivityResult` containing the request code we've sent and the result of the operation, expect `Activity.RESULT_OK` if the permission has been provided by the user if so attach the screenShareRawOutgoingVideoStream to the call and start your own foreground service to capture the frames.

+var endpoint = "<azure_cosmos_uri>"

+var key = "<azure_cosmos_primary_key"

+cred, err := azcosmos.NewKeyCredential(key)

+if err != nil {

+ log.Fatal("Failed to create a credential: ", err)

+}

+// Create a CosmosDB client

+client, err := azcosmos.NewClientWithKey(endpoint, cred, nil)

+if err != nil {

+ log.Fatal("Failed to create cosmos client: ", err)

+}

+// Create database client

+databaseClient, err := client.NewDatabase("<databaseName>")

+if err != nil {

+ log.fatal("Failed to create database client:", err)

+}

+// Create container client

+containerClient, err := client.NewContainer("<databaseName>", "<containerName>")

+if err != nil {

+ log.fatal("Failed to create a container client:", err)

+}

+ log.Fatal(err)

+ log.Fatal(err)

+ log.Fatal(err)

+ log.Fatal(err)

+ log.Fatal(err)

+ log.Fatal(err)

+ log.Fatal(err)

+err = json.Unmarshal(getResponse.Value, &getResponseBody)

+ log.Fatal(err)

+ log.Fatal(err)

+**Pending** - The enrollment administrator needs to sign in to the Azure EA portal. After the administrator signs in, the enrollment switches to **Active** status.

+- Renew the enrollment by adding more Azure Prepayment

+EA credit expires when the EA enrollment ends for all programs except the EU program.

+Use the feature if you set the same markup percentage on *all* commercial transactions in the EA. For example, if you mark-up the Azure Prepayment information, the meter rates, the order information, and so on.

+If you're using different rates for different meters, we recommend developing a custom solution based on the API key. The API key can be provided by the customer to pull consumption data and provide reports.

+Make sure to review the commercial information - monetary balance information, price list, etc. before publishing the marked-up prices to end customer.

+Both the service prices and the Prepayment balances will be marked up by the same percentages. If you have different percentages for monetary balance and meter rates, or different percentages for different services, then don't use this feature.

+Pricing with markup will be available to enterprise administrators immediately after selecting publish. Edits can't be made to markup. You must disable markup and begin from the first step.

+| Microsoft Azure Compute Instances | 20 concurrent small compute instances or their equivalent of the other compute instance sizes. | The following table provides how to calculate the equivalent number of small instances:<ul><li> Extra Small - one equivalent small instance </li><li> Small - one equivalent small instance </li><li> Medium - two equivalent small instances </li><li> Large - four equivalent small instances </li><li> Extra Large - eight equivalent small instances </li> </ul>|

+| Microsoft Azure Compute Instances v2 VMs | EA: 350 Cores | GA IaaS v2 VMs:<ul><li> A0\_A7 family - 350 cores </li><li> B\_A0\_A4 family - 350 cores </li><li> A8\_A9 family - 350 cores </li><li> DF family - 350 cores</li><li> GF - 350 cores </li></ul>|

+| Microsoft Azure Hosted Services | six hosted services | This limit of hosted services can't be increased beyond six for an individual subscription. If you require more hosted services, add more subscriptions. |

+| Microsoft Azure Storage | Five storage accounts, each of a maximum size of 100 TB each. | You can increase the number of storage accounts to up to 20 per subscription. If you require more storage accounts, add more subscriptions. |

+| SQL Azure | 149 databases of either type (for example, Web Edition or Business Edition). | |

+Microsoft will provide services to you up to at least the level of the associated usage included in the monthly Prepayment that you purchased (the Service Prepayment). However, all other increases in usage levels of service resources are subject to the availability of these service resources. For example, adding to the number of compute instances running, or increasing the amount of storage in use.

+Quotas described above aren't Service Prepayment. You can determine the number of simultaneous small compute instances, or their equivalent, that Microsoft provides as part of a Service Prepayment. Divide the number of committed small compute instance hours purchased for a month by the number of hours in the shortest month of the year. For example, February ΓÇô 672 hours.

+- The Microsoft account or work or school account associated with the account owner of your subscription. It's the email address used to sign in to the Microsoft Azure portal to manage your subscription(s). Verify that the account is associated with an EA enrollment.

+ - For information on how to obtain your subscription ID, [contact support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).

+One example would be the Operations Management Suite (OMS) subscription. OMS offers a simple way to access a full set of cloud-based management capabilities. It includes analytics, configuration, automation, security, backup, and disaster recovery. OMS subscriptions include rights to System Center components to provide a complete solution for hybrid cloud environments.

+Enterprise Administrators can assign Account Owners to prepare previously purchased Plan SKUs in the Enterprise portal by following these steps:

+1. Select the **Download** symbol in the top-right corner of the page.

+1. Find the corresponding Plan SKU part numbers with filter on column **Included Quantity** and select values greater than 0 (zero).

+The first time you add a subscription to an account, you'll need to provide your contact information. When you add more subscriptions later, your contact information will be populated for you.

+The first time you add a subscription to your account, you'll be asked to accept the MOSA agreement and a Rate Plan. These sections aren't Applicable to Enterprise Agreement Customers, but are currently necessary to create your subscription. Your Microsoft Azure Enterprise Agreement Enrollment Amendment supersedes the above items and your contractual relationship won't change. Select the box indicating you accept the terms.

+All new subscriptions will be added with the default *Microsoft Azure Enterprise* subscription name. It's important to update the subscription name to differentiate it from the other subscriptions within your Enterprise Enrollment and ensure that it's recognizable on reports at the enterprise level.

+When new Account Owners (AO) are added to the enrollment for the first time, they'll always show as `pending` under status. When you receive the activation welcome email, the AO can sign in to activate their account. This activation will update their account status from `pending` to `active`.

+To validate if you're deploying under the right enrollment, you can check your included units information via the price sheet. Sign in as an Enterprise Administrator and select **Reports** on the left navigation and select **Price Sheet** tab. Select the Download symbol in the top-right corner and find the corresponding Plan SKU part numbers with filter on column "Included Quantity" and select values greater than "0".

+Ensure that your OMS plan is showing on the price sheet under included units. If there are no included units for OMS plan on your enrollment, your OMS plan may be under another enrollment. Contact Azure Enterprise Portal Support at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport).

+If the included units for the services on the price sheet don't match with what you have deployed, then you may have deployed services that aren't covered by the plan. For example, Operational Insights Premium Data Analyzed vs. Operational Insights Standard Data Analyzed. In this example, contact Azure Enterprise Portal Support at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport) so we can assist you further.

+If you have multiple enrollments and have deployed services under the wrong enrollment number, which doesn't have an OMS plan, contact Azure Enterprise Portal Support at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport).

+ Title: Troubleshoot the Snowflake connector

+description: Learn how to troubleshoot issues with the Snowflake connector in Azure Data Factory and Azure Synapse Analytics.

+# Troubleshoot the Snowflake connector in Azure Data Factory and Azure Synapse

+This article provides suggestions to troubleshoot common problems with the Snowflake connector in Azure Data Factory and Azure Synapse.

+## Error message: IP % is not allowed to access Snowflake. Contact your local security administrator.

+- **Symptoms**: The copy activity fails with the following error:

+ `Job failed due to reason: net.snowflake.client.jdbc.SnowflakeSQLException: IP % is not allowed to access Snowflake.  Contact your local security administrator. `

+- **Cause**: It's a connectivity issue and usually caused by firewall IP issues when integration runtimes access your Snowflake.

+- **Recommendation**:

+ - If you configure a [self-hosted integration runtime](create-self-hosted-integration-runtime.md) to connect to Snowflake, make sure to add your self-hosted integration runtime IPs to the allowed list in Snowflake.

+ - If you use an Azure Integration Runtime and the access is restricted to IPs approved in the firewall rules, you can add [Azure Integration Runtime IPs](azure-integration-runtime-ip-addresses.md) to the allowed list in Snowflake.

+ - If you use a managed private endpoint and a network policy is in place on your Snowflake account, ensure Managed VNet CIDR is allowed. For more steps, refer to [How To: Set up a managed private endpoint from Azure Data Factory or Synapse to Snowflake](https://community.snowflake.com/s/article/How-to-set-up-a-managed-private-endpoint-from-Azure-Data-Factory-or-Synapse-to-Snowflake).

+## Error message: Failed to access remote file: access denied.

+- **Symptoms**: The copy activity fails with the following error:

+ `ERROR [42501] Failed to access remote file: access denied. Please check your credentials,Source =SnowflakeODBC_sb64.dll..`

+- **Cause**: The error pops up by the Snowflake COPY command and is caused by missing access permission on source/sink when execute Snowflake COPY commands.

+- **Recommendation**: Check your source/sink to make sure that you have granted proper access permission to Snowflake.

+ - Direct copy: Make sure to grant access permission to Snowflake in the other source/sink.

+ - Staged copy: The staging Azure Blob storage linked service must use shared access signature authentication. When you generate the shared access signature, make sure to set the allowed permissions and IP addresses to Snowflake in the staging Azure Blob storage. To learn more about this, see this [article](https://docs.snowflake.com/en/user-guide/data-load-azure-config.html#option-2-generating-a-sas-token).

+## Next steps

+For more troubleshooting help, try these resources:

+- [Connector troubleshooting guide](connector-troubleshoot-guide.md)

+- [Data Factory blog](https://azure.microsoft.com/blog/tag/azure-data-factory/)

+- [Data Factory feature requests](/answers/topics/azure-data-factory.html)

+- [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)

+- [Microsoft Q&A page](/answers/topics/azure-data-factory.html)

+- [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)

+- [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)

+## Time to live (preview)

+ Title: Create an Azure Data Factory using Bicep

+description: Create a sample Azure Data Factory pipeline using Bicep.

+tags: azure-resource-manager

+# Quickstart: Create an Azure Data Factory using Bicep

+This quickstart describes how to use Bicep to create an Azure data factory. The pipeline you create in this data factory **copies** data from one folder to another folder in an Azure blob storage. For a tutorial on how to **transform** data using Azure Data Factory, see [Tutorial: Transform data using Spark](transform-data-using-spark.md).

+> [!NOTE]

+> This article does not provide a detailed introduction of the Data Factory service. For an introduction to the Azure Data Factory service, see [Introduction to Azure Data Factory](introduction.md).

+## Prerequisites

+### Azure subscription

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/data-factory-v2-blob-to-blob-copy/).

+There are several Azure resources defined in the Bicep file:

+- [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts): Defines a storage account.

+- [Microsoft.DataFactory/factories](/azure/templates/microsoft.datafactory/factories): Create an Azure Data Factory.

+- [Microsoft.DataFactory/factories/linkedServices](/azure/templates/microsoft.datafactory/factories/linkedservices): Create an Azure Data Factory linked service.

+- [Microsoft.DataFactory/factories/datasets](/azure/templates/microsoft.datafactory/factories/datasets): Create an Azure Data Factory dataset.

+- [Microsoft.DataFactory/factories/pipelines](/azure/templates/microsoft.datafactory/factories/pipelines): Create an Azure Data Factory pipeline.

+## Create a file

+Open a text editor such as **Notepad**, and create a file named **emp.txt** with the following content:

+```emp.txt

+John, Doe

+Jane, Doe

+```

+Save the file locally. You'll use it later in the quickstart.

