+ Title: "Protected material detection in Azure AI Content Safety"

+description: Learn about Protected material detection and the related flags that the Azure AI Content Safety service returns.

+keywords:

+# Protected material detection

+The [Protected material text API](../quickstart-protected-material.md) flags known text content (for example, song lyrics, articles, recipes, and selected web content) that might be output by large language models. This guide provides details about the kind of content that the protected material API detects.

+## Protected material examples

+Refer to this table for details of the major categories of protected material text detection. All four categories are applied when you call the API.

+| Category | Scope | Considered acceptable | Considered harmful |

+||-||--|--|

+| Recipes | Copyrighted content related to Recipes. <br><br> Other harmful or sensitive text is out of scope for this task, unless it intersects with Recipes IP copyright harm. | <ul><li>Links to web pages that contain information about recipes  </li><li>Any content from recipes that have no or low IP/Copyright protections: <ul><li>Lists of ingredients</li><li>Basic instructions for combining and cooking ingredients</li></ul></li><li>Rejection or refusal to provide copyrighted content: <ul><li>Changing a topic to avoid sharing copyrighted content</li><li>Refusal to share copyrighted content</li><li>Providing nonresponsive information</li></ul></li></ul> | <ul><li>Other literary content in a recipe <ul><li>Matching anecdotes, stories, or personal commentary about the recipe (40 characters or more)</li><li>Creative names for the recipe that are not limited to the well-known name of the dish, or a plain descriptive summary of the dish indicating what the primary ingredient is (40 characters or more)</li><li>Creative descriptions of the ingredients or steps for combining or cooking ingredients, including descriptions that contain more information than needed to create the dish, rely on imprecise wording, or contain profanity (40 characters or more)</li></ul></li><li>Methods to access copyrighted content:<ul><li>Ways to bypass paywalls to access recipes</li></ul></li></ul> |

+| Web Content | All websites that have `webmd.com` as their URL domain name. Only focuses on issues of copyrighted content around Selected Web Content. <br><br> Other harmful or sensitive text is out of scope for this task, unless it intersects Selected Web Content harm. | <ul><li>Links to web pages </li><li>Short excerpts or snippets of Selected Web Content as long as:<ul><li>They are relevant to the user's query</li><li>They are fewer than 200 characters</li></ul></li></ul> | <ul><li>Substantial content of Selected Web Content  <ul><li>Response sections longer than 200 characters that bear substantial similarity to a block of text from the Selected Web Content</li><li>Excerpts from Selected Web Content that are longer than 200 characters</li><li>Quotes from Selected Web Content that are longer than 200 characters</li></ul></li><li>Methods to access copyrighted content:<ul><li>Ways to bypass paywalls or DRM protections to access copyrighted Selected Web Content</li></ul></li></ul> |

+| News | Only focus on issues of copyrighted content around News. <br><br> Other harmful or sensitive text is out of scope for this task, unless it intersects News IP Copyright harm. | <ul><li>Links to web pages that host news or information about news, magazines, or blog articles as long as:<ul><li>They have legitimate permissions</li><li>They have licensed news coverage</li><li>They are authorized platforms</li></ul></li><li>Links to authorized web pages that contain embedded audio/video players as long as:<ul><li>They have legitimate permissions</li><li>They have licensed news coverage</li><li>They are authorized streaming platforms</li><li>They are official YouTube channels</li></ul></li><li>Short excerpts/snippets like headlines or captions from news articles as long as:<ul><li>They are relevant to the user's query</li><li>They are not a substantial part of the article</li><li>They are not the entire article</li></ul></li><li>Summary of news articles as long as:<ul><li>It is relevant to the user's query</li><li>It is brief and factual</li><li>It does not copy/paraphrase a substantial part of the article</li><li>It is clearly and visibly cited as a summary</li></ul></li><li>Analysis/Critique/Review of news articles as long as:<ul><li>It is relevant to the user's query</li><li>It is brief and factual</li><li>It does not copy/paraphrase a substantial part of the article</li><li>It is clearly and visibly cited as an analysis/critique/review</li></ul></li><li>Any news content that has no IP/Copyright protections:<ul><li>News/Magazines/Blogs that are in the public domain</li><li>News/Magazines/Blogs for which Copyright protection has elapsed, been surrendered, or never existed</li></ul></li><li>Rejection or refusal to provide copyrighted content:<ul><li>Changing topic to avoid sharing copyrighted content</li><li>Refusal to share copyrighted content</li><li>Providing nonresponsive information</li></ul></li></ul> | <ul><li>Links to pdf or any other file containing full text of news/magazine/blog articles, unless:<ul><li>They are sourced from authorized platforms with legitimate permissions and licenses</li></ul></li><li>News content<ul><li>More than 200 characters taken verbatim from any news article</li><li>More than 200 characters substantially similar to a block of text from any news article</li><li>Direct access to news/magazine/blog articles that are behind paywalls</li></ul></li><li>Methods to access copyrighted content:<ul><li>Steps to download news from an unauthorized website</li><li>Ways to bypass paywalls or DRM protections to access copyrighted news or videos</li></ul></li></ul> |

+| Lyrics | Only focuses on issues of copyrighted content around Songs. <br><br> Other harmful or sensitive text is out of scope for this task, unless it intersects Songs IP Copyright harm. | <ul><li>Links to web pages that contain information about songs such as:<ul><li>Lyrics of the songs</li><li>Chords or tabs of the associated music</li><li>Analysis or reviews of the song/music</li></ul></li><li>Links to authorized web pages that contain embedded audio/video players as long as:<ul><li>They have legitimate permissions</li><li>They have licensed music</li><li>They are authorized streaming platforms</li><li>They are official YouTube channels</li></ul></li><li>Short excerpts or snippets from lyrics of the songs as long as:<ul><li>They are relevant to the user's query</li><li>They are not a substantial part of the lyrics</li><li>They are not the entire lyrics</li><li>They are not more than 11 words long</li></ul></li><li>Short excerpts or snippets from chords/tabs of the songs as long as:<ul><li>They are relevant to the user's query</li><li>They are not a substantial part of the chords/tabs</li><li>They are not the entire chords/tabs</li></ul></li><li>Any content from songs that have no IP/Copyright protections:<ul><li>Songs/Lyrics/Chords/Tabs that are in the public domain</li><li>Songs/Lyrics/Chords/Tabs for which Copyright protection has elapsed, been surrendered, or never existed</li></ul></li><li>Rejection or refusal to provide copyrighted content:<ul><li>Changing topic to avoid sharing copyrighted content</li><li>Refusal to share copyrighted content</li><li>Providing nonresponsive information</li></ul></li></ul> | <ul><li>Lyrics of a song<ul><li>Entire lyrics</li><li>Substantial part of the lyrics</li><li>Part of lyrics that contain more than 11 words</li></ul></li><li>Chords or Tabs of a song<ul><li>Entire chords/tabs</li><li>Substantial part of the chords/tabs</li></ul></li><li>Links to webpages that contain embedded audio/video players that:<ul><li>Do not have legitimate permissions</li><li>Do not have licensed music</li><li>Are not authorized streaming platforms</li><li>Are not official YouTube channels</li></ul></li><li>Methods to access copyrighted content:<ul><li>Steps to download songs from an unauthorized website</li><li>Ways to bypass paywalls or DRM protections to access copyrighted songs or videos</li></ul></li></ul> |

+## Next steps

+Follow the quickstart to get started using Azure AI Content Safety to detect protected material.

+> [!div class="nextstepaction"]

+> [Detect protected material](../quickstart-protected-material.md)

+> You don't need to specify a language code for text moderation and Prompt Shields. The service automatically detects your input language.

+| [Protected material text detection](/rest/api/cognitiveservices/contentsafety/text-operations/detect-text-protected-material) (preview) | Scans AI-generated text for [known text content](./concepts/protected-material.md) (for example, song lyrics, articles, recipes, selected web content). [Quickstart](./quickstart-protected-material.md)|

+ - Default minimum length: 110 characters (for scanning LLM completions, not user prompts).

+Protected material text describes language that matches known text content (for example, song lyrics, articles, recipes, selected web content). This feature can be used to identify and block known text content from being displayed in language model output (English content only).

+* [Function calling fine-tuning scenarios](https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/fine-tuning-with-function-calling-on-azure-openai-service/ba-p/4065968).

+* Explore the fine-tuning capabilities in the [Azure OpenAI fine-tuning tutorial](../tutorials/fine-tune.md).

+* Review fine-tuning [model regional availability](../concepts/models.md#fine-tuning-models).

+## Function calling support

+### Parallel function calling

+* `gpt-4` (vision-preview)

+* `gpt-4` (2024-04-09)

+* `gpt-4o` (2024-05-13)

+### Basic function calling with tools

+* All the models that support parallel function calling

+* `gpt-4` (0613)

+* `gpt-4-32k` (0613)

+* `gpt-35-turbo-16k` (0613)

+* `gpt-35-turbo` (0613)

+## Single tool/function calling example

+First we will demonstrate a simple toy function call that can check the time in three hardcoded locations with a single tool/function defined. We have added print statements to help make the code execution easier to follow:

+from openai import AzureOpenAI

+from datetime import datetime

+from zoneinfo import ZoneInfo

+# Initialize the Azure OpenAI client

+ azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"),

+ api_key=os.getenv("AZURE_OPENAI_API_KEY"),

+ api_version="2024-05-01-preview"

+# Define the deployment you want to use for your chat completions API calls

+deployment_name = "<YOUR_DEPLOYMENT_NAME_HERE>"

+# Simplified timezone data

+TIMEZONE_DATA = {

+ "tokyo": "Asia/Tokyo",

+ "san francisco": "America/Los_Angeles",

+ "paris": "Europe/Paris"

+}

+def get_current_time(location):

+ """Get the current time for a given location"""

+ print(f"get_current_time called with location: {location}")

+ location_lower = location.lower()

+

+ for key, timezone in TIMEZONE_DATA.items():

+ if key in location_lower:

+ print(f"Timezone found for {key}")

+ current_time = datetime.now(ZoneInfo(timezone)).strftime("%I:%M %p")

+ return json.dumps({

+ "location": location,

+ "current_time": current_time

+ })

+

+ print(f"No timezone data found for {location_lower}")

+ return json.dumps({"location": location, "current_time": "unknown"})

+ # Initial user message

+ messages = [{"role": "user", "content": "What's the current time in San Francisco"}] # Single function call

+ #messages = [{"role": "user", "content": "What's the current time in San Francisco, Tokyo, and Paris?"}] # Parallel function call with a single tool/function defined

+ # Define the function for the model

+ "name": "get_current_time",

+ "description": "Get the current time in a given location",

+ "description": "The city name, e.g. San Francisco",

+ }

+ # First API call: Ask the model to use the function

+ model=deployment_name,

+ tool_choice="auto",

+ # Process the model's response

+ messages.append(response_message)

+ print("Model's response:")

+ print(response_message)

+ # Handle function calls

+ if response_message.tool_calls:

+ for tool_call in response_message.tool_calls:

+ if tool_call.function.name == "get_current_time":

+ function_args = json.loads(tool_call.function.arguments)

+ print(f"Function arguments: {function_args}")

+ time_response = get_current_time(

+ location=function_args.get("location")

+ )

+ messages.append({

+ "name": "get_current_time",

+ "content": time_response,

+ })

+ else:

+ print("No tool calls were made by the model.")

