-|Tenant size | You need to plan with Azure AD B2C tenant size in mind. By default, Azure AD B2C tenant can accommodate 1.25 million objects (user accounts and applications). You can increase this limit to 5.25 million objects by adding a custom domain to your tenant, and verifying it. If you need a bigger tenant size, you need to contact [Support](find-help-open-support-ticket.md).|

-If the application needs to validate an ID token or an access token, it should first validate the signature of the token and the issuer against the values in the OpenID discovery document. For example, the tenant-independent version of the document is located at [https://login.microsoftonline.com/common/.well-known/openid-configuration](https://login.microsoftonline.com/common/.well-known/openid-configuration).

-| User or admin revokes the refresh tokens by using [PowerShell](/powershell/module/microsoft.graph.users.actions/invoke-mginvalidateuserrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked |

-Currently, Azure AD Connect does not support synchronizing temporary passwords with Azure AD. A password is considered to be temporary if the **Change password at next logon** option is set on the on-premises Active Directory user. The following error is returned:

-zone_pivot_groups: enterprise-apps-minus-aad-powershell

-zone_pivot_groups: enterprise-apps-minus-aad-powershell

-zone_pivot_groups: enterprise-apps-minus-aad-powershell

-There may be situations while configuring or managing an application where you don't want tokens to be issued for an application. Or, you may want to block an application that you don't want your employees to try to access. To block user access to an application, you can disable user sign-in for the application, which will prevent all tokens from being issued for that application.

-In this article, you'll learn how to prevent users from signing in to an application in Azure Active Directory through both the Azure portal and PowerShell. If you're looking for how to block specific users from accessing an application, use [user or group assignment](./assign-user-or-group-access-portal.md).

-## Disable how a user signs in

-You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using the following Azure AD PowerShell cmdlet.

-You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.

-You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft, you can manually create the service principal for the app and then disable it by using Microsoft Graph explorer.

-You'll need to consent to the `Application.ReadWrite.All` permission.

-zone_pivot_groups: enterprise-apps-minus-aad-powershell

-To revoke application permissions granted for the entire organization:

-To review application permissions:

- The attributes selected as **Matching** properties are used to match the user accounts between tenants and avoid creating duplicates.

-

-1. Go to **Azure AD** and select **Scenario Health** from the side menu.

-| Azure AD Premium P1 <br /> Azure AD Premium P2 | When you sign up for a subscription |

-> Risky users are not deleted until the risk has been remediated.

-## Can I see last month's data after getting an Azure AD premium license?

-> This integration is also available to use from Microsoft Entra ID US Government Cloud environment. You can find this application in the Microsoft Entra ID US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

-description: Learn how to configure single sign-on between Azure Active Directory and Tanium Cloud SSO.

-# Azure Active Directory SSO integration with Tanium Cloud SSO

-In this article, you learn how to integrate Tanium Cloud SSO with Azure Active Directory (Azure AD). Tanium, the industryΓÇÖs only provider of converged endpoint management (XEM), leads the paradigm shift in legacy approaches to managing complex security and technology environments. When you integrate Tanium Cloud SSO with Azure AD, you can:

-* Control in Azure AD who has access to Tanium Cloud SSO.

-* Enable your users to be automatically signed-in to Tanium Cloud SSO with their Azure AD accounts.

-* Manage your accounts in one central location - the Azure portal.

-You'll configure and test Azure AD single sign-on for Tanium Cloud SSO in a test environment. Tanium Cloud SSO supports both **SP** and **IDP** initiated single sign-on and also **Just In Time** user provisioning.

-## Prerequisites

-To integrate Azure Active Directory with Tanium Cloud SSO, you need:

-* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

-* Tanium Cloud SSO single sign-on (SSO) enabled subscription.

-## Add application and assign a test user

-Before you begin the process of configuring single sign-on, you need to add the Tanium Cloud SSO application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

-### Add Tanium Cloud SSO from the Azure AD gallery

-Add Tanium Cloud SSO from the Azure AD application gallery to configure single sign-on with Tanium Cloud SSO. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

-### Create and assign Azure AD test user

-Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

-## Configure Azure AD SSO

-Complete the following steps to enable Azure AD single sign-on in the Azure portal.

-1. In the Azure portal, on the **Tanium Cloud SSO** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Select a single sign-on method** page, select **SAML**.

-1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, perform the following steps:

- a. In the **Identifier** textbox, type a URL using the following pattern:

- `urn:amazon:cognito:sp:InstanceName`

- b. In the **Reply URL** textbox, type a URL using the following pattern:

- `https://<InstanceName>-tanium.auth.<SUBDOMAIN>.amazoncognito.com/saml2/idpresponse`

-1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

- In the **Sign on URL** textbox, type a URL using the following pattern:

- `https://<InstanceName>.cloud.tanium.com`

- > [!NOTE]

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Tanium Cloud SSO Client support team](mailto:integrations@tanium.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

- 

-## Configure Tanium Cloud SSO

-To configure single sign-on on **Tanium Cloud SSO** side, you need to send the **App Federation Metadata Url** to [Tanium Cloud SSO support team](mailto:integrations@tanium.com). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create Tanium Cloud SSO test user

-In this section, a user called B.Simon is created in Tanium Cloud SSO. Tanium Cloud SSO supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Tanium Cloud SSO, a new one is created after authentication.

-## Test SSO

-In this section, you test your Azure AD single sign-on configuration with following options.

-#### SP initiated:

-* Click on **Test this application** in Azure portal. This will redirect to Tanium Cloud SSO Sign-on URL where you can initiate the login flow.

-* Go to Tanium Cloud SSO Sign-on URL directly and initiate the login flow from there.

-#### IDP initiated:

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Tanium Cloud SSO for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the Tanium Cloud SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Tanium Cloud SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-## Additional resources

-* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

-* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

-## Next steps

-Once you configure Tanium Cloud SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

-> This feature is not yet available in all regions.

-To keep up with application demands in Azure Kubernetes Service (AKS), you may need to adjust the number of nodes that run your workloads. The cluster autoscaler component can watch for pods in your cluster that can't be scheduled because of resource constraints. When issues are detected, the number of nodes in a node pool increases to meet the application demand. Nodes are also regularly checked for a lack of running pods, with the number of nodes then decreased as needed. This ability to automatically scale up or down the number of nodes in your AKS cluster lets you run an efficient, cost-effective cluster.

-This article requires that you're running the Azure CLI version 2.0.76 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

-To adjust to changing application demands, such as between the workday and evening or on a weekend, clusters often need a way to automatically scale. AKS clusters can scale in one of two ways:

-Both the horizontal pod autoscaler and cluster autoscaler can decrease the number of pods and nodes as needed. The cluster autoscaler decreases the number of nodes when there has been unused capacity for a period of time. Pods on a node to be removed by the cluster autoscaler are safely scheduled elsewhere in the cluster.

-If the current node pool size is lower than the specified minimum or greater than the specified maximum when you enable autoscaling, the autoscaler waits to take effect until a new node is needed in the node pool or until a node can be safely deleted from the node pool.

-For more information about how scaling down works, see [How does scale-down work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-down-work).

-For more information about how the cluster autoscaler may be unable to scale down, see [What types of pods can prevent the cluster autoscaler from removing a node?][autoscaler-scaledown].

-The cluster and horizontal pod autoscalers can work together and are often both deployed in a cluster. When combined, the horizontal pod autoscaler runs the number of pods required to meet application demand. The cluster autoscaler runs the number of nodes required to support the scheduled pods.

-| scale-down-unneeded-time | How long a node should be unneeded before it is eligible for scale down | 10 minutes |

-| scale-down-unready-time | How long an unready node should be unneeded before it is eligible for scale down | 20 minutes |

-| skip-nodes-with-local-storage | If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath | false |

-| skip-nodes-with-system-pods | If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods) | true |

-| ok-total-unready-count | Number of allowed unready nodes, irrespective of max-total-unready-percentage | 3 nodes |

-> * The cluster autoscaler profile requires version *2.11.1* or greater of the Azure CLI. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

-1. Set up a rule for resource logs to push cluster autoscaler logs to Log Analytics. Follow the [instructions here][aks-view-master-logs], and make sure you check the box for `cluster-autoscaler` when selecting options for "Logs".

-2. Select the "Logs" section on your cluster via the Azure portal.

-3. Input the following example query into Log Analytics:

- As long as there are logs to retrieve, you should see logs similar to the following:

-The cluster autoscaler also writes out the health status to a `configmap` named `cluster-autoscaler-status`. You can retrieve these logs using the following `kubectl` command:

-```bash

-kubectl get configmap -n kube-system cluster-autoscaler-status -o yaml

-```

-To learn more about the autoscaler logs, read the FAQ on the [Kubernetes/autoscaler GitHub project][kubernetes-faq].

-You can use the cluster autoscaler with [multiple node pools][aks-multiple-node-pools] enabled. When using both features together, you enable the cluster autoscaler on each individual node pool in the cluster and can pass unique autoscaling rules to each.

-* Update an existing node pool's settings using the [`az aks nodepool update`][az-aks-nodepool-update] command. The following command continues from the [previous steps](#enable-the-cluster-autoscaler-on-a-new-cluster) in this article:

-Re-enable the cluster autoscaler on a node pool using the [az aks nodepool update][az-aks-nodepool-update] command and specifying the `--enable-cluster-autoscaler`, `--min-count`, and `--max-count` parameters.

-> [!NOTE]

-> If you plan on using the cluster autoscaler with node pools that span multiple zones and leverage scheduling features related to zones such as volume topological scheduling, we recommend that you have one node pool per zone and enable the `--balance-similar-node-groups` through the autoscaler profile. This ensure the autoscaler can successfully scale up and keep the sizes of the node pools balanced.

-Kubernetes supports [horizontal pod autoscaling][kubernetes-hpa] to adjust the number of pods in a deployment depending on CPU utilization or other select metrics. The [Metrics Server][metrics-server] is used to provide resource utilization to Kubernetes. You can configure horizontal pod autoscaling through the `kubectl autoscale` command or through a manifest. For more details on using the horizontal pod autoscaler, see the [HorizontalPodAutoscaler Walkthrough][kubernetes-hpa-walkthrough].

-description: Learn how to integrate Azure Kubernetes Service (AKS) with Azure Container Registry (ACR)

-# Authenticate with Azure Container Registry from Azure Kubernetes Service

-When using [Azure Container Registry (ACR)][acr-intro] with Azure Kubernetes Service (AKS), you need to establish an authentication mechanism. Configuring the required permissions between ACR and AKS can be accomplished using the Azure CLI, Azure PowerShell, and Azure portal. This article provides examples to configure authentication between these Azure services using the Azure CLI or Azure PowerShell.

-> There is a latency issue with Azure Active Directory groups when attaching ACR. If the **AcrPull** role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there may be a delay before the RBAC group takes effect. If you are running automation that requires the RBAC configuration to be complete, we recommended you use the [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue.

-* You need to have the [**Owner**][rbac-owner], [**Azure account administrator**][rbac-classic], or [**Azure co-administrator**][rbac-classic] role on your **Azure subscription**.

-## Create a new AKS cluster with ACR integration

-You can set up AKS and ACR integration during the creation of your AKS cluster. To allow an AKS cluster to interact with ACR, an Azure AD managed identity is used.