+## Deploy the Bicep file

+1. Save the Bicep file from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/data-factory-v2-blob-to-blob-copy/) as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

+ ```

+

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure CLI or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+You can also use the Azure portal to review the deployed resources.

+1. Sign in to the Azure portal.

+1. Navigate to your resource group.

+1. You'll see your resources listed. Select each resource to see an overview.

+## Upload a file

+Use the Azure portal to upload the **emp.txt** file.

+1. Navigate to your resource group and select the storage account created. Then, select the **Containers** tab on the left panel.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-containers-bicep.png" alt-text="Containers tab":::

+2. On the **Containers** page, select the blob container created. The name is in the format - blob\<uniqueid\>.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-bicep-blob-container.png" alt-text="Blob container":::

+3. Select **Upload**, and then select the **Files** box icon in the right pane. Navigate to and select the **emp.txt** file that you created earlier.

+4. Expand the **Advanced** heading.

+5. In the **Upload to folder** box, enter *input*.

+6. Select the **Upload** button. You should see the **emp.txt** file and the status of the upload in the list.

+7. Select the **Close** icon (an **X**) to close the **Upload blob** page.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-bicep-upload-blob-file.png" alt-text="Upload file to input folder":::

+Keep the container page open because you can use it to verify the output at the end of this quickstart.

+## Start trigger

+1. Navigate to the resource group page, and select the data factory you created.

+2. Select **Open** on the **Open Azure Data Factory Studio** tile.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-open-tile-bicep.png" alt-text="Author & Monitor":::

+3. Select the **Author** tab :::image type="icon" source="media/quickstart-create-data-factory-bicep/data-factory-author-bicep.png" border="false":::.

+4. Select the pipeline created: **ArmtemplateSampleCopyPipeline**.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-bicep-pipelines.png" alt-text="Bicep pipeline":::

+5. Select **Add Trigger** > **Trigger Now**.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-trigger-now-bicep.png" alt-text="Trigger":::

+6. In the right pane under **Pipeline run**, select **OK**.

+## Monitor the pipeline

+1. Select the **Monitor** tab. :::image type="icon" source ="media/quickstart-create-data-factory-bicep/data-factory-monitor-bicep.png" border="false":::

+2. You see the activity runs associated with the pipeline run. In this quickstart, the pipeline only has one activity of type **Copy**. You should see a run for that activity.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-bicep-successful-run.png" alt-text="Successful run":::

+## Verify the output file

+The pipeline automatically creates an output folder in the blob container. It then copies the **emp.txt** file from the input folder to the output folder.

+1. On the **Containers** page in the Azure portal, select **Refresh** to see the output folder.

+2. Select **output** in the folder list.

+3. Confirm that the **emp.txt** is copied to the output folder.

+ :::image type="content" source="media/quickstart-create-data-factory-bicep/data-factory-bicep-output.png" alt-text="Output":::

+## Clean up resources

+When no longer needed, use the Azure CLI or Azure PowerShell to delete the resource group and all of its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+You can also use the Azure portal to delete the resource group.

+1. In the Azure portal, navigate to your resource group.

+1. Select **Delete resource group**.

+1. A tab will appear. Enter the resource group name and select **Delete**.

+## Next steps

+In this quickstart, you created an Azure Data Factory using Bicep and validated the deployment. To learn more about Azure Data Factory and Bicep, continue on to the articles below.

+- [Azure Data Factory documentation](index.yml)

+- Learn more about [Bicep](../azure-resource-manager/bicep/overview.md)

+npm install @azure/arm-datalake-analytics

+ const { DefaultAzureCredential } = require("@azure/identity");

+ var credentials = new DefaultAzureCredential();

+const { DataLakeAnalyticsAccountManagementClient } = require("@azure/arm-datalake-analytics");

+var accountClient = new DataLakeAnalyticsAccountManagementClient(credentials, 'your-subscription-id');

+client.accounts.beginCreateAndWait(resourceGroupName, accountName, accountToCreate).then((result)=>{

+ console.log('result is: ' + util.inspect(result, {depth: null}));

+}).catch((err)=>{

+ console.log(err);

+})

+* [Microsoft Azure SDK for Node.js](https://github.com/Azure/azure-sdk-for-js)

+| **Attempt to create a new Linux namespace from a container detected**<br>(K8S.NODE_NamespaceCreation) ^{[1](#footnote1)} | Analysis of processes running within a container in Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker tries to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique. | PrivilegeEscalation | Medium |

+| **A history file has been cleared**<br>(K8S.NODE_HistoryFileCleared) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected that the command history log file has been cleared. Attackers may do this to cover their tracks. The operation was performed by the specified user account. | DefenseEvasion | Medium |

+| **An uncommon connection attempt detected**<br>(K8S.NODE_SuspectConnection) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an uncommon connection attempt utilizing a socks protocol. This is very rare in normal operations, but a known technique for attackers attempting to bypass network-layer detections. | Execution, Exfiltration, Exploitation | Medium |

+| **Anomalous pod deployment (Preview)**<br>(K8S_AnomalousPodDeployment) ^{[3](#footnote3)} | Kubernetes audit log analysis detected pod deployment which is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored include the container image registry used, the account performing the deployment, day of the week, how often this account performs pod deployments, user agent used in the operation, whether this is a namespace to which pod deployments often occur, and other features. Top contributing reasons for raising this alert as anomalous activity are detailed under the alertΓÇÖs extended properties. | Execution | Medium |

+| **Attempt to stop apt-daily-upgrade.timer service detected**<br>(K8S.NODE_TimerServiceDisabled) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to stop apt-daily-upgrade.timer service. Attackers have been observed stopping this service to download malicious files and grant execution privileges for their attacks. This activity can also happen if the service is updated through normal administrative actions. | DefenseEvasion | Informational |

+| **Behavior similar to Fairware ransomware detected**<br>(K8S.NODE_FairwareMalware) ^{[1](#footnote1)} | Analysis of processes running within a container detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it is normally used on discrete folders. In this case, it is being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Execution | Medium |

+| **Command within a container running with high privileges**<br>(K8S.NODE_PrivilegedExecutionInContainer) ^{[1](#footnote1)} | Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. | PrivilegeEscalation | Low |

+| **Container running in privileged mode**<br>(K8S.NODE_PrivilegedContainerArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a Docker command that is running a privileged container. The privileged container has full access to the hosting pod or host resource. If compromised, an attacker may use the privileged container to gain access to the hosting pod or host. | PrivilegeEscalation, Execution | Low |

+| **CoreDNS modification in Kubernetes detected**<br>(K8S_CoreDnsModification) ^{[2](#footnote2)} ^{[4](#footnote4)} | Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the clusterΓÇÖs DNS server and poison it. | Lateral Movement | Low |

+| **Creation of admission webhook configuration detected**<br>(K8S_AdmissionController) ^{[4](#footnote4)} | Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | Credential Access, Persistence | Low |

+| **Detected file download from a known malicious source**<br>(K8S.NODE_SuspectDownload) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a download of a file from a source frequently used to distribute malware. | PrivilegeEscalation, Execution, Exfiltration, Command And Control | Medium |

+| **Detected suspicious file download**<br>(K8S.NODE_SuspectDownloadArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious download of a remote file. | Persistence | Low |

+| **Detected suspicious use of the nohup command**<br>(K8S.NODE_SuspectNohup) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the nohup command. Attackers have been seen using the command nohup to run hidden files from a temporary directory to allow their executables to run in the background. It is rare to see this command run on hidden files located in a temporary directory. | Persistence, DefenseEvasion | Medium |

+| **Detected suspicious use of the useradd command**<br>(K8S.NODE_SuspectUserAddition) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the useradd command. | Persistence | Medium |

+| **Digital currency mining container detected**<br>(K8S_MaliciousContainerImage) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. | Execution | High |

+| **Digital currency mining related behavior detected**<br>(K8S.NODE_DigitalCurrencyMining) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining. | Execution | High |

+| **Docker build operation detected on a Kubernetes node**<br>(K8S.NODE_ImageBuildOnNode) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection. | DefenseEvasion | Low |

+| **Excessive role permissions assigned in Kubernetes cluster (Preview)**<br>(K8S_ServiceAcountPermissionAnomaly) ^{[4](#footnote4)} | Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. The listed permissions for the assigned roles are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Microsoft Defender for Cloud. | Privilege Escalation | Low |

+| **Indicators associated with DDOS toolkit detected**<br>(K8S.NODE_KnownLinuxDDoSToolkit) ^{[1](#footnote1)} ^{[3](#footnote3)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control over the infected system. This could also possibly be legitimate activity. | Persistence, LateralMovement, Execution, Exploitation | Medium |

+| **K8S API requests from proxy IP address detected**<br>(K8S_TI_Proxy) ^{[4](#footnote4)} | Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP. | Execution | Low |

+| **Kubernetes events deleted**<br>(K8S_DeleteEvents) ^{[2](#footnote2)} ^{[4](#footnote4)} | Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster. | Defense Evasion | Low |

+| **Manipulation of host firewall detected**<br>(K8S.NODE_FirewallDisabled) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. | DefenseEvasion, Exfiltration | Medium |

+| **Microsoft Defender for Cloud test alert (not a threat).**<br>(K8S.NODE_EICAR) ^{[1](#footnote1)} | This is a test alert generated by Microsoft Defender for Cloud. No further action is needed. | Execution | High |

+| **New container in the kube-system namespace detected**<br>(K8S_KubeSystemContainer) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new container in the kube-system namespace that isnΓÇÖt among the containers that normally run in this namespace. The kube-system namespaces should not contain user resources. Attackers can use this namespace for hiding malicious components. | Persistence | Low |

+| **New high privileges role detected**<br>(K8S_HighPrivilegesRole) ^{[4](#footnote4)} | Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster. | Persistence | Low |

+| **Possible attack tool detected**<br>(K8S.NODE_KnownLinuxAttackTool) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious tool invocation. This tool is often associated with malicious users attacking others. | Execution, Collection, Command And Control, Probing | Medium |

+| **Possible backdoor detected**<br>(K8S.NODE_LinuxBackdoorArtifact) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious file being downloaded and run. This activity has previously been associated with installation of a backdoor. | Persistence, DefenseEvasion, Execution, Exploitation | Medium |

+| **Possible command line exploitation attempt**<br>(K8S.NODE_ExploitAttempt) ^{[1](#footnote1)}| Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible exploitation attempt against a known vulnerability. | Exploitation | Medium |

+| **Possible credential access tool detected**<br>(K8S.NODE_KnownLinuxCredentialAccessTool) ^{[1](#footnote1)}| Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible known credential access tool was running on the container, as identified by the specified process and commandline history item. This tool is often associated with attacker attempts to access credentials. | CredentialAccess | Medium |

+| **Possible Cryptocoinminer download detected**<br>(K8S.NODE_CryptoCoinMinerDownload) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected download of a file normally associated with digital currency mining. | DefenseEvasion, Command And Control, Exploitation | Medium |

+| **Possible data exfiltration detected**<br>(K8S.NODE_DataEgressArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible data egress condition. Attackers will often egress data from machines they have compromised. | Collection, Exfiltration | Medium |

+| **Possible Log Tampering Activity Detected**<br>(K8S.NODE_SystemLogRemoval) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. | DefenseEvasion | Medium |

+| **Possible password change using crypt-method detected**<br>(K8S.NODE_SuspectPasswordChange) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise. | CredentialAccess | Medium |

+| **Potential port forwarding to external IP address**<br>(K8S.NODE_SuspectPortForwarding) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an initiation of port forwarding to an external IP address. | Exfiltration, Command And Control | Medium |

+| **Potential reverse shell detected**<br>(K8S.NODE_ReverseShell) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. | Exfiltration, Exploitation | Medium |

+| **Process associated with digital currency mining detected**<br>(K8S.NODE_CryptoCoinMinerArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container detected the execution of a process normally associated with digital currency mining. | Execution, Exploitation | Medium |

+| **Process seen accessing the SSH authorized keys file in an unusual way**<br>(K8S.NODE_SshKeyAccess) ^{[1](#footnote1)} | An SSH authorized_keys file was accessed in a method similar to known malware campaigns. This access could signify that an actor is attempting to gain persistent access to a machine. | Unknown | Low |

+| **Security-related process termination detected**<br>(K8S.NODE_SuspectProcessTermination) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise. | Persistence | Low |

+| **SSH server is running inside a container**<br>(K8S.NODE_ContainerSSH) ^{[1](#footnote1)} | Analysis of processes running within a container detected an SSH server running inside the container. | Execution | Medium |

+| **Suspicious file timestamp modification**<br>(K8S.NODE_TimestampTampering) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious timestamp modification. Attackers will often copy timestamps from existing legitimate files to new tools to avoid detection of these newly dropped files. | Persistence, DefenseEvasion | Low |

+| **Suspicious request to Kubernetes API**<br>(K8S.NODE_KubernetesAPI) ^{[1](#footnote1)} | Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster. | LateralMovement | Medium |

+| **Suspicious request to the Kubernetes Dashboard**<br>(K8S.NODE_KubernetesDashboard) ^{[1](#footnote1)} | Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster. | LateralMovement | Medium |

+| **Potential crypto coin miner started**<br>(K8S.NODE_CryptoCoinMinerExecution) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a process being started in a way normally associated with digital currency mining. | Execution | Medium |

+| **Suspicious password access**<br>(K8S.NODE_SuspectPasswordFileAccess) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected suspicious attempt to access encrypted user passwords. | Persistence | Informational |

+| **Suspicious use of DNS over HTTPS**<br>(K8S.NODE_SuspiciousDNSOverHttps) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites. | DefenseEvasion, Exfiltration | Medium |

+| **A possible connection to malicious location has been detected.**<br>(K8S.NODE_ThreatIntelCommandLineSuspectDomain) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise may have occured. | InitialAccess | Medium |

+| **Possible malicious web shell detected.**<br>(K8S.NODE_Webshell) ^{[1](#footnote1)} | Analysis of processes running within a container detected a possible web shell. Attackers will often upload a web shell to a compute resource they have compromised to gain persistence or for further exploitation. | Persistence, Exploitation | Medium |

+| **Burst of multiple reconnaissance commands could indicate initial activity after compromise**<br>(K8S.NODE_ReconnaissanceArtifactsBurst) ^{[1](#footnote1)} | Analysis of host/device data detected execution of multiple reconnaissance commands related to gathering system or host details performed by attackers after initial compromise. | Discovery, Collection | Low |

+| **Suspicious Download Then Run Activity**<br>(K8S.NODE_DownloadAndRunCombo) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a file being downloaded then run in the same command. While this isn't always malicious, this is a very common technique attackers use to get malicious files onto victim machines. | Execution, CommandAndControl, Exploitation | Medium |

+| **Digital currency mining activity**<br>(K8S.NODE_CurrencyMining) ^{[1](#footnote1)} | Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools. | Exfiltration | Low |

+| **Access to kubelet kubeconfig file detected**<br>(K8S.NODE_KubeConfigAccess) ^{[1](#footnote1)} | Analysis of processes running on a Kubernetes cluster node detected access to kubeconfig file on the host. The kubeconfig file, normally used by the Kubelet process, contains credentials to the Kubernetes cluster API server. Access to this file is often associated with attackers attempting to access those credentials, or with security scanning tools which check if the file is accessible. | CredentialAccess | Medium |

+| **Access to cloud metadata service detected**<br>(K8S.NODE_ImdsCall) ^{[1](#footnote1)} | Analysis of processes running within a container detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container. | CredentialAccess | Medium |

+^{<a name="footnote1"></a>1}: **Preview for non-AKS clusters**: This alert is generally available for AKS clusters, but it is in preview for other environments, such as Azure Arc, EKS and GKE.

+^{<a name="footnote2"></a>2}: **Limitations on GKE clusters**: GKE uses a Kuberenetes audit policy that doesn't support all alert types. As a result, this security alert, which is based on Kubernetes audit events, are not supported for GKE clusters.

+^{<a name="footnote3"></a>3}: This alert is supported on Windows nodes/containers.

+^{<a name="footnote4"></a>4}: Control plane alert (OS agnostic).

+You can learn more from the product manager about Defender for Servers, by watching [Microsoft Defender for Servers](episode-five.md). You can also watch [Enhanced workload protection features in Defender for Servers](episode-twelve.md), or learn how to [deploy in Defender for Servers in AWS and GCP](episode-fourteen.md).

+ Title: Defender for Servers deployment in AWS and GCP

+description: Learn about the capabilities available for Defender for Servers deployment within AWS and GCP.

+# Defender for Servers deployment in AWS and GCP

+**Episode description**: In this episode of Defender for Cloud in the Field, Ortal Parpara joins Yuri Diogenes to talk about the options to deploy Defender for Servers in AWS and GCP. Ortal talks about the new capability that allows you to select a different Defender for Server plan per connector, demonstrates how to customize the deployment and how this feature helps to deploy Azure Arc.

+<br>

+<br>

+<iframe src="https://aka.ms/docs/player?id=2426d341-bdb6-4795-bc08-179cfe7b99ba" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [00:00](/shows/mdc-in-the-field/defenders-for-servers-deploy-aws-gcp#time=00m00s) - Introduction

+- [01:30](/shows/mdc-in-the-field/defenders-for-servers-deploy-aws-gcp#time=01m30s) - Selecting the appropriate plan for AWS and GCP

+- [03:05](/shows/mdc-in-the-field/defenders-for-servers-deploy-aws-gcp#time=03m05s) - Is it necessary to make any action to apply this change?

+- [03:23](/shows/mdc-in-the-field/defenders-for-servers-deploy-aws-gcp#time=03m23s) - Supported scenarios

+- [03:40](/shows/mdc-in-the-field/defenders-for-servers-deploy-aws-gcp#time=03m40s) - What changes should you expect to see on your environment?

+- [05:49](/shows/mdc-in-the-field/defenders-for-servers-deploy-aws-gcp#time=05m49s) - Demonstration

+## Recommended resources

+

+[Enhanced workload protection features in Defender for Servers](episode-twelve.md).

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0ZoTml2Qm9kZ2pjRzNMUXFqVUwyNl80YVNtd3xBQ3Jtc0trVm9QM2Z0NlpOeC1KSUE2UEd1cVJ5aHQ0MTN6WjJEYmNlOG9rWC1KZ1ZqaTNmcHdOOHMtWXRLSGhUTVBhQlhhYzlUc2xmTHZtaUpkd1c4LUQzLWt1YmRTbkVQVE5EcTJIM0Foc042SGdQZU5acVRJbw&q=https%3A%2F%2Faka.ms%2FSubscribeMicrosoftSecurity)

+- Follow us on social media:

+ [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+> [Defender for Servers deployment in AWS and GCP](episode-fourteen.md)

+With Microsoft Defender for Servers, you can deploy [Microsoft Defender for Endpoint Plan 2](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) to your server resources. Microsoft Defender for Endpoint is a holistic, cloud-delivered, endpoint security solution. Its main features are:

+[Microsoft Defender for Endpoint Plan 2](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) protects your Windows and Linux machines whether they're hosted in Azure, hybrid clouds (on-premises), or AWS. Protections include:

+1. For Windows servers, make sure that your servers meet the requirements for [onboarding Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2012-r2-and-windows-server-2016)

+[The new MDE unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) doesn't use or require installation of the Log Analytics agent. The unified solution is automatically deployed for all Windows servers connected through Azure Arc and multicloud servers connected through the multicloud connectors, except for Windows 2012 R2 and 2016 servers on Azure that are protected by Defender for Servers Plan 2. You can choose to deploy the MDE unified solution to those machines.

+1. Follow the steps in [Offboard devices from the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/offboard-machines) from the Defender for Endpoint documentation.

+### Which Microsoft Defender for Endpoint plan is supported in Defender for Servers?

+Defender for Servers Plan 1 and Plan 2 provides the capabilities of [Microsoft Defender for Endpoint Plan 2](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint). -->

+|Required roles and permissions:|**Security admin role** or **Owner** on the resource group<br>Must also have write permissions for the target resource<br><br>To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:<br> - [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator) permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only *run* existing ones)<br> - [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) permissions are required for Logic App creation and modification<br>If you want to use Logic App connectors, you may need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)|

+ From this page you can create new automation rules, enable, disable, or delete existing ones.

+1. To define a new workflow, select **Add workflow automation**. The options pane for your new automation opens.

+ :::image type="content" source="./media/workflow-automation/add-workflow.png" alt-text="Add workflow automations pane." lightbox="media/workflow-automation/add-workflow.png":::

+ :::image type="content" source="media/workflow-automation/visit-logic.png" alt-text="Screenshot that shows where on the screen you need to select the visit the logic apps page in the actions section of the add workflow automation screen." border="true":::

+1. Select **(+) Add**.

+ :::image type="content" source="media/workflow-automation/logic-apps-create-new.png" alt-text="Screenshot of the create a logic app screen." lightbox="media/workflow-automation/logic-apps-create-new.png":::

+1. Fill out all required fields and select **Review + Create**.

+1. Review the information you entered and select **Create**.

+ In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.

+ The logic app designer supports the following Defender for Cloud triggers:

+1. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Select **Refresh** to ensure your new Logic App is available for selection.

+1. Select your logic app and save the automation. The Logic App dropdown only shows Logic Apps with supporting Defender for Cloud connectors mentioned above.

+To manually run a Logic App, open an alert or a recommendation and select **Trigger Logic App**:

+ 1. In the Parameters tab, enter the required information.

+ :::image type="content" source="media/workflow-automation/parameters-tab.png" alt-text="Screenshot of the parameters tab.":::

+ 1. (Optional), Apply this assignment to an existing subscription in the **Remediation** tab and select the option to create a remediation task.

+1. Review the summary page and select **Create**.

+To view the raw event schemas of the security alerts or recommendations events passed to the Logic App instance, visit the [Workflow automation data types schemas](https://aka.ms/ASCAutomationSchemas). This can be useful in cases where you aren't using Defender for Cloud's built-in Logic App connectors mentioned above, but instead are using Logic App's generic HTTP connector - you could use the event JSON schema to manually parse it as you see fit.

+| Suspicion of Malicious Activity | Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. | Major |

+| Suspicious Traffic Detected | Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team | Critical |

+Learn how to [Forward alert information](how-to-forward-alert-information-to-partners.md).

+- **Read only**: Read-only users perform tasks such as viewing alerts and devices on the device map. These users have access to options displayed under **Discover**.

+- **Security analyst**: Security Analysts have Read-only user permissions. They can also perform actions on devices, acknowledge alerts, and use investigation tools. These users have access to options displayed under **Discover** and **Analyze**.

+First, open **Azure Digital Twins Explorer** for your Azure Digital Twins instance in the [Azure portal](https://portal.azure.com). To do so, navigate to the Azure Digital Twins instance in the portal by searching for its name in the portal search bar. Then, select the **Open Azure Digital Twins Explorer (preview)** button.

+| **[Tata Teleservices](https://www.tatatelebusiness.com/data-services/ez-cloud-connect/)** | Tata Communications | Chennai, Mumbai |

+The following Resource Provider modes are currently supported as a **[preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)**:

+- `Microsoft.Network.Data` for managing [Azure Virtual Network Manager](../../../virtual-network-manager/overview.md) custom membership policies using Azure Policy.

+- `Microsoft.Kubernetes.Data` for Azure Policy components that target [Azure Kubernetes Service (AKS)](../../../aks/intro-kubernetes.md) resources such as pods, namespaces, and ingresses.

+- `portalReview` (string): Determines whether parameters should be reviewed in the portal, regardless of the required input.

+Now we use the SparkR [read.df()](https://spark.apache.org/docs/3.3.0/api/R/reference/read.df.html) function to import the weather and airline data to Spark DataFrames. This function, like many other Spark methods, is executed lazily, meaning that they're queued for execution but not executed until required.

+We now use the SparkR [join()](https://spark.apache.org/docs/3.3.0/api/R/reference/join.html) function to do a left outer join of the airline and weather data by departure AirportID and datetime. The outer join allows us to retain all the airline data records even if there's no matching weather data. Following the join, we remove some redundant columns, and rename the kept columns to remove the incoming DataFrame prefix introduced by the join.

+ Title: Deploy Azure Health Data Services FHIR service using Bicep

+description: Learn how to deploy FHIR service by using Bicep

+# Deploy a FHIR service within Azure Health Data Services using Bicep

+In this article, you'll learn how to deploy FHIR service within the Azure Health Data Services using Bicep.

+[Bicep](../../azure-resource-manager/bicep/overview.md) is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

+## Prerequisites

+# [PowerShell](#tab/PowerShell)

+* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+* If you want to run the code locally:

+ * [Azure PowerShell](/powershell/azure/install-az-ps).

+# [CLI](#tab/CLI)

+* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+* If you want to run the code locally:

+ * A Bash shell (such as Git Bash, which is included in [Git for Windows](https://gitforwindows.org)).

+ * [Azure CLI](/cli/azure/install-azure-cli).

+## Review the Bicep file

+The Bicep file used in this article is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azure-api-for-fhir/).

+The Bicep file defines three Azure resources:

+* [Microsoft.HealthcareApis/workspaces](/azure/templates/microsoft.healthcareapis/workspaces): create a Microsoft.HealthcareApis/workspaces resource.

+* [Microsoft.HealthcareApis/workspaces/fhirservices](/azure/templates/microsoft.healthcareapis/workspaces/fhirservices): create a Microsoft.HealthcareApis/workspaces/fhirservices resource.

+* [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts): create a Microsoft.Storage/storageAccounts resource.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters serviceName=<service-name> location=<location>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -serviceName "<service-name>" -location "<location>"

+ ```

+

+ Replace **\<service-name\>** with the name of the service. Replace **\<location\>** with the location of the Azure API for FHIR. Location options include:

+ * australiaeast

+ * eastus

+ * eastus2

+ * japaneast

+ * northcentralus

+ * northeurope

+ * southcentralus

+ * southeastasia

+ * uksouth

+ * ukwest

+ * westcentralus

+ * westeurope

+ * westus2

+ > [!NOTE]

+ > When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review the deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+> [!NOTE]

+> You can also verify that the FHIR service is up and running by opening a browser and navigating to `https://<yourfhirservice>.azurehealthcareapis.com/metadata`. If the

+> capability statement is automatically displayed or downloaded, your deployment was successful. Make sure to replace **\<yourfhirservice\>** with the **\<service-name\>** you

+> used in the deployment step of this quickstart.