+ # Second API call: Get the final response from the model

+ final_response = client.chat.completions.create(

+ model=deployment_name,

+ messages=messages,

+ )

+ return final_response.choices[0].message.content

+# Run the conversation and print the result

+print(run_conversation())

+**Output:**

+```output

+Model's response:

+ChatCompletionMessage(content=None, role='assistant', function_call=None, tool_calls=[ChatCompletionMessageToolCall(id='call_pOsKdUlqvdyttYB67MOj434b', function=Function(arguments='{"location":"San Francisco"}', name='get_current_time'), type='function')])

+Function arguments: {'location': 'San Francisco'}

+get_current_time called with location: San Francisco

+Timezone found for san francisco

+The current time in San Francisco is 09:24 AM.

+```

+If we are using a model deployment that supports parallel function calls we could convert this into a parallel function calling example by changing the messages array to ask for the time in multiple locations instead of one.

+To accomplish this swap the comments in these two lines:

+ messages = [{"role": "user", "content": "What's the current time in San Francisco"}] # Single function call

+ #messages = [{"role": "user", "content": "What's the current time in San Francisco, Tokyo, and Paris?"}] # Parallel function call with a single tool/function defined

+To look like this, and run the code again:

+ #messages = [{"role": "user", "content": "What's the current time in San Francisco"}] # Single function call

+ messages = [{"role": "user", "content": "What's the current time in San Francisco, Tokyo, and Paris?"}] # Parallel function call with a single tool/function defined

+This generates the following output:

+**Output:**

+```output

+Model's response:

+ChatCompletionMessage(content=None, role='assistant', function_call=None, tool_calls=[ChatCompletionMessageToolCall(id='call_IjcAVz9JOv5BXwUx1jd076C1', function=Function(arguments='{"location": "San Francisco"}', name='get_current_time'), type='function'), ChatCompletionMessageToolCall(id='call_XIPQYTCtKIaNCCPTdvwjkaSN', function=Function(arguments='{"location": "Tokyo"}', name='get_current_time'), type='function'), ChatCompletionMessageToolCall(id='call_OHIB5aJzO8HGqanmsdzfytvp', function=Function(arguments='{"location": "Paris"}', name='get_current_time'), type='function')])

+Function arguments: {'location': 'San Francisco'}

+get_current_time called with location: San Francisco

+Timezone found for san francisco

+Function arguments: {'location': 'Tokyo'}

+get_current_time called with location: Tokyo

+Timezone found for tokyo

+Function arguments: {'location': 'Paris'}

+get_current_time called with location: Paris

+Timezone found for paris

+As of now, the current times are:

+- **San Francisco:** 11:15 AM

+- **Tokyo:** 03:15 AM (next day)

+- **Paris:** 08:15 PM

+Parallel function calls allow you to perform multiple function calls together, allowing for parallel execution and retrieval of results. This reduces the number of calls to the API that need to be made and can improve overall performance.

+For example in our simple time app we retrieved multiple times at the same time. This resulted in a chat completion message with three function calls in the `tool_calls` array, each with a unique `id`. If you wanted to respond to these function calls, you would add three new messages to the conversation, each containing the result of one function call, with a `tool_call_id` referencing the `id` from `tools_calls`.

+To force the model to call a specific function set the `tool_choice` parameter with a specific function name. You can also force the model to generate a user-facing message by setting `tool_choice: "none"`.

+> [!NOTE]

+> The default behavior (`tool_choice: "auto"`) is for the model to decide on its own whether to call a function and if so which function to call.

+## Parallel function calling with multiple functions

+Now we will demonstrate another toy function calling example this time with two different tools/functions defined.

+```python

+import os

+import json

+from openai import AzureOpenAI

+from datetime import datetime, timedelta

+from zoneinfo import ZoneInfo

+# Initialize the Azure OpenAI client

+client = AzureOpenAI(

+ azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT"),

+ api_key=os.getenv("AZURE_OPENAI_API_KEY"),

+ api_version="2024-05-01-preview"

+)

+# Provide the model deployment name you want to use for this example

+deployment_name = "YOUR_DEPLOYMENT_NAME_HERE"

+# Simplified weather data

+WEATHER_DATA = {

+ "tokyo": {"temperature": "10", "unit": "celsius"},

+ "san francisco": {"temperature": "72", "unit": "fahrenheit"},

+ "paris": {"temperature": "22", "unit": "celsius"}

+}

+# Simplified timezone data

+TIMEZONE_DATA = {

+ "tokyo": "Asia/Tokyo",

+ "san francisco": "America/Los_Angeles",

+ "paris": "Europe/Paris"

+}

+def get_current_weather(location, unit=None):

+ """Get the current weather for a given location"""

+ print(f"get_current_weather called with location: {location}, unit: {unit}")

+

+ for key in WEATHER_DATA:

+ if key in location_lower:

+ print(f"Weather data found for {key}")

+ weather = WEATHER_DATA[key]

+ return json.dumps({

+ "location": location,

+ "temperature": weather["temperature"],

+ "unit": unit if unit else weather["unit"]

+ })

+

+ print(f"No weather data found for {location_lower}")

+ return json.dumps({"location": location, "temperature": "unknown"})

+def get_current_time(location):

+ """Get the current time for a given location"""

+ print(f"get_current_time called with location: {location}")

+ location_lower = location.lower()

+

+ for key, timezone in TIMEZONE_DATA.items():

+ if key in location_lower:

+ print(f"Timezone found for {key}")

+ current_time = datetime.now(ZoneInfo(timezone)).strftime("%I:%M %p")

+ return json.dumps({

+ "location": location,

+ "current_time": current_time

+ })

+

+ print(f"No timezone data found for {location_lower}")

+ return json.dumps({"location": location, "current_time": "unknown"})

+def run_conversation():

+ # Initial user message

+ messages = [{"role": "user", "content": "What's the weather and current time in San Francisco, Tokyo, and Paris?"}]

+ # Define the functions for the model

+ tools = [

+ "type": "function",

+ "function": {

+ "name": "get_current_weather",

+ "description": "Get the current weather in a given location",

+ "parameters": {

+ "type": "object",

+ "properties": {

+ "location": {

+ "type": "string",

+ "description": "The city name, e.g. San Francisco",

+ },

+ "unit": {"type": "string", "enum": ["celsius", "fahrenheit"]},

+ },

+ "required": ["location"],

+ },

+ }

+ },

+ "type": "function",

+ "function": {

+ "name": "get_current_time",

+ "description": "Get the current time in a given location",

+ "parameters": {

+ "type": "object",

+ "properties": {

+ "location": {

+ "type": "string",

+ "description": "The city name, e.g. San Francisco",

+ },

+ },

+ "required": ["location"],

+ },

+ }

+ ]

+ # First API call: Ask the model to use the functions

+ response = client.chat.completions.create(

+ model=deployment_name,

+ messages=messages,

+ tools=tools,

+ tool_choice="auto",

+ )

+ # Process the model's response

+ response_message = response.choices[0].message

+ messages.append(response_message)

+ print("Model's response:")

+ print(response_message)

+ # Handle function calls

+ if response_message.tool_calls:

+ for tool_call in response_message.tool_calls:

+ function_name = tool_call.function.name

+ function_args = json.loads(tool_call.function.arguments)

+ print(f"Function call: {function_name}")

+ print(f"Function arguments: {function_args}")

+

+ if function_name == "get_current_weather":

+ function_response = get_current_weather(

+ location=function_args.get("location"),

+ unit=function_args.get("unit")

+ )

+ elif function_name == "get_current_time":

+ function_response = get_current_time(

+ location=function_args.get("location")

+ )

+ else:

+ function_response = json.dumps({"error": "Unknown function"})

+

+ messages.append({

+ "tool_call_id": tool_call.id,

+ "role": "tool",

+ "name": function_name,

+ "content": function_response,

+ })

+ else:

+ print("No tool calls were made by the model.")

+ # Second API call: Get the final response from the model

+ final_response = client.chat.completions.create(

+ model=deployment_name,

+ messages=messages,

+ )

+ return final_response.choices[0].message.content

+# Run the conversation and print the result

+print(run_conversation())

+**Output**

+```Output

+Model's response:

+ChatCompletionMessage(content=None, role='assistant', function_call=None, tool_calls=[ChatCompletionMessageToolCall(id='call_djHAeQP0DFEVZ2qptrO0CYC4', function=Function(arguments='{"location": "San Francisco", "unit": "celsius"}', name='get_current_weather'), type='function'), ChatCompletionMessageToolCall(id='call_q2f1HPKKUUj81yUa3ITLOZFs', function=Function(arguments='{"location": "Tokyo", "unit": "celsius"}', name='get_current_weather'), type='function'), ChatCompletionMessageToolCall(id='call_6TEY5Imtr17PaB4UhWDaPxiX', function=Function(arguments='{"location": "Paris", "unit": "celsius"}', name='get_current_weather'), type='function'), ChatCompletionMessageToolCall(id='call_vpzJ3jElpKZXA9abdbVMoauu', function=Function(arguments='{"location": "San Francisco"}', name='get_current_time'), type='function'), ChatCompletionMessageToolCall(id='call_1ag0MCIsEjlwbpAqIXJbZcQj', function=Function(arguments='{"location": "Tokyo"}', name='get_current_time'), type='function'), ChatCompletionMessageToolCall(id='call_ukOu3kfYOZR8lpxGRpdkhhdD', function=Function(arguments='{"location": "Paris"}', name='get_current_time'), type='function')])

+Function call: get_current_weather

+Function arguments: {'location': 'San Francisco', 'unit': 'celsius'}

+get_current_weather called with location: San Francisco, unit: celsius

+Weather data found for san francisco

+Function call: get_current_weather

+Function arguments: {'location': 'Tokyo', 'unit': 'celsius'}

+get_current_weather called with location: Tokyo, unit: celsius

+Weather data found for tokyo

+Function call: get_current_weather

+Function arguments: {'location': 'Paris', 'unit': 'celsius'}

+get_current_weather called with location: Paris, unit: celsius

+Weather data found for paris

+Function call: get_current_time

+Function arguments: {'location': 'San Francisco'}

+get_current_time called with location: San Francisco

+Timezone found for san francisco

+Function call: get_current_time

+Function arguments: {'location': 'Tokyo'}

+get_current_time called with location: Tokyo

+Timezone found for tokyo

+Function call: get_current_time

+Function arguments: {'location': 'Paris'}

+get_current_time called with location: Paris

+Timezone found for paris

+Here's the current information for the three cities:

+### San Francisco

+- **Time:** 09:13 AM

+- **Weather:** 72┬░C (quite warm!)

+### Tokyo

+- **Time:** 01:13 AM (next day)

+- **Weather:** 10┬░C

+### Paris

+- **Time:** 06:13 PM

+- **Weather:** 22┬░C

+Is there anything else you need?