-### Create an ACR

-If you don't already have an ACR, create one using the following command.

-```azurecli

-# Set this variable to the name of your ACR. The name must be globally unique.

-# Connected registry name must use only lowercase

-MYACR=mycontainerregistry

-az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic

-```

-```azurepowershell

-# Set this variable to the name of your ACR. The name must be globally unique.

-# Connected registry name must use only lowercase

-$MYACR = 'mycontainerregistry'

-New-AzContainerRegistry -Name $MYACR -ResourceGroupName myContainerRegistryResourceGroup -Sku Basic

-```

-### Create a new AKS cluster and integrate with an existing ACR

-If you already have an ACR, use the following command to create a new AKS cluster with ACR integration. This command allows you to authorize an existing ACR in your subscription and configures the appropriate **AcrPull** role for the managed identity. Supply valid values for your parameters below.

-```azurecli

-# Set this variable to the name of your ACR. The name must be globally unique.

-# Connected registry name must use only lowercase

-MYACR=mycontainerregistry

-# Create an AKS cluster with ACR integration.

-az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR

-```

-Alternatively, you can specify the ACR name using an ACR resource ID using the following format:

-`/subscriptions/\<subscription-id\>/resourceGroups/\<resource-group-name\>/providers/Microsoft.ContainerRegistry/registries/\<name\>`

-> [!NOTE]

-> If you're using an ACR located in a different subscription from your AKS cluster, use the ACR *resource ID* when attaching or detaching from the cluster.

->

-> ```azurecli

-> az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr /subscriptions/<subscription-id>/resourceGroups/myContainerRegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/myContainerRegistry

-> ```

-This command may take several minutes to complete.

-```azurepowershell

-# Set this variable to the name of your ACR. The name must be globally unique.

-# Connected registry name must use only lowercase

-

-$MYACR = 'mycontainerregistry'

-# Create an AKS cluster with ACR integration.

-New-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup -GenerateSshKey -AcrNameToAttach $MYACR

-```

-This command may take several minutes to complete.

-## Configure ACR integration for existing AKS clusters

-### Attach an ACR to an AKS cluster

-Integrate an existing ACR with an existing AKS cluster using the [`--attach-acr` parameter][cli-param] and valid values for **acr-name** or **acr-resource-id**.

-```azurecli

-# Attach using acr-name

-az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

-# Attach using acr-resource-id

-az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-resource-id>

-```

-> [!NOTE]

-> The `az aks update --attach-acr` command uses the permissions of the user running the command to create the ACR role assignment. This role is assigned to the [kubelet][kubelet] managed identity. For more information on AKS managed identities, see [Summary of managed identities][summary-msi].

-Integrate an existing ACR with an existing AKS cluster using the [`-AcrNameToAttach` parameter][ps-attach] and valid values for **acr-name**.

-```azurepowershell

-Set-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup -AcrNameToAttach <acr-name>

-```

-> [!NOTE]

-> Running the `Set-AzAksCluster -AcrNameToAttach` cmdlet uses the permissions of the user running the command to create the role ACR assignment. This role is assigned to the [kubelet][kubelet] managed identity. For more information on AKS managed identities, see [Summary of managed identities][summary-msi].

-Remove the integration between an ACR and an AKS cluster using the [`--detach-acr` parameter][cli-param] and valid values for **acr-name** or **acr-resource-id**.

-```azurecli

-# Detach using acr-name

-az aks update -n myAKSCluster -g myResourceGroup --detach-acr <acr-name>

-# Detach using acr-resource-id

-az aks update -n myAKSCluster -g myResourceGroup --detach-acr <acr-resource-id>

-```

-Remove the integration between an ACR and an AKS cluster using the [`-AcrNameToDetach` parameter][ps-detach] and valid values for **acr-name**.

-```azurepowershell

-Set-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup -AcrNameToDetach <acr-name>

-```

-Run the following command to import an image from Docker Hub into your ACR.

-```azurecli

-az acr import -n <acr-name> --source docker.io/library/nginx:latest --image nginx:v1

-```

-```azurepowershell

-Import-AzContainerRegistryImage -RegistryName <acr-name> -ResourceGroupName myResourceGroup -SourceRegistryUri docker.io -SourceImage library/nginx:latest

-```

-Ensure you have the proper AKS credentials.

-```azurecli

-az aks get-credentials -g myResourceGroup -n myAKSCluster

-```

-#### [Azure PowerShell](#tab/azure-powershell)

-```azurepowershell

-Import-AzAksCredential -ResourceGroupName myResourceGroup -Name myAKSCluster

-```

-Create a file called **acr-nginx.yaml** using the sample YAML below. Replace **acr-name** with the name of your ACR.

-```yaml

-apiVersion: apps/v1

-kind: Deployment

-metadata:

- name: nginx0-deployment

- labels:

- app: nginx0-deployment

-spec:

- replicas: 2

- selector:

- matchLabels:

- app: nginx0

- template:

- app: nginx0

- containers:

- - name: nginx

- image: <acr-name>.azurecr.io/nginx:v1

- ports:

- - containerPort: 80

-```

-After creating the file, run the following deployment in your AKS cluster.

-```console

-kubectl apply -f acr-nginx.yaml

-```

-You can monitor the deployment by running `kubectl get pods`.

-```console

-kubectl get pods

-```

-The output should show two running pods.

-```output

-NAME READY STATUS RESTARTS AGE

-nginx0-deployment-669dfc4d4b-x74kr 1/1 Running 0 20s

-nginx0-deployment-669dfc4d4b-xdpd6 1/1 Running 0 20s

-```

-* Run the [`az aks check-acr`](/cli/azure/aks#az-aks-check-acr) command to validate that the registry is accessible from the AKS cluster.

-[AKS AKS CLI]: /cli/azure/aks#az_aks_create

-[byo-kubelet-identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity

-4. Force CoreDNS to reload the ConfigMap using the [`kubectl delete pod`][kubectl delete] command and the `kube-dns` label. This command deletes the `kube-dns` pods, and then the Kubernetes Scheduler recreates them. The new pods contain the change in TTL value.

- kubectl delete pod --namespace kube-system -l k8s-app=kube-dns

-3. Force CoreDNS to reload the ConfigMap using the [`kubectl delete pod`][kubectl delete] so the Kubernetes Scheduler can recreate them.

- kubectl delete pod --namespace kube-system -l k8s-app=kube-dns

-3. Force CoreDNS to reload the ConfigMap using the [`kubectl delete pod`][kubectl delete] so the Kubernetes Scheduler can recreate them.

- kubectl delete pod --namespace kube-system -l k8s-app=kube-dns

-3. Force CoreDNS to reload the ConfigMap using the [`kubectl delete pod`][kubectl delete] so the Kubernetes Scheduler can recreate them.

- kubectl delete pod --namespace kube-system -l k8s-app=kube-dns

- kubectl delete pod --namespace kube-system -l k8s-app=kube-dns

-[kubectl delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete

-## Use Web Application Routing with Draft to make your application accessible over the internet

-[Web Application Routing][web-app-routing] is the easiest way to get your web application up and running in Kubernetes securely. Web Application Routing removes the complexity of ingress controllers and certificate and DNS management, and it offers configuration for enterprises looking to bring their own. Web Application Routing offers a managed ingress controller based on nginx that you can use without restrictions and integrates out of the box with Open Service Mesh to secure intra-cluster communications.

-[web-app-routing]: web-app-routing.md

-> The HTTP application routing add-on is in the process of being retired and isn't recommended for production use. We recommend using the [Web Application Routing add-on](./web-app-routing.md) instead.

-* This article assumes you have an existing AKS cluster with an integrated Azure Container Registry (ACR). For more information on creating an AKS cluster with an integrated ACR, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-integrated-acr-ps].

-[aks-integrated-acr]: cluster-container-registry-integration.md?tabs=azure-cli#create-a-new-aks-cluster-with-acr-integration

-[aks-integrated-acr-ps]: cluster-container-registry-integration.md?tabs=azure-powershell#create-a-new-aks-cluster-with-acr-integration

-[aks-integrated-acr]: cluster-container-registry-integration.md?tabs=azure-cli#create-a-new-aks-cluster-with-acr-integration

-[aks-integrated-acr-ps]: cluster-container-registry-integration.md?tabs=azure-powershell#create-a-new-aks-cluster-with-acr-integration

-| web_application_routing | Use a managed NGINX ingress controller with your AKS cluster.| [Web Application Routing Overview][web-app-routing] |

-[aks-integrated-acr]: cluster-container-registry-integration.md?tabs=azure-cli#create-a-new-aks-cluster-with-acr-integration

- labels:

- azure.workload.identity/use: "true"

-By default, AKS sets *AllocatedOutboundPorts* on its load balancer to `0`, which enables [automatic outbound port assignment based on backend pool size][azure-lb-outbound-preallocatedports] when creating a cluster. For example, if a cluster has 50 or fewer nodes, 1024 ports are allocated to each node. As the number of nodes in the cluster increases, fewer ports are available per node. To show the *AllocatedOutboundPorts* value for the AKS cluster load balancer, use `az network lb outbound-rule list`.

-For more information on ingress and OSM, see [Using ingress to manage external access to services within the cluster][osm-ingress] and [Integrate OSM with Contour for ingress][osm-contour]. For an example of how to integrate OSM with ingress controllers using the `networking.k8s.io/v1` API, see [Ingress with Kubernetes Nginx ingress controller][osm-nginx]. For more information on using Web Application Routing, which automatically integrates with OSM, see [Web Application Routing][web-app-routing].

-[web-app-routing]: web-app-routing.md

-* [Web Application Routing][web-app-routing]

-[web-app-routing]: web-app-routing.md

-> You can't use [Azure Network Policy Manager (Azure NPM)][azure-npm] with clusters that have more than 500 nodes.

-3. Wait 12 hours from the time the last deprecated API usage was seen.

-You can also check past API usage by enabling [Container Insights][container-insights] and exploring kube audit logs.

-## Limitations:

-> * Azure Network Policy Manager pod logs will record an error if an unsupported policy is created.

-## Scale:

-With the current limits set on Azure Network Policy Manager for Linux, it can scale up to 500 Nodes and 40k Pods. You may see OOM kills beyond this scale. Please reach out to us on [aks-acn-github] if you'd like to increase your memory limit.

-# Use Key Vault references for App Service and Azure Functions

-This topic shows you how to work with secrets from Azure Key Vault in your App Service or Azure Functions application without requiring any code changes. [Azure Key Vault](../key-vault/general/overview.md) is a service that provides centralized secrets management, with full control over access policies and audit history.

-## Granting your app access to Key Vault

-In order to read secrets from Key Vault, you need to have a vault created and give your app permission to access it.

- Key Vault references will use the app's system assigned identity by default, but you can [specify a user-assigned identity](#access-vaults-with-a-user-assigned-identity).

-1. Create an [access policy in Key Vault](../key-vault/general/security-features.md#privileged-access) for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or `applicationId` settings, as this is not compatible with a managed identity.

-If your vault is configured with [network restrictions](../key-vault/general/overview-vnet-service-endpoints.md), you will also need to ensure that the application has network access. Vaults shouldn't depend on the app's public outbound IPs because the origin IP of the secret request could be different. Instead, the vault should be configured to accept traffic from a virtual network used by the app.