+## Clean up the resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart guide, you've deployed the FHIR service within Azure Health Data Services using Bicep. For more information about FHIR service supported features, proceed to the following article:

+>[!div class="nextstepaction"]

+>[Supported FHIR Features](fhir-features-supported.md)

+ Title: Best practices for large-scale Microsoft Azure IoT device deployments

+description: This article describes best practices, patterns, and sample code you can use to help with large-scale deployments.

+# Best practices for large-scale IoT device deployments

+Scaling an IoT solution to millions of devices can be challenging. Large-scale solutions often need to be designed in accordance with service and subscription limits. When customers use Azure IoT Device Provisioning Service, they use it in combination with other Azure IoT platform services and components, such as IoT Hub and Azure IoT device SDKs. This article describes best practices, patterns, and sample code you can incorporate in your design to take advantage of these services and allow your deployments to scale out. By following these simple patterns and practices right from the design phase of the project, you can maximize the performance of your IoT devices.

+## First-time device provisioning

+First-time provisioning is the process of onboarding a device for the first time as a part of an IoT solution. When working with large-scale deployments, it's important to schedule the provisioning process to avoid overload situations caused by all the devices attempting to connect at the same time.

+### Device deployment using a staggered provisioning schedule

+For deployment of devices in the scale of millions, registering all the devices at once may result in the DPS instance being overwhelmed due to throttling (HTTP response code `429, Too Many Requests`) and a failure to register your devices. To prevent such throttling, you should use a staggered registration schedule for the devices. The recommended batch size should be in accordance with DPS [quotas and limits](about-iot-dps.md#quotas-and-limits). For instance, if the registration rate is 200 devices per minute, the batch size for onboarding would be 200 devices per batch.

+### Timing logic when retrying operations

+If transient faults occur due to a service being busy, a retry logic enables devices to successfully connect to the IoT cloud. However, a large number of retries could further degrade a busy service that's running close to or at its capacity. As with any Azure service, you should implement an intelligent retry mechanism with exponential backoff. More information on different retry patterns can be found in [the Retry design pattern](/azure/architecture/patterns/retry) and [transient fault handling](/azure/architecture/best-practices/transient-faults).

+Rather than immediately retrying a deployment when throttled, you should wait until the time specified in the `retry-after` header. If there's no retry header available from the service, this algorithm can help achieve a smoother device onboarding experience:

+```console

+min_retry_delay_msec = 1000

+max_retry_delay_msec = (1.0 / <load>) * <T> * 1000

+max_random_jitter_msec = max_retry_delay_msec

+```

+Where `<load>` is a configurable factor with values > 0 (indicates that the load will perform at an average of load time multiplied by the number of connections per second) and `<T>` is the absolute minimum time to cold boot the devices (calculated as `T = N / cps` where `N` is the total number of devices and `cps` is the service limit for number of connections per second). In this case, devices should delay reconnecting for a random amount of time, between `min_retry_delay_msec` and `max_retry_delay_msec`.

+For more information on the timing of retry operations, see [Retry timing](https://github.com/Azure/azure-sdk-for-c/blob/main/sdk/docs/iot/mqtt_state_machine.md#retry-timing).

+## Reprovisioning devices

+Reprovisioning is the process where the device needs to be provisioned to an IoT Hub after having been successfully connected previously. There can be many reasons that result in a need for device to reconnect to an IoT Hub, such as:

+- A device could reboot due to power outage, loss in network connectivity, geo-relocation, firmware updates, factory reset, or certificate key rotation.

+- The IoT Hub instance could be unavailable due to an unplanned IoT Hub outage.

+You shouldn't need to provision every time the device reboots. Most devices that are reprovisioned end up connected to the same IoT hub in most scenarios. Instead, the device should attempt to directly connect to its IoT hub using the information that was cached from a previous successful connection.

+### Devices that can store a connection string

+If the devices have the ability to store the connection string to the previously provisioned and connected IoT Hub, use the same string to skip the entire reprovisioning process and directly connect to the IoT Hub. This reduces the latency in successfully connecting to the appropriate IoT Hub. There are two possible cases here:

+- The IoT Hub to connect upon device reboot is the same as the previously connected IoT Hub.

+ The connection string retrieved from the cache should work fine and the device must attempt to reconnect to the same endpoint. No need for a fresh start for the provisioning process.

+- The IoT Hub to connect upon device reboot is different from the previously connected IoT Hub.

+ The connection string stored in memory is inaccurate. Attempting to connect to the same endpoint won't be successful and so the retry mechanism for the IoT Hub connection is triggered. Once the threshold for the IoT Hub connection failure is reached, the retry mechanism automatically triggers a fresh start to the provisioning process.

+### Devices that can't store a connection string

+In certain scenarios, devices don't have a large enough footprint or memory to accommodate caching of the connection string from a past successful IoT Hub connection. You can use the [Device Registration Status Lookup API](/rest/api/iot-dps/device/runtime-registration/device-registration-status-lookup) to retrieve the connection string from the previous time the device was provisioned and then attempt a connection to that IoT Hub. At every device reboot, that API needs to be invoked to get the device registration status. If data related to a previously connected IoT Hub was returned by the API call, you can connect to the same IoT Hub. If the API returns a null payload, then there's no previous connection available and the reprovisioning process through DPS is automatically triggered.

+### Reprovisioning sample

+These code examples show a class for reading to and writing from the device cache, followed by code that attempts to reconnect a device to the IoT Hub if a connection string is found and reprovisioning through DPS if it isn't.

+```csharp

+using Newtonsoft.Json;

+using System;

+using System.Collections.Generic;

+using System.IO;

+using System.Linq;

+using System.Text;

+namespace ProvisioningCache

+{

+ public class ProvisioningDetailsFileStorage : IProvisioningDetailCache

+ {

+ private string dataDirectory = null;

+ public ProvisioningDetailsFileStorage()

+ {

+ dataDirectory = Environment.GetEnvironmentVariable("ProvisioningDetailsDataDirectory");

+ }

+ public ProvisioningResponse GetProvisioningDetailResponseFromCache(string registrationId)

+ {

+ try

+ {

+ var provisioningResponseFile = File.ReadAllText(Path.Combine(dataDirectory, registrationId));

+ ProvisioningResponse response = JsonConvert.DeserializeObject<ProvisioningResponse>(provisioningResponseFile);

+ return response;

+ }

+ catch (Exception ex)

+ {

+ return null;

+ }

+ }

+ public void SetProvisioningDetailResponse(string registrationId, ProvisioningResponse provisioningDetails)

+ {

+ var provisioningDetailsJson = JsonConvert.SerializeObject(provisioningDetails);

+ File.WriteAllText(Path.Combine(dataDirectory, registrationId), provisioningDetailsJson);

+ }

+ }

+}

+```

+You could use code similar to the following to determine how to proceed with reconnecting a device after determining whether there's connection info in the cache:

+```csharp

+IProvisioningDetailCache provisioningDetailCache = new ProvisioningDetailsFileStorage();

+var provisioningDetails = provisioningDetailCache.GetProvisioningDetailResponseFromCache(registrationId);

+// If no info is available in cache, go through DPS for provisioning

+if(provisioningDetails == null)

+{

+ logger.LogInformation($"Initializing the device provisioning client...");

+ using var transport = new ProvisioningTransportHandlerAmqp();

+ ProvisioningDeviceClient provClient = ProvisioningDeviceClient.Create(dpsEndpoint, dpsScopeId, security, transport);

+ logger.LogInformation($"Initialized for registration Id {security.GetRegistrationID()}.");

+ logger.LogInformation("Registering with the device provisioning service... ");

+ // This method will attempt to retry in case of a transient fault

+ DeviceRegistrationResult result = await registerDevice(provClient);

+ provisioningDetails = new ProvisioningResponse() { iotHubHostName = result.AssignedHub, deviceId = result.DeviceId };

+ provisioningDetailCache.SetProvisioningDetailResponse(registrationId, provisioningDetails);

+}

+// If there was IoT Hub info from previous provisioning in the cache, try connecting to the IoT Hub directly

+// If trying to connect to the IoT Hub returns status 429, make sure to retry operation honoring

+// the retry-after header

+// If trying to connect to the IoT Hub returns a 500-series server error, have an exponential backoff with

+// at least 5 seconds of wait-time

+// For all response codes 429 and 5xx, reprovision through DPS

+// Ideally, you should also support a method to manually trigger provisioning on demand

+if (provisioningDetails != null)

+{

+ logger.LogInformation($"Device {provisioningDetails.deviceId} registered to {provisioningDetails.iotHubHostName}.");

+ logger.LogInformation("Creating TPM authentication for IoT Hub...");

+ IAuthenticationMethod auth = new DeviceAuthenticationWithTpm(provisioningDetails.deviceId, security);

+ logger.LogInformation($"Testing the provisioned device with IoT Hub...");

+ DeviceClient iotClient = DeviceClient.Create(provisioningDetails.iotHubHostName, auth, TransportType.Amqp);

+ logger.LogInformation($"Registering the Method Call back for Reprovisioning...");

+ await iotClient.SetMethodHandlerAsync("Reprovision",reprovisionDirectMethodCallback, iotClient);

+ // Now you should start a thread into this method and do your business while the DeviceClient is still connected

+ await startBackgroundWork(iotClient);

+ logger.LogInformation("Wait until closed...");

+ // Wait until the app unloads or is cancelled

+ var cts = new CancellationTokenSource();

+ AssemblyLoadContext.Default.Unloading += (ctx) => cts.Cancel();

+ Console.CancelKeyPress += (sender, cpe) => cts.Cancel();

+ await WhenCancelled(cts.Token);

+ await iotClient.CloseAsync();

+ Console.WriteLine("Finished.");

+}

+```

+## IoT Hub connectivity considerations

+- Any single IoT hub is limited to 1 million devices plus modules. If you plan to have more than a million devices, cap the number of devices to 1 million per hub and add hubs as needed when increasing the scale of your deployment. For more information, see [IoT Hub quotas](../iot-hub/iot-hub-devguide-quotas-throttling.md).

+- If you have plans for more than a million devices and you need to support them in a specific region (such as in an EU region for data residency requirements), you can [contact us](../iot-fundamentals/iot-support-help.md) to ensure that the region you're deploying to has the capacity to support your current and future scale.

+Recommended device logic when connecting to IoT Hub via DPS:

+- On first boot, devices should go use the [DPS registration API](/rest/api/iot-dps/device/runtime-registration/register-device) to register.

+- On subsequent boots, devices should:

+ - If possible, cache their provisioning details and connect using this information from this cache.

+ - If they can't cache IoT hub connection information, use the [Device Registration Status Lookup API](/rest/api/iot-dps/device/runtime-registration/device-registration-status-lookup) to return connection information once registration has been done. This API call is a much lighter weight operation for DPS than a full device registration operation.

+ - For devices in either case described above, devices should use the following logic in response to error codes when connecting:

+ - When receiving any of the 500-series of server error responses, retry the connection using either cached credentials or the results of a Device Registration Status Lookup API call.

+ - When receiving `401, Unauthorized` or `403, Forbidden` or `404, Not Found`, perform a full re-registration by calling the [DPS registration API](/rest/api/iot-dps/device/runtime-registration/register-device).

+- At any time, devices should be capable of responding to a user-initiated reprovisioning command.

+Other IoT Hub scenarios when using DPS:

+- IoT Hub failover: Devices should continue to work as connection information shouldn't change and logic is in place to retry the connection once the hub is available again.

+- Change of IoT Hub: Assigning devices to a different IoT Hub should be done by using a [custom allocation policy](tutorial-custom-allocation-policies.md).

+- Retry IoT Hub connection: You shouldn't use an aggressive retry strategy, instead allowing a gap of at least a minute before a retry.

+- IoT Hub partitions: If your device strategy leans heavily on telemetry, the number of device-to-cloud partitions should be increased.

+## Monitoring devices

+An important part of the overall deployment is monitoring the solution end-to-end to make sure that the system is performing appropriately. There are several ways to monitor the health of a service for large-scale deployment of IoT devices. The following patterns have proven effective in monitoring the service:

+- Create an application to query each enrollment group on a DPS instance, get the total devices registered to that group, and then aggregate the numbers from across various enrollment groups. This number provides an exact count of the devices that are currently registered via DPS and can be used to monitor the state of the service.

+- Monitor device registrations over a specific period. For instance, monitor registration rates for a DPS instance over the prior five days. Note that this approach only provides an approximate figure and is also capped to a time period.

+## Next steps

+- [Provision devices across load-balanced IoT Hubs](tutorial-provision-multiple-hubs.md)

+- [Retry timing](https://github.com/Azure/azure-sdk-for-c/blob/main/sdk/docs/iot/mqtt_state_machine.md#retry-timing) when retrying operations

+For each loopback interface, repeat these commands, which assign the floating IP to the loopback alias:

+- Learn more about [Network Security Groups](../virtual-network/network-security-groups-overview.md).

+## 2022-06-27

+ + **azureml-automl-dnn-nlp**

+ + Remove duplicate labels column from multi-label predictions

+ + **azureml-contrib-automl-pipeline-steps**

+ + Many Models now provides the capability to generate prediction output in csv format as well. - Many Models prediction will now include column names in the output file in case of **csv** file format.

+ + **azureml-core**

+ + ADAL authentication is now deprecated and all authentication classes now use MSAL authentication. Please install azure-cli>=2.30.0 to utilize MSAL based authentication when using AzureCliAuthentication class.

+ + Added fix to force environment registration when `Environment.build(workspace)`. The fix solves confusion of the latest environment built instead of the asked one when environment is cloned or inherited from another instance.

+ + SDK warning message to restart Compute Instance before May 31, 2022, if it was created before September 19, 2021

+ + **azureml-interpret**

+ + Updated azureml-interpret package to interpret-community 0.26.*

+ + In the azureml-interpret package, add ability to get raw and engineered feature names from scoring explainer. Also, add example to the scoring notebook to get feature names from the scoring explainer and add documentation about raw and engineered feature names.

+ + **azureml-mlflow**

+ + azureml-core as a dependency of azureml-mlflow has been removed. - MLflow projects and local deployments will require azureml-core and needs to be installed separately.

+ + Adding support for creating endpoints and deploying to them via the MLflow client plugin.

+ + **azureml-responsibleai**

+ + Updated azureml-responsibleai package and environment images to latest responsibleai and raiwidgets 0.19.0 release

+ + **azureml-train-automl-client**

+ + Now OutputDatasetConfig is supported as the input of the MM/HTS pipeline builder. The mappings are: 1) OutputTabularDatasetConfig -> treated as unpartitioned tabular dataset. 2) OutputFileDatasetConfig -> treated as filed dataset.

+ + **azureml-train-automl-runtime**

+ + Added data validation that requires the number of minority class samples in the dataset to be at least as much as the number of CV folds requested.

+ + Automatic cross-validation parameter configuration is now available for automl forecasting tasks. Users can now specify "auto" for n_cross_validations and cv_step_size or leave them empty, and automl will provide those configurations base on your data. However, currently this feature is not supported when TCN is enabled.

+ + Forecasting Parameters in Many Models and Hierarchical Time Series can now be passed via object rather than using individual parameters in dictionary.

+ + Enabled forecasting model endpoints with quantiles support to be consumed in PowerBI.

+ + Updated automl scipy dependency upper bound to 1.5.3 from 1.5.2

+Since this classifier was trained on the ImageNet data set, map the classes to human-readable labels.

+> [!NOTE]

+> Azure Managed Grafana doesn't support personal [Microsoft accounts](https://account.microsoft.com) currently.