+> [!IMPORTANT]

+> The JSON response might not always be valid so you need to add additional logic to your code to be able to handle errors. For some use cases you may find you need to use fine-tuning to improve [function calling performance](./fine-tuning-functions.md).

+## Prompt engineering with functions

+Azure OpenAI Service provides REST API access to OpenAI's powerful language models including GPT-4o, GPT-4 Turbo with Vision, GPT-4, GPT-3.5-Turbo, and Embeddings model series. These models can be easily adapted to your specific task including but not limited to content generation, summarization, image understanding, semantic search, and natural language to code translation. Users can access the service through REST APIs, Python SDK, or our web-based interface in the Azure OpenAI Studio.

+| Models available | **GPT-4o**<br> **GPT-4 series (including GPT-4 Turbo with Vision)** <br>**GPT-3.5-Turbo series**<br> Embeddings series <br> Learn more in our [Models](./concepts/models.md) page.|

+| Fine-tuning | `GPT-4` (preview) <br>`GPT-3.5-Turbo` (0613) <br> `babbage-002` <br> `davinci-002`.|

+1. If you have a flow that contains one of the deprecated legacy index tools ( the Vector Index Lookup tool, Vector DB Lookup tool, and Faiss Index Lookup tool) you will first need to [upgrade your flow](#upgrade-your-tools).

+To enable application routing on an existing cluster, use the [`az aks approuting enable`][az-aks-approuting-enable] or the [`az aks enable-addons`][az-aks-enable-addons] command with the `--addons` parameter set to `http_application_routing`.

+# az aks approuting enable

+# az aks enable-addons

+az aks enable-addons --resource-group <ResourceGroupName> --name <ClusterName> --addons http_application_routing

+### How can I automate adding a bring-your-owncertificate to an app?

+### Can I use a private CA (certificate authority) certificate for inbound TLS on my app?

+You can use a private CA certificate for inbound TLS in an [App Service Environment version 3 (ASEv3)](./environment/overview-certificates.md). This isn't possible in App Service (multi-tenant). For more information on App Service multi-tenant vs. single-tenant, see [App Service Environment v3 and App Service public multitenant comparison](./environment/ase-multi-tenant-comparison.md).

+

+### Can I make outbound calls using a private CA (certificate authority) client certificate from my app?

+This is only supported for Windows container apps in multi-tenant App Service. In addition, you can make outbound calls using a private CA client certificate with both code-based and container-based apps in an [App Service Environment version 3 (ASEv3)](./environment/overview-certificates.md). For more information on App Service multi-tenant vs. single-tenant, see [App Service Environment v3 and App Service public multitenant comparison](./environment/ase-multi-tenant-comparison.md).

+

+### Can I load a private CA (certificate authority) certificate in my App Service Trusted Root Store?

+You can load your own CA certificate into the Trusted Root Store in an [App Service Environment version 3 (ASEv3)](./environment/overview-certificates.md). You can't modify the list of Trusted Root Certificates in App Service (multi-tenant). For more information on App Service multi-tenant vs. single-tenant, see [App Service Environment v3 and App Service public multitenant comparison](./environment/ase-multi-tenant-comparison.md).

+|Python 3 (preview)|Yes, required for these distros only: SUSE LES 15, RHEL 8|

+- Red Hat, Oracle:

+- Red Hat, Oracle:

+| &#9679; Windows Server 2022 (including Server Core) <br> &#9679; Windows Server 2019 (including Server Core) <br> &#9679; Windows Server 2016, version 1709, and 1803 (excluding Server Core) <br> &#9679; Windows Server 2012, 2012 R2 (excluding Server Core) <br> &#9679; Windows 10 Enterprise (including multi-session) and Pro | &#9679; Debian GNU/Linux 8, 9, 10, and 11 <br> &#9679; Ubuntu 18.04 LTS, 20.04 LTS, and 22.04 LTS <br> &#9679; SUSE Linux Enterprise Server 15.2, and 15.3 <br> &#9679; Red Hat Enterprise Linux Server 7, 8, and 9ΓÇ»<br> &#9679; SUSE Linux Enterprise Server (SLES) 15 <br> &#9679; Rocky Linux 9 </br> &#9679; Oracle Linux 7 and 8 <br> *Hybrid Worker extension would follow support timelines of the OS vendor*.|

+| &#9679; Windows Server 2022 (including Server Core) <br> &#9679; Windows Server 2019 (including Server Core) <br> &#9679; Windows Server 2016, version 1709 and 1803 (excluding Server Core) <br> &#9679; Windows Server 2012, 2012 R2 (excluding Server Core) <br> &#9679; Windows 10 Enterprise (including multi-session) and Pro| &#9679; Debian GNU/Linux 8,9,10, and 11 <br> &#9679; Ubuntu 18.04 LTS, 20.04 LTS, and 22.04 LTS <br> &#9679; SUSE Linux Enterprise Server 15.2, and 15.3 <br> &#9679; Red Hat Enterprise Linux Server 7, 8, and 9 <br> &#9679; SUSE Linux Enterprise Server (SLES) 15 <br> &#9679; Rocky Linux 9 </br> &#9679; Oracle Linux 7 and 8 <br> *Hybrid Worker extension would follow support timelines of the OS vendor*.ΓÇ»|

+* An Azure Resource Manager virtual machine running Red Hat Enterprise Linux, or Oracle Linux. For instructions on creating a VM, see [Create your first Linux virtual machine in the Azure portal](../../virtual-machines/linux/quick-create-portal.md)

+For YUM, the following command returns a non-zero list of updates categorized as **Security** by Red Hat.

+Deploying updates to Linux by classification ("Critical and security updates") has important caveats. These limitations are documented on the [Update Management overview page](../update-management/overview.md#update-classifications).

+| Retention | [Configure retention from 30 days to two years](data-retention-archive.md). | Retention fixed at thirty days.<br/>When you change an existing table's plan to Basic logs, [Azure archives data](data-retention-archive.md) that's more than thirty days old but still within the table's original retention period. |

+- You don't require more than thirty days of data retention for the table.

+When you change a table's plan from Analytics to Basic, Log Analytics immediately archives any data that's older than thirty days and up to original data retention of the table. In other words, the total retention period of the table remains unchanged, unless you explicitly [modify the archive period](../logs/data-retention-archive.md).

+ "retentionInDays": 30,

+# Auto-enable backup on VM creation using Azure Policy

+> - Azure Policy can also be used on existing VMs, using [remediation](../governance/policy/how-to/remediate-resources.md).

+> - It's recommended that this policy not be assigned to more than 200 VMs at a time. If the policy is assigned to more than 200 VMs, it can result in the backup being triggered a few hours later than that specified by the schedule.

+## Next step

+## Next step

+ var token = await GetAccessToken(new string[] { $"{BatchResourceUri}/.default" });

+| **Batch Python** |[Azure SDK for Python - Docs](/python/api/overview/azure/batch) |[PyPI](https://pypi.org/project/azure-batch/) |[Tutorial](tutorial-parallel-python.md)|[GitHub](https://github.com/Azure-Samples/azure-batch-samples/tree/master/Python/Batch) | [Readme](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/batch/azure-batch/README.md) |

+To recover an unusable node in [VirtualMachineConfiguration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) pools, you can remove the node from the pool by using the [Pool - Remove Nodes](/rest/api/batchservice/pool/removenodes) API. Then you can grow the pool again to replace the bad node with a fresh one.

+> [!Important]

+> Reimage isn't currently supported for [VirtualMachineConfiguration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) pools.

+Alternatively, use the REST API to obtain the experiment's execution details. Learn more in the [REST API sample article](chaos-studio-samples-rest-api.md).

+```azurecli

+az rest --method post --url "https://management.azure.com/{experimentId}/executions/{executionDetailsId}/getExecutionDetails?api-version={apiVersion}"

+```

+### The experiment didn't start or failed immediately

+After starting an experiment, you might see an error message like: `The long-running operation has failed. InternalServerError. The target resource(s) could not be resolved. Error Code: OperationFailedException`. Usually, this indicates that the experiment's identity doesn't have the necessary permissions.

+To resolve this error, ensure that the experiment's system-assigned or user-assigned managed identity has permission to all resources in the experiment. Learn more about permissions here: [Permissions and security in Azure Chaos Studio](chaos-studio-permissions-security.md). For example, if the experiment targets a virtual machine, navigate to the virtual machine's identity page and assign the "Virtual Machine Contributor" role to the experiment's managed identity.

+ Title: AI agent

+# AI agent

+Unlike standalone large language models (LLMs) or rule-based software/hardware systems, AI agent possesses the follow common features:

+- [Planning](#reasoning-and-planning). AI agent can plan and sequence actions to achieve specific goals. The integration of LLMs has revolutionized their planning capabilities.

+- [Tool usage](#frameworks). Advanced AI agent can utilize various tools, such as code execution, search, and computation capabilities, to perform tasks effectively. Tool usage is often done through function calling.

+- [Perception](#frameworks). AI agent can perceive and process information from their environment, including visual, auditory, and other sensory data, making them more interactive and context aware.

+- [Memory](#ai-agent-memory-system). AI agent possess the ability to remember past interactions (tool usage and perception) and behaviors (tool usage and planning). It stores these experiences and even perform self-reflection to inform future actions. This memory component allows for continuity and improvement in agent performance over time.

+> The usage of the term "memory" in the context of AI agent should not be confused with the concept of computer memory (like volatile, non-volatile, and persistent memory).

+## Implement AI agent

+Various frameworks and tools can facilitate the development and deployment of AI agent.

+However, this practice of using a complex web of standalone databases can hurt AI agent's performance. Integrating all these disparate databases into a cohesive, interoperable, and resilient memory system for AI agent is a significant challenge in and of itself. Moreover, many of the frequently used database services are not optimal for the speed and scalability that AI agent systems need. These databases' individual weaknesses are exacerbated in multi-agent systems:

+In-memory databases are excellent for speed but may struggle with the large-scale data persistence that AI agent requires.

+Azure Cosmos DB simplifies and expedites your application development by being the single database for your operational data needs, from [geo-replicated distributed caching](https://medium.com/@marcodesanctis2/using-azure-cosmos-db-as-your-persistent-geo-replicated-distributed-cache-b381ad80f8a0) to backup to [vector indexing and search](vector-database.md). It provides the data infrastructure for modern applications like [AI agent](ai-agents.md), digital commerce, Internet of Things, and booking management. It can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.

+> [!IMPORTANT]

+> To enable AI security posture management's capabilities on an AWS account that already:

+> - Is connected to your Azure account.

+> - Has Defender CSPM enabled.

+> - Has permissions type set as **Least privilege access**.

+>

+> You must reconfigure the permissions on that connector to enable the relevant permissions using these steps:

+> 1. In the Azure Portal navigate to Environment Settings page and select the appropriate AWS connector.

+> 1. Select **Configure access**.

+> 1. Ensure the permissions type is set to **Least privilege access**.

+> 1. [Follow steps 5 - 8](quickstart-onboard-aws.md#select-defender-plans) to finish the configuration.

+| [Data security posture management (DSPM), Sensitive data scanning](concept-data-security-posture.md) | - | :::image type="icon" source="./media/icons/yes-icon.png"::: | Azure, AWS, GCP^{[1](#footnote1)} |

+^{<a name="footnote1"></a>1}: GCP sensitive data discovery [only supports Cloud Storage](concept-data-security-posture-prepare.md#whats-supported).