- Linux applications attempting to use private endpoints additionally require that the app be explicitly configured to have all traffic route through the virtual network. This requirement will be removed in a forthcoming update. To set this, use the following Azure CLI or Azure PowerShell command:

- az webapp config set --subscription <sub> -g MyResourceGroupName -n MyAppName --generic-configurations '{"vnetRouteAllEnabled": true}'

- Update-AzFunctionAppSetting -Name MyAppName -ResourceGroupName MyResourceGroupName -AppSetting @{vnetRouteAllEnabled = $true}

-2. Make sure that the vault's configuration accounts for the network or subnet through which your app will access it.

-> Windows container currently does not support Key Vault references over VNet Integration.

-Some apps need to reference secrets at creation time, when a system-assigned identity would not yet be available. In these cases, a user-assigned identity can be created and given access to the vault in advance.

-1. Configure the app to use this identity for Key Vault reference operations by setting the `keyVaultReferenceIdentity` property to the resource ID of the user-assigned identity.

- userAssignedIdentityResourceId=$(az identity show -g MyResourceGroupName -n MyUserAssignedIdentityName --query id -o tsv)

- appResourceId=$(az webapp show -g MyResourceGroupName -n MyAppName --query id -o tsv)

- az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}"

- $userAssignedIdentityResourceId = Get-AzUserAssignedIdentity -ResourceGroupName MyResourceGroupName -Name MyUserAssignedIdentityName | Select-Object -ExpandProperty Id

- $appResourceId = Get-AzFunctionApp -ResourceGroupName MyResourceGroupName -Name MyAppName | Select-Object -ExpandProperty Id

- Invoke-AzRestMethod -Method PATCH -Path $Path -Payload "{'properties':{'keyVaultReferenceIdentity':'$userAssignedIdentityResourceId'}}"

-This configuration will apply to all references for the app.

-## Reference syntax

-A Key Vault reference is of the form `@Microsoft.KeyVault({referenceString})`, where `{referenceString}` is replaced by one of the following options:

-> | SecretUri=_secretUri_ | The **SecretUri** should be the full data-plane URI of a secret in Key Vault, optionally including a version, e.g., `https://myvault.vault.azure.net/secrets/mysecret/` or `https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931` |

-> | VaultName=_vaultName_;SecretName=_secretName_;SecretVersion=_secretVersion_ | The **VaultName** is required and should the name of your Key Vault resource. The **SecretName** is required and should be the name of the target secret. The **SecretVersion** is optional but if present indicates the version of the secret to use. |

-For example, a complete reference would look like the following:

-## Rotation

-If a version is not specified in the reference, then the app will use the latest version that exists in the key vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within 24 hours. The delay is because App Service caches the values of the key vault references and refetches it every 24 hours. Any configuration changes to the app that results in a site restart causes an immediate refetch of all referenced secrets.

-## Source Application Settings from Key Vault

-Key Vault references can be used as values for [Application Settings](configure-common.md#configure-app-settings), allowing you to keep secrets in Key Vault instead of the site config. Application Settings are securely encrypted at rest, but if you need secret management capabilities, they should go into Key Vault.

-To use a Key Vault reference for an [app setting](configure-common.md#configure-app-settings), set the reference as the value of the setting. Your app can reference the secret through its key as normal. No code changes are required.

-> [!TIP]

-> Most application settings using Key Vault references should be marked as slot settings, as you should have separate vaults for each environment.

-Apps can use the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` application setting to mount [Azure Files](../storage/files/storage-files-introduction.md) as the file system. This setting has additional validation checks to ensure that the app can be properly started. The platform relies on having a content share within Azure Files, and it assumes a default name unless one is specified via the `WEBSITE_CONTENTSHARE` setting. For any requests which modify these settings, the platform will attempt to validate if this content share exists, and it will attempt to create it if not. If it cannot locate or create the content share, the request is blocked.

-When using Key Vault references for this setting, this validation check will fail by default, as the secret itself cannot be resolved while processing the incoming request. To avoid this issue, you can skip the validation by setting `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` to "1". This will bypass all checks, and the content share will not be created for you. You should ensure it is created in advance.

-As part of creating the site, it is also possible that attempted mounting of the content share could fail due to managed identity permissions not being propagated or the virtual network integration not being set up. You can defer setting up Azure Files until later in the deployment template to accommodate this. See [Azure Resource Manager deployment](#azure-resource-manager-deployment) to learn more. App Service will use a default file system until Azure Files is set up, and files are not copied over, so you will need to ensure that no deployment attempts occur during the interim period before Azure Files is mounted.

-Apps can use the `APPINSIGHTS_INSTRUMENTATIONKEY` or `APPLICATIONINSIGHTS_CONNECTION_STRING` application settings to integrate with [Application Insights](../azure-monitor/app/app-insights-overview.md). The portal experiences for App Service and Azure Functions also use these settings to surface telemetry data from the resource. If these values are referenced from Key Vault, these experiences are not available, and you instead need to work directly with the Application Insights resource to view the telemetry. However, these values are [not considered secrets](../azure-monitor/app/sdk-connection-string.md#is-the-connection-string-a-secret), so you might alternatively consider configuring them directly instead of using the Key Vault references feature.

-When automating resource deployments through Azure Resource Manager templates, you may need to sequence your dependencies in a particular order to make this feature work. Of note, you will need to define your application settings as their own resource, rather than using a `siteConfig` property in the site definition. This is because the site needs to be defined first so that the system-assigned identity is created with it and can be used in the access policy.

-An example pseudo-template for a function app might look like the following:

-## Troubleshooting Key Vault References

-If a reference is not resolved properly, the reference value will be used instead. This means that for application settings, an environment variable would be created whose value has the `@Microsoft.KeyVault(...)` syntax. This may cause the application to throw errors, as it was expecting a secret of a certain structure.

-Most commonly, this is due to a misconfiguration of the [Key Vault access policy](#granting-your-app-access-to-key-vault). However, it could also be due to a secret no longer existing or a syntax error in the reference itself.

-If the syntax is correct, you can view other causes for error by checking the current resolution status in the portal. Navigate to Application Settings and select "Edit" for the reference in question. Below the setting configuration, you should see status information, including any errors. The absence of these implies that the reference syntax is invalid.

-3. Choose **Availability and Performance** and select **Web app down.**

-4. Find **Key Vault Application Settings Diagnostics** and click **More info**.

-2. Navigate to **Platform features.**

-4. Choose **Availability and Performance** and select **Function app down or reporting errors.**

-5. Click on **Key Vault Application Settings Diagnostics.**

-1. Follow [these instructions to grant your app access](app-service-key-vault-references.md#granting-your-app-access-to-key-vault) to your key vault:

-It is best practice to periodically rotate the SAS key of your storage account. To ensure the web app does not inadvertently loose access, you must also update the SAS URL in Key Vault.

-1. Rotate the SAS key by navigating to your storage account in the Azure portal. Under **Settings** > **Access keys**, click the icon to rotate the SAS key.

-If you need to revoke the web app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL.

-First, follow the instructions for [granting your app access to Key Vault](app-service-key-vault-references.md#granting-your-app-access-to-key-vault) and [making a KeyVault reference to your secret in an Application Setting](app-service-key-vault-references.md#reference-syntax). You can validate that the reference resolves to the secret by printing the environment variable while remotely accessing the App Service terminal.

-## Static configuration

-Static IP configuration is recommended for Arc resource bridge, because the resource bridge needs three static IPs in the same subnet for the control plane, appliance VM, and reserved appliance VM.

-If using DHCP, reserve those IP addresses, ensuring the IPs are outside of the assignable DHCP range of IPs (i.e. the control plane IP should be treated as a reserved/static IP that no other machine on the network will use or receive from DHCP). DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

-1. Follow [these instructions to grant your app access](../app-service/app-service-key-vault-references.md#granting-your-app-access-to-key-vault) to your key vault:

-It is best practice to periodically rotate the SAS key of your storage account. To ensure the function app does not inadvertently loose access, you must also update the SAS URL in Key Vault.

-1. Rotate the SAS key by navigating to your storage account in the Azure portal. Under **Settings** > **Access keys**, click the icon to rotate the SAS key.

-If you need to revoke the function app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL.

-You should suppress this event when your function app uses an Azure Key Vault reference in the `AzureWebjobsStorage` app setting instead of a connection string. For more information, see [Source application settings from Key Vault](../../../app-service/app-service-key-vault-references.md?toc=%2Fazure%2Fazure-functions%2Ftoc.json#source-application-settings-from-key-vault)

-|CostAnalyticsFunction |Timer |This function calculates the cost to run the Start/Stop V2 solution on a monthly basis.|

-|SavingsAnalyticsFunction |Timer |This function calculates the total savings achieved by the Start/Stop V2 solution on a monthly basis.|

-This article shows you how to use the polygon extrusion layer to render areas of `Polygon` and `MultiPolygon` feature geometries as extruded shapes. The Azure Maps Web SDK supports rendering of Circle geometries as defined in the [extended GeoJSON schema](extend-geojson.md#circle). These circles can be transformed into polygons when rendered on the map. All feature geometries may be updated easily when wrapped with the [atlas.Shape](/javascript/api/azure-maps-control/atlas.shape) class.

-Connect the [polygon extrusion layer](/javascript/api/azure-maps-control/atlas.layer.polygonextrusionlayer) to a data source. Then, loaded it on the map. The polygon extrusion layer renders the areas of a `Polygon` and `MultiPolygon` features as extruded shapes. The `height` and `base` properties of the polygon extrusion layer define the base distance from the ground and height of the extruded shape in **meters**. The following code shows how to create a polygon, add it to a data source, and render it using the Polygon extrusion layer class.

-Azure Maps uses an extended version of the GeoJSON schema that provides a [definition for circles](./extend-geojson.md#circle). An extruded circle can be rendered on the map by creating a `point` feature with a `subType` property of `Circle` and a numbered `Radius` property representing the radius in **meters**. For example:

-> [Polygon](/javascript/api/azure-maps-control/atlas.data.polygon)

-> [polygon extrusion layer](/javascript/api/azure-maps-control/atlas.layer.polygonextrusionlayer)

-Additional resources:

-> [Azure Maps GeoJSON specification extension](extend-geojson.md#circle)

-[Create a Choropleth Map]: https://samples.azuremaps.com/?sample=create-a-choropleth-map

-[Polygon Extrusion Layer Options]: https://samples.azuremaps.com/?sample=polygon-extrusion-layer-options

-There are two different traffic controls that can be added to the map. The first control, `TrafficControl`, adds a toggle button that can be used to turn traffic on and off. Options for this control allow you to specify when traffic settings to use when show traffic. By default this control will display relative traffic flow and incident data, however, you could change this to show absolute traffic flow and no incidents if desired. The second control, `TrafficLegendControl`, adds a traffic flow legend to the map that helps user understand what the color code road highlights mean. This control will only appear on the map when traffic flow data is displayed on the map and will be hidden at all other times.

-> [Map](/javascript/api/azure-maps-control/atlas.map)

-> [TrafficOptions](/javascript/api/azure-maps-control/atlas.trafficoptions)

-> [Map interaction with mouse events](map-events.md)

-> [Building an accessible map](map-accessibility.md)

-> [Code sample page](https://aka.ms/AzureMapsSamples)

-[Traffic Overlay]: https://samples.azuremaps.com/traffic/traffic-overlay

-[Traffic controls source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Traffic/Traffic%20controls/Traffic%20controls.html

-[Traffic Overlay Options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Traffic/Traffic%20Overlay%20Options/Traffic%20Overlay%20Options.html

-Here's an example of Bing Maps with the language set to "fr-FR".