+> [!NOTE]

+> Azure Managed Grafana doesn't support personal [Microsoft accounts](https://account.microsoft.com) currently.

+- Get questions answered in the [Azure Migrate forum](https://social.msdn.microsoft.com/forums/azure/home?forum=AzureMigrate)

+- Use **Azure VM assessments** when you want to assess servers from your on-premises [VMware](how-to-set-up-appliance-vmware.md) and [Hyper-V](how-to-set-up-appliance-hyper-v.md) environment, and [physical servers](how-to-set-up-appliance-physical.md) for migration to Azure VMs. [Learn More](concepts-assessment-calculation.md).

+- Use assessment type **Azure SQL** when you want to assess your on-premises SQL Server from your VMware environment for migration to SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance. [Learn More](concepts-azure-sql-assessment-calculation.md).

+- Use assessment type **Azure App Service** when you want to assess your on-premises ASP.NET web apps running on IIS web server from your VMware environment for migration to Azure App Service. [Learn More](concepts-assessment-calculation.md).

+- Use **Azure VMware Solution (AVS)** assessments when you want to assess your on-premises [VMware VMs](how-to-set-up-appliance-vmware.md) for migration to [Azure VMware Solution (AVS)](../azure-vmware/introduction.md) using this assessment type. [Learn more](concepts-azure-vmware-solution-assessment-calculation.md).

+- If only memory counters are missing and you are trying to assess servers in Hyper-V environment. In this scenario, enable dynamic memory on the servers and 'Recalculate' the assessment to reflect the latest changes. The appliance can collect memory utilization values for severs in Hyper-V environment only when the server has dynamic memory enabled.

+To ensure performance data is collected, check:

+- If the SQL Servers are powered on for the duration for which you are creating the assessment.

+- If the connection status of the SQL agent in Azure Migrate is 'Connected', and check the last heartbeat.

+- If Azure Migrate connection status for all SQL instances is 'Connected' in the discovered SQL instance blade.

+- If all of the performance counters are missing, ensure that outbound connections on ports 443 (HTTPS) are allowed.

+- You did not profile your environment for the duration for which you are creating the assessment. For example, if you are creating an assessment with performance duration set to one week, you need to wait for at least a week after you start the discovery for all the data points to get collected. If you cannot wait for the duration, change the performance duration to a smaller period and **Recalculate** the assessment.

+- Assessment is not able to collect the performance data for some or all the servers in the assessment period. For a high confidence rating, ensure that:

+ - For Hyper-V Servers, dynamic memory is enabled

+ **Recalculate** the assessment to reflect the latest changes in confidence rating.

+- For Azure VM and AVS assessments, few servers were created after discovery had started. For example, if you are creating an assessment for the performance history of last one month, but few servers were created in the environment only a week ago. In this case, the performance data for the new servers will not be available for the entire duration and the confidence rating would be low. [Learn more](./concepts-assessment-calculation.md#confidence-ratings-performance-based).

+- For Azure SQL assessments, few SQL instances or databases were created after discovery had started. For example, if you are creating an assessment for the performance history of last one month, but few SQL instances or databases were created in the environment only a week ago. In this case, the performance data for the new servers will not be available for the entire duration and the confidence rating would be low. [Learn more](./concepts-azure-sql-assessment-calculation.md#confidence-ratings).

+ To remediate this, click the total number of assessments to navigate to all the assessments and recalculate the Azure VM or AVS assessment. The discovery and assessment tool will then show the correct count for that assessment type.

+Discovery and assessment of SQL Server instances and databases running in your VMware environment is now in preview. Get started with [this tutorial](tutorial-discover-vmware.md). If you want to try out this feature in an existing project, ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article.

+Discovery and assessment of .NET web apps running in your VMware environment is now in preview. Get started with [this tutorial](tutorial-discover-vmware.md). If you want to try out this feature in an existing project, ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article.

+- Azure SQL assessment can only be done on servers running where SQL instances were discovered. If you don't see the servers and SQL instances that you wish to assess, wait for some time for the discovery to get completed and then create the assessment.

+- If you are not able to see a previously created group while creating the assessment, remove any non-VMware server or any server without a SQL instance from the group.

+- Azure App Service assessment can only be done on servers running where web server role was discovered. If you don't see the servers that you wish to assess, wait for some time for the discovery to get completed and then create the assessment.

+- If you are not able to see a previously created group while creating the assessment, remove any non-VMware server or any server without a web app from the group.

+The readiness for your SQL instances has been computed after doing a feature compatibility check with the targeted Azure SQL deployment type (SQL Server on Azure VM or Azure SQL Managed Instance or Azure SQL Database). [Learn more](./concepts-azure-sql-assessment-calculation.md#calculate-readiness).

+**Recalculate** the assessment to reflect the latest changes in the assessment.

+**Recalculate** the assessment to reflect the latest changes in the assessment.

+Azure Migrate recommends a specific Azure SQL deployment type that is compatible with your SQL instance. Migrating to a Microsoft recommended target reduces your overall migration effort. This Azure SQL configuration (SKU) has been recommended after considering the performance characteristics of your SQL instance and the databases it manages. If multiple Azure SQL configurations are eligible, we recommend the one, which is the most cost effective. [Learn more](./concepts-azure-sql-assessment-calculation.md#calculate-sizing).

+The Azure SQL assessment only includes databases that are in online status. In case the database is in any other status, the assessment ignores the readiness, sizing, and cost calculation for such databases. In case you wish you assess such databases, change the status of the database and recalculate the assessment in some time.

+## I want to compare costs for running my SQL instances on Azure VM vs Azure SQL Database/Azure SQL Managed Instance

+You can create an assessment with type **Azure VM** on the same group that was used in your **Azure SQL** assessment. You can then compare the two reports side by side. Though, Azure VM assessments in Azure Migrate are currently lift-and-shift focused and will not consider the specific performance metrics for running SQL instances and databases on the Azure virtual machine. When you run an Azure VM assessment on a server, the recommended size and cost estimates will be for all instances running on the server and can be migrated to an Azure VM using the Server Migration tool. Before you migrate, [review the performance guidelines](/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist.md) for SQL Server on Azure virtual machines.

+For Azure SQL Managed Instance, there is no storage cost added for the first 32 GB/instance/month storage and additional storage cost is added for storage in 32 GB increments. [Learn More](https://azure.microsoft.com/pricing/details/azure-sql/sql-managed-instance/single/).

+For example, if an on-premises server has 4 cores and 8 GB of memory at 50% CPU utilization and 50% memory utilization:

+- As-on-premises sizing will recommend an Azure VM SKU that has 4 cores and 8 GB of memory.

+- Performance-based sizing will recommend a VM SKU that has 2 cores and 4 GB of memory because the utilization percentage is considered.

+For agentless visualization, you can view the dependency map of a single server from a duration of between an hour and 30 days.

+> If you import servers by using a CSV file, the performance values you specify (CPU utilization, Memory utilization, Disk IOPS and throughput) are used if you choose performance-based sizing. You will not be able to provide performance history and percentile information.

+This article provides an overview of assessments for migrating on-premises SQL Server instances from a VMware environment to SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance using the [Azure Migrate: Discovery and assessment tool](./migrate-services-overview.md#azure-migrate-discovery-and-assessment-tool).

+**Azure SQL** | Assessments to migrate your on-premises SQL servers from your VMware environment to SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance. <br/><br/> If your SQL servers are running on a non-VMware platform, you can assess readiness by using the [Data Migration Assistant](/sql/dma/dma-assess-sql-data-estate-to-sqldb).

+**Azure VMware Solution (AVS)** | Assessments to migrate your on-premises servers to [Azure VMware Solution (AVS)](../azure-vmware/introduction.md). <br/><br/> You can assess your on-premises [VMware VMs](how-to-set-up-appliance-vmware.md) for migration to Azure VMware Solution (AVS) using this assessment type. [Learn more](concepts-azure-vmware-solution-assessment-calculation.md).

+You can assess your on-premises SQL Server instances by using the configuration and utilization data collected by a lightweight Azure Migrate appliance. The appliance discovers on-premises SQL server instances and databases and sends the configuration and performance data to Azure Migrate. [Learn More](how-to-set-up-appliance-vmware.md).

+The Azure SQL assessment properties include:

+**Section** | **Property** | **Details**

+| | |

+Target and pricing settings | **Target location** | The Azure region to which you want to migrate. Azure SQL configuration and cost recommendations are based on the location that you specify.

+Target and pricing settings | **Environment type** | The environment for the SQL deployments to apply pricing applicable to Production or Dev/Test.

+Target and pricing settings | **Offer/Licensing program** |The Azure offer if you're enrolled. Currently the field is defaulted to Pay-as-you-go, which will give you retail Azure prices. <br/><br/>You can avail additional discount by applying reserved capacity and Azure Hybrid Benefit on top of Pay-as-you-go offer.<br/>You can apply Azure Hybrid Benefit on top of Pay-as-you-go offer and Dev/Test environment. The assessment does not support applying Reserved Capacity on top of Pay-as-you-go offer and Dev/Test environment. <br/>If the offer is set to *Pay-as-you-go* and Reserved capacity is set to *No reserved instances*, the monthly cost estimates are calculated by multiplying number of hours chosen in the VM uptime field with the hourly price of the recommended SKU.

+Target and pricing settings | **Reserved Capacity** | You can specify reserved capacity so that cost estimations in the assessment take them into account.<br/><br/> If you select a reserved capacity option, you can't specify "Discount (%)" or "VM uptime". <br/>If the Reserved capacity is set to *1 year reserved* or *3 years reserved*, the monthly cost estimates are calculated by multiplying 744 hours in the VM uptime field with the hourly price of the recommended SKU.

+Target and pricing settings | **Currency** | The billing currency for your account.

+Target and pricing settings | **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%.

+Target and pricing settings | **VM uptime** | You can specify the duration (days per month/hour per day) that servers/VMs will run. This is useful for computing cost estimates for SQL Server on Azure VM where you are aware that Azure VMs might not run continuously. <br/> Cost estimates for servers where recommended target is *SQL Server on Azure VM* are based on the duration specified. Default is 31 days per month/24 hours per day.

+Target and pricing settings | **Azure Hybrid Benefit** | You can specify whether you already have a Windows Server and/or SQL Server license. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+Assessment criteria | **Sizing criteria** | Defaulted to *Performance-based*, which means Azure migrate will collect performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration.

+Assessment criteria | **Performance history** | You can indicate the data duration on which you want to base the assessment. (Default is one day)

+Assessment criteria | **Percentile utilization** | You can indicate the percentile value you want to use for the performance sample. (Default is 95th percentile)

+Assessment criteria | **Comfort factor** | You can indicate the buffer you want to use during assessment. This accounts for issues like seasonal usage, short performance history, and likely increases in future usage.

+Azure SQL Managed Instance sizing | **Service Tier** | You can choose the most appropriate service tier option to accommodate your business needs for migration to Azure SQL Managed Instance:<br/><br/>Select *Recommended* if you want Azure Migrate to recommend the best suited service tier for your servers. This can be General purpose or Business critical.<br/><br/>Select *General Purpose* if you want an Azure SQL configuration designed for budget-oriented workloads.<br/><br/>Select *Business Critical* if you want an Azure SQL configuration designed for low-latency workloads with high resiliency to failures and fast failovers.

+Azure SQL Managed Instance sizing | **Instance type** | Defaulted to *Single instance*.

+Azure SQL Managed Instance sizing | **Pricing Tier** | Defaulted to *Standard*.

+SQL Server on Azure VM sizing | **VM series** | You can specify the Azure VM series you want to consider for *SQL Server on Azure VM* sizing. Based on the configuration and performance requirements of your SQL Server or SQL Server instance, the assessment will recommend a VM size from the selected list of VM series. <br/>You can edit settings as needed. For example, if you don't want to include D-series VM, you can exclude D-series from this list.<br/> As Azure SQL assessments are intended to give the best performance for your SQL workloads, the VM series list only has VMs that are optimized for running your SQL Server on Azure Virtual Machines (VMs). [Learn more](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#vm-size&preserve-view=true).

+SQL Server on Azure VM sizing | **Storage Type** | Defaulted to *Recommended*, which means the assessment will recommend the best suited Azure Managed Disk based on the chosen environment type, on-premises disk size, IOPS and throughput.

+Azure SQL Database sizing | **Service Tier** | You can choose the most appropriate service tier option to accommodate your business needs for migration to Azure SQL Database:<br/><br/>Select **Recommended** if you want Azure Migrate to recommend the best suited service tier for your servers. This can be General purpose or Business critical.<br/><br/>Select **General Purpose** if you want an Azure SQL configuration designed for budget-oriented workloads.<br/><br/>Select **Business Critical** if you want an Azure SQL configuration designed for low-latency workloads with high resiliency to failures and fast failovers.

+Azure SQL Database sizing | **Instance type** | Defaulted to *Single database*.

+Azure SQL Database sizing | **Purchase model** | Defaulted to *vCore*.

+Azure SQL Database sizing | **Compute tier** | Defaulted to *Provisioned*.

+> The assessment only includes databases that are in online status. In case the database is in any other status, the assessment ignores the readiness, sizing and cost calculation for such databases. > In case you wish you assess such databases, change the status of the database and recalculate the assessment in some time.

+Readiness checks for different migration strategies:

+#### Recommended deployment, Instances to SQL Server on Azure VM, Instances to Azure SQL MI, Database to Azure SQL DB:

+Azure SQL readiness for SQL instances and databases is based on a feature compatibility check with SQL Server on Azure VM, Azure SQL Database and Azure SQL Managed Instance:

+1. If there are no compatibility issues found, the readiness is marked as **Ready** for the target deployment type (SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance)

+1. If there are non-critical compatibility issues, such as deprecated or unsupported features that do not block the migration to a specific target deployment type, the readiness is marked as **Ready** (hyperlinked) with **warning** details and recommended remediation guidance.

+1. If there are any compatibility issues that may block the migration to a specific target deployment type, the readiness is marked as **Ready with conditions** with **issue** details and recommended remediation guidance.

+ - In the Recommended deployment, Instances to Azure SQL MI, and Instances to SQL Server on Azure VM readiness reports, if there is even one database in an SQL instance, which is not ready for a particular target deployment type, the instance is marked as **Ready with conditions** for that deployment type.

+1. **Not ready**: The assessment could not find a SQL Server on Azure VM/Azure SQL MI/Azure SQL DB configuration meeting the desired configuration and performance characteristics. You can review the recommendation to make the instance/server ready for the desired target deployment type.

+> [!NOTE]

+> In the recommended deployment strategy, migrating instances to SQL Server on Azure VM is the recommended strategy for migrating SQL Server instances. Though, when SQL Server credentials are not available, the Azure SQL assessment provides right-sized lift-and-shift ie "Server to SQL Server on Azure VM" recommendations.

+#### All servers to SQL Server on Azure VM:

+Refer to readiness [here](concepts-assessment-calculation.md#calculate-readiness).

+### Recommended deployment type

+For the recommended deployment migration strategy, the assessment recommends an Azure SQL deployment type that is the most compatible with your SQL instance and is the most cost-effective. Migrating to a Microsoft-recommended target reduces your overall migration effort. If your instance is ready for SQL Server on Azure VM, Azure SQL Managed Instance and Azure SQL Database, the target deployment type, which has the least migration readiness issues and is the most cost-effective is recommended.

+If you select the target deployment type as **Recommended** in the Azure SQL assessment properties, Azure Migrate recommends an Azure SQL deployment type that is compatible with your SQL instance. Migrating to a Microsoft-recommended target reduces your overall migration effort.

+> [!NOTE]

+> In the recommended deployment strategy, if the source SQL Server is good fit for all three deployment targets- SQL Server on Azure VM, Azure SQL Managed Instance and Azure SQL Database, the assessment recommends a specific option that optimizes your cost and fits within the size and performance boundaries.

+### Instances to Azure SQL MI and Databases to Azure SQL DB configuration

+### Instances to SQL Server on Azure VM configuration

+*Instance to SQL Server on Azure VM* assessment report covers the ideal approach for migrating SQL Server instances and databases to SQL Server on Azure VM, adhering to the best practices. [Learn more](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#vm-size&preserve-view=true).

+#### Storage sizing

+For storage sizing, the assessment maps each of the instance disk to an Azure disk. Sizing works as follows:

+- Assessment adds the read and write IOPS of a disk to get the total IOPS required. Similarly, it adds the read and write throughput values to get the total throughput of each disk. The disk size needed for each of the disks is the size of SQL Data and SQL Log drives.

+- The assessment recommends creating a storage disk pool for all SQL Log and SQL Data drives. For temp drives, the assessment recommends storing the files in the local drive.

+

+- If the assessment can't find a disk for the required size, IOPS and throughput, it marks the instance as unsuitable for migrating to SQL Server on Azure VM

+- If the assessment finds a set of suitable disks, it selects the disks that support the location specified in the assessment settings.

+- If the environment type is *Production*, the assessment tries to find Premium disks to map each of the disks, else it tries to find a suitable disk, which could either be Premium or Standard SSD disk.

+ - If there are multiple eligible disks, assessment selects the disk with the lowest cost.

+#### Compute sizing

+After it calculates storage requirements, the assessment considers CPU and RAM requirements of the instance to find a suitable VM size in Azure.

+- The assessment looks at the effective utilized cores and RAM to find a suitable Azure VM size. *Effective utilized RAM or memory* for an instance is calculated by aggregating the buffer cache (buffer pool size in MB) for all the databases running in an instance.

+- If no suitable size is found, the server is marked as unsuitable for Azure.

+- If a suitable size is found, Azure Migrate applies the storage calculations. It then applies location and pricing-tier settings for the final VM size recommendation.

+- If there are multiple eligible Azure VM sizes, the one with the lowest cost is recommended.