+- For the [resource group and access management setup process](#allow-access-to-the-iot-hub), you need the following roles:

+ - To add role assignments, you need the Owner, Role Based Access Control Administrator and User Access Administrator roles.

+ - To register resource providers, you need th Owner and Contributor roles.

+

+ Learn more about [privileged administrator roles in Azure](../../role-based-access-control/role-assignments-steps.md#privileged-administrator-roles).

+1. Follow these steps to [allow access to the IoT Hub](#allow-access-to-the-iot-hub).

+1. Follow these steps to [allow access to the IoT Hub](#allow-access-to-the-iot-hub).

+ The **Secure your IoT solution** button will only appear if the IoT Hub hasn't already been onboarded, or if you set the Defender for IoT toggle to **Off** while onboarding.

+ :::image type="content" source="media/quickstart-onboard-iot-hub/toggle-is-off.png" alt-text="If your toggle was set to off during onboarding.":::

+## Set up resource providers and access control

+To set up permissions needed to access the IoT hub:

+1. [Set up resource providers and access control for the IoT hub](#allow-access-to-the-iot-hub).

+1. To allow access to a Log Analytics workspace, also [set up resource providers and access control for Log Analytics workspace](#allow-access-to-a-log-analytics-workspace).

+Learn more about [resource providers and resource types](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).

+### Allow access to the IoT Hub

+To allow access to the IoT Hub:

+#### Set up resource providers for the IoT hub

+1. Sign in to the [Azure portal](https://portal.azure.com/) and navigate to the **Subscriptions** page.

+1. In the subscriptions table, select your subscription.

+1. In the subscription page that opens, from the left menu bar, select **Resource providers**.

+1. In the search bar, type: *Microsoft.iot*.

+1. Select the **Microsoft.IoTSecurity** provider and verify that its status is **Registered**.

+#### Set up access control for the IoT hub

+1. In your IoT hub, from the left menu bar, select **Access control (IAM)**, and from the top menu, select **Add > Add role assignment**.

+1. In the **Role tab**, select the **Privileged administrator roles** tab, and select the **Contributor** role.

+1. Select the **Members** tab, and next to **Members**, select **Select members**.

+1. In the **Select members** page, in the **Select** field, type *Azure security*, select **Azure Security for IoT**, and select **Select** at the bottom.

+1. Back in the **Members** tab, select **Review + assign** at the bottom of the tab, in the **Review and assign tab**, select **Review + assign** at the bottom again.

+### Allow access to a Log Analytics workspace

+To connect to a Log Analytics workspace:

+#### Set up resource providers for the Log Analytics workspace

+1. In the Azure portal, navigate to the **Subscriptions** page.

+1. In the subscriptions table, select your subscription.

+1. In the subscription page that opens, from the left menu bar, select **Resource providers**.

+1. In the search bar, type: *Microsoft.OperationsManagement*.

+1. Select the **Microsoft.OperationsManagement** provider and verify that its status is **Registered**.

+#### Set up access control for the Log Analytics workspace

+1. In the Azure portal, search for and navigate to the **Log analytics workspaces** page, select your workspace, and from the left menu, select **Access control (IAM)**.

+1. From the top menu, select **Add > Add role assignment**.

+

+1. In the **Role tab**, under **Job function roles**, search for *Log analytics*, and select the **Log Analytics Contributor** role.

+1. Select the **Members** tab, and next to **Members**, select **Select members**.

+1. In the **Select members** page, in the **Select** field, type *Azure security*, select **Azure Security for IoT**, and select **Select** at the bottom.

+1. Back in the **Members** tab, select **Review + assign** at the bottom of the tab, in the **Review and assign tab**, select **Review + assign** at the bottom again.

+#### Enable Defender for IoT

+1. In your IoT hub, from the left menu, select **Settings**, and in the **Settings page**, select **Data Collection**.

+1. Toggle on **Enable Microsoft Defender for IoT**, and select **Save** at the bottom.

+1. Under **Choose the Log Analytics workspace you want to connect to**, set the toggle to **On**.

+1. Select the subscription for which you [set up the resource provider](#set-up-resource-providers-for-the-log-analytics-workspace) and workspace.

+| **Aruba ClearPass** (on-premises) | View Defender for IoT data together with Aruba ClearPass data by doing one of the following:<br><br>- Configure your sensor to send syslog files directly to ClearPass. <br> | - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft | [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md) <br><br>[Defender for IoT API reference](references-work-with-defender-for-iot-apis.md)|

+* A specific virtual network can be linked to only one private DNS zone when automatic registration is enabled. You can, however, link multiple virtual networks to a single DNS zone.

+description: In this quickstart, you create and test a private DNS zone and record in Azure DNS. This article is a step-by-step guide to create and manage your first private DNS zone and record using the Azure portal.

+This quickstart walks you through the steps to create your first private DNS zone and record using the Azure portal.

+A DNS zone is used to host the DNS records for a particular domain. Public DNS zones have unique names and are visible on the Internet. However, a private DNS zone name must only be unique within its resource group and the DNS records are not visible on the Internet. To start hosting your private domain in Azure Private DNS, you first need to create a DNS zone for that domain name. Next, the DNS records for your private domain are created inside this DNS zone.

+> When you create a private DNS zone, Azure stores the zone data as a global resource. This means that the private zone isn't dependent on a single virtual network or region. You can link the same private zone to multiple virtual networks in different regions. If service is interrupted in one virtual network, your private zone is still available. For more information, see [Azure Private DNS zone resiliency](private-dns-resiliency.md).

+## Virtual private links

+To resolve DNS records in a private DNS zone, resources must typically be *linked* to the private zone. Linking is accomplished by creating a [virtual network link](private-dns-virtual-network-links.md) that associates the virtual network to the private zone.

+When you create a virtual network link, you can (optionally) enable autoregistration of DNS records for devices in the virtual network. If autoregistration is enabled, Azure private DNS updates DNS records whenever a virtual machine inside the linked virtual network is created, changes its IP address, or is deleted. For more information, see [What is the autoregistration feature in Azure DNS private zones](private-dns-autoregistration.md).

+> [!NOTE]

+> Other methods are available for resolving DNS records in private DNS zones that don't always require a virtual network link. These methods are beyond the scope of this quickstart article. For more information, see [What is Azure DNS Private Resolver](dns-private-resolver-overview.md).

+In this article, a virtual machines is used in a single virtual network. The virtual network is linked to your private DNS zone with autoregistration enabled. The setup is summarized in the following figure.

+The following example creates a DNS zone called **private.contoso.com** in a resource group called **MyResourceGroup**.

+1. On the portal search bar, type **private dns zones** in the search text box and press **Enter**.

+2. Under **Marketplace**, select **Private DNS zone**. The **Create Private DNS Zone** page opens.

+ 

+3. On the **Create Private DNS Zone** page, type or select the following values:

+ - **Resource group**: Select an existing resource group, or choose **Create new**. Enter a resource group name, and then select **OK**. For example: **MyResourceGroup**. The resource group name must be unique within the Azure subscription.

+ - **Name**: Type **private.contoso.com** for this example.

+4. The **Resource group location** is selected already if you use an existing resource group. If you created a new resource group, choose a location, for example: **(US) West US**.

+ 

+5. Select **Review + Create** and then select **Create**. It might take a few minutes to create the zone.

+## Create the virtual network and subnet

+1. From the Azure portal home page, select **Create a resource** > **Networking** > **Virtual network**, or search for **Virtual network** in the search box and then select **+ Create**.

+2. On the **Create virtual network** page, enter the following:

+- **Subscription**: Select your Azure subscription.

+- **Resource group**: Select an existing resource group or create a new one. The resource group doesn't need to be the same as the one used for the private DNS zone. In this example the same resource group is used (**MyResourceGroup**).

+- **Virtual network name**: Enter a name for the new virtual network. **MyVNet** is used in this example.

+- **Region**: If you created a new resource group, choose a location. **(US) West US** is used in this example.

+ 

+3. Select the **IP addresses** tab, and under **Add IPv4 address space** edit the default address space by entering **10.2.0.0/16**.

+ 

+4. In the subnets area, select the pen icon to edit the name of the default subnet, or delete the default subnet and select **+ Add a subnet**. The **Edit subnet** or **Add a subnet** pane opens, respectively. The Edit subnet pane is shown in this example.

+5. Next to Name, enter mySubnet and verify that the **Subnet address range** is **10.2.0.0 - 10.2.0.255**. The **Size** should be **/24 (256 addresses)**. These values are set by default based on the parent VNet address range.

+ 

+6. Select **Save**, select **Review + create**, and then select **Create**.

+Next, link the private DNS zone to the virtual network by adding a virtual network link.

+1. Search for and select **Private DNS zones** and then select your private zone. For example: **private.contoso.com**.

+2. Under **DNS Management**, select **Virtual Network Links** and then select **+ Add**.

+3. Enter the following parameters:

+- **Link name**: Provide a name for the link, for example: **MyVNetLink**.

+- **Subscription**: Select our subscription.

+- **Virtual Network**: Select the virtual network that you created, for example: **MyVNet**.

+4. Under **Configuration**, select the checkbox next to **Enable auto registration**.

+ 

+5. Select **Create**, wait until the virtual link is created, and then verify that it is listed on the **Virtual Network Links** page.

+## Create the test virtual machine

+Now, create a virtual machine to test autoregistgration in your private DNS zone:

+1. On the portal page upper left, select **Create a resource**, and then select **Windows Server 2019 Datacenter**.

+2. Select **MyResourceGroup** for the resource group.

+3. Type **myVM01** - for the name of the virtual machine.

+4. Select ***(US) West US** for the **Region**.

+5. Enter a name for the administrator user name.

+6. Enter a password and confirm the password.

+7. For **Public inbound ports**, select **Allow selected ports**, and then select **RDP (3389)** for **Select inbound ports**.

+8. Accept the other defaults for the page and then click **Next: Disks >**.

+9. Accept the defaults on the **Disks** page, then click **Next: Networking >**.

+10. Make sure that **myAzureVNet** is selected for the virtual network.

+11. Accept the other defaults for the page, and then click **Next: Management >**.

+12. For **Boot diagnostics**, select **Disable**, accept the other defaults, and then select **Review + create**.

+13. Review the settings and then click **Create**. It will take a few minutes for the virtual machine allocation to complete.

+14. Search for and select **Virtual machines** and then verify that the VM status is **Running**. If it isn't running, start the virtual machine.

+## Review autoregistion

+1. Search for or select **Private DNS zones** and then select the **private.contoso.com** zone.

+2. Under DNS Management, select Recordsets.

+3. Verify that a DNS record exists of **Type** **A** with an **Auto registered** value of **True**. See the following example:

+ 

+## Create another DNS record

+ You can also add records to the private DNS zone manually. The following example creates a record with the hostname **db** in the DNS Zone **private.contoso.com**. The fully qualified name of the record set is **db.private.contoso.com**. The record type is **A**, with an IP address corresponding to the autoregistered IP address of **myVM01.private.contoso.com**.