-Azure Maps only provides options for setting the language and regional view of the map. A market parameter isn't used to limit features. There are two different ways of setting the language and regional view of the map. The first option is to add this information to the global `atlas` namespace that results in all map control instances in your app defaulting to these settings. The following sets the language to French ("fr-FR") and the regional view to `"Auto"`:

-Here's an example of Azure Maps with the language set to "fr" and the user region set to "fr-FR".

-The following example loads a GeoJSON feed of earthquake data from the past week and add it to the map. Clusters are rendered as scaled and colored circles depending on the number of points they contain.

-In Bing Maps, GeoJSON data can be loaded using the GeoJSON module. Pushpins can be clustered by loading in the clustering module and using the clustering layer it contains.

-* `clusterMaxZoom` - The maximum zoom level that clustering occurs. Any additional zooming results in all points being rendered as symbols.

-In Azure Maps, GeoJSON is the main data format used in the web SDK, additional spatial data formats can be easily integrated in using the [spatial IO module]. This module has functions for both reading and writing spatial data and also includes a simple data layer that can easily render data from any of these spatial data formats. To read the data in a spatial data file, pass in a URL, or raw data as string or blob into the `atlas.io.read` function. This returns all the parsed data from the file that can then be added to the map. KML is a bit more complex than most spatial data format as it includes a lot more styling information. The `SpatialDataLayer` class supports rendering most of these styles, however icons images have to be loaded into the map before loading the feature data, and ground overlays have to be added as layers to the map separately. When loading data via a URL, it should be hosted on a CORs enabled endpoint, or a proxy service should be passed in as an option into the read function.

-<!End Links-->

-[road tiles]: /rest/api/maps/render/getmaptile

-[satellite tiles]: /rest/api/maps/render/getmapimagerytile

-[Cesium]: https://www.cesium.com/

-<!--[Cesium code samples]: https://samples.azuremaps.com/?search=Cesium-->

-[Cesium plugin]: /samples/azure-samples/azure-maps-cesium/azure-maps-cesium-js-plugin

-[Leaflet]: https://leafletjs.com/

-[Leaflet code samples]: https://samples.azuremaps.com/?search=leaflet

-[Leaflet plugin]: /samples/azure-samples/azure-maps-leaflet/azure-maps-leaflet-plugin

-[OpenLayers]: https://openlayers.org/

-<!--[OpenLayers code samples]: https://samples.azuremaps.com/?search=openlayers-->

-[OpenLayers plugin]: /samples/azure-samples/azure-maps-OpenLayers/azure-maps-OpenLayers-plugin

-<! If developing using a JavaScript framework, one of the following open-source projects may be useful ->

-[ng-azure-maps]: https://github.com/arnaudleclerc/ng-azure-maps

-[AzureMapsControl.Components]: https://github.com/arnaudleclerc/AzureMapsControl.Components

-[Azure Maps React Component]: https://github.com/WiredSolutions/react-azure-maps

-[Vue Azure Maps]: https://github.com/rickyruiz/vue-azure-maps

-<!-- Key features support ->

-[Contour layer code samples]: https://samples.azuremaps.com/?search=contour

-[Gridded Data Source module]: https://github.com/Azure-Samples/azure-maps-gridded-data-source

-[Animation module]: https://github.com/Azure-Samples/azure-maps-animations

-[Spatial IO module]: how-to-use-spatial-io-module.md

-[open-source modules for the web SDK]: open-source-projects.md#open-web-sdk-modules

-<! Topics >

-[Load a map]: #load-a-map

-[Localizing the map]: #localizing-the-map

-[Setting the map view]: #setting-the-map-view

-[Adding a pushpin]: #adding-a-pushpin

-[Adding a polyline]: #adding-a-polyline

-[Pushpin clustering]: #pushpin-clustering

-[Add a heat map]: #add-a-heat-map

-[Overlay a tile layer]: #overlay-a-tile-layer

-[Show traffic data]: #show-traffic-data

-[Add a ground overlay]: #add-a-ground-overlay

-[Add KML data to the map]: #add-kml-data-to-the-map

-[Add drawing tools]: #add-drawing-tools

-<! Additional resources -->

-[Add a heat map layer]: map-add-heat-map-layer.md

-[Use data-driven style expressions]: data-driven-style-expressions-web-sdk.md

-[Choose a map style]: choose-map-style.md

-[Supported map styles]: supported-map-styles.md

-[Create a data source]: create-data-source-web-sdk.md

-[Add a Symbol layer]: map-add-pin.md

-[Add a Bubble layer]: map-add-bubble-layer.md

-[Cluster point data]: clustering-point-data-web-sdk.md

-[Symbol layer icon options]: /javascript/api/azure-maps-control/atlas.iconoptions

-[Symbol layer text option]: /javascript/api/azure-maps-control/atlas.textoptions

-[Add HTML Markers]: map-add-custom-html.md

-[Add lines to the map]: map-add-line-layer.md

-[Add a polygon to the map]: map-add-shape.md#use-a-polygon-layer

-[Add a circle to the map]: map-add-shape.md#add-a-circle-to-the-map

-[Add a popup]: map-add-popup.md

-[Popup class]: /javascript/api/azure-maps-control/atlas.popup

-[Popup options]: /javascript/api/azure-maps-control/atlas.popupoptions

-[Add tile layers]: map-add-tile-layer.md

-[Tile layer class]: /javascript/api/azure-maps-control/atlas.layer.tilelayer

-[Tile layer options]: /javascript/api/azure-maps-control/atlas.tilelayeroptions

-[Traffic overlay options]: https://samples.azuremaps.com/?sample=traffic-overlay-options

-[Traffic control]: https://samples.azuremaps.com/?sample=traffic-controls

-[Overlay an image]: map-add-image-layer.md

-[Image layer class]: /javascript/api/azure-maps-control/atlas.layer.imagelayer

-[atlas.io.read function]: /javascript/api/azure-maps-spatial-io/atlas.io#read-stringarraybufferblob--spatialdatareadoptions-

-[Use the drawing tools module]: set-drawing-options.md

-[Drawing tools module code samples]: https://samples.azuremaps.com#drawing-tools-module

-<!>

-[free account]: https://azure.microsoft.com/free/

-[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

-[Shared Key authentication]: azure-maps-authentication.md#shared-key-authentication

-[Azure Active Directory]: azure-maps-authentication.md#azure-ad-authentication

-[Use the Azure Maps map control]: how-to-use-map-control.md

-[atlas.data namespace]: /javascript/api/azure-maps-control/atlas.data

-[atlas.Shape]: /javascript/api/azure-maps-control/atlas.shape

-[atlas.data.Position.fromLatLng]: /javascript/api/azure-maps-control/atlas.data.position

-[Azure Maps Glossary]: glossary.md

-[Add controls to a map]: map-add-controls.md

-[Localization support in Azure Maps]: supported-languages.md

-[open-source Azure Maps Web SDK modules]: open-source-projects.md#open-web-sdk-modules

-[Clustering point data in the Web SDK]: clustering-point-data-web-sdk.md

-[atlas.layer.ImageLayer.getCoordinatesFromEdges]: /javascript/api/azure-maps-control/atlas.layer.imagelayer#getcoordinatesfromedges-number--number--number--number--number-

-* `countrySet` ΓÇô A comma-separated list of ISO2 countries codes in which to limit the search to.

-The Azure Maps routing API also supports truck routing within the same API. The following table cross-references the additional Bing Maps truck routing parameters with the comparable API parameters in Azure Maps.

-The Azure Maps routing API also supports truck routing parameter within the same API to ensure logical paths are calculated. The following table cross-references the additional Bing Maps truck routing parameters with the comparable API parameters in Azure Maps.

-This approach however will only snap to the road segments that are loaded within the map view. When zoomed out at country/region level there may be no road data, so snapping canΓÇÖt be done, however at that zoom level a single pixel can represent the area of several city blocks so snapping isnΓÇÖt needed. To address this, the snapping logic can be applied every time the map has finished moving. To see a fully functional example of this snapping logic, see the [Basic snap to road logic] sample in the Azure Maps samples.

-Additional styles can be used by adding more `pins` parameters to the URL with a different style and set of locations.

-More styles can be used by adding additional `drawCurve` parameters to the URL with a different style and set of locations.

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-[Search]: /rest/api/maps/search

-[Route directions]: /rest/api/maps/route/getroutedirections

-[Route Matrix]: /rest/api/maps/route/postroutematrixpreview

-[Render]: /rest/api/maps/render/getmapimage

-[Route Range]: /rest/api/maps/route/getrouterange

-[POST Route directions]: /rest/api/maps/route/postroutedirections

-[Route]: /rest/api/maps/route

-[Time Zone]: /rest/api/maps/timezone

-[Spatial operations]: /rest/api/maps/spatial

-[Map Tiles]: /rest/api/maps/render/getmaptile

-[Map imagery tile]: /rest/api/maps/render/getmapimagerytile

-[Traffic]: /rest/api/maps/traffic

-[Geolocation API]: /rest/api/maps/geolocation/get-ip-to-location

-[Weather services]: /rest/api/maps/weather

-[Best practices for Azure Maps Search service]: how-to-use-best-practices-for-search.md

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[Structured address geocoding]: /rest/api/maps/search/getsearchaddressstructured

-[Batch address geocoding]: /rest/api/maps/search/postsearchaddressbatchpreview

-[Fuzzy search]: /rest/api/maps/search/getsearchfuzzy

-[Authentication with Azure Maps]: azure-maps-authentication.md

-[Azure Maps supported views]: supported-languages.md#azure-maps-supported-views

-[Address reverse geocoder]: /rest/api/maps/search/getsearchaddressreverse

-[Cross street reverse geocoder]: /rest/api/maps/search/getsearchaddressreversecrossstreet

-[Batch address reverse geocoder]: /rest/api/maps/search/postsearchaddressreversebatchpreview

-[POI search]: /rest/api/maps/search/get-search-poi

-[Calculate route]: /rest/api/maps/route/getroutedirections

-[Batch route]: /rest/api/maps/route/postroutedirectionsbatchpreview

-[Snap points to logical route path]: https://samples.azuremaps.com/?sample=snap-points-to-logical-route-path

-[Basic snap to road logic]: https://samples.azuremaps.com/?sample=basic-snap-to-road-logic

-[turf js]: https://turfjs.org

-[NetTopologySuite]: https://github.com/NetTopologySuite/NetTopologySuite

-[Map image render]: /rest/api/maps/render/getmapimagerytile

-[Supported map styles]: supported-map-styles.md

-[Search within geometry]: /rest/api/maps/search/postsearchinsidegeometry

-[nearby search]: /rest/api/maps/search/getsearchnearby

-[Search Polygon API]: /rest/api/maps/search/getsearchpolygon

-[Time zone by ID]: /rest/api/maps/timezone/gettimezonebyid

-[Time zone Windows to IANA]: /rest/api/maps/timezone/gettimezonewindowstoiana

-[Time zone Enum IANA]: /rest/api/maps/timezone/gettimezoneenumiana

-[Time zone Enum Windows]: /rest/api/maps/timezone/gettimezoneenumwindows

-[Time zone IANA version]: /rest/api/maps/timezone/gettimezoneianaversion

-[Time zone by coordinate]: /rest/api/maps/timezone/gettimezonebycoordinates

-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

-[Azure SQL Spatial Data Types overview]: /sql/relational-databases/spatial/spatial-data-types-overview

-[Azure SQL Spatial ΓÇô Query nearest neighbor]: /sql/relational-databases/spatial/query-spatial-data-for-nearest-neighbor

-[Azure Cosmos DB geospatial capabilities overview]: ../cosmos-db/sql-query-geospatial-intro.md

-¹ While there is no direct replacement for the Bing Maps *Snap to road* service, this functionality can be implemented using the Azure Maps [Route - Get Route Directions] REST API. For a complete code sample demonstrating the snap to road functionality, see the [Basic snap to road logic] sample that demonstrates how to snap individual points to the rendered roads on the map. Also see the [Snap points to logical route path] sample that shows how to snap points to the road network to form a logical path.