+> [!NOTE]

+>As Azure SQL assessments are intended to give the best performance for your SQL workloads, the VM series list only has VMs that are optimized for running your SQL Server on Azure Virtual Machines (VMs). [Learn more](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#vm-size&preserve-view=true).

+### Servers to SQL Server on Azure VM configuration

+For *All serves to SQL Server on Azure VM* migration strategy, refer compute and storage sizing [here](concepts-assessment-calculation.md#calculate-sizing-performance-based).

+- The Assessment is not able to collect the performance data for some or all the servers in the assessment period. For a high confidence rating, ensure that:

+ - Servers are powered on for the duration of the assessment.

+ - Outbound connections on ports 443 are allowed.

+ - If Azure Migrate connection status of the SQL agent in Azure Migrate is "Connected" and check the last heartbeat.

+ - If Azure Migrate connection status for all SQL instances is "Connected" in the discovered SQL instance blade.

+ **Recalculate** the assessment to reflect the latest changes in confidence rating.

+- Some databases or instances were created during the time for which the assessment was calculated. For example, you created an assessment for the performance history of the last month, but some databases or instances were created only a week ago. In this case, the performance data for the new servers will not be available for the entire duration and the confidence rating would be low.

+ - Azure Hybrid Benefit for SQL and Windows licenses

+ - Environment type

+ - A minimum of 5GB storage cost is added in the cost estimate and additional storage cost is added for storage in 1GB increments. [Learn More](https://azure.microsoft.com/pricing/details/sql-database/single/).

+ - There is no storage cost added for the first 32 GB/instance/month storage and additional storage cost is added for storage in 32GB increments. [Learn More](https://azure.microsoft.com/pricing/details/azure-sql/sql-managed-instance/single/).

+ :::image type="content" source="./media/tutorial-assess-sql/assess-migrate-inline.png" alt-text="Screenshot of Overview page for Azure Migrate." lightbox="./media/tutorial-assess-sql/assess-migrate-expanded.png":::

+

+ :::image type="content" source="./media/tutorial-assess-sql/assess-inline.png" alt-text="Screenshot of Dropdown to choose assessment type as Azure SQL." lightbox="./media/tutorial-assess-sql/assess-expanded.png":::

+3. In **Assess servers**, you will be able to see the assessment type pre-selected as **Azure SQL** and the discovery source defaulted to **Servers discovered from Azure Migrate appliance**.

+

+ :::image type="content" source="./media/tutorial-assess-sql/assess-servers-sql-inline.png" alt-text="Screenshot of Edit button from where assessment settings can be customized." lightbox="./media/tutorial-assess-sql/assess-servers-sql-expanded.png":::

+ - The Sizing criteria is defaulted to **Performance-based** which means Azure migrate will collect performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized Azure SQL Database and/or SQL Managed Instance configuration. You can specify:

+ - In **Service Tier**, choose the most appropriate service tier option to accommodate your business needs for migration to Azure SQL Database and/or SQL Managed Instance:

+

+ :::image type="content" source="./media/tutorial-assess-sql/view-all-inline.png" alt-text="Screenshot to save the assessment properties." lightbox="./media/tutorial-assess-sql/view-all-expanded.png":::

+

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-add-servers-inline.png" alt-text="Screenshot of Location of New group button." lightbox="./media/tutorial-assess-sql/assessment-add-servers-expanded.png":::

+

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-summary-inline.png" alt-text="Screenshot of Overview of SQL assessment." lightbox="./media/tutorial-assess-sql/assessment-sql-summary-expanded.png":::

+**Recommended** | Ready for Azure SQL Database, Ready for SQL Managed Instance, Potentially ready for Azure VM, Readiness unknown (In case the discovery is in progress or there are some discovery issues to be fixed)

+**Azure SQL DB** or **Azure SQL MI** | Ready for Azure SQL Database or SQL Managed Instance, Not ready for Azure SQL Database or SQL Managed Instance, Readiness unknown (In case the discovery is in progress or there are some discovery issues to be fixed)

+You can drill down to understand details around migration issues/warnings that you can remediate before migration to Azure SQL. [Learn More](concepts-azure-sql-assessment-calculation.md)

+The monthly cost estimate includes compute and storage costs for Azure SQL configurations corresponding to the recommended Azure SQL Database and/or SQL Managed Instance deployment type. [Learn More](concepts-azure-sql-assessment-calculation.md#calculate-monthly-costs)

+

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-readiness-inline.png" alt-text="Screenshot with Details of Azure SQL readiness" lightbox="./media/tutorial-assess-sql/assessment-sql-readiness-expanded.png":::

+ Not ready | Not ready | Potentially ready for Azure VM [Learn more](concepts-azure-sql-assessment-calculation.md#calculate-readiness) | No

+4. Click on the instance name and drill down to see the number of user databases, instance details including instance properties, compute (scoped to instance) and source database storage details.

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-cost-inline.png" alt-text="Screenshot of cost details." lightbox="./media/tutorial-assess-sql/assessment-sql-cost-expanded.png":::

+ - **Servers, databases and web apps**: Assess on-premises servers including web apps and SQL Server instances and migrate them to Azure virtual machines or Azure VMware Solution (AVS) (Preview).

+ - **Databases**: Assess on-premises SQL Server instances and databases to migrate them to an SQL Server on an Azure VM or an Azure SQL Managed Instance or to an Azure SQL Database.

+Movere is a Software as a Service (SaaS) platform. It increases business intelligence by accurately presenting entire IT environments within a single day. Organizations and enterprises grow, change, and digitally optimize. As they do so, Movere provides them with the needed confidence to see and control their environments, whatever the platform, application, or geography.

+## Why are some of my assessments marked as "to be upgraded to latest assessment version"?

+Recalculate your assessment to view the upgraded Azure SQL assessment experience to identify the ideal migration target for your SQL deployments across Azure SQL Managed Instances, SQL Server on Azure VM, and Azure SQL DB:

+ - We recommended migrating instances to *SQL Server on Azure VM* as per the Azure best practices.

+ - *Right sized Lift and Shift* - Server to *SQL Server on Azure VM*. We recommend this when SQL Server credentials are not available.

+ - Enhanced user-experience that covers readiness and cost estimates for multiple migration targets for SQL deployments in one assessment.

+We recommend that you export your existing assessment before recalculating.

+- Enter ```nslookup <storage-account-name>_.blob.core.windows.net.``` Replace ```<storage-account-name>``` with the name of the storage account used for Azure Migrate.

+ Title: Tutorial to assess SQL instances for migration to SQL Server on Azure VM, Azure SQL Managed Instance and Azure SQL Database

+This article shows you how to assess discovered SQL Server instances and databases in preparation for migration to Azure SQL, using the Azure Migrate: Discovery and assessment tool.

+> * Run an assessment based on configuration and performance data.

+> * Review an Azure SQL assessment.

+> If SQL Servers are running on non-VMware platforms, [assess the readiness of a SQL Server data estate migrating to Azure SQL Database using the Data Migration Assistant](/sql/dma/dma-assess-sql-data-estate-to-sqldb).

+- Before you follow this tutorial to assess your SQL Server instances for migration to Azure SQL, make sure you've discovered the SQL instances you want to assess using the Azure Migrate appliance, [follow this tutorial](tutorial-discover-vmware.md).

+- If you want to try out this feature in an existing project, ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article.

+1. On the **Overview** page > **Servers, databases and web apps**, select **Assess and migrate servers**.

+

+ :::image type="content" source="./media/tutorial-assess-sql/assess-migrate-inline.png" alt-text="Screenshot of Overview page for Azure Migrate." lightbox="./media/tutorial-assess-sql/assess-migrate-expanded.png":::

+1. In **Azure Migrate: Discovery and assessment**, select **Assess** and choose the assessment type as **Azure SQL**.

+

+ :::image type="content" source="./media/tutorial-assess-sql/assess-inline.png" alt-text="Screenshot of Dropdown to choose assessment type as Azure SQL." lightbox="./media/tutorial-assess-sql/assess-expanded.png":::

+

+1. In **Assess servers**, the assessment type is pre-selected as **Azure SQL** and the discovery source is defaulted to **Servers discovered from Azure Migrate appliance**.

+1. Select **Edit** to review the assessment settings.

+ :::image type="content" source="./media/tutorial-assess-sql/assess-servers-sql-inline.png" alt-text="Screenshot of Edit button from where assessment settings can be customized." lightbox="./media/tutorial-assess-sql/assess-servers-sql-expanded.png":::

+1. In **Assessment settings** > **Target and pricing settings**, do the following:

+ - In **Environment type**, specify the environment for the SQL deployments to apply pricing applicable to Production or Dev/Test.

+ - In **Offer/Licensing program**, specify the Azure offer if you're enrolled. Currently the field is defaulted to Pay-as-you-go, which will give you retail Azure prices.

+ - You can avail additional discount by applying reserved capacity and Azure Hybrid Benefit on top of Pay-as-you-go offer.

+ - You can apply Azure Hybrid Benefit on top of the Pay-as-you-go offer and Dev/Test environment. The assessment does not support applying Reserved Capacity on top of the Pay-as-you-go offer and Dev/Test environment.

+ - If the offer is set to *Pay-as-you-go* and Reserved capacity is set to *No reserved instances*, the monthly cost estimates are calculated by multiplying the number of hours chosen in the VM uptime field with the hourly price of the recommended SKU.

+ - If you select a reserved capacity option, you can't specify "Discount (%)" or "VM uptime".

+ - If the Reserved capacity is set to *1 year reserved* or *3 years reserved*, the monthly cost estimates are calculated by multiplying 744 hours in the VM uptime field with the hourly price of the recommended SKU.

+ - In **Currency**, select the billing currency for your account.

+ - In **Discount (%)**, add any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%.

+ - In **VM uptime**, specify the duration (days per month/hour per day) that servers/VMs will run. This is useful for computing cost estimates for SQL Server on Azure VM where you are aware that Azure VMs might not run continuously.

+ - Cost estimates for servers where recommended target is *SQL Server on Azure VM* are based on the duration specified.

+ - Default is 31 days per month/24 hours per day.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server and/or an SQL Server license. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have an SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+1. In **Assessment settings** > **Assessment criteria**,

+ - The **Sizing criteria** is defaulted to *Performance-based*, which means Azure migrate will collect performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration. You can specify:

+ - **Performance history** to indicate the data duration on which you want to base the assessment. (Default is one day.)

+ - **Percentile utilization**, to indicate the percentile value you want to use for the performance sample. (Default is 95th percentile.)

+ - In **Comfort factor**, indicate the buffer you want to use during assessment. This accounts for issues such as seasonal usage, short performance history, and likely increases in future usage. For example, the following table displays values if you use a comfort factor of two:

+1. In **Assessment settings** > **Azure SQL Managed Instance sizing**,

+ - In **Service Tier**, choose the most appropriate service tier option to accommodate your business needs for migration to Azure SQL Managed Instance:

+ - Select *Recommended* if you want Azure Migrate to recommend the best suited service tier for your servers. This can be General purpose or Business critical.

+ - Select *General Purpose* if you want an Azure SQL configuration designed for budget-oriented workloads.

+ - Select *Business Critical* if you want an Azure SQL configuration designed for low-latency workloads with high resiliency to failures and fast failovers.

+ - **Instance type** - Default value is *Single instance*.

+1. In **Assessment settings** > **SQL Server on Azure VM sizing**:

+ - **Pricing Tier** - Default value is *Standard*.

+ - In **VM series**, specify the Azure VM series you want to consider for *SQL Server on Azure VM* sizing. Based on the configuration and performance requirements of your SQL Server or SQL Server instance, the assessment will recommend a VM size from the selected list of VM series.

+ - You can edit settings as needed. For example, if you don't want to include D-series VM, you can exclude D-series from this list.

+ > [!NOTE]

+ > As Azure SQL assessments are intended to give the best performance for your SQL workloads, the VM series list only has VMs that are optimized for running your SQL Server on Azure Virtual Machines (VMs). [Learn more](https://docs.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#vm-size&preserve-view=true).

+ - **Storage Type** is defaulted to *Recommended*, which means the assessment will recommend the best suited Azure Managed Disk based on the chosen environment type, on-premises disk size, IOPS, and throughput.

+1. In **Assessment settings** > **Azure SQL Database sizing**,

+ - In **Service Tier**, choose the most appropriate service tier option to accommodate your business needs for migration to Azure SQL Database.

+ - Select **Recommended** if you want Azure Migrate to recommend the best suited service tier for your servers. This can be General purpose or Business critical.

+ - **Instance type** - Default value is *Single database*.

+ - **Purchase model** - Default value is *vCore*.

+ - **Compute tier** - Default value is *Provisioned*.

+ - Select **Save** if you made changes.

+ :::image type="content" source="./media/tutorial-assess-sql/view-all-inline.png" alt-text="Screenshot to save the assessment properties." lightbox="./media/tutorial-assess-sql/view-all-expanded.png":::

+8. In **Assess Servers**, select **Next**.

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-add-servers-inline.png" alt-text="Screenshot of Location of New group button." lightbox="./media/tutorial-assess-sql/assessment-add-servers-expanded.png":::

+11. Select the appliance and select the servers you want to add to the group and select **Next**.

+12. In **Review + create assessment**, review the assessment details, and select **Create Assessment** to create the group and run the assessment.

+13. After the assessment is created, go to **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**, select the number next to Azure SQL assessment. If you do not see the number populated, select **Refresh** to get the latest updates.

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-navigation.png" alt-text="Screenshot of Navigation to created assessment.":::

+15. Select the assessment name, which you wish to view.

+1. In **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**, select the number next to Azure SQL assessment.

+2. Select the assessment name, which you wish to view. As an example(estimations and costs, for example, only):

+

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-summary-inline.png" alt-text="Screenshot of Overview of SQL assessment." lightbox="./media/tutorial-assess-sql/assessment-sql-summary-expanded.png":::

+3. Review the assessment summary. You can also edit the assessment settings or recalculate the assessment.

+### Discovered entities

+This indicates the number of SQL servers, instances, and databases that were assessed in this assessment.

+### SQL Server migration scenarios

+This indicates the different migration strategies that you can consider for your SQL deployments. You can review the readiness for target deployment types and the cost estimates for SQL Servers/Instances/Databases that are marked ready or ready with conditions:

+1. **Recommended deployment**:

+This is a strategy where an Azure SQL deployment type that is the most compatible with your SQL instance. It is the most cost-effective and is recommended. Migrating to a Microsoft-recommended target reduces your overall migration effort. If your instance is ready for SQL Server on Azure VM, Azure SQL Managed Instance and Azure SQL Database, the target deployment type, which has the least migration readiness issues and is the most cost-effective is recommended.

+You can see the SQL Server instance readiness for different recommended deployment targets and monthly cost estimates for SQL instances marked *Ready* and *Ready with conditions*.

+ - You can go to the Readiness report to:

+ - Review the recommended Azure SQL configurations for migrating to SQL Server on Azure VM and/or Azure SQL databases and/or Azure SQL Managed Instances.

+ - Understand details around migration issues/warnings that you can remediate before migration to the different Azure SQL targets. [Learn More](concepts-azure-sql-assessment-calculation.md).

+ - You can go to the cost estimates report to review cost of each of the SQL instance after migrating to the recommended deployment target.

+ > [!NOTE]

+ > In the recommended deployment strategy, migrating instances to SQL Server on Azure VM is the recommended strategy for migrating SQL Server instances. When the SQL Server credentials are not available, the Azure SQL assessment provides right-sized lift-and-shift, that is, *Server to SQL Server on Azure VM* recommendations.

+1. **Migrate all instances to Azure SQL MI**:

+In this strategy, you can see the readiness and cost estimates for migrating all SQL Server instances to Azure SQL Managed Instance.

+1. **Migrate all instances to SQL Server on Azure VM**:

+In this strategy, you can see the readiness and cost estimates for migrating all SQL Server instances to SQL Server on Azure VM.

+1. **Migrate all servers to SQL Server on Azure VM**:

+In this strategy, you can see how you can rehost the servers running SQL Server to SQL Server on Azure VM and review the readiness and cost estimates.

+Even when SQL Server credentials are not available, this report will provide right-sized lift-and-shift, that is, "Server to SQL Server on Azure VM" recommendations. The readiness and sizing logic is similar to Azure VM assessment type.

+1. **Migrate all SQL databases to Azure SQL Database**

+In this strategy, you can see how you can migrate individual databases to Azure SQL Database and review the readiness and cost estimates.

+You can review readiness reports for different migration strategies:

+1. Select the **Readiness** report for any of the migration strategies.

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-readiness-inline.png" alt-text="Screenshot with Details of Azure SQL readiness" lightbox="./media/tutorial-assess-sql/assessment-sql-readiness-expanded.png":::

+1. Review the readiness columns in the respective reports:

+ **Migration strategy** | **Readiness Columns (Respective deployment target)**

+ |

+ Recommended | MI readiness (Azure SQL MI), VM readiness (SQL Server on Azure VM), DB readiness (Azure SQL DB).

+ Instances to Azure SQL MI | MI readiness (Azure SQL Managed Instance)

+ Instances to SQL Server on Azure VM | VM readiness (SQL Server on Azure VM).

+ Servers to SQL Server on Azure VM | Azure VM readiness (SQL Server on Azure VM).

+ Databases to Azure SQL DB | DB readiness (Azure SQL Database)

+1. Review the readiness for the assessed SQL instances/SQL Servers/Databases:

+ - **Ready**: The instance/server is ready to be migrated to SQL Server on Azure VM/Azure SQL MI/Azure SQL DB without any migration issues or warnings.

+ - Ready: The instance is ready to be migrated to Azure VM/Azure SQL MI/Azure SQL DB without any migration issues but has some migration warnings that you need to review. You can select the hyperlink to review the migration warnings and the recommended remediation guidance.