+1. Search for or select **Private DNS zones** and then select the **private.contoso.com** zone.

+2. Under **DNS Management**, select **Recordsets**.

+3. Select **+ Add**.

+3. Under **Name**, enter **db**.

+4. Next to **IP Address**, type the IP address you see for **myVM01**.

+5. Select **OK**.

+## Search and display records

+By default, the **Recordsets** node displays all record sets in the zone. A record set is a collection of records that have the same name and are the same type. Record sets are automatically fetched in batches of 100 as you scroll through the list.

+You can also search and display specific DNS record sets in the zone by entering a value in the search box. In the following example, one record with the name **db** is displayed:

+ 

+You can search by name, type, TTL, value, or autoregistration status. For example, the record **db** in this example is also displayed by searching for **A** (display all records of type A), **3600** (the record's TTL value), **10.2.0.5** (the IP address of the A record), or **False** (non-autoregistered records). All records in the zone that match the search criteria are displayed in batches of 100.

+## Test the private zone

+Now you can test the name resolution for your **private.contoso.com** private zone.

+You can use the ping command to test name resolution. You can do this by connecting to the virtual machine and opening a command prompt, or by using the **Run command** on this virtual machine.

+To use the Run command:

+1. Select **Virtual machines**, select your virtual machine, and then under **Operations** select **Run command**.

+2. Select **RunPowerShellScript**, under **Run Command Script** enter **ping myvm01.private.contoso.com** and then select **Run**. See the following example:

+ [  ](./media/private-dns-portal/ping-vm.png#lightbox)

+3. Now ping the **db** name you created previously:

+ ```

+ Pinging db.private.contoso.com [10.10.2.5] with 32 bytes of data:

+ Reply from 10.10.2.5: bytes=32 time<1ms TTL=128

+ Reply from 10.10.2.5: bytes=32 time<1ms TTL=128

+ Reply from 10.10.2.5: bytes=32 time<1ms TTL=128

+ Reply from 10.10.2.5: bytes=32 time<1ms TTL=128

+ Ping statistics for 10.10.2.5:

+When no longer needed, delete the **MyResourceGroup** resource group to delete the resources created in this quickstart.

+ Title: Import and export a private DNS zone file - Azure portal

+description: Learn how to import and export a private DNS (Domain Name System) zone file to Azure DNS by using Azure portal.

+# Import and export a private DNS zone file using the Azure portal

+In this article, you learn how to import and export a DNS zone file in Azure Private DNS using Azure portal. You can also [import and export a zone file using Azure CLI](private-dns-import-export.md).

+## Introduction to DNS zone migration

+A DNS zone file is a text file containing information about every DNS record in the zone. It follows a standard format, making it suitable for transferring DNS records between DNS systems. Using a zone file is a fast and convenient way to import DNS zones into Azure DNS. You can also export a zone file from Azure DNS to use with other DNS systems.

+Azure DNS supports importing and exporting zone files via the Azure CLI and the Azure portal.

+## Obtain your existing DNS zone file

+Before you import a DNS zone file into Azure DNS, you need to obtain a copy of the zone file. The source of this file depends on where the DNS zone is hosted.

+* If your DNS zone is hosted by a partner service, the service should provide a way for you to download the DNS zone file. Partner services include domain registrar, dedicated DNS hosting provider, or an alternative cloud provider.

+* If your DNS zone is hosted on Windows DNS, the default folder for the zone files is **%systemroot%\system32\dns**. The full path to each zone file is also shown on the **General** tab of the DNS console.

+* If your DNS zone is hosted using BIND, the location of the zone file for each zone gets specified in the BIND configuration file **named.conf**.

+> [!IMPORTANT]

+> If the zone file that you import contains CNAME entries that point to names in a another zone, Azure DNS must be able to resolve resource records in the other zone.

+## Import a DNS zone file into Azure DNS

+Importing a zone file creates a new zone in Azure DNS if the zone doesn't already exist. If the zone exists, then the record sets in the zone file are merged with the existing record sets.

+### Merge behavior

+* By default, the new record sets get merged with the existing record sets. Identical records within a merged record set aren't duplicated.

+* When record sets are merged, the time to live (TTL) of pre-existing record sets is used.

+* Start of Authority (SOA) parameters, except `host` are always taken from the imported zone file. The name server record set at the zone apex also always uses the TTL taken from the imported zone file.

+* An imported CNAME record will replace the existing CNAME record that has the same name.

+* When a conflict happens between a CNAME record and another record with the same name of different type, the existing record gets used.

+### Additional information about importing

+The following notes provide more details about the zone import process.

+* The `$TTL` directive is optional, and is supported. When no `$TTL` directive is given, records without an explicit TTL are imported set to a default TTL of 3600 seconds. When two records in the same record set specify different TTLs, the lower value is used.

+* The `$ORIGIN` directive is optional, and is supported. When no `$ORIGIN` is set, the default value used is the zone name as specified on the command line, including the ending dot (.).

+* The `$INCLUDE` and `$GENERATE` directives aren't supported.

+* The following record types are supported: A, AAAA, CAA, CNAME, MX, NS, SOA, SRV, and TXT.

+* The SOA record is created automatically by Azure DNS when a zone is created. When you import a zone file, all SOA parameters are taken from the zone file *except* the `host` parameter. This parameter uses the value provided by Azure DNS because it needs to refer to the primary name server provided by Azure DNS.

+* The name server record set at the zone apex is also created automatically by Azure DNS when the zone is created. Only the TTL of this record set is imported. These records contain the name server names provided by Azure DNS. The record data isn't overwritten by the values contained in the imported zone file.

+* Azure DNS supports only single-string TXT records. Multistring TXT records are to be concatenated and truncated to 255 characters.

+* The zone file to be imported must contain 10k or fewer lines with no more than 3k record sets.

+## Import a zone file

+1. Obtain a copy of the zone file for the zone you wish to import.

+

+ > [!NOTE]

+ > If the Start of Authority (SOA) record is present in the zone, it is overwritten with values that are compatible with Azure Private DNS. Nameserver (NS) records must be removed prior to import. Compatible resource record types for Azure Private DNS include A, AAAA, CNAME, MX, PTR, SOA, SRV, and TXT. Incompatible records are underlined in red in the Private DNS Zone Editor.

+ The following small zone file and resource records are used in this example:

+ ```text

+ ; MX Records

+ ; A Records

+ aa1 3600 IN A 10.10.0.1

+ db1002 3600 IN A 10.1.1.2

+ myvm 10 IN A 10.10.2.5

+ server1 3600 IN A 10.0.1.1

+ server2 3600 IN A 10.0.1.2

+ ; AAAA Records

+ ; CNAME Records

+ app1 3600 IN CNAME aa1.private.contoso.com.

+ ; PTR Records

+ ; TXT Records

+ ; SRV Records

+ ```

+ Names used:

+ - Origin zone name:ΓÇ»**private.contoso.com**ΓÇ»

+ - Destination zone name: **private.contoso.com**

+ - Zone filename:ΓÇ»**private.contoso.com.txt**ΓÇ»

+ - Resource group:ΓÇ»**myresourcegroup**

+2. Open the **Private DNS zones** overview page and select **Create**.

+3. On the **Create DNS zone** page, type or select the following values:

+ - **Resource group**: Choose an existing resource group, or select **Create new**, enter **myresourcegroup**, and select **OK**.

+ - **Name**: Type **private.contoso.com** for this example.

+4. Select the **Private DNS Zone Editor** tab and then drag and drop or browse and select the **private.contoso.com.txt** file. The **Private DNS Zone Editor** opens.

+5. If changes to the zone are needed, you can edit the values that are displayed.

+ 

+6. Select **Review + Create** and then select **Create**.

+7. When deployment is complete, select **Go to resource** and then select **Recordsets**. An SOA record compatible with Azure Private DNS is automatically added to the zone. See the following example:

+ [  ](./media/private-dns-import-export-portal/recordsets.png#lightbox)

+## Export a zone file

+1. Open the **Private DNS zones** overview page and select the zone you wish to export. For example, **private.contoso.com**. See the following example:

+ 

+2. Select **Export**. The file is downloaded to your default downloads directory as a text file with the name AzurePrivateDnsZone-private.contoso.com-`number`.txt where `number` is an autogenerated index number.

+3. Open the file to view the contents. See the following example:

+ ```text

+ ; Exported zone file from Azure Private DNS

+ ; Zone name: private.contoso.com

+ ; Date and time (UTC): Mon, 17 Jun 2024 20:35:47 GMT

+ $TTL 10

+ $ORIGIN private.contoso.com

+ ; SOA Record

+ @ 3600 IN SOA azureprivatedns.net azureprivatedns-host.microsoft.com (

+ 1 ;serial

+ 3600 ;refresh

+ 300 ;retry

+ 2419200 ;expire

+ 10 ;minimum ttl

+ )

+ ; MX Records

+ ; A Records

+ aa1 3600 IN A 10.10.0.1

+ db1002 3600 IN A 10.1.1.2

+ myvm 10 IN A 10.10.2.5

+ server1 3600 IN A 10.0.1.1

+ server2 3600 IN A 10.0.1.2

+ ; AAAA Records

+ ; CNAME Records

+ app1 3600 IN CNAME aa1.private.contoso.com.