-> [Migrate a web app](migrate-from-bing-maps-web-app.md)

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-[free Azure account]: https://azure.microsoft.com/free/

-[Azure portal]: https://portal.azure.com/

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[Microsoft Azure terms of use]: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31

-[Azure pricing calculator]: https://azure.microsoft.com/pricing/calculator/?service=azure-maps

-[Azure Maps term of use]: https://www.microsoft.com/licensing/terms/productoffering/MicrosoftAzure/MCA

-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

-[azure.com]: https://azure.com

-[Azure Active Directory authentication]: azure-maps-authentication.md#azure-ad-authentication

-[Azure Maps product page]: https://azure.com/maps

-[Azure Maps product documentation]: https://aka.ms/AzureMapsDocs

-[Azure Maps code samples]: https://aka.ms/AzureMapsSamples

-[Azure Maps developer forums]: https://aka.ms/AzureMapsForums

-[Microsoft learning center shows]: https://aka.ms/AzureMapsVideos

-[Azure Maps Blog]: https://aka.ms/AzureMapsTechBlog

-[Azure Maps Feedback (UserVoice)]: https://aka.ms/AzureMapsFeedback

-[Route - Get Route Directions]: https://learn.microsoft.com/rest/api/maps/route/get-route-directions

-For more information on developing with the Android SDK by Azure Maps, see the [How-to guides for the Azure Maps Android SDK](how-to-use-android-map-control-library.md).

-Review the complete list of [Supported languages](supported-languages.md).

-* [Supported map styles](supported-map-styles.md)

-Custom images can be used to represent points on a map. The map in examples below uses a custom image to display a point on the map. The point is at latitude: 51.5 and longitude: -0.2. The anchor offsets the position of the marker, so that the point of the pushpin icon aligns with the correct position on the map.

-The stroke width and the dash array "pixel" units in the Azure Maps Web SDK, is the same as in the Google Maps service. Both accept the same values to produce the same results.

-> [Get started with Azure Maps Android SDK](how-to-use-android-map-control-library.md)

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-<br/>

-| `google.maps.Map` | [atlas.Map](/javascript/api/azure-maps-control/atlas.map) |

-| `google.maps.InfoWindow` | [atlas.Popup](/javascript/api/azure-maps-control/atlas.popup) |

-| `google.maps.InfoWindowOptions` | [atlas.PopupOptions](/javascript/api/azure-maps-control/atlas.popupoptions) |

-| `google.maps.LatLng` | [atlas.data.Position](/javascript/api/azure-maps-control/atlas.data.position) |

-| `google.maps.LatLngBounds` | [atlas.data.BoundingBox](/javascript/api/azure-maps-control/atlas.data.boundingbox) |

-| `google.maps.MapOptions` | [atlas.CameraOptions](/javascript/api/azure-maps-control/atlas.cameraoptions)<br/>[atlas.CameraBoundsOptions](/javascript/api/azure-maps-control/atlas.cameraboundsoptions)<br/>[atlas.ServiceOptions](/javascript/api/azure-maps-control/atlas.serviceoptions)<br/>[atlas.StyleOptions](/javascript/api/azure-maps-control/atlas.styleoptions)<br/>[atlas.UserInteractionOptions](/javascript/api/azure-maps-control/atlas.userinteractionoptions) |

-| `google.maps.Point` | [atlas.Pixel](/javascript/api/azure-maps-control/atlas.pixel) |

-| `google.maps.Marker` | [atlas.HtmlMarker](/javascript/api/azure-maps-control/atlas.htmlmarker)<br/>[atlas.data.Point](/javascript/api/azure-maps-control/atlas.data.point) |

-| `google.maps.MarkerOptions` | [atlas.HtmlMarkerOptions](/javascript/api/azure-maps-control/atlas.htmlmarkeroptions)<br/>[atlas.layer.SymbolLayer](/javascript/api/azure-maps-control/atlas.layer.symbollayer)<br/>[atlas.SymbolLayerOptions](/javascript/api/azure-maps-control/atlas.symbollayeroptions)<br/>[atlas.IconOptions](/javascript/api/azure-maps-control/atlas.iconoptions)<br/>[atlas.TextOptions](/javascript/api/azure-maps-control/atlas.textoptions)<br/>[atlas.layer.BubbleLayer](/javascript/api/azure-maps-control/atlas.layer.bubblelayer)<br/>[atlas.BubbleLayerOptions](/javascript/api/azure-maps-control/atlas.bubblelayeroptions) |

-| `google.maps.Polygon` | [atlas.data.Polygon](/javascript/api/azure-maps-control/atlas.data.polygon) |

-| `google.maps.PolygonOptions` |[atlas.layer.PolygonLayer](/javascript/api/azure-maps-control/atlas.layer.polygonlayer)<br/> [atlas.PolygonLayerOptions](/javascript/api/azure-maps-control/atlas.polygonlayeroptions)<br/> [atlas.layer.LineLayer](/javascript/api/azure-maps-control/atlas.layer.linelayer)<br/> [atlas.LineLayerOptions](/javascript/api/azure-maps-control/atlas.linelayeroptions)|

-| `google.maps.Polyline` | [atlas.data.LineString](/javascript/api/azure-maps-control/atlas.data.linestring) |

-| `google.maps.PolylineOptions` | [atlas.layer.LineLayer](/javascript/api/azure-maps-control/atlas.layer.linelayer)<br/>[atlas.LineLayerOptions](/javascript/api/azure-maps-control/atlas.linelayeroptions) |

-| `google.maps.ImageMapType` | [atlas.TileLayer](/javascript/api/azure-maps-control/atlas.layer.tilelayer) |

-| `google.maps.ImageMapTypeOptions` | [atlas.TileLayerOptions](/javascript/api/azure-maps-control/atlas.tilelayeroptions) |

-| `google.maps.GroundOverlay` | [atlas.layer.ImageLayer](/javascript/api/azure-maps-control/atlas.layer.imagelayer)<br/>[atlas.ImageLayerOptions](/javascript/api/azure-maps-control/atlas.imagelayeroptions) |

-| Google Maps | Azure Maps |

-|-|-|

-| `google.maps.Geocoder` | [atlas.service.SearchUrl](/javascript/api/azure-maps-rest/atlas.service.searchurl) |

-| `google.maps.GeocoderRequest` | [atlas.SearchAddressOptions](/javascript/api/azure-maps-rest/atlas.service.searchaddressoptions)<br/>[atlas.SearchAddressRevrseOptions](/javascript/api/azure-maps-rest/atlas.service.searchaddressreverseoptions)<br/>[atlas.SearchAddressReverseCrossStreetOptions](/javascript/api/azure-maps-rest/atlas.service.searchaddressreversecrossstreetoptions)<br/>[atlas.SearchAddressStructuredOptions](/javascript/api/azure-maps-rest/atlas.service.searchaddressstructuredoptions)<br/>[atlas.SearchAlongRouteOptions](/javascript/api/azure-maps-rest/atlas.service.searchalongrouteoptions)<br/>[atlas.SearchFuzzyOptions](/javascript/api/azure-maps-rest/atlas.service.searchfuzzyoptions)<br/>[atlas.SearchInsideGeometryOptions](/javascript/api/azure-maps-rest/atlas.service.searchinsidegeometryoptions)<br/>[atlas.SearchNearbyOptions](/javascript/api/azure-maps-rest/atlas.service.searchnearbyoptions)<br/>[atlas.SearchPOIOptions](/javascript/api/azure-maps-rest/atlas.service.searchpoioptions)<br/>[atlas.SearchPOICategoryOptions](/javascript/api/azure-maps-rest/atlas.service.searchpoicategoryoptions) |

-| `google.maps.DirectionsService` | [atlas.service.RouteUrl](/javascript/api/azure-maps-rest/atlas.service.routeurl) |

-| `google.maps.DirectionsRequest` | [atlas.CalculateRouteDirectionsOptions](/javascript/api/azure-maps-rest/atlas.service.calculateroutedirectionsoptions) |

-| `google.maps.places.PlacesService` | [f](/javascript/api/azure-maps-rest/atlas.service.searchurl) |

-| Google Maps | Azure Maps |

-|--|--|

-| Drawing library | [Drawing tools module](set-drawing-options.md) |

-| Geometry library | [atlas.math](/javascript/api/azure-maps-control/atlas.math) |

-| Visualization library | [Heat map layer](map-add-heat-map-layer.md) |

-> [Migrate a web service](migrate-from-google-maps-web-services.md)

-[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-[free account]: https://azure.microsoft.com/free/

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[road tiles]: /rest/api/maps/render/getmaptile

-[satellite tiles]: /rest/api/maps/render/getmapimagerytile

-[Cesium documentation]: https://www.cesium.com/

-[Leaflet code sample]: https://samples.azuremaps.com/?sample=render-azure-maps-in-leaflet

-[Leaflet documentation]: https://leafletjs.com/

-[OpenLayers documentation]: https://openlayers.org/

-[ng-azure-maps]: https://github.com/arnaudleclerc/ng-azure-maps

-[AzureMapsControl.Components]: https://github.com/arnaudleclerc/AzureMapsControl.Components

-[Azure Maps React Component]: https://github.com/WiredSolutions/react-azure-maps

-[Vue Azure Maps]: https://github.com/rickyruiz/vue-azure-maps

-[atlas.data.Position.fromLatLng]: /javascript/api/azure-maps-control/atlas.data.position

-[npm module]: how-to-use-map-control.md

-[Load a map]: #load-a-map

-[Localizing the map]: #localizing-the-map

-[Setting the map view]: #setting-the-map-view

-[Adding a marker]: #adding-a-marker

-[Adding a custom marker]: #adding-a-custom-marker

-[Adding a polyline]: #adding-a-polyline

-[Adding a polygon]: #adding-a-polygon

-[Display an info window]: #display-an-info-window

-[Import a GeoJSON file]: #import-a-geojson-file

-[Marker clustering]: #marker-clustering

-[Add a heat map]: #add-a-heat-map

-[Overlay a tile layer]: #overlay-a-tile-layer

-[Show traffic data]: #show-traffic-data

-[Add KML data to the map]: #add-kml-data-to-the-map

-[Use the Azure Maps map control]: how-to-use-map-control.md

-[Localization support in Azure Maps]: supported-languages.md

-[Supported map styles]: supported-map-styles.md

-[Create a data source]: create-data-source-web-sdk.md

-[Add a Symbol layer]: map-add-pin.md

-[Add a Bubble layer]: map-add-bubble-layer.md

-[Add HTML Markers]: map-add-custom-html.md

-[Use data-driven style expressions]: data-driven-style-expressions-web-sdk.md

-[Symbol layer icon options]: /javascript/api/azure-maps-control/atlas.iconoptions