+ - **Ready with conditions**: The instance/server has one or more migration issues for migrating to Azure VM/Azure SQL MI/Azure SQL DB. You can select on the hyperlink and review the migration issues and the recommended remediation guidance.

+ - **Not ready**: The assessment could not find a SQL Server on Azure VM/Azure SQL MI/Azure SQL DB configuration meeting the desired configuration and performance characteristics. Select the hyperlink to review the recommendation to make the instance/server ready for the desired target deployment type.

+ - **Unknown**: Azure Migrate can't assess readiness, because the discovery is in progress or there are issues during discovery that need to be fixed from the notifications blade. If the issue persists, contact [Microsoft support](https://support.microsoft.com).

+1. Select the instance name and drill-down to see the number of user databases, instance details including instance properties, compute (scoped to instance) and source database storage details.

+1. Click the number of user databases to review the list of databases and their details.

+1. Click review details in the **Migration issues** column to review the migration issues and warnings for a particular target deployment type.

+The assessment summary shows the estimated monthly compute and storage costs for Azure SQL configurations corresponding to the recommended SQL Server on Azure VM and/or Azure SQL Managed Instances and/or Azure SQL Database deployment type.

+ - Cost estimates are based on the recommended Azure SQL configuration for an instance/server/database.

+ - Estimated total(compute and storage) monthly costs are displayed. As an example:

+ :::image type="content" source="./media/tutorial-assess-sql/assessment-sql-cost-inline.png" alt-text="Screenshot of cost details." lightbox="./media/tutorial-assess-sql/assessment-sql-cost-expanded.png":::

+ - The compute and storage costs are split in the individual cost estimates reports and at instance/server/database level.

+## Update (May 2022)

+- Upgraded the Azure SQL assessment experience to identify the ideal migration target for your SQL deployments across Azure SQL MI, SQL Server on Azure VM, and Azure SQL DB:

+ - We recommended migrating instances to *SQL Server on Azure VM* as per the Azure best practices.

+ - *Right sized Lift and Shift* - Server to *SQL Server on Azure VM*. We recommend this when SQL Server credentials are not available.

+ - Enhanced user-experience that covers readiness and cost estimates for multiple migration targets for SQL deployments in one assessment.

+

+Bug fix release: 5.7.37

+Refer to the MySQL [release notes](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-37.html) to learn more about improvements and fixes in this version.

+## MySQL Version 8

+Bug fix release: 8.0.28

+Refer to the MySQL [release notes](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html) to learn more about improvements and fixes in this version.

+ az mysql flexible-server create --name myservername --sku-name Standard_D2ds_v4 --tier GeneralPurpose --resource-group myresourcegroup --high-availability ZoneRedundant --location eastus

+> App services deployed under App Service Plan do not support NSG Flow Logs. Please refer [this documentaion](/azure/app-service/overview-vnet-integration#how-regional-virtual-network-integration-works.md) for additional details.

+description: Learn about traffic analytics. Gain an overview of this solution for viewing network activity, securing networks, and optimizing performance.

+ - references_regions

+ - devx-track-azurepowershell

+ - kr2b-contr-experiment

+# Traffic analytics

+Traffic analytics is a cloud-based solution that provides visibility into user and application activity in your cloud networks. Specifically, traffic analytics analyzes Azure Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With traffic analytics, you can:

+- Visualize network activity across your Azure subscriptions.

+- Identify hot spots.

+- Secure your network by using information about the following components to identify threats:

+ - Open ports

+ - Applications that attempt to access the internet

+ - Virtual machines (VMs) that connect to rogue networks

+- Optimize your network deployment for performance and capacity by understanding traffic flow patterns across Azure regions and the internet.

+- Pinpoint network misconfigurations that can lead to failed connections in your network.

+> Traffic analytics now supports collecting NSG flow logs data at a frequency of every 10 minutes.

+It's vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance. Knowing your own environment is of paramount importance to protect and optimize it. You often need to know the current state of the network, including the following information:

+- Who is connecting to the network?

+- Where are they connecting from?

+- Which ports are open to the internet?

+- What's the expected network behavior?

+- Is there any irregular network behavior?

+- Are there any sudden rises in traffic?

+Cloud networks are different from on-premises enterprise networks. In on-premises networks, routers and switches support NetFlow and other, equivalent protocols. You can use these devices to collect data about IP network traffic as it enters or exits a network interface. By analyzing traffic flow data, you can build an analysis of network traffic flow and volume.

+With Azure virtual networks, NSG flow logs collect data about the network. These logs provide information about ingress and egress IP traffic through an NSG that's associated with individual network interfaces, VMs, or subnets. After analyzing raw NSG flow logs, traffic analytics combines the log data with intelligence about security, topology, and geography. Traffic analytics then provides you with insights into traffic flow in your environment.

+Traffic analytics provides the following information:

+- Most-communicating hosts

+- Most-communicating application protocols

+- Most-conversing host pairs

+- Allowed and blocked traffic

+- Inbound and outbound traffic

+- Open internet ports

+- Most-blocking rules

+- Traffic distribution per Azure datacenter, virtual network, subnets, or rogue network

+- **Network security group (NSG)**: A resource that contains a list of security rules that allow or deny network traffic to resources that are connected to an Azure virtual network. NSGs can be associated with subnets, individual VMs (classic), or individual network interfaces (NICs) that are attached to VMs (Resource Manager). For more information, see [Network security group overview](../virtual-network/network-security-groups-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).

+- **NSG flow logs**: Recorded information about ingress and egress IP traffic through an NSG. NSG flow logs are written in JSON format and include:

+ - Outbound and inbound flows on a per rule basis.

+ - The NIC that the flow applies to.

+ - Information about the flow, such as the source and destination IP address, the source and destination port, and the protocol.

+ - The status of the traffic, such as allowed or denied.

+ For more information about NSG flow logs, see [NSG flow logs](network-watcher-nsg-flow-logging-overview.md).

+- **Log Analytics**: A tool in the Azure portal that you use to work with Azure Monitor Logs data. Azure Monitor Logs is an Azure service that collects monitoring data and stores the data in a central repository. This data can include events, performance data, or custom data that's provided through the Azure API. After this data is collected, it's available for alerting, analysis, and export. Monitoring applications such as network performance monitor and traffic analytics use Azure Monitor Logs as a foundation. For more information, see [Azure Monitor Logs](../azure-monitor/logs/log-query-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). Log Analytics provides a way to edit and run queries on logs. You can also use this tool to analyze query results. For more information, see [Overview of Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).

+- **Log Analytics workspace**: The environment that stores Azure Monitor log data that pertains to an Azure account. For more information about Log Analytics workspaces, see [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).

+- **Network Watcher**: A regional service that you can use to monitor and diagnose conditions at a network-scenario level in Azure. You can use Network Watcher to turn NSG flow logs on and off. For more information, see [Network Watcher](network-watcher-monitoring-overview.md).

+Traffic analytics examines raw NSG flow logs. It then reduces the log volume by aggregating flows that have a common source IP address, destination IP address, destination port, and protocol.

+An example might involve Host 1 at IP address 10.10.10.10 and Host 2 at IP address 10.10.20.10. Suppose these two hosts communicate 100 times over a period of one hour. The raw flow log has 100 entries in this case. If these hosts use the HTTP protocol on port 80 for each of those 100 interactions, the reduced log has one entry. That entry states that Host 1 and Host 2 communicated 100 times over a period of one hour by using the HTTP protocol on port 80.

+Reduced logs are enhanced with geography, security, and topology information and then stored in a Log Analytics workspace. The following diagram shows the data flow:

+Before you use traffic analytics, ensure your environment meets the following requirements.

+One of the following [Azure built-in roles](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) needs to be assigned to your account:

+If none of the preceding built-in roles are assigned to your account, assign a [custom role](../role-based-access-control/custom-roles.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) to your account. The custom role should support the following actions at the subscription level:

+- `Microsoft.Network/applicationGateways/read`

+- `Microsoft.Network/connections/read`

+- `Microsoft.Network/loadBalancers/read`

+- `Microsoft.Network/localNetworkGateways/read`

+- `Microsoft.Network/networkInterfaces/read`

+- `Microsoft.Network/networkSecurityGroups/read`

+- `Microsoft.Network/publicIPAddresses/read"`

+- `Microsoft.Network/routeTables/read`

+- `Microsoft.Network/virtualNetworkGateways/read`

+- `Microsoft.Network/virtualNetworks/read`

+- `Microsoft.Network/expressRouteCircuits/read`

+For information about how to check user access permissions, see [Traffic analytics FAQ](traffic-analytics-faq.yml).

+To get answers to frequently asked questions about traffic analytics, see [Traffic analytics FAQ](traffic-analytics-faq.yml).

+- To learn how to turn on flow logs, see [Enable NSG flow log](network-watcher-nsg-flow-logging-portal.md#enable-nsg-flow-log).

+- To understand the schema and processing details of traffic analytics, see [Traffic analytics schema](traffic-analytics-schema.md).

+# Configure OVN-Kubernetes network provider for Azure Red Hat OpenShift clusters (preview)

+## About the OVN-Kubernetes default Container Network Interface (CNI) network provider

+OVN-Kubernetes Container Network Interface (CNI) for Azure Red Hat OpenShift cluster is now available for preview.

+1. Verify your permissions.

+2. Register the resource providers.

+3. Create a virtual network containing two empty subnets.

+4. Create an Azure Red Hat OpenShift cluster by using OVN CNI network provider.

+5. Verify the Azure Red Hat OpenShift cluster is using OVN CNI network provider.

+ --pull-secret @pull-secret.txt

+## Recommended content

+[Tutorial: Create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md)

+ Title: What is the Space Partner Community?

+description: Overview of the Azure Space Partner Community

+# Customer intent: Educate potential partners on how to engage with the Azure Space partner Communities.

+# What is the Azure Space Partner Community?

+## Why join the Azure Space Partner Community?

+We believe in a better together story for Space and Spectrum partners running on Azure. By joining the community, you can gain access to various benefits such as:

+To join the community, we ask partners to commit to:

+- Reach out to [Azure Space Partner Community](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5Mbl7o3PghInEJV6ey1cpVUMVIzNU5XR0JWQ05RQjU3VDNaT1hDUE1BQS4u) to learn more and sign a non-disclosure agreement

+ Title: Azure Data Factory

+description: Step-by-step guide for using Azure Data Factory for ingestion on Hyperscale Citus

+# How to ingest data using Azure Data Factory

+[Azure Data Factory](../../data-factory/introduction.md) (ADF) is a cloud-based

+ETL and data integration service. It allows you to create data-driven workflows

+to move and transform data at scale.

+Using Azure Data Factory, you can create and schedule data-driven workflows

+(called pipelines) that ingest data from disparate data stores. Pipelines can

+run on-premises, in Azure, or on other cloud providers for analytics and

+reporting.

+ADF has a data sink for Hyperscale (Citus). The data sink allows you to bring

+your data (relational, NoSQL, data lake files) into Hyperscale (Citus) tables

+for storage, processing, and reporting.

+

+## ADF for real-time ingestion to Hyperscale (Citus)

+Here are key reasons to choose Azure Data Factory for ingesting data into

+Hyperscale (Citus):

+* **Easy-to-use** - Offers a code-free visual environment for orchestrating and automating data movement.

+* **Powerful** - Uses the full capacity of underlying network bandwidth, up to 5 GiB/s throughput.

+* **Built-in Connectors** - Integrates all your data sources, with more than 90 built-in connectors.

+* **Cost Effective** - Supports a pay-as-you-go, fully managed serverless cloud service that scales on demand.

+## Steps to use ADF with Hyperscale (Citus)

+In this article, we'll create a data pipeline by using the Azure Data Factory

+user interface (UI). The pipeline in this data factory copies data from Azure

+Blob storage to a database in Hyperscale (Citus). For a list of data stores

+supported as sources and sinks, see the [supported data

+stores](../../data-factory/copy-activity-overview.md#supported-data-stores-and-formats)

+table.

+In Azure Data Factory, you can use the **Copy** activity to copy data among

+data stores located on-premises and in the cloud to Hyperscale Citus. If you're

+new to Azure Data Factory, here's a quick guide on how to get started:

+1. Once ADF is provisioned, go to your data factory. You'll see the Data

+ Factory home page as shown in the following image:

+ :::image type="content" source="../media/howto-hyperscale-ingestion/azure-data-factory-home.png" alt-text="Landing page of Azure Data Factory." border="true":::

+2. On the home page, select **Orchestrate**.

+ :::image type="content" source="../media/howto-hyperscale-ingestion/azure-data-factory-orchestrate.png" alt-text="Orchestrate page of Azure Data Factory." border="true":::

+3. In the General panel under **Properties**, specify the desired pipeline name.

+4. In the **Activities** toolbox, expand the **Move and Transform** category,

+ and drag and drop the **Copy Data** activity to the pipeline designer

+ surface. Specify the activity name.

+ :::image type="content" source="../media/howto-hyperscale-ingestion/azure-data-factory-pipeline-copy.png" alt-text="Pipeline in Azure Data Factory." border="true":::

+5. Configure **Source**

+ :::image type="content" source="../media/howto-hyperscale-ingestion/azure-data-factory-configure-source.png" alt-text="Configuring Source in of Azure Data Factory." border="true":::

+ 1. Go to the Source tab. Select** + New **to create a source dataset.

+ 2. In the **New Dataset** dialog box, select **Azure Blob Storage**, and then select **Continue**.

+ 3. Choose the format type of your data, and then select **Continue**.

+ 4. Under the **Linked service** text box, select **+ New**.

+ 5. Specify Linked Service name and select your storage account from the **Storage account name** list. Test connection

+ 6. Next to **File path**, select **Browse** and select the desired file from BLOB storage.

+ 7. Select **Ok** to save the configuration.

+6. Configure **Sink**

+ :::image type="content" source="../media/howto-hyperscale-ingestion/azure-data-factory-configure-sink.png" alt-text="Configuring Sink in of Azure Data Factory." border="true":::

+ 1. Go to the Sink tab. Select **+ New** to create a source dataset.

+ 2. In the **New Dataset** dialog box, select **Azure Database for PostgreSQL**, and then select **Continue**.

+ 3. Under the **Linked service** text box, select **+ New**.

+ 4. Specify Linked Service name and select your server group from the list for Hyperscale (Citus) server groups. Add connection details and test the connection

+ > [!NOTE]

+ >

+ > If your server group is not present in the drop down, use the **Enter

+ > manually** option to add server details.

+ 5. Select the table name where you want to ingest the data.

+ 6. Specify **Write method** as COPY command.

+ 7. Select **Ok** to save the configuration.

+7. From the toolbar above the canvas, select **Validate** to validate pipeline

+ settings. Fix errors (if any), revalidate and ensure that the pipeline has

+ been successfully validated.

+8. Select Debug from the toolbar execute the pipeline.

+ :::image type="content" source="../media/howto-hyperscale-ingestion/azure-data-factory-execute.png" alt-text="Debug and Execute in of Azure Data Factory." border="true":::

+9. Once the pipeline can run successfully, in the top toolbar, select **Publish

+ all**. This action publishes entities (datasets, and pipelines) you created

+ to Data Factory.

+## Calling a Stored Procedure in ADF

+In some specific scenarios, you might want to call a stored procedure/function

+to push aggregated data from staging table to summary table. As of today, ADF

+doesn't offer Stored Procedure activity for Azure Database for Postgres, but as

+a workaround we can use Lookup Activity with query to call a stored procedure

+as shown below:

+## Next steps

+Learn how to create a [real-time

+dashboard](tutorial-design-database-realtime.md) with Hyperscale (Citus).

+| Azure Storage | Microsoft.Storage/storageAccounts | Blob (blob, blob_secondary)<BR> Table (table, table_secondary)<BR> Queue (queue, queue_secondary)<BR> File (file, file_secondary)<BR> Web (web, web_secondary)<BR> Dfs (dfs, dfs_secondary) |

+Azure RBAC is an authorization system built on [Azure Resource Manager](../azure-resource-manager/management/overview.md) that provides fine-grained access management to Azure resources.

+AI enrichment is an extension of an [**indexer pipeline**](search-indexer-overview.md). It has all of the base components (indexer, data source, index), plus a [**skillset**](cognitive-search-working-with-skillsets.md) that specifies atomic enrichment steps.

+The following diagram shows the progression of AI enrichment:

+ :::image type="content" source="media/cognitive-search-intro/cognitive-search-enrichment-architecture.png" alt-text="Diagram of an enrichment pipeline." border="true":::

+**Import** is the first step. Here, the indexer connects to a data source and pulls content (documents) into the search service. [Azure Blob Storage](../storage/blobs/storage-blobs-overview.md) is the most common resource used in AI enrichment scenarios, but any supported data source can provide content.

+**Enrich & Index** covers most of the AI enrichment pipeline:

+ Enriched content is generated during skillset execution, and is temporary unless you save it. In order for enriched content to appear in a search index, the indexer must have mapping information so that it can send enriched content to a field in a search index. Output field mappings set up these associations.

+**Exploration** is the last step. Output is always a [search index](search-what-is-an-index.md) that you can query from a client app. Output can optionally be a [knowledge store](knowledge-store-concept-intro.md) consisting of blobs and tables in Azure Storage that are accessed through data exploration tools or downstream processes. [Field mappings](search-indexer-field-mappings.md), [output field mappings](cognitive-search-output-field-mapping.md), and [projections](knowledge-store-projection-overview.md) determine the data paths that direct content out of the pipeline and into a search index or knowledge store. The same enriched content can appear in both, using implicit or explicit field mappings to send the content to the correct fields.

+<!--  -->

+Enrichment is useful if raw content is unstructured text, image content, or content that needs language detection and translation. Applying AI through the [*built-in skills*](cognitive-search-predefined-skills.md) can unlock this content for full text search and data science applications.