+ ; PTR Records

+ ; TXT Records

+ ; SRV Records

+ ```

+## Next steps

+* Learn how to [manage record sets and records](./dns-getstarted-cli.md) in your DNS zone.

+The Domain Name System (DNS) is responsible for translating (resolving) a service name to an IP address. Azure DNS is a hosting service for domains and provides naming resolution using the Microsoft Azure infrastructure. Azure DNS not only supports internet-facing DNS domains, but it also supports private DNS zones.

+To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. You can also enable [autoregistration](private-dns-autoregistration.md) on a [virtual network link](private-dns-virtual-network-links.md). When you enable autoregistration on a virtual network link, the DNS records for the virtual machines in that virtual network are registered in the private zone. When autoregistration gets enabled, Azure DNS will update the zone record whenever a virtual machine gets created, changes its' IP address, or gets deleted.

+All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. When Azure Firewall has multiple public IPs configured for providing outbound connectivity, it will use the Public IPs as needed based on available ports. It will **randomly pick the first Public IP** and only use the **next available Public IP** after no more connections can be made from the current public IP **due to SNAT port exhaustion**.

+In scenarios where you have high throughput or dynamic traffic patterns, it is recommended to use an [Azure NAT Gateway](/azure/nat-gateway/nat-overview). Azure NAT Gateway dynamically selects public IPs for providing outbound connectivity. To learn more about how to integrate NAT Gateway with Azure Firewall, see [Scale SNAT ports with Azure NAT Gateway](/azure/firewall/integrate-with-nat-gateway).

+> [!NOTE]

+> Azure Firewall uses public IPs as needed based on available ports. After randomly selecting a public IP to connect outbound from, it will only use the next available public IP after no more connections can be made from the current public IP. In scenarios with high traffic volume and throughput, it is recommended to use a NAT Gateway to provide outbound connectivity. SNAT ports are dynamically allocated across all public IPs associated with NAT Gateway. To learn more see [integrate NAT Gateway with Azure Firewall](/azure/firewall/integrate-with-nat-gateway).

+- June 26, 2024: Adapt [Azure Storage types for SAP workload](./planning-guide-storage.md) to latest features, like snapshot capabilities for Premium SSD v2 and Ultra disk. Adapt ANF to support of mix of NFS and block storage between /hana/data and /hana/log

+- June 26, 2024: Fix wrong memory stated for some VMs in [SAP HANA Azure virtual machine Premium SSD storage configurations](./hana-vm-premium-ssd-v1.md) and [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md)

+This document is about HANA storage configurations for Azure premium storage or premium ssd as it was introduced years back as low latency storage for database management systems (DBMS) and other applications that need low latency storage. For general considerations around stripe sizes when using Logical Volume Manager (LVM), HANA data volume partitioning or other considerations that are independent of the particular storage type, check these two documents:

+> The suggestions for the storage configurations in this document are meant as directions to start with. Running workload and analyzing storage utilization patterns, you might realize that you aren't utilizing all the storage bandwidth or IOPS (I/O operations per second) provided. You might consider downsizing on storage then. Or in contrary, your workload might need more storage throughput than suggested with these configurations. As a result, you might need to deploy more capacity, IOPS or throughput. In the field of tension between storage capacity required, storage latency needed, storage throughput and IOPS required and least expensive configuration, Azure offers enough different storage types with different capabilities and different price points to find and adjust to the right compromise for you and your HANA workload.

+Azure Write Accelerator is a functionality that is available for Azure M-Series Virtual Machines (VM) exclusively in combination with Azure premium storage. As the name states, the purpose of the functionality is to improve I/O latency of writes against the Azure premium storage. For SAP HANA, Write Accelerator is supposed to be used against the **/hana/log** volume only. Therefore, the **/hana/data** and **/hana/log** are separate volumes with Azure Write Accelerator supporting the **/hana/log** volume only.

+For Azure premium storage disks smaller or equal to 512 GiB in capacity, burst functionality is offered. The exact way how disk bursting works is described in the article [Disk bursting](../../virtual-machines/disk-bursting.md). When you read the article, you understand the concept of accruing I/O Operations per second (IOPS) and throughput in the times when your I/O workload is below the nominal IOPS and throughput of the disks (for details on the nominal throughput see [Managed Disk pricing](https://azure.microsoft.com/pricing/details/managed-disks/)). You're going to accrue the delta of IOPS and throughput between your current usage and the nominal values of the disk. The bursts are limited to a maximum of 30 minutes.

+- Bursts of write triggered by database checkpoints or savepoints that are issued regularly

+| M176(d)s_4_v3 | 3,892 GiB | 4,000 MBps | 4 x P30 | 800 MBps | no bursting | 20,000 | no bursting |

+¹ VM type not available by default. Contact your Microsoft account team

+| M176(d)s_4_v3 | 3,892 GiB | 4,000 MBps | 3 x P15 | 375 MBps | 510 MBps | 3,300 | 10,500 |

+¹ VM type not available by default. Contact your Microsoft account team

+| M176(d)s_4_v3 | 3,892 GiB | 4,000 MBps | 1 x P30 | 1 x P10 | 1 x P6 |

+¹ VM type not available by default. Contact your Microsoft account team

+| M128ms, M128(d)ms_v2 | 3,892 GiB | 2,000 MB/s | 5 x P30 | 1 x E30 | 1 x E10 | 1 x E6 | Using Write Accelerator for combined data and log volume will limit IOPS rate to 20,000² |

+| M176(d)s_4_v3 | 3,892 GiB | 4,000 MBps | 5 x P30 | 1 x E30 | 1 x E10 | 1 x E6 | Using Write Accelerator for combined data and log volume will limit IOPS rate to 20,000² |

+This document is about HANA storage configurations for Azure Premium SSD v2. Azure Premium SSD v2 is a new storage that was developed to more flexible block storage with submillisecond latency for general purpose and DBMS workload. Premium SSD v2 simplifies the way how you build storage architectures and let's you tailor and adapt the storage capabilities to your workload. Premium SSD v2 allows you to configure and pay for capacity, IOPS (I/O operations per second), and throughput independent of each other.

+- With Premium SSD v2, the same storage configuration applies to the HANA certified Ev4, Ev5, and M-series virtual machines (VM) that offer the same memory

+| M32(d)ms_v2 | 875 GiB | 500 MBps | 30,000 | 1,056 GB | 425 MBps | 3,000 |

+| M48(d)s_1_v3, M96(d)s_1_v3 | 974 GiB | 1,560 MBps | 65,000 | 1,232 GB | 600 MBps | 5,000 |

+| M64s, M64(d)s_v2 | 1,024 GiB | 1,000 MBps | 40,000 | 1,232 GB | 600 MBps | 5,000 |

+| M64ms, M64(d)ms_v2 | 1,792 GiB | 1,000 MBps | 50,000 | 2,144 GB | 600 MBps | 5,000 |

+| M96(d)s_2_v3 | 1,946 GiB | 3,120 MBps | 130,000 | 2,464 GB | 800 MBps | 12,000|

+| M128s, M128(d)s_v2 | 2,048 GiB | 2,000 MBps | 80,000 | 2,464 GB | 800 MBps | 12,000|

+| M192i(d)s_v2 | 2,048 GiB | 2,000 MBps | 80,000| 2,464 GB | 800 MBps | 12,000|

+| M176(d)s_3_v3 | 2,794 GiB | 4,000 MBps | 130,000 | 3,424 GB | 1,000 MBps| 15,000 |

+| M176(d)s_4_v3 | 3,892 GiB | 4,000 MBps | 130,000 | 4,672 GB | 800 MBps | 12,000 |

+| M128ms, M128(d)ms_v2 | 3,892 GiB | 2,000 MBps | 80,000 | 4,672 GB | 800 MBps | 12,000 |

+| M192i(d)ms_v2 | 4,096 GiB | 2,000 MBps | 80,000 | 4,912 GB | 800 MBps | 12,000 |

+| M208s_v2 | 2,850 GiB | 1,000 MBps | 40,000 | 3,424 GB | 1,000 MBps| 15,000 |

+¹ VM type not available by default. Contact your Microsoft account team

+| M176(d)s_4_v3 | 3,892 GiB | 4,000 MBps | 130,000 | 512 GB | 300 MBps | 4,000 | 1,024 GB |

+¹ VM type not available by default. Contact your Microsoft account team

+| M832ixs¹ | 14,902 GiB | 2 | 7,451 GB | 40,000 | 6,000 | 34,000 | 2,000 MBps | 250 MBps | 1,750 MBps |

+| M832ixs¹ | 14,902 GiB | 4 | 3,726 GB | 40,000 | 12,000 | 28,000 | 2,000 MBps | 500 MBps | 1,500 MBps |

+| M832ixs¹ | 14,902 GiB | 8 | 1,863 GB | 40,000 | 24,000 | 16,000 | 2,000 MBps | 1,000 MBps | 1,000 MBps |

+¹ VM type not available by default. Contact your Microsoft account team

+| DBMS Data volume SAP HANA M/Mv2 VM families | Not supported | Not supported | Recommended | Recommended | Recommended | Recommended | Not supported |

+| DBMS log volume SAP HANA M/Mv2 VM families | Not supported | Not supported | Recommended¹ | Recommended | Recommended | Recommended | Not supported |

+| DBMS Data volume SAP HANA Esv3/Edsv4 VM families | Not supported | Not supported | Recommended | Recommended | Recommended | Recommended | Not supported |

+| DBMS log volume SAP HANA Esv3/Edsv4 VM families | Not supported | Not supported | Not supported | Recommended | Recommended | Recommended | Not supported |

+| HANA shared volume | Not supported | Not supported | Recommended | Recommended | Recommended | Recommended | Recommended |

+| Disk snapshots possible | Yes | Yes | Yes | Yes³ | No² | Yes | No |

+² Creation of different Azure NetApp Files capacity pools doesn't guarantee deployment of capacity pools onto different storage units

+³ (Incremental) Snapshots of a Premium SSD v2 or an Ultra disk can't be used immediately after they're created. The background copy must complete before you can create a disk from the snapshot

+| Disk snapshots possible | Yes¹ | - |

+| Azure Backup VM snapshots possible | Yes | - |

+¹ (Incremental) Snapshots of a Premium SSD v2 or an Ultra disk can't be used immediately after they're created. The background copy must complete before you can create a disk from the snapshot

+| Disk bursting | Yes | - |

+| Disk snapshots possible | Yes¹ | - |

+| Azure Backup VM snapshots possible | Yes | - |

+¹ (Incremental) Snapshots of a Premium SSD v2 or an Ultra disk can't be used immediately after they're created. The background copy must complete before you can create a disk from the snapshot

+**Summary:** Azure ultra disks are a suitable storage with low submillisecond latency for all kinds of SAP workload. So far, Ultra disk can only be used in combinations with VMs that have been deployed through Availability Zones (zonal deployment). In opposite to all other storage, Ultra disk can't be used for the base VHD disk. Ultra disk is ideal for cases where I/O workload fluctuates a lot and you want to adapt deployed storage throughput or IOPS to storage workload patterns instead of sizing for maximum usage of bandwidth and IOPS.

+- SAP HANA deployments using NFS v4.1 shares for /han)

+> Even for non-DBMS usage, you should use the functionality that allows you to create the NFS share in the same Azure Availability Zones as you placed your VM(s) that should mount the NFS shares into. This functionality is documented in the article [Manage availability zone volume placement for Azure NetApp Files](../../azure-netapp-files/manage-availability-zone-volume-placement.md). The motivation to have this type of Availability Zone alignment is the reduction of risk surface by having the NFS shares yet in another AvZone where you don't run VMs in.

+| Disk snapshots possible | Yes | - |

+- No in-VM configured storage redundancy should be used since Azure storage keeps the data disk redundant already at the Azure storage backend

+[Learn more](https://www.microsoft.com/security/business/partnerships) about Microsoft Services Security consulting services.

+Based on our experience with ransomware attacks, we find that prioritization should focus on: 1) prepare, 2) limit, 3) prevent. This may seem counterintuitive, since most people want to prevent an attack and move on. Unfortunately, we must assume breach (a key Zero Trust principle) and focus on reliably mitigating the most damage first. This prioritization is critical because of the high likelihood of a worst-case scenario with ransomware. While it's not a pleasant truth to accept, we're facing creative and motivated human attackers who are adept at finding a way to control the complex real-world environments in which we operate. Against that reality, it's important to prepare for the worst and establish frameworks to contain and prevent attackers' ability to get what they're after.

+While these priorities should govern what to do first, we encourage organizations to run steps in parallel where possible, including pulling quick wins forward from step 1 when you can.

+Prevent a ransomware attacker from entering your environment and rapidly respond to incidents to remove attacker access before they can steal and encrypt data. This causes attackers to fail earlier and more often, undermining the profit of their attacks. While prevention is the preferred outcome, it's a continuous journey and may not be possible to achieve 100% prevention and rapid response across a real-world organizations (complex multi-platform and multicloud estate with distributed IT responsibilities).

+To achieve this, organizations should identify and execute quick wins to strengthen security controls to prevent entry, and rapidly detect/evict attackers while implementing a sustained program that helps them stay secure. Microsoft recommends organizations follow the principles outlined in the Zero Trust strategy [here](https://aka.ms/zerotrust). Specifically, against Ransomware, organizations should prioritize:

+- Implementing Protection, Detection and Response controls for their digital assets that can protect against commodity and advanced threats, provide visibility and alerting on attacker activity and respond to active threats.