-[Symbol layer text option]: /javascript/api/azure-maps-control/atlas.textoptions

-[Add lines to the map]: map-add-line-layer.md

-[Add a polygon to the map]: map-add-shape.md

-[Add a circle to the map]: map-add-shape.md#add-a-circle-to-the-map

-[Add a popup]: map-add-popup.md

-[Popup class]: /javascript/api/azure-maps-control/atlas.popup

-[Popup options]: /javascript/api/azure-maps-control/atlas.popupoptions

-[Add a heat map layer]: map-add-heat-map-layer.md

-[Heat map layer class]: /javascript/api/azure-maps-control/atlas.layer.heatmaplayer

-[Heat map layer options]: /javascript/api/azure-maps-control/atlas.heatmaplayeroptions

-[Add tile layers]: map-add-tile-layer.md

-[Show traffic on the map]: map-show-traffic.md

-[`atlas.layer.ImageLayer.getCoordinatesFromEdges`]: /javascript/api/azure-maps-control/atlas.layer.imagelayer#getcoordinatesfromedges-number--number--number--number--number-

-[Overlay an image]: map-add-image-layer.md

-[Image layer class]: /javascript/api/azure-maps-control/atlas.layer.imagelayer

-[atlas.io.read function]: /javascript/api/azure-maps-spatial-io/atlas.io#read-stringarraybufferblob--spatialdatareadoptions-

-[SimpleDataLayer]: /javascript/api/azure-maps-spatial-io/atlas.layer.simpledatalayer

-[SimpleDataLayerOptions]: /javascript/api/azure-maps-spatial-io/atlas.simpledatalayeroptions

-[Drawing tools]: map-add-drawing-toolbar.md

-[Limit Map to Two Finger Panning]: https://samples.azuremaps.com/?sample=limit-map-to-two-finger-panning

-[Limit Scroll Wheel Zoom]: https://samples.azuremaps.com/?sample=limit-scroll-wheel-zoom

-[Create a Fullscreen Control]: https://samples.azuremaps.com/?sample=fullscreen-control

-[Search for points of interest]: map-search-location.md

-[Get information from a coordinate (reverse geocode)]: map-get-information-from-coordinate.md

-[Show directions from A to B]: map-route.md

-[Search Autosuggest with JQuery UI]: https://samples.azuremaps.com/?sample=search-autosuggest-and-jquery-ui

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-[free account]: https://azure.microsoft.com/free/

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[Route]: /rest/api/maps/route

-[Route Matrix]: /rest/api/maps/route/postroutematrixpreview

-[Search]: /rest/api/maps/search

-[Calculate routes and directions]: #calculate-routes-and-directions

-[Reverse geocode a coordinate]: #reverse-geocode-a-coordinate

-[Render]: /rest/api/maps/render/getmapimage

-[Time Zone]: /rest/api/maps/timezone

-[Spatial operations]: /rest/api/maps/spatial

-[Traffic]: /rest/api/maps/traffic

-[Search for a location using Azure Maps Search services]: how-to-search-for-address.md

-[best practices for search]: how-to-use-best-practices-for-search.md

-[Localization support in Azure Maps]: supported-languages.md

-[Authentication with Azure Maps]: azure-maps-authentication.md

-[supported search categories]: supported-search-categories.md

-[Free-form address geocoding]: /rest/api/maps/search/getsearchaddress

-[Structured address geocoding]: /rest/api/maps/search/getsearchaddressstructured

-[Fuzzy search]: /rest/api/maps/search/getsearchfuzzy

-[Fuzzy batch search]: /rest/api/maps/search/postsearchfuzzybatchpreview

-[Address reverse geocoder]: /rest/api/maps/search/getsearchaddressreverse

-[Cross street reverse geocoder]: /rest/api/maps/search/getsearchaddressreversecrossstreet

-[POI search]: /rest/api/maps/search/getsearchpoi

-[POI category search]: /rest/api/maps/search/getsearchpoicategory

-[Nearby search]: /rest/api/maps/search/getsearchnearby

-[Search within geometry]: /rest/api/maps/search/postsearchinsidegeometry

-[Search along route]: /rest/api/maps/search/postsearchalongroute

-[supporting points]: /rest/api/maps/route/postroutedirections#supportingpoints

-[Calculate route]: /rest/api/maps/route/getroutedirections

-[calculating routable ranges]: /rest/api/maps/route/getrouterange

-[Render custom data on a raster map]: how-to-render-custom-data.md

-[Map tile]: /rest/api/maps/render/getmaptile

-[Upload pins and path data]: how-to-render-custom-data.md#upload-pins-and-path-data

-[documentation]: how-to-use-services-module.md

-[npm package]: https://www.npmjs.com/package/azure-maps-rest

-[GitHub project]: https://github.com/perfahlen/AzureMapsRestServices

-[NuGet package]: https://www.nuget.org/packages/AzureMapsRestToolkit

-[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-[free account]: https://azure.microsoft.com/free/

-[Azure subscription]: https://azure.com

-[Azure portal]: https://portal.azure.com/

-[Manage authentication in Azure Maps]: how-to-manage-authentication.md

-[terms of use]: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46

-[Azure pricing calculator]: https://azure.microsoft.com/pricing/calculator/?service=azure-maps

-[Azure Maps term of use]: https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46

-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

-[Azure Maps product page]: https://azure.com/maps

-[Azure Maps Web SDK code samples]: https://aka.ms/AzureMapsSamples

-[Azure Maps developer forums]: https://aka.ms/AzureMapsForums

-[Microsoft learning center shows]: https://aka.ms/AzureMapsVideos

-[Azure Maps Blog]: https://aka.ms/AzureMapsBlog

-description: In this article, you will learn how to use the 3D column layer in an Azure Maps Power BI visual.

-The **3D column layer** is useful for taking data to the next dimension by allowing visualization of location data as 3D cylinders on the map. Similar to the bubble layer, the 3D column chart can easily visualize two metrics at the same time using color and relative height. In order for the columns to have height, a measure needs to be added to the **Size** bucket of the **Fields** pane. If a measure is not provided, columns with no height show as flat squares or circles depending on the **Shape** option.

-| Column shape | The shape of the 3D column.<br/><br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Box ΓÇô columns rendered as rectangular boxes.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Cylinder ΓÇô columns rendered as cylinders. |

-| Height | The height of each column. If a field is passed into the **Size** bucket of the **Fields** pane, columns will be scaled relative to this height value. |

-| Fill color | Color of each column. This option is hidden when a field is passed into the **Legend** bucket of the **Fields** pane and a separate **Data colors** section will appear in the **Format** pane. |

-> We recommend [Bicep](../bicep/overview.md) because it offers the same capabilities as ARM templates and the syntax is easier to use. To learn more, see [date](../bicep/bicep-functions-date.md) functions.

-There is no retention cost for the default duration of *14* days, after which, it incurs regular backup charges. For soft delete retention *>14* days, the default period applies to the *last 14 days* of the continuous retention configured in soft delete, and then backups are permanently deleted.

-1. Go to **Backup center** and click **+Backup** from the **Overview** tab.

-1. Select **Azure Virtual machines** as the **Datasource type** and select the vault you have created. Then click **Continue**.

-1. Right-click the relevant row or select the more icon (…), and then click **Backup Now**.

->- Original Location Recovery (OLR) is currently not supported for HSR. Select **Alternate location** restore, and then select the source VM as your *Host* from the list.

-You can also switch the protection of SAP HANA database on Azure VM (standalone) on Azure Backup to HSR. [Learn more](#possible-scenarios-to-protect-hsr-nodes-on-azure-backup).

- `-bk CUSTOM_BACKUP_KEY_NAME` or `-backup-key CUSTOM_BACKUP_KEY_NAME`

- :::image type="content" source="./media/sap-hana-database-with-hana-system-replication-backup/pass-custom-backup-user-key-to-script-as-parameter-architecture.png" alt-text="Disgram explains the flow to pass the custom backup user key to the script as a parameter." lightbox="./media/sap-hana-database-with-hana-system-replication-backup/pass-custom-backup-user-key-to-script-as-parameter-architecture.png":::

-## Possible scenarios to protect HSR nodes on Azure Backup

- >HSR-based attributes are added to the latest preregistration script -

- >HSR-based attributes are added to the latest preregistration script - //link here )

-The **Email** tab displays delivery status, email size, and email count:

-> The following refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/faq.yml)). To enable these logs for your Communications Services, see: [Enable logging in Diagnostic Settings](../enable-logging.md)

-| `Category` | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

-| `OperationName` | The operation associated with log record. |

-| `Category` | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

-| `Size` | Represents the total size in megabytes of the email body, subject, headers and attachments. |

-| `UniqueRecipientsCount` | This is the deduplicated total recipient count for the To, Cc and Bcc address fields. |

-| `OperationName` | The operation associated with log record. |

-| `Category` | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

-| `OperationName` | The operation associated with log record. |

-| `Category` | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

-The user identity is intended to act as a primary key for logs and metrics collected through Azure Monitor. If you'd like to get a view of all of a specific user's calls, for example, you should set up your authentication in a way that maps a specific Azure Communication Services identity (or identities) to a singular user. Learn more about [log analytics](../concepts/analytics/query-call-logs.md), and [metrics](../concepts/metrics.md) available to you.

-Businesses are looking for innovative ways to increase the efficiency of their customer service operations. Azure Communication Services Call Automation provides developers the ability to build programmable customer interactions using real-time event triggers to perform actions based on custom business logic. For example, with support for interoperability with Microsoft Teams, developers can use Call Automation APIs to add subject matter experts (SMEs). These SMEs, who use Microsoft Teams, can be added to an existing customer service call to provide to resolve a customer issue.

-1. the call, the customer service agent needs expert help from one of the domain experts part of an engineering team. The agent is able to identify a knowledge worker who is available on Teams (presence via Graph APIs) and tries to add them to the call.

-1. Once the Teams has provided their expertise, they leave the call. The customer service agent and customer continue wrap up their conversation.

-> [Get started with Adding a Microsoft Teams user to an ongoing call using Call Automation](./../../how-tos/call-automation/teams-interop-call-automation.md)

-Azure Communication Services currently provides metrics for all ACS primitives. [Azure Metrics Explorer](../../azure-monitor/essentials/metrics-getting-started.md) can be used to plot your own charts, investigate abnormalities in your metric values, and understand your API traffic by using the metrics data that Chat and SMS requests emit.

-Today there are various types of requests that are represented within Communication Services metrics: **Chat API requests** , **SMS API requests** , **Authentication API requests**, **Call Automation API requests** and **Network Traversal API requests**.