+Enrichment also unlocks external processing that you provide. Open-source, third-party, or first-party code can be integrated into the pipeline as a custom skill. Classification models that identify salient characteristics of various document types fall into this category, but any external package that adds value to your content could be used.

+Built-in skills are based on the Cognitive Services APIs: [Computer Vision](../cognitive-services/computer-vision/index.yml) and [Language Service](../cognitive-services/language-service/overview.md). Unless your content input is small, expect to [attach a billable Cognitive Services resource](cognitive-search-attach-cognitive-services.md) to run larger workloads.

+A [skillset](cognitive-search-defining-skillset.md) that's assembled using built-in skills is well suited for the following application scenarios:

+[**Custom skills**](cognitive-search-create-custom-skill-example.md) execute external code that you provide. Custom skills can support more complex scenarios, such as recognizing forms, or custom entity detection using a model that you provide and wrap in the [custom skill web interface](cognitive-search-custom-skill-interface.md). Several examples of custom skills include:

+Custom skills arenΓÇÖt always complex. For example, if you have an existing package that provides pattern matching or a document classification model, you can wrap it in a custom skill.

+## Storing output

+In Azure Cognitive Search, an indexer saves the output it creates. A single indexer run can create up to three data structures that contain enriched and indexed output.

+| Data store | Required | Location | Description |

+||-|-|-|

+| [**searchable index**](search-what-is-an-index.md) | Required | Search service | Used for full text search and other query forms. Specifying an index is an indexer requirement. Index content is populated from skill outputs, plus any source fields that are mapped directly to fields in the index. |

+| [**knowledge store**](knowledge-store-concept-intro.md) | Optional | Azure Storage | Used for downstream apps like knowledge mining or data science. A knowledge store is defined within a skillset. Its definition determines whether your enriched documents are projected as tables or objects (files or blobs) in Azure Storage. |

+| [**enrichment cache**](cognitive-search-incremental-indexing-conceptual.md) | Optional | Azure Storage | Used for caching enrichments for reuse in subsequent skillset executions. The cache stores imported, unprocessed content (cracked documents). It also stores the enriched documents created during skillset execution. Caching is particularly helpful if you're using image analysis or OCR, and you want to avoid the time and expense of reprocessing image files. |

+## Exploring content

+After you've defined and loaded a [search index](search-what-is-an-index.md) or a [knowledge store](knowledge-store-concept-intro.md), you can explore its data.

+### Query a search index

+### Use data exploration tools on a knowledge store

+## Availability and pricing

+Enrichment is available in regions that have Azure Cognitive Services. You can check the availability of enrichment on the [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=search) page. Enrichment is available in all regions except:

+Billing follows a pay-as-you-go pricing model. The costs of using built-in skills are passed on when a multi-region Cognitive Services key is specified in the skillset. There are also costs associated with image extraction, as metered by Cognitive Search. Text extraction and utility skills, however, aren't billable. For more information, see [How you're charged for Azure Cognitive Search](search-sku-manage-costs.md#how-youre-charged-for-azure-cognitive-search).

+An enrichment pipeline consists of [*indexers*](search-indexer-overview.md) that have [*skillsets*](cognitive-search-working-with-skillsets.md). A skillset defines the enrichment steps, and the indexer drives the skillset. When configuring an indexer, you can include properties like output field mappings that send enriched content to a [search index](search-what-is-an-index.md) or projections that define data structures in a [knowledge store](knowledge-store-concept-intro.md).

+Post-indexing, you can access content via search requests through all [query types supported by Azure Cognitive Search](search-query-overview.md).

+1. Start with a subset of data. Indexer and skillset design is an iterative process, and the work goes faster with a small representative data set.

+1. Create a [skillset](cognitive-search-defining-skillset.md) to add enrichment steps. If you're using a knowledge store, you'll specify it in this step. Unless you're doing a small proof-of-concept exercise, you'll want to [attach a multi-region Cognitive Services resource](cognitive-search-attach-cognitive-services.md) to the skillset.

+1. Create an [index schema](search-how-to-create-search-index.md) that defines a search index.

+1. Create and run the [indexer](search-howto-create-indexers.md) to bring all of the above components together. This step retrieves the data, runs the skillset, and loads the index. An indexer is also where you specify field mappings and output field mappings that set up the data path to a search index.

+ If possible, [enable enrichment caching](cognitive-search-incremental-indexing-conceptual.md) in the indexer configuration. This step allows you to reuse existing enrichments later on.

+1. Run [queries](search-query-create.md) to evaluate results and modify code to update skillsets, schema, or indexer configuration.

+1. To repeat any of the above steps, [reset the indexer](search-howto-reindex.md) before you run it. Or, delete and recreate the objects on each run (recommended if youΓÇÖre using the free tier). If you enabled caching the indexer will pull from the cache if data is unchanged at the source, and if your edits to the pipeline don't invalidate the cache.

+| `defaultLanguageCode` | A string indicating the language to return. The service returns recognition results in a specified language. If this parameter isn't specified, the default value is "en". <br/><br/>Supported languages include all generally available languages documented under the [Cognitive Services Computer Vision language support documentation](../cognitive-services/computer-vision/language-support.md#image-analysis).|

+| `visualFeatures` | An array of strings indicating the visual feature types to return. Valid visual feature types include: <ul><li>*adult* - detects if the image is pornographic (depicts nudity or a sex act), gory (depicts extreme violence or blood) or suggestive (also known as racy content). </li><li>*brands* - detects various brands within an image, including the approximate location. </li><li> *categories* - categorizes image content according to a [taxonomy](../cognitive-services/Computer-vision/Category-Taxonomy.md) defined by Cognitive Services. </li><li>*description* - describes the image content with a complete sentence in supported languages.</li><li>*faces* - detects if faces are present. If present, generates coordinates, gender and age. </li><li>*objects* - detects various objects within an image, including the approximate location. </li><li> *tags* - tags the image with a detailed list of words related to the image content.</li></ul> Names of visual features are case-sensitive. Both *color* and *imageType* visual features have been deprecated, but you can access this functionality through a [custom skill](./cognitive-search-custom-skill-interface.md). Refer to the [Computer Vision Image Analysis documentation](../cognitive-services/computer-vision/language-support.md#image-analysis) on which visual features are supported with each `defaultLanguageCode`.|

+| `objects` | Output is an array of [visual feature objects](../cognitive-services/computer-vision/concept-object-detection.md). Each object is a complex type, consisting of `object` (string), `confidence` (double), `rectangle` (with four bounding box coordinates indicating placement inside the image), and a `parent` that contains an object name and confidence . |

+An OCR skill uses the machine learning models provided by [Computer Vision](../cognitive-services/computer-vision/overview.md) API [v3.2](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) in Cognitive Services. The **OCR** skill maps to the following functionality:

+| `detectOrientation` | Detects image orientation. Valid values are `true` or `false`. <br/><br/> This parameter only applies if the [legacy OCR](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f20d) API is used. |

+| `defaultLanguageCode` | Language code of the input text. Supported languages include all generally available languages documented under the [Cognitive Services Computer Vision language support documentation](../cognitive-services/computer-vision/language-support.md#optical-character-recognition-ocr) and `unk` (Unknown). <br/><br/> If the language code is unspecified or null, the language is set to English. If the language is explicitly set to `unk`, all languages found are auto-detected and returned. </p> |

+Unfamiliar with relevance concepts? The following video segment fast-forwards to how scoring profiles work in Azure Cognitive Search, but the video also covers basic concepts. You might also want to review [Relevance and scoring in Azure Cognitive Search](index-similarity-and-scoring.md) for more background.

+A scoring profile is part of the index definition and is composed of weighted fields, functions, and parameters. The purpose of a scoring profile is to boost or amplify matching documents based on criteria you provide.

+The following definition shows a simple profile named 'geo'. This example boosts results that have the search term in the hotelName field. It also uses the `distance` function to favor results that are within 10 kilometers of the current location. If someone searches on the term 'inn', and 'inn' happens to be part of the hotel name, documents that include hotels with 'inn' within a 10 KM radius of the current location will appear higher in the search results.

+This query searches on the term "inn" and passes in the current location. Notice that this query includes other parameters, such as scoringParameter. Query parameters, including "scoringParameter", are described in [Search Documents (REST API)](/rest/api/searchservice/Search-Documents).

+> [!TIP]

+Relevancy-based ordering in a search page is also implemented through scoring profiles. Consider search results pages youΓÇÖve used in the past that let you sort by price, date, rating, or relevance. In Azure Cognitive Search, scoring profiles can be used to drive the ΓÇÿrelevanceΓÇÖ option. The definition of relevance is user-defined, predicated on business objectives and the type of search experience you want to deliver.

+Use weighted fields when field context is important and queries are full text search. For example, if a query includes the term "airport", you might want "airport" in the Description field to have more weight than in the HotelName.

+Use functions when simple relative weights are insufficient or don't apply, as is the case of distance and freshness, which are calculations over numeric data. You can specify multiple functions per scoring profile.

+| "freshness" | Boosts by values in a datetime field (`Edm.DateTimeOffset`). This function has a "boostingDuration" attribute so that you can specify a value representing a timespan over which boosting occurs. |

+| "magnitude" | Boosts based on how high or low a numeric value is. Scenarios that call for this function include boosting by profit margin, highest price, lowest price, or a count of downloads. This function can only be used with `Edm.Double` and `Edm.Int` fields. For the magnitude function, you can reverse the range, high to low, if you want the inverse pattern (for example, to boost lower-priced items more than higher-priced items). Given a range of prices from $100 to $1, you would set "boostingRangeStart" at 100 and "boostingRangeEnd" at 1 to boost the lower-priced items. |

+| "distance" | Boosts by proximity or geographic location. This function can only be used with `Edm.GeographyPoint` fields. |

+| "tag" | Boosts by tags that are common to both search documents and query strings. Tags are provided in a "tagsParameter". This function can only be used with search fields of type `Edm.String` and `Collection(Edm.String)`. |

+| name | Required. This is the name of the scoring profile. It follows the same naming conventions of a field. It must start with a letter, can't contain dots, colons or @ symbols, and can't start with the phrase azureSearch (case-sensitive).|

+| functions > boost | Required for scoring functions. A positive number used as multiplier for raw score. It can't be equal to 1.|

+| functions > distance | The distance scoring function is used to affect the score of documents based on how close or far they are relative to a reference geographic location. The reference location is given as part of the query in a parameter (using the scoringParameter query parameter) as a `lon,lat` argument.|

+|functions > distance > referencePointParameter | A parameter to be passed in queries to use as reference location (using the scoringParameter query parameter). |

+| functions > tag > tagsParameter | A parameter to be passed in queries to specify tags for a particular request (using the scoringParameter query parameter). The parameter consists of a comma-delimited list of whole terms. If a given tag within the list is itself a comma-delimited list, you can [use a text normalizer](search-normalizers.md) on the field to strip out the commas at query time (map the comma character to a space). This approach will "flatten" the list so that all terms are a single, long string of comma-delimited terms. |

+| <a name=eventresultdetails></a>**EventResultDetails** | Mandatory | Enumerated | For DNS events, this field provides the [DNS response code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>**Notes**:<br>- IANA doesn't define the case for the values, so analytics must normalize the case.<br> - If the source provides only a numerical response code and not a response code name, the parser must include a lookup table to enrich with this value. <br>- If this record represents a request and not a response, set to **NA**. <br><br>Example: `NXDOMAIN` |

+| **DstRiskLevel** | Optional | Integer | The risk level associated with the destination. The value should be adjusted to a range of 0 to 100, which 0 being benign and 100 being a high risk.<br><br>Example: `90` |

+| <a name=query></a>**DnsQuery** | Mandatory | String | The domain that the request tries to resolve. <br><br>**Notes**:<br> - Some sources send valid FQDN queries in a different format. For example, in the DNS protocol itself, the query includes a dot (**.**) at the end, which must be removed.<br>- While the DNS protocol limits the type of value in this field to an FQDN, most DNS servers allow any value, and this field is therefore not limited to FQDN values only. Most notably, DNS tunneling attacks may use invalid FQDN values in the query field.<br>- While the DNS protocol allows for multiple queries in a single request, this scenario is rare, if it's found at all. If the request has multiple queries, store the first one in this field, and then and optionally keep the rest in the [AdditionalFields](normalization-common-fields.md#additionalfields) field.<br><br>Example: `www.malicious.com` |

+| **DnsQueryTypeName** | Recommended | Enumerated | The [DNS Resource Record Type](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml) names. <br><br>**Notse**:<br> -IANA doesn't define the case for the values, so analytics must normalize the case as needed.<br>- The value `ANY` is supported for the response code 255.<br> - The value `TYPExxxx` is supported for unmapped response codes, where `xxxx` is the numerical value of the response code. This conforms to BIND's logging practice.<br> -If the source provides only a numerical query type code and not a query type name, the parser must include a lookup table to enrich with this value.<br><br>Example: `AAAA`|

+ <parser name> | limit <X> | invoke ASimDataTester ( ['<schema>'] )

+Specifying a schema is optional. If a schema is not specified, the `EventSchema` field is used to identify the schema the event should adhere to. Ig an event does not include an `EventSchema` field, only common fields will be verified. If a schema is specified as a parameter, this schema will be used to test all records. This is useful for older parsers that do not set the `EventSchema` field.

+> [!NOTE]

+> Even when a schema is not specified, empty parentheses are needed after the function name.

+>

+- The role-based access control (RBAC) settings are not migrated, so you will need to add them manually after the migration.

+### RBAC settings

+The role-based access control (RBAC) settings on the namespace aren't migrated to the premium namespace. You'll need to add them manually after the migration.

+- RSA keys must be minimum 2048 bits in length.

+- User supplied passwords are not supported. Passwords are generated by Azure and are minimum 88 characters in length.

+

+- TLS and SSL are not related to SFTP.

+ If you select **SSH Password**, then your password will appear when you've completed all of the steps in the **Add local user** configuration pane. Note that SSH passwords are generated by Azure and are minimum 88 characters in length.

+ > You can't retrieve this password later, so make sure to copy the password, and then store it in a place where you can find it. If you lose this password, you'll have to generate a new one. Note that SSH passwords are generated by Azure and are minimum 88 characters in length.

+ > You can't retrieve this password later, so make sure to copy the password, and then store it in a place where you can find it. If you lose this password, you'll have to generate a new one. Note that SSH passwords are generated by Azure and are minimum 88 characters in length.

+## Networking considerations

+When using SFTP, you may want to limit public access through configuration of a firewall, virtual network, or private endpoint. These settings are enforced at the application layer, which means they are not specific to SFTP and will impact connectivity to all Azure Storage Endpoints. For more information on firewalls and network configuration, see [Configure Azure Storage firewalls and virtual networks](../common/storage-network-security.md).

+> [!NOTE]

+> Audit tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the storage account endpoint. For more information, see [Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account](../common/transport-layer-security-configure-minimum-version.md).

+| rsa-sha2-256 ¹ | ecdh-sha2-nistp384 | aes128-gcm@openssh.com | hmac-sha2-256 | ssh-rsa ¹ |

+| rsa-sha2-512 ¹ | ecdh-sha2-nistp256 | aes256-gcm@openssh.com | hmac-sha2-512 | ecdsa-sha2-nistp256 |

+¹ Requires minimum key length of 2048 bits.

+SFTP support for Azure Blob Storage currently limits its cryptographic algorithm support based on security considerations. We strongly recommend that customers utilize [Microsoft Security Development Lifecycle (SDL) approved algorithms](/security/sdl/cryptographic-recommendations) to securely access their data.

+> [!IMPORTANT]

+> At this time, we do not plan on supporting the following: `ssh-dss`, `diffie-hellman-group14-sha1`, `diffie-hellman-group1-sha1`, `hmac-sha1`, `hmac-sha1-96`.

+Algorithm support is subject to change in the future.

+# Use GitHub Actions workflow to deploy your static website in Azure Storage

+`DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;`

+`DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;`

+>Media optimization for Teams is supported for Microsoft 365 Government (GCC) and GCC-High environments. Media optimization for Teams isn't supported for Microsoft 365 DoD.

+>- macOS Remote Desktop client, version 10.7.7 or later.

+- Install the [Remote Desktop client](./user-documentation/connect-windows-7-10.md) on a Windows 10, Windows 10 IoT Enterprise, Windows 11, or macOS 10.14 or later device that meets the [hardware requirements for Microsoft Teams](/microsoftteams/hardware-requirements-for-the-teams-app#hardware-requirements-for-teams-on-a-windows-pc/).

+ There are two flags that may be set when installing teams, **ALLUSER=1** and **ALLUSERS=1**. It's important to understand the difference between these parameters. The **ALLUSER=1** parameter is used only in VDI environments to specify a per-machine installation. The **ALLUSERS=1** parameter can be used in non-VDI and VDI environments. When you set this parameter, **Teams Machine-Wide Installer** appears in Program and Features in Control Panel as well as Apps & features in Windows Settings. All users with admin credentials on the machine can uninstall Teams.

+ If optimizations don't load, uninstall then reinstall Teams and check again.

+- Use of explicit HTTP proxies defined on the client endpoint device isn't supported.

+- New Meeting Experience (NME) isn't currently supported in VDI environments.

+### Known issues for Teams for macOS

+Enabling device redirections isn't required when using Teams with media optimization. If you're using Teams without media optimization, set the following RDP properties to enable microphone and camera redirection:

+Force delete allows you to forcefully delete your virtual machine, reducing delete latency and immediately freeing up attached resources. For VMs that do not require graceful shutdown, Force Delete aims to delete the VM as fast as possible while relieving the logical resources from the VM, bypassing some of the cleanup operations. Force delete should only be used when you are not intending to re-use virtual hard disks. You can use force delete through Portal, CLI, PowerShell, and REST API.

+ Title: 'Quickstart: Create a virtual network using Bicep'

+description: Learn how to use Bicep to create an Azure virtual network.