+Ensure you have strong controls (prevent, detect, respond) for privileged accounts like IT Admins and other roles with control of business-critical systems. This slows and/or blocks attackers from gaining complete access to your resources to steal and encrypt them. Taking away the attackers' ability to use IT Admin accounts as a shortcut to resources drastically lowers the chances they're successful at attacking you and demanding payment / profiting.

+Plan for the worst-case scenario and expect that it happens (at all levels of the organization). This helps your organization and others in the world you depend on:

+- Limits damage for the worst-case scenario ΓÇô While restoring all systems from backups is highly disruptive to business, this is more effective and efficient than trying to recovery using (low quality) attacker-provided decryption tools after paying to get the key. Note: Paying is an uncertain path ΓÇô You have no formal or legal guarantee that the key works on all files, the tools work effectively, or that the attacker (who may be an amateur affiliate using a professional's toolkit) will act in good faith.

+- Limit the financial return for attackers ΓÇô If an organization can restore business operations without paying the attackers, the attack fails and results in zero return on investment (ROI) for the attackers. This makes it less likely that they'll target the organization in the future (and deprives them of more funding to attack others).

+- Test 'Recover from Zero' Scenario ΓÇô test to ensure your business continuity / disaster recovery (BC/DR) can rapidly bring critical business operations online from zero functionality (all systems down). Conduct practice exercises to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email/chat/etc. is down).

+ It's critical to protect (or print) supporting documents and systems required for recovery including restoration procedure documents, CMDBs, network diagrams, SolarWinds instances, etc. Attackers destroy these regularly.

+## Promote awareness and ensure there's no knowledge gap

+As most ransomware variants rely on end-users to install the ransomware or connect to compromised Web sites, all end users should be educated about the dangers. This would typically be part of annual security awareness training as well as ad hoc training available through the company's learning management systems. The awareness training should also extend to the company's customers via the company's portals or other appropriate channels.

+SOC analysts and others involved in ransomware incidents should know the fundamentals of malicious software and ransomware specifically. They should be aware of major variants/families of ransomware, along with some of their typical characteristics. Customer call center staff should also be aware of how to handle ransomware reports from the company's end users and customers.

+There are a wide variety of technical controls that should be in place to protect, detect, and respond to ransomware incidents with a strong emphasis on prevention. At a minimum, SOC analysts should have access to the telemetry generated by antimalware systems in the company, understand what preventive measures are in place, understand the infrastructure targeted by ransomware, and be able to assist the company teams to take appropriate action.

+ - Next generation intrusion detection and prevention systems

+ - Static and dynamic malware analysis tools

+ - Internal Configuration Management Databases (CMDBs) containing endpoint device info

+- Data protection

+Ensure your organization undertakes a number of activities roughly following the incident response steps and guidance described in the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (Special Publication 800-61r2) to prepare for potential ransomware incidents. These steps include:

+1. **Preparation**: This stage describes the various measures that should be put into place prior to an incident. This may include both technical preparations (such as the implementation of suitable security controls and other technologies) and non-technical preparations (such as the preparation of processes and procedures).

+1. **Triggers / Detection**: This stage describes how this type of incident may be detected and what triggers may be available that should be used to initiate either further investigation or the declaration of an incident. These are generally separated into high-confidence and low-confidence triggers.

+1. **Investigation / Analysis**: This stage describes the activities that should be undertaken to investigate and analyze available data when it isn't clear that an incident has occurred, with the goal of either confirming that an incident should be declared or concluded that an incident hasn't occurred.

+1. **Incident Declaration**: This stage covers the steps that must be taken to declare an incident, typically with the raising of a ticket within the enterprise incident management (ticketing) system and directing the ticket to the appropriate personnel for further evaluation and action.

+1. **Containment / Mitigation**: This stage covers the steps that may be taken either by the Security Operations Center (SOC), or by others, to contain or mitigate (stop) the incident from continuing to occur or limiting the effect of the incident using available tools, techniques, and procedures.

+1. **Remediation / Recovery**: This stage covers the steps that may be taken to remediate or recover from damage that was caused by the incident before it was contained and mitigated.

+1. **Post-Incident Activity**: This stage covers the activities that should be performed once the incident has been closed. This can include capturing the final narrative associated with the incident as well as identifying lessons learned.

+Ensure that you have appropriate processes and procedures in place. Almost all ransomware incidents result in the need to restore compromised systems. So appropriate and tested backup and restore processes and procedures should be in place for most systems. There should also be suitable containment strategies in place with suitable procedures to stop ransomware from spreading and recovery from ransomware attacks.

+Ensure that you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers and from the malware analysis provider. These contacts may be useful if the ransomware variant may have known weaknesses or decryption tools may be available.

+The Azure platform provides backup and recovery options through Azure Backup as well built-in within various data services and workloads.

+- On-premises Windows Servers (back up to cloud using MARS agent)

+Ransomware and extortion are a high profit, low-cost business, which has a debilitating impact on targeted organizations, national/regional security, economic security, and public health and safety. What started as simple, single-PC ransomware grew to include various extortion techniques directed at all types of corporate networks and cloud platforms.

+To ensure customers running on Azure are protected against ransomware attacks, Microsoft invests heavily on the security of our cloud platforms, and provides security controls you need to protect your Azure cloud workloads

+By using Azure native ransomware protections and implementing the best practices recommended in this article, you're taking measures that positions your organization to prevent, protect, and detect potential ransomware attacks on your Azure assets.

+This article lays out key Azure native capabilities and defenses for ransomware attacks and guidance on how to proactively use these to protect your assets on Azure cloud.

+Ransomware attacks are one of the biggest security challenges facing businesses today. When successful, ransomware attacks can disable a business core IT infrastructure, and cause destruction that could have a debilitating impact on the physical, economic security or safety of a business. Ransomware attacks are targeted to businesses of all types. This requires that all businesses take preventive measures to ensure protection.

+Recent trends on the number of attacks are alarming. While 2020 wasn't a good year for ransomware attacks on businesses, 2021 started on a bad trajectory. On May 7, the Colonial pipeline (Colonial) attack shut down services such as pipeline transportation of diesel, gasoline, and jet fuel were temporary halted. Colonial shut the critical fuel network supplying the populous eastern states.

+Historically, cyberattacks were seen as a sophisticated set of actions targeting particular industries, which left the remaining industries believing they were outside the scope of cybercrime, and without context about which cybersecurity threats they should prepare for. Ransomware represents a major shift in this threat landscape, and it's made cyberattacks a real and omnipresent danger for everyone. Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams.

+Ransomware is a type of malware that infects a computer and restricts a user's access to the infected system or specific files in order to extort them for money. After the target system is compromised, it typically locks out most interaction and displays an on-screen alert, typically stating that the system is locked or that all of their files have been encrypted. It then demands a substantial ransom be paid before the system is released or files decrypted.

+Ransomware will typically exploit the weaknesses or vulnerabilities in your organization's IT systems or infrastructures to succeed. The attacks are so obvious that it doesn't take much investigation to confirm that your business has been attacked or that an incident should be declared. The exception would be a spam email that demands ransom in exchange for supposedly compromising materials. In this case, these types of incidents should be dealt with as spam unless the email contains highly specific information.

+1. Exposure is where attackers look for opportunities to gain access to your infrastructure. For example, attackers know customer-facing applications must be open for legitimate users to access them. Those applications are exposed to the Internet and therefore susceptible to attacks.

+1. Attackers try to exploit an exposure to gain access to your public cloud infrastructure. This can be done through compromised user credentials, compromised instances, or misconfigured resources.

+1. During the lateral movement stage, attackers discover what resources they have access to and what the scope of that access is. Successful attacks on instances give attackers access to databases and other sensitive information. The attacker then searches for other credentials. Our Microsoft Defender for Cloud data shows that without a security tool to quickly notify you of the attack, it takes organizations on average 101 days to discover a breach. Meanwhile, in just 24-48 hours after a breach, the attacker usually have complete control of the network.

+- The attack surface is increased as more businesses offer more services through digital outlets

+- The option to use cryptocurrency for blackmail payments openes new avenues for exploit

+- Prevalence of old, outdated, and antiquated infrastructure systems and software

+- Outdated or old operating systems that are close to or have gone beyond end-of-support dates

+- Knowledge gap

+There are varying opinions on what the best option is when confronted with this vexing demand. The Federal Bureau of Investigation (FBI) advises victims not to pay ransom but to instead be vigilant and take proactive measures to secure their data before an attack. They contend that paying doesn't guarantee that locked systems and encrypted data are released again. The FBI says another reason not to pay is that payments to cyber criminals incentivize them to continue to attack organizations

+The best way to prevent paying ransom isn't to fall victim by implementing preventive measures and having tool saturation to protect your organization from every step that attacker takes wholly or incrementally to hack into your system. In addition, having the ability to recover impacted assets ensure restoration of business operations in a timely fashion. Azure Cloud has a robust set of tools to guide you all the way.

+Colonial Pipeline paid about $4.4 Million in ransom to have their data released. This doesn't include the cost of downtime, lost productive, lost sales and the cost of restoring services. More broadly, a significant impact is the "knock-on effect" of impacting high numbers of businesses and organizations of all kinds including towns and cities in their local areas. The financial impact is also staggering. According to Microsoft, the global cost associated with ransomware recovery is projected to exceed $20 billion in 2021.

+> This article references CentOS, a Linux distribution that has reached End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ - CentOS distributions **are no longer supported**, as they have reached End Of Life (EOL) status. See note at the beginning of this article.

+> This article references CentOS, a Linux distribution that has reached End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that has reached End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+For example, if your log messages aren't appearing in the *Syslog* or *CommonSecurityLog* tables, your data source might not be connecting properly. There might also be another reason your data isn't being received.

+Other symptoms of a failed connector deployment include when either the **security_events.conf** or the **security-omsagent.config.conf** files are missing, or if the rsyslog server isn't listening on port 514.

+If you deployed your connector using a different method than the documented procedure, and if you're having issues, we recommend that you scrap the deployment and start over, this time following the documented instructions.

+When information in this article is relevant only for Syslog or only for CEF connectors, it's presented in separate tabs. Make sure that you're using the instructions on the correct tab for your connector type.

+For example, if you're troubleshooting a CEF connector, start with [Validate CEF connectivity](#validate-cef-connectivity). If you're troubleshooting a Syslog connector, start with [Verify your data connector prerequisites](#verify-your-data-connector-prerequisites).