-### Chat API request metric operations

-The following operations are available on Chat API request metrics:

-| Operation / Route | Description |

-| -- | - |

-| GetChatMessage | Gets a message by message ID. |

-| ListChatMessages | Gets a list of chat messages from a thread. |

-| SendChatMessage | Sends a chat message to a thread. |

-| UpdateChatMessage | Updates a chat message. |

-| DeleteChatMessage | Deletes a chat message. |

-| GetChatThread | Gets a chat thread. |

-| ListChatThreads | Gets the list of chat threads of a user. |

-| UpdateChatThread | Updates a chat thread's properties. |

-| CreateChatThread | Creates a chat thread. |

-| DeleteChatThread | Deletes a thread. |

-| GetReadReceipts | Gets read receipts for a thread. |

-| SendReadReceipt | Sends a read receipt event to a thread, on behalf of a user. |

-| SendTypingIndicator | Posts a typing event to a thread, on behalf of a user. |

-| ListChatThreadParticipants | Gets the members of a thread. |

-| AddChatThreadParticipants | Adds thread members to a thread. If members already exist, no change occurs. |

-| RemoveChatThreadParticipant | Remove a member from a thread. |

-If a request is made to an operation that isn't recognized, you receive a "Bad Route" value response.

-### SMS API requests

-The following operations are available on SMS API request metrics:

-| Operation / Route | Description |

-| -- | - |

-| SMSMessageSent | Sends an SMS message. |

-| SMSDeliveryReportsReceived | Gets SMS Delivery Reports |

-| SMSMessagesReceived | Gets SMS messages. |

-### Authentication API requests

-The following operations are available on Authentication API request metrics:

-| Operation / Route | Description |

-| -- | - |

-| CreateIdentity | Creates an identity representing a single user. |

-| DeleteIdentity | Deletes an identity. |

-| CreateToken | Creates an access token. |

-| RevokeToken | Revokes all access tokens created for an identity before a time given. |

-| ExchangeTeamsUserAccessToken | Exchange an Azure Active Directory (Azure AD) access token of a Teams user for a new Communication Identity access token with a matching expiration time.|

-### Call Automation API requests

-The following operations are available on Call Automation API request metrics:

-| Operation / Route | Description |

-| -- | - |

-| Create Call | Create an outbound call to user.

-| Answer Call | Answer an inbound call. |

-| Redirect Call | Redirect an inbound call to another user. |

-| Reject Call | Reject an inbound call. |

-| Transfer Call To Participant | Transfer 1:1 call to another user. |

-| Play | Play audio to call participants. |

-| PlayPrompt | Play a prompt to users as part of the Recognize action. |

-| Recognize | Recognize user input from call participants. |

-| Add Participants | Add a participant to a call. |

-| Remove Participants | Remove a participant from a call. |

-| HangUp Call | Hang up your call leg. |

-| Terminate Call | End the call for all participants. |

-| Get Call | Get details about a call. |

-| Get Participant | Get details on a call participant. |

-| Get Participants | Get all participants in a call. |

-| Delete Call | Delete a call. |

-| Cancel All Media Operations | Cancel all ongoing or queued media operations in a call. |

-### Network Traversal API requests

-The following operations are available on Network Traversal API request metrics:

-| Operation / Route | Description |

-| -- | - |

-| IssueRelayConfiguration | Issue configuration for an STUN/TURN server. |

-### Rooms API requests

-The following operations are available on Rooms API request metrics:

-| Operation / Route | Description |

-| -- | - |

-| CreateRoom | Creates a Room. |

-| DeleteRoom | Deletes a Room. |

-| GetRoom | Gets a Room by Room ID. |

-| PatchRoom | Updates a Room by Room ID. |

-| ListRooms | Lists all the Rooms for an ACS Resource. |

-| AddParticipants | Adds participants to a Room.|

-| RemoveParticipants | Removes participants from a Room. |

-| GetParticipants | Gets list of participants for a Room. |

-| UpdateParticipants | Updates list of participants for a Room. |

-Before you launch and scale your Azure Communication Services calling

-In this quickstart, we use the Azure Communication Services Call Automation APIs to add, remove and transfer to a Teams user.

-| Environments | GLobal | Up to 20 | Yes | Limit up to 20 environments per subscription accross all regions |

-For more information about Azure Storage durability, click [here](https://learn.microsoft.com/azure/storage/common/storage-redundancy).

- .Match(change => change.OperationType == ChangeStreamOperationType.Insert || change.OperationType == ChangeStreamOperationType.Update || change.OperationType == ChangeStreamOperationType.Replace)

- "{ $project: { '_id': 1, 'fullDocument': 1, 'ns': 1, 'documentKey': 1 }}");

-var options = new ChangeStreamOptions{

- FullDocument = ChangeStreamFullDocumentOption.UpdateLookup

- };

-var enumerator = coll.Watch(pipeline, options).ToEnumerable().GetEnumerator();

-while (enumerator.MoveNext()){

- Console.WriteLine(enumerator.Current);

- }

-enumerator.Dispose();

-|[Tallan](https://www.tallan.com/) | App development | USA |

-| CostInBillingCurrency | MCA | Cost of the charge in the billing currency before credits or taxes. |

-> As of April 24, 2023 EA customers won't be able to manage their Azure Government EA enrollments from [Azure portal](https://portal.azure.com) instead they can manage it from [Azure Government portal](https://portal.azure.us).

-## Delta format

-### The sink does not support the schema drift with upsert or update

-#### Symptoms

-You may face the issue that the delta sink in mapping data flows does not support schema drift with upsert/update. The problem is that the schema drift does not work when the delta is the target in a mapping data flow and user configure an update/upsert. 

-If a column is added to the source after an "initial" load to the delta, the subsequent jobs just fail with an error that it cannot find the new column, and this happens when you upsert/update with the alter row. It seems to work for inserts only.

-#### Error message

-`DF-SYS-01 at Sink 'SnkDeltaLake': org.apache.spark.sql.AnalysisException: cannot resolve target.BICC_RV in UPDATE clause given columns target. `

-#### Cause

-This is an issue for delta format because of the limitation of io delta library used in the data flow runtime. This issue is still in fixing.

-#### Recommendation

-To solve this problem, you need to update the schema firstly and then write the data. You can follow the steps below: <br/>

-1. Create one data flow that includes an insert-only delta sink with the merge schema option to update the schema. 

-1. After Step 1, use delete/upsert/update to modify the target sink without changing the schema. <br/>

-7. Add FQDN of your target on-premises SQL Server.

-You're now all set to start pushing sensor data for all sensors using the respective connection string provided for each sensor. However, sensor data should be sent in a JSON format as defined by Data Manager for Agriculture. Refer to the telemetry schema that follows:

-Queries will need to be updated to include both the old and new `resourceID` to show both, for example, total over time.

-description: Learn how to install the Azure CLI and the Azure Deployment Environments CLI extension so you can create Deployment Environments resources from the command line.

-Customer intent: As a dev infra admin, I want to install the Deployment Environments CLI extension so that I can create Deployment Environments resources from the command line.

-In addition to the Azure admin portal and the developer portal, you can use the Deployment Environments Azure CLI extension to create resources. Azure Deployment Environments and Microsoft Dev Box use the same Azure CLI extension, which is called `devcenter`.

-## Install the Deployment Environments CLI extension

-To install the Deployment Environments Azure CLI extension, you first need to install the Azure CLI. The following steps show you how to install the Azure CLI, then the Deployment Environments CLI extension.

-1. Install the Deployment Environments CLI extension

-1. Check that the `devcenter` extension is installed

-### Update the Deployment Environments CLI extension

-You can update the Deployment Environments CLI extension if you already have it installed.

-### Remove the Deployment Environments CLI extension

-## Get started with the Deployment Environments CLI extension

-You might find the following commands useful as you work with the Deployment Environments CLI extension.

-description: Learn how to install the Azure CLI and the Microsoft Dev Box CLI extension so you can create Dev Box resources from the command line.

-# Configure Microsoft Dev Box from the command-line with the Azure CLI extension

-In addition to the Azure admin portal and the developer portal, you can use the Dev Box Azure CLI extension to create resources. Microsoft Dev Box and Azure Deployment Environments use the same Azure CLI extension, which is called `devcenter`.

-## Install the Dev Box CLI extension

-To install the Dev Box Azure CLI extension, you first need to install the Azure CLI. The following steps show you how to install the Azure CLI, then the Dev Box CLI extension.

-1. Install the Dev Box CLI extension

-1. Check that the `devcenter` extension is installed

-### Update the Dev Box CLI extension

-You can update the Dev Box CLI extension if you already have it installed.

-### Remove the Dev Box CLI extension

-## Get started with the Dev Box CLI extension

-You might find the following commands useful as you work with the Dev Box CLI extension.

-| SQL Server | Azure SQL DB | [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension)<br/>[DMA](/sql/dm)<br/>[DMA](/sql/dma/dma-overview)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Cloudamize*](https://www.cloudamize.com/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| SQL Server | Azure SQL MI | [Azure SQL Migration extension](./migration-using-azure-data-studio.md)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](./migration-using-azure-data-studio.md)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](./migration-using-azure-data-studio.md)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| SQL Server | Azure SQL VM | [Azure SQL Migration extension](./migration-using-azure-data-studio.md)<br/>[DMA](/sql/dm)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Amazon RDS for SQL Server| Azure SQL DB | [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension)<br/>[DMA](/sql/dm)<br/>[DMA](/sql/dma/dma-overview)| [Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Amazon RDS for SQL | Azure SQL MI |[Azure SQL Migration extension](./migration-using-azure-data-studio.md) | [Azure SQL Migration extension](./migration-using-azure-data-studio.md) | [Azure SQL Migration extension](./migration-using-azure-data-studio.md)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Amazon RDS for SQL Server | Azure SQL VM | [Azure SQL Migration extension](./migration-using-azure-data-studio.md)<br/>[DMA](/sql/dm)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Oracle | Azure SQL DB, MI, VM | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[SharePlex*](https://www.quest.com/products/shareplex/)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[SharePlex*](https://www.quest.com/products/shareplex/)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SharePlex*](https://www.quest.com/products/shareplex/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Oracle | Azure Synapse Analytics | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SharePlex*](https://www.quest.com/products/shareplex/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Oracle | Azure DB for PostgreSQL -<br/>Single server | [Ora2Pg*](http://ora2pg.darold.net/start.html)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [Ora2Pg*](http://ora2pg.darold.net/start.html)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | <br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Oracle | Azure DB for PostgreSQL -<br/>Flexible server | [Ora2Pg*](http://ora2pg.darold.net/start.html)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [Ora2Pg*](http://ora2pg.darold.net/start.html)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | <br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| MongoDB | Azure Cosmos DB | [DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Imanis Data*](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/talena-inc.talena-solution-template?tab=Overview) | [DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Imanis Data*](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/talena-inc.talena-solution-template?tab=Overview) | [DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Imanis Data*](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/talena-inc.talena-solution-template?tab=Overview)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| MySQL | Azure SQL DB, MI, VM | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| MySQL | Azure DB for MySQL | [MySQL dump*](https://dev.mysql.com/doc/refman/5.7/en/mysqldump.html) | [DMS](https://azure.microsoft.com/services/database-migration/) | [MyDumper/MyLoader*](https://centminmod.com/mydumper.html) with [data-in replication](../mysql/concepts-data-in-replication.md)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Amazon RDS for MySQL | Azure DB for MySQL | [MySQL dump*](https://dev.mysql.com/doc/refman/5.7/en/mysqldump.html) | [DMS](https://azure.microsoft.com/services/database-migration/) | [MyDumper/MyLoader*](https://centminmod.com/mydumper.html) with [data-in replication](../mysql/concepts-data-in-replication.md)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| PostgreSQL | Azure DB for PostgreSQL -<br/>Single server | [PG dump*](https://www.postgresql.org/docs/current/static/app-pgdump.html) | [PG dump*](https://www.postgresql.org/docs/current/static/app-pgdump.html) | [DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Amazon RDS for PostgreSQL | Azure DB for PostgreSQL -<br/>Single server | [PG dump*](https://www.postgresql.org/docs/current/static/app-pgdump.html) | [PG dump*](https://www.postgresql.org/docs/current/static/app-pgdump.html) | [DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| DB2 | Azure SQL DB, MI, VM | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| Sybase - SAP ASE | Azure SQL DB, MI, VM | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [SSMA](/sql/ssma/sql-server-migration-assistant)<br/>[Ispirer*](https://www.ispirer.com/blog/migration-to-the-microsoft-technology-stack) | [Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-# Configure custom BGP communities for Azure ExpressRoute private peering (Preview)

-@New-NetFirewallRule -DisplayName "Block QUIC for Exchange Online" -Direction Outbound -Action Block -Protocol UDP -RemoteAddress 13.107.6.152/31,13.107.18.10/31,13.107.128.0/22,23.103.160.0/20,40.96.0.0/13,40.104.0.0/15,52.96.0.0/14,131.253.33.215/32,132.245.0.0/16,150.171.32.0/22,204.79.197.215/32,6.6.0.0/16 -RemotePort 443

-> Incremental mode capability is currently in preview.