+# Quickstart: Create a virtual network - Bicep

+In this quickstart, you learn how to create a virtual network with two subnets using Bicep. A virtual network is the fundamental building block for your private network in Azure. It enables Azure resources, like VMs, to securely communicate with each other and with the internet.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/vnet-two-subnets)

+The following Azure resources have been defined in the Bicep file:

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks): Create an Azure virtual network.

+- [**Microsoft.Network/virtualNetworks/subnets**](/azure/templates/microsoft.network/virtualnetworks/subnets): Create a subnet.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

+ ```

+

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use Azure CLI or Azure PowerShell to review the deployed resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+You can use the Azure portal to explore the resources by browsing the settings blades for **VNet1**.

+1. On the **Overview** tab, you will see the defined address space of **10.0.0.0/16**.

+2. On the **Subnets** tab, you will see the deployed subnets of **Subnet1** and **Subnet2** with the appropriate values from the Bicep file.

+## Clean up resources

+When you no longer need the resources that you created with the virtual network, use Azure portal, Azure CLI, or Azure PowerShell to delete the resource group. This removes the virtual network and all the related resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you deployed an Azure virtual network with two subnets. To learn more about Azure virtual networks, continue to the tutorial for virtual networks.

+> [!div class="nextstepaction"]

+> [Filter network traffic](tutorial-filter-network-traffic.md)

+>

+> - The API data represents those tags that can be used with NSG rules in your region. Use the API data as the source of truth for available Service Tags as it may be different than the JSON downloadable file.

+> - It takes up to 4 weeks for new Service Tag data to propagate in the API results across all Azure regions. Because of this process, your API data results may be out of sync with the downloadable JSON file as the API data represents a subset of the tags currently in the downloadable JSON file.

+ Title: 'Tutorial: Route network traffic with a route table - Azure portal'

+# Customer intent: I want to route traffic from one subnet, to a different subnet, through a network virtual appliance.

+Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing. Custom routes are helpful when, for example, you want to route traffic between subnets through a network virtual appliance (NVA).

+In this tutorial, you learn how to:

+> * Create a virtual network and subnets

+> * Deploy virtual machines (VMs) into different subnets

+This tutorial uses the Azure portal. You can also complete it using the [Azure CLI](tutorial-create-route-table-cli.md) or [PowerShell](tutorial-create-route-table-powershell.md).

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An Azure subscription

+Sign in to the [Azure portal](https://portal.azure.com).

+In this section, you'll create a virtual network, three subnets, and a bastion host. You'll use the bastion host to securely connect to the virtual machines.

+1. From the Azure portal menu, select **+ Create a resource** > **Networking** > **Virtual network**, or search for *Virtual Network* in the portal search box.

+2. On the **Basics** tab of **Create virtual network**, enter or select this information:

+ | Resource group | Select **Create new**, enter *myResourceGroup*. </br> Select **OK**. |

+ | Name | Enter *myVirtualNetwork*. |

+ | Region | Select **East US**.|

+4. In **IPv4 address space**, select the existing address space and change it to *10.0.0.0/16*.

+4. Select **+ Add subnet**, then enter *Public* for **Subnet name** and *10.0.0.0/24* for **Subnet address range**.

+6. Select **+ Add subnet**, then enter *Private* for **Subnet name** and *10.0.1.0/24* for **Subnet address range**.

+8. Select **+ Add subnet**, then enter *DMZ* for **Subnet name** and *10.0.2.0/24* for **Subnet address range**.

+ | Bastion name | Enter *myBastionHost*. |

+ | AzureBastionSubnet address space | Enter *10.0.3.0/24*. |

+ | Public IP Address | Select **Create new**. </br> Enter *myBastionIP* for **Name**. </br> Select **OK**. |

+## Create an NVA virtual machine

+Network virtual appliances (NVAs) are virtual machines that help with network functions, such as routing and firewall optimization. In this section, you'll create an NVA using a **Windows Server 2019 Datacenter** virtual machine. You can select a different operating system if you want.

+1. From the Azure portal menu, select **+ Create a resource** > **Compute** > **Virtual machine**, or search for *Virtual machine* in the portal search box.

+1. Select **Create**.

+2. On the **Basics** tab of **Create a virtual machine**, enter or select this information:

+ | Subscription | Select your subscription. |

+ | Resource Group | Select **myResourceGroup**. |

+ | Virtual machine name | Enter *myVMNVA*. |

+ | Region | Select **(US) East US**. |

+ | Availability Options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2**. |

+ | Azure Spot instance | Select **No**. |

+ | Size | Choose VM size or take default setting. |

+ | Username | Enter a username. |

+ | Password | Enter a password. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.yml?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm-).|

+ | Confirm password | Reenter password. |

+5. Select the **Review + create** tab, or select **Review + create** button at the bottom of the page.

+In this section, you'll create a route table.

+1. From the Azure portal menu, select **+ Create a resource** > **Networking** > **Route table**, or search for *Route table* in the portal search box.

+3. Select **Create**.

+4. On the **Basics** tab of **Create route table**, enter or select this information:

+ | Name | Enter *myRouteTablePublic*. |

+ :::image type="content" source="./media/tutorial-create-route-table-portal/create-route-table.png" alt-text="Screenshot showing Basics tab of Create route table in Azure portal." border="true":::

+In this section, you'll create a route in the route table that you created in the previous steps.

+1. Select **Go to resource** or Search for *myRouteTablePublic* in the portal search box.

+3. In the **myRouteTablePublic** page, select **Routes** from the **Settings** section.

+4. In the **Routes** page, select the **+ Add** button.

+ | Route name | Enter *ToPrivateSubnet*. |

+ | Address prefix destination | Select **IP Addresses**. |

+ | Destination IP addresses/CIDR ranges| Enter *10.0.1.0/24* (The address range of the **Private** subnet created earlier). |

+ | Next hop address | Enter *10.0.2.4* (The address of **myVMNVA** VM created earlier in the **DMZ** subnet). |

+ :::image type="content" source="./media/tutorial-create-route-table-portal/add-route-inline.png" alt-text="Screenshot showing Add route configuration in Azure portal." lightbox="./media/tutorial-create-route-table-portal/add-route-expanded.png":::

+6. Select **Add**.

+In this section, you'll associate the route table that you created in the previous steps to a subnet.

+1. Search for *myVirtualNetwork* in the portal search box.

+3. In the **myVirtualNetwork** page, select **Subnets** from the **Settings** section.

+5. In **Route table**, select **myRouteTablePublic** that you created in the previous steps.

+ :::image type="content" source="./media/tutorial-create-route-table-portal/associate-route-table-inline.png" alt-text="Screenshot showing Associate route table to the Public subnet in the virtual network in Azure portal." lightbox="./media/tutorial-create-route-table-portal/associate-route-table-expanded.png":::

+You'll create two virtual machines in **myVirtualNetwork** virtual network, then you'll allow Internet Control Message Protocol (ICMP) on them so you can use *tracert* tool to trace traffic.

+> [!NOTE]

+> For production environments, we don't recommend allowing ICMP through the Windows Firewall.

+### Create public virtual machine

+1. From the Azure portal menu, select **Create a resource** > **Compute** > **Virtual machine**.

+2. In **Create a virtual machine**, enter or select this information in the **Basics** tab:

+ | Subscription | Select your subscription. |

+ | Resource Group | Select **myResourceGroup**. |

+ | Virtual machine name | Enter *myVMPublic*. |

+ | Region | Select **(US) East US**. |

+ | Availability Options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2**. |

+ | Azure Spot instance | Select **No**. |

+ | Size | Choose VM size or take default setting. |

+ | Username | Enter a username. |

+ | Password | Enter a password. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.yml?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm-).|

+ | Confirm password | Reenter password. |

+ | Subnet | Select **Public**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+### Create private virtual machine

+1. From the Azure portal menu, select **Create a resource** > **Compute** > **Virtual machine**.

+2. In **Create a virtual machine**, enter or select this information in the **Basics** tab:

+ | Subscription | Select your subscription. |

+ | Resource Group | Select **myResourceGroup**. |

+ | Virtual machine name | Enter *myVMPrivate*. |

+ | Region | Select **(US) East US**. |

+ | Availability Options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2**. |

+ | Azure Spot instance | Select **No**. |

+ | Size | Choose VM size or take default setting. |

+ | Username | Enter a username. |

+ | Password | Enter a password. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.yml?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm-).|

+ | Confirm password | Reenter password. |

+ | Subnet | Select **Private**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+### Allow ICMP in Windows firewall

+1. Select **Go to resource** or Search for *myVMPrivate* in the portal search box.

+1. In the **Overview** page of **myVMPrivate**, select **Connect** then **Bastion**.

+1. Enter the username and password you created for **myVMPrivate** virtual machine previously.

+1. Select **Connect** button.

+1. Open Windows PowerShell after you connect.

+1. Enter this command:

+ ```powershell

+ New-NetFirewallRule ΓÇôDisplayName "Allow ICMPv4-In" ΓÇôProtocol ICMPv4

+ ```

+1. From PowerShell, open a remote desktop connection to the **myVMPublic** virtual machine:

+ ```powershell

+ mstsc /v:myvmpublic

+ ```

+1. After you connect to **myVMPublic** VM, open Windows PowerShell and enter the same command from step 6.

+1. Close the remote desktop connection to **myVMPublic** VM.

+## Turn on IP forwarding

+To route traffic through the NVA, turn on IP forwarding in Azure and in the operating system of **myVMNVA** virtual machine. Once IP forwarding is enabled, any traffic received by **myVMNVA** VM that's destined for a different IP address, won't be dropped and will be forwarded to the correct destination.

+### Turn on IP forwarding in Azure

+In this section, you'll turn on IP forwarding for the network interface of **myVMNVA** virtual machine in Azure.

+1. Search for *myVMNVA* in the portal search box.

+3. In the **myVMNVA** overview page, select **Networking** from the **Settings** section.

+4. In the **Networking** page of **myVMNVA**, select the network interface next to **Network Interface:**. The name of the interface will begin with **myvmnva**.

+ :::image type="content" source="./media/tutorial-create-route-table-portal/virtual-machine-networking.png" alt-text="Screenshot showing Networking page of network virtual appliance virtual machine in Azure portal." border="true":::

+5. In the network interface overview page, select **IP configurations** from the **Settings** section.

+6. In the **IP configurations** page, set **IP forwarding** to **Enabled**, then select **Save**.

+ :::image type="content" source="./media/tutorial-create-route-table-portal/enable-ip-forwarding.png" alt-text="Screenshot showing Enabled I P forwarding in Azure portal." border="true":::

+### Turn on IP forwarding in the operating system

+In this section, you'll turn on IP forwarding for the operating system of **myVMNVA** virtual machine to forward network traffic. You'll use the same bastion connection to **myVMPrivate** VM, that you started in the previous steps, to open a remote desktop connection to **myVMNVA** VM.

+1. From PowerShell on **myVMPrivate** VM, open a remote desktop connection to the **myVMNVA** VM:

+2. After you connect to **myVMNVA** VM, open Windows PowerShell and enter this command to turn on IP forwarding:

+3. Restart **myVMNVA** VM.

+## Test the routing of network traffic

+You'll test routing of network traffic using [tracert](/windows-server/administration/windows-commands/tracert) tool from **myVMPublic** VM to **myVMPrivate** VM, and then you'll test the routing in the opposite direction.

+### Test network traffic from myVMPublic VM to myVMPrivate VM

+1. From PowerShell on **myVMPrivate** VM, open a remote desktop connection to the **myVMPublic** VM:

+ mstsc /v:myvmpublic

+2. After you connect to **myVMPublic** VM, open Windows PowerShell and enter this *tracert* command to trace the routing of network traffic from **myVMPublic** VM to **myVMPrivate** VM:

+

+ You can see that there are two hops in the above response for *tracert* ICMP traffic from **myVMPublic** VM to **myVMPrivate** VM. The first hop is **myVMNVA** VM, and the second hop is the destination **myVMPrivate** VM.

+ Azure sent the traffic from **Public** subnet through the NVA and not directly to **Private** subnet because you previously added **ToPrivateSubnet** route to **myRouteTablePublic** route table and associated it to **Public** subnet.

+1. Close the remote desktop connection to **myVMPublic** VM.

+### Test network traffic from myVMPrivate VM to myVMPublic VM

+1. From PowerShell on **myVMPrivate** VM, and enter this *tracert* command to trace the routing of network traffic from **myVmPrivate** VM to **myVmPublic** VM.

+ The response is similar to this example:

+ ```powershell

+ You can see that there's one hop in the above response, which is the destination **myVMPublic** virtual machine.

+ Azure sent the traffic directly from **Private** subnet to **Public** subnet. By default, Azure routes traffic directly between subnets.

+1. Close the bastion session.

+1. Enter *myResourceGroup* in the **Search** box at the top of the Azure portal. When you see **myResourceGroup** in the search results, select it.

+1. Select **Delete resource group**.

+1. Enter *myResourceGroup* for **TYPE THE RESOURCE GROUP NAME:** and select **Delete**.

+To learn how to restrict network access to PaaS resources with virtual network service endpoints, advance to the next tutorial.

+> [Restrict network access using service endpoints](tutorial-restrict-network-access-to-resources.md)

+ | **Subnet address range** | <p>The range must be unique within the address space for the virtual network. The range can't overlap with other subnet address ranges within the virtual network. The address space must be specified by using Classless Inter-Domain Routing (CIDR) notation.</p><p>For example, in a virtual network with address space *10.0.0.0/16*, you might define a subnet address space of *10.0.0.0/22*. The smallest range you can specify is */29*, which provides eight IP addresses for the subnet. Azure reserves the first and last address in each subnet for protocol conformance. Three more addresses are reserved for Azure service usage. As a result, defining a subnet with a */29* address range results in three usable IP addresses in the subnet.</p><p>If you plan to connect a virtual network to a VPN gateway, you must create a gateway subnet. Learn more about [specific address range considerations for gateway subnets](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md?toc=%2fazure%2fvirtual-network%2ftoc.json#gwsub). You can change the address range after the subnet is added, under specific conditions. To learn how to change a subnet address range, see [Change subnet settings](#change-subnet-settings).</p> |

+ | **Add IPv6 address space** | You can create a virtual network that's dual-stack (supports IPv4 and IPv6) by adding an existing IPv6 address space. You can also add IPv6 support later, after creating the virtual network. Currently, IPv6 isn't fully supported for all services in Azure. To learn more about IPv6 and its limitations, see [Overview of IPv6 for Azure Virtual Network](ip-services/ipv6-overview.md)|

+ | **NAT gateway** | To provide Network Address Translation (NAT) to resources on a subnet, you may associate an existing NAT gateway to a subnet. The NAT gateway must exist in the same subscription and location as the virtual network. Learn more about [Virtual Network NAT](./nat-gateway/nat-overview.md) and [how to create a NAT gateway](./nat-gateway/quickstart-create-nat-gateway-portal.md)

+ | **Network policy for private endpoints**| To control traffic going to a private endpoint, you can use network security groups, application security groups, or user defined routes. Set the private endpoint network policy to *Enabled* to use these controls on a subnet. Once enabled, network policy applies to all private endpoints on the subnet. To learn more, see [Manage network policies for private endpoints](../private-link/disable-private-endpoint-network-policy.md). |

+ | **Subnet address range** | If no resources are deployed within the subnet, you can change the address range. If any resources exist in the subnet, you must either move the resources to another subnet, or delete them from the subnet first. The steps you take to move or delete a resource vary depending on the resource. To learn how to move or delete resources that are in subnets, read the documentation for each of those resource types. See the constraints for **Address range** in step 4 of [Add a subnet](#add-a-subnet). |

+ | **Users** | You can control access to the subnet by using built-in roles or your own custom roles. Access **Manage Users** by selecting the ellipse (...) to the right of the **Route table** column. To learn more about assigning roles and users to access the subnet, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json). |

+ | **Add IPv6 address space**, **NAT Gateway**, **Network security group**, and **Route table** | See step 4 of [Add a subnet](#add-a-subnet). |

+ | **Subnet delegation** | Subnet delegation can be modified to zero or multiple delegations enabled for it. If a resource for a service is already deployed in the subnet, subnet delegation can't be added or removed until all the resources for the service are removed. To delegate for a different service, select the service you want to delegate to from the **Services** list. |

+ | **Network policy for private endpoints**| See step 4 of [Add a subnet](#add-a-subnet). |

+> Inter-region traffic **cannot** be inspected by Azure Firewall or NVA. Additionally, configuring both private and internet routing policies is currently **not** supported in most Azure regions. Doing so will put Gateways (ExpressRoute, Site-to-site VPN and Point-to-sive VPN) in a failed state and break connectivity from on-premises branches to Azure. Please ensure you only have one type of routing policy on each Virtual WAN hub. For more information, please contact previewinterhub@microsoft.com.

+* If you are using Private Routing Policies with ExpressRoute, please note that your ExpressRoute circuit cannot advertise exact address ranges for the RFC1918 address ranges (you cannot advertise 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Please ensure you are advertising more specific subnets (within RFC1918 ranges) as opposed to aggregate supernets. Additionally, if your ExpressRoute circuit is advertising a non-RFC1918 prefix to Azure, please make sure the address ranges that you put in the Private Traffic Prefixes text box are less specific than ExpressRoute advertised routes. For example, if the ExpressRoute Circuit is advertising 40.0.0.0/24 from on-premises, put a a /23 CIDR range or larger in the Private Traffic Prefix text box (example: 40.0.0.0/23).

+* Make sure you do not have both private and internet routing policies configured on a single Virtual WAN hub. Configuring both private and internet routing policies on the same hub is currently unsupported and will cause Point-to-site VPN, ExpressRoute and Site-to-site VPN gateways to go into a failed state and interrupt datapath connectivity to Azure.