+After you [deploy your log forwarder](connect-common-event-format.md) and [configure your security solution to send it CEF messages](./connect-common-event-format.md), use the steps in this section to verify connectivity between your security solution and Microsoft Sentinel.

+ - You might need the Workspace ID and Workspace Primary Key at some point in this process. You can find them in the workspace resource, under **Agents management**.

+1. From the Microsoft Sentinel navigation menu, open **Logs**. Run a query using the **CommonSecurityLog** schema to see if you're receiving logs from your security solution.

+ It might take about 20 minutes until your logs start to appear in **Log Analytics**.

+1. If you don't see any results from the query, verify that your security solution is generating log messages. Or, try taking some actions to generate log messages, and verify that the messages are forwarded to your designated Syslog forwarder machine.

+1. To check connectivity between your security solution, the log forwarder, and Microsoft Sentinel, run the following script on the log forwarder (applying the Workspace ID in place of the placeholder). This script checks that the daemon is listening on the correct ports, that the forwarding is properly configured, and that nothing is blocking communication between the daemon and the Log Analytics agent. It also sends mock messages 'TestCommonEventFormat' to check end-to-end connectivity. <br>

+ - You might get a message directing you to run a command to correct an issue with the **mapping of the *Computer* field**. See the [explanation in the validation script](#mapping-command) for details.

+ - You might get a message directing you to run a command to correct an issue with the **parsing of Cisco ASA firewall logs**. See the [explanation in the validation script](#parsing-command) for details.

+ - <a name="parsing-command"></a>If there's an issue with the parsing, the script produces an error message directing you to **manually run the following command** (applying the Workspace ID in place of the placeholder). The command ensures the correct parsing and restarts the agent.

+ - <a name="mapping-command"></a>If there's an issue with the mapping, the script produces an error message directing you to **manually run the following command** (applying the Workspace ID in place of the placeholder). The command ensures the correct mapping and restarts the agent.

+ - <a name="parsing-command"></a>If there's an issue with the parsing, the script produces an error message directing you to **manually run the following command** (applying the Workspace ID in place of the placeholder). The command ensures the correct parsing and restarts the agent.

+ - <a name="mapping-command"></a>If there's an issue with the mapping, the script produces an error message directing you to **manually run the following command** (applying the Workspace ID in place of the placeholder). The command ensures the correct mapping and restarts the agent.

+If you're troubleshooting a Syslog data connector, start with verifying your prerequisites in the [next section](#verify-your-data-connector-prerequisites), using the information in the **Syslog** tab.

+If you're using an on-premises machine or a non-Azure virtual machine for your data connector, make sure that you've run the installation script on a fresh installation of a supported Linux operating system:

+- While you're setting up your Syslog data connector, make sure to turn off your [Microsoft Defender for Cloud auto-provisioning settings](../security-center/security-center-enable-data-collection.md) for the [MM#connector-options).

+ - If you don't see any packets arriving, confirm the NSG security group permissions and the routing path to the Syslog Collector.

+ - If you do see packets arriving, confirm that they aren't being rejected.

+ If you see rejected packets, confirm that the IP tables aren't blocking the connections.

+ To confirm that packets aren't being rejected, run:

+ If the connection is blocked, you may have a [blocked SELinux connection to the OMS agent](#selinux-blocking-connection-to-the-oms-agent), or a [blocked firewall process](#blocked-firewall-policy). Use the relevant instructions further on to determine the issue.

+ - If you don't see any packets arriving, confirm the NSG security group permissions and the routing path to the Syslog Collector.

+ - If you do see packets arriving, confirm that they aren't being rejected.

+ If you see rejected packets, confirm that the IP tables aren't blocking the connections.

+ To confirm that packets aren't being rejected, run:

+If the steps described earlier in this article don't solve your issue, you may have a connectivity problem between the OMS Agent and the Microsoft Sentinel workspace.

+If the steps described earlier in this article don't solve your issue, you may have a connectivity problem between the OMS Agent and the Microsoft Sentinel workspace.

+If the troubleshooting steps in this article haven't helped your issue, open a support ticket or use the Microsoft Sentinel community resources. For more information, see [Useful resources for working with Microsoft Sentinel](resources.md).

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers :heavy_check_mark: Azure VMs.

+Pre and post events allows you to execute user-defined actions before and after the scheduled maintenance configuration. For more information, go through the [workings of a pre and post event in Azure Update Manager](pre-post-scripts-overview.md).

+This article describes on how to create and manage the pre and post events in Azure Update Manager.

+## Event Grid in schedule maintenance configurations

+Azure Update Manager leverages Event grid to create and manage pre and post events. For more information, go through the [overview of Event Grid](../event-grid/overview.md). To trigger an event either before or after a schedule maintenance window, you require the following:

+1. **Schedule maintenance configuration** - You can create Pre and post events for a schedule maintenance configuration in Azure Update Manager. For more information, see [schedule updates using maintenance configurations](scheduled-patching.md).

+1. **Actions to be performed in the pre or post event** - You can use the [Event handlers](../event-grid/event-handlers.md) (Endpoints) supported by Event Grid to define actions or tasks. Here are examples on how to create Azure Automation Runbooks via Webhooks and Azure Functions. Within these Event handlers/Endpoints, you must define the actions that should be performed as part of pre and post events.

+ 1. **Webhook** - Create a PowerShell 7.2 Runbook.[Learn more](../automation/automation-runbook-types.md#powershell-runbooks) and link the Runbook to a webhook. [Learn more](../automation/automation-webhooks.md).

+ 1. **Azure Function** - Create an Azure Function. [Learn more][Create your first function in the Azure portal](../azure-functions/functions-create-function-app-portal.md).

+1. **Pre and post event** - You can follow the steps shared in the following section to create a pre and post event for schedule maintenance configuration. For more information in the Basics tab of Event

+- Based on upstream Ubuntu and AlmaLinux marketplace VM images.

+This article describes how to expand managed disks for a Linux virtual machine (VM). You can [add data disks](add-disk.md) to provide for more storage space, and you can also expand an existing data disk. The default virtual hard disk size for the operating system (OS) is typically 30 GB on a Linux VM in Azure. This article covers expanding either OS disks or data disks. You can't expand the size of striped volumes.

+An OS disk has a maximum capacity of 4,095 GiB. However, many operating systems are partitioned with [master boot record (MBR)](https://wikipedia.org/wiki/Master_boot_record) by default. MBR limits the usable size to 2 TiB. If you need more than 2 TiB, consider attaching data disks for data storage. If you do need to store data on the OS disk and require extra space, convert it to GUID Partition Table (GPT).

+When expanding a data disk, when there are several data disks present on the VM, it may be difficult to relate the Azure LUNs to the Linux devices. If the OS disk needs expansion, it is clearly labeled in the Azure portal as the OS disk.

+Here we can see, for example, the `/opt/db/data` filesystem is nearly full, and is located on the `/dev/sdd1` partition. The output of `df` shows the device path whether the disk is mounted using the device path or the (preferred) UUID in the fstab. Also take note of the Type column, indicating the format of the filesystem. The format is important later.

+Now locate the LUN that correlates to `/dev/sdd` by examining the contents of `/dev/disk/azure/scsi1`. The output of the following `ls` command shows that the device known as `/dev/sdd` within the Linux OS is located at LUN1 when looking in the Azure portal.

+> While there are many tools that may be used for performing the partition resizing, the tools detailed in the remainder of this document are the same tools used by certain automated processes such as cloud-init. As described here, the `growpart` tool with the `gdisk` package provides universal compatibility with GUID Partition Table (GPT) disks, as older versions of some tools such as `fdisk` did not support GPT.

+If a data disk was expanded without downtime using the procedure mentioned previously, the reported disk size doesn't change until the device is rescanned, which normally only happens during the boot process. This rescan can be called on-demand with the following procedure. In this example, we find using the methods in this document that the data disk is currently `/dev/sda` and was resized from 256 GiB to 512 GiB.

+1. Insert a `1` character into the rescan file for this device. Note the reference to sda in the example. The disk identifier would change if a different disk device was resized.

+1. Verify that the new disk size is now recognized

+The remainder of this article uses the OS disk for the examples of the procedure for increasing the size of a volume at the OS level. If the expanded disk is a data disk, use the [previous guidance for identifying the data disk device](#identifyDisk), and follow these instructions as a guideline, substituting the data disk device (for example `/dev/sda`), partition numbers, volume names, mount points, and filesystem formats, as necessary.

+All Linux OS guidance should be viewed as generic and may apply on any distribution, but generally matches the conventions of the named marketplace publisher. Reference the Red Hat documents for the package requirements on any distribution based on Red Hat or claiming Red Hat compatibility.

+On Ubuntu 16.x and newer, the root partition of the OS disk and filesystems are automatically expanded to utilize all free contiguous space on the root disk by cloud-init, provided there's a small bit of free space for the resize operation. In this case, the sequence is simply

+As shown in the following example, the OS disk was resized from the portal to 100 GB. The **/dev/sda1** file system mounted on **/** now displays 97 GB.

+1. Follow the procedure previously described to expand the disk in the Azure infrastructure.

+1. Use the following command to install the **growpart** package, which is used to resize the partition, if it isn't already present:

+1. Run the `lsblk` command again to check whether the partition was increased.

+ The following output shows that the **/dev/sda4** partition was resized to 46.5 GB:

+ In the preceding example, we can see that the file system size for the OS disk was increased.

+# [Red Hat with LVM](#tab/rhellvm)

+1. Follow the procedure previously described to expand the disk in the Azure infrastructure.

+1. Check whether there's free space in the LVM volume group (VG) containing the root partition. If there's free space, skip to step 12.

+1. Install the **cloud-utils-growpart** package to provide the **growpart** command, which is required to increase the size of the OS disk and the gdisk handler for GPT disk layouts This package is preinstalled on most marketplace images

+ dnf install cloud-utils-growpart gdisk

+ In Red Hat versions 7 and below you can use `yum` command instead of `dnf`.

+1. Verify that the partition has resized to the expected size by using the `lsblk` command again. Notice that in the example **sda4** changed from 63G to 95G.

+1. Expand the LV by the required amount, which doesn't need to be all the free space in the volume group. In the following example, **/dev/mapper/rootvg-rootlv** is resized from 2 GB to 12 GB (an increase of 10 GB) through the following command. This command also resizes the file system on the LV.

+# [Red Hat without LVM](#tab/rhelraw)

+1. Follow the procedure previously described to expand the disk in the Azure infrastructure.

+1. When the VM restarts completely, perform the following steps:

+ dnf install cloud-utils-growpart gdisk

+ In Red Hat versions 7 and below you can use `yum` command instead of `dnf`.

+

+1. For verification, start by listing the partition table of the sda disk with **gdisk**. In this example, we see a 48.0 GiB disk with partition #2 sized 29.0 GiB. The disk was expanded from 30 GB to 48 GB in the Azure portal.

+1. Expand the partition for root, in this case sda2 by using the **growpart** command. Using this command expands the partition to use all of the contiguous space on the disk.

+1. Now print the new partition table with **gdisk** again. Notice that partition 2 has is now sized 47.0 GiB

+> Azure Firewall randomly selects one of its associated Public IPs for outbound connectivity and only uses the next available Public IP after no more connections can be made from the current public IP due to SNAT port exhaustion. It is recommended to instead use NAT Gateway to provide dynamic scalability of your outbound connectivity.

+> Protocols other than Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) in network filter rules are unsupported for SNAT to the public IP of the firewall.