->

-description: How to configure the Azure IoT Edge runtime and any internet-facing IoT Edge modules to communicate through a proxy server.

-Environment=https_proxy=<proxy URL>

-Environment=https_proxy=<proxy URL>

- * Or, in Visual Studio go to **Extensions > Manage Extensions**. The **Manage Extensions** popup will open. In the search box in the upper right, add the text **Azure IoT Edge Tools for VS 2022**, then select **Download**. Close the popup when finished.

-* To test your module on a device, you'll need an active IoT Hub with at least one IoT Edge device. To create an IoT Edge device for testing you can create one in the Azure portal or with the CLI:

- * To create an IoT Edge device with the CLI follow the steps in the quickstart for [Linux](quickstart-linux.md#register-an-iot-edge-device) or [Windows](quickstart.md#register-an-iot-edge-device). In the process of registering an IoT Edge device, you create an IoT Edge device.

-The IoT Edge project template in Visual Studio creates a solution to deploy to IoT Edge devices. First, you'll create an Azure IoT Edge solution. Then, you'll create a module in that solution. Each IoT Edge solution can contain more than one module.

-In our solution, we're going to build three projects. The main module that contains *EdgeAgent* and *EdgeHub*, in addition to the temperature sensor module. Next, you'll add two more IoT Edge modules.

-> [!TIP]

-> The IoT Edge project structure created by Visual Studio is not the same as the one in Visual Studio Code.

-The deployment manifest you'll edit is named `deployment.debug.template.json`. This file is a template of an IoT Edge deployment manifest that defines all the modules that run on a device along with how they communicate with each other. For more information about deployment manifests, see [Learn how to deploy modules and establish routes](module-composition.md).

- :::image type="content" source="./media/how-to-visual-studio-develop-module/set-iot-edge-runtime-version.png" alt-text="Screenshot of how to find and select the menu item named 'Set I o T Edge Runtime version'.":::

- ...

- ...

- "image": "mcr.microsoft.com/azureiotedge-agent:1.4",

- ...

- ...

- ...

-1. If you changed the version, regenerate your deployment manifest by right-clicking the name of your project and select **Generate deployment for IoT Edge**. This generates a deployment manifest based on your deployment template and will appear in the **config** folder of your Visual Studio project.

- ...

- ...

- ...

- ...

- ...

-Typically, you'll want to test and debug each module before running it within an entire solution with multiple modules. The IoT Edge simulator tool allows you to run a single module in isolation a send messages over port 53000.

-After you're done developing a single module, you might want to run and debug an entire solution with multiple modules. The IoT Edge simulator tool allows you to run all modules defined in the deployment manifest including a simulated edgeHub for message routing. In this example, you'll run two custom modules and the simulated temperature sensor module. Messages from the simulated temperature sensor module are routed to each custom module.

- :::image type="content" source="./media/how-to-visual-studio-develop-module/add-new-module.png" alt-text="Screenshot of how to add a 'New I o T Edge Module' from the menu." lightbox="./media/how-to-visual-studio-develop-module/add-new-module.png":::

-1. Right-click the main project (for example, *AzureIotEdgeApp1*) and select **Set as StartUp Project**. By setting the main project as the startup project, all modules in the solution run. This includes both modules you added to the solution as well as the simulated temperature sensor module and the simulated Edge hub.

- In **Solution Explorer**, select the **Show All Files** toolbar button. The `.env` file will appear. Add your Azure Container Registry username and password to your `.env` file. These credentials can be found on the **Access Keys** page of your Azure Container Registry in the Azure portal.

- :::image type="content" source="./media/how-to-visual-studio-develop-module/show-env-file.png" alt-text="Screenshot of button that will show all files in the Solution Explorer.":::

-1. Go to your local Visual Studio main project folder and look in the `config` folder. The file path might look like this: `C:\Users\<YOUR-USER-NAME>\source\repos\<YOUR-IOT-EDGE-PROJECT-NAME>\config`. Here you'll find the generated deployment manifest such as `deployment.amd64.debug.json`.

- >:::image type="content" source="./media/how-to-publish-subscribe/unsupported-1.2-schema.png" alt-text="Screenshot of Azure portal error on the I o T Edge device page.":::

-1. If you're using an Azure Container Registry to store your module image, you'll need to add your credentials to **deployment.debug.template.json** in the *edgeAgent* settings. For example,

- ...

-Azure IoT Edge can make your IoT solution more efficient by moving workloads out of the cloud and to the edge. This capability lends itself well to services that process a lot of data, like computer vision models. The [Custom Vision Service](../cognitive-services/custom-vision-service/overview.md) lets you build custom image classifiers and deploy them to devices as containers. Together, these two services enable you to find insights from images or video streams without having to transfer all of the data off site first. Custom Vision provides a classifier that compares an image against a trained model to generate insights.

-Creating an image classifier requires a set of training images, as well as test images.

-5. When the export is complete, select **Download** and save the .zip package locally on your computer. Extract all files from the package. You'll use these files to create an IoT Edge module that contains the image classification server.

- | Provide a module name | Name your module **classifier**.<br><br>It's important that this module name be lowercase. IoT Edge is case-sensitive when referring to modules, and this solution uses a library that formats all requests in lowercase. |

-The IoT Edge extension tries to pull your container registry credentials from Azure and populate them in the environment file. Check to see if your credentials are already included. If not, add them now:

-Currently, Visual Studio Code can develop modules for Linux AMD64 and Linux ARM32v7 devices. You need to select which architecture you're targeting with each solution, because the container is built and run differently for each architecture type. The default is Linux AMD64, which is what we'll use for this tutorial.

-4. Save the **main.py** file.

-5. Open the **requrements.txt** file.

-3. Select the **deployment.amd64.json** file in the **config** folder and then **Select Edge Deployment Manifest**. Do not use the deployment.template.json file.

- ```bash

- iotedge logs cameraCapture

- ```

-From Visual Studio Code, right-click on the name of your IoT Edge device and select **Start Monitoring Built-in Event Endpoint**.

-> The cameraCapture module automatically reattempts connection until successful. After successful connection, you will see the expected image classification messages described below.

-The results from the Custom Vision module, which are sent as messages from the cameraCapture module, include the probability that the image is of either a hemlock or cherry tree. Since the image is hemlock, you should see the probability as 1.0.

-Continue on to the next tutorials to learn about other ways that Azure IoT Edge can help you turn data into business insights at the edge.

-In order to establish a TLS connection, you may need to download and reference the DigiCert Baltimore Root Certificate. This certificate is the one that Azure uses to secure the connection. You can find this certificate in the [Azure-iot-sdk-c](https://github.com/Azure/azure-iot-sdk-c/blob/master/certs/certs.c) repository. More information about these certificates can be found on [Digicert's website](https://www.digicert.com/digicert-root-certificates.htm).

-* `<local path to digicert.cer>` is the path to a local file that contains the DigiCert Baltimore Root certificate. You can create this file by copying the certificate information from [certs.c](https://github.com/Azure/azure-iot-sdk-c/blob/master/certs/certs.c) in the Azure IoT SDK for C. Include the lines `--BEGIN CERTIFICATE--` and `--END CERTIFICATE--`, remove the `"` marks at the beginning and end of every line, and remove the `\r\n` characters at the end of every line.

-* East US 2

-* West US

-* Southeast Asia

-* North Europe

-* US Gov Virginia

-* East US

-* West Europe

-* West US

-* West US 2

-* UK South

-* North Central US

-* Japan East

-* East Asia

-* West Central US

-* Australia Southeast

-* Australia East

-* Central India

-[Learn more](https://glasnostic.com/blog/announcing-glasnostic-for-azure-gwlb)

-Azure Logic Apps is a cloud-based platform for creating and running automated *logic app workflows* that integrate your apps, data, services, and systems. With this platform, you can quickly develop highly scalable integration solutions for your enterprise and business-to-business (B2B) scenarios. To create a logic app, you use either the **Logic App (Consumption)** resource type or the **Logic App (Standard)** resource type. The Consumption resource type runs in the *multi-tenant* Azure Logic Apps or *integration service environment*, while the Standard resource type runs in *single-tenant* Azure Logic Apps environment.

-Before you choose which resource type to use, review this article to learn how the resources types and service environments compare to each other. You can then decide the type that's best for your scenario's needs, solution requirements, and the environment where you want to deploy and run your workflows.

-If you're new to Azure Logic Apps, review the following documentation:

-* [What is Azure Logic Apps?](logic-apps-overview.md)

-* [What is a *logic app workflow*?](logic-apps-overview.md#logic-app-concepts)

-## Resource types and environments

-To create logic app workflows, you choose the **Logic App** resource type based on your scenario, solution requirements, the capabilities that you want, and the environment where you want to run your workflows.

-The following table briefly summarizes differences between the **Logic App (Standard)** resource type and the **Logic App (Consumption)** resource type. You also learn how the *single-tenant* environment differs from the *multi-tenant* environment and *integration service environment (ISE)* for deploying, hosting, and running your logic app workflows.

-## Logic App (Standard) resource

-The **Logic App (Standard)** resource type is powered by the redesigned single-tenant Azure Logic Apps runtime. This runtime uses the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md) and is hosted as an extension on the Azure Functions runtime. This design provides portability, flexibility, and more performance for your logic app workflows plus other capabilities and benefits inherited from the Azure Functions platform and Azure App Service ecosystem. For example, you can create, deploy, and run single-tenant based logic apps and their workflows in [Azure App Service Environment v3 (Windows plans only)](../app-service/environment/overview.md).

-The Standard resource type introduces a resource structure that can host multiple workflows, similar to how an Azure function app can host multiple functions. With a 1-to-many mapping, workflows in the same logic app and tenant share compute and processing resources, providing better performance due to their proximity. This structure differs from the **Logic App (Consumption)** resource where you have a 1-to-1 mapping between a logic app resource and a workflow.

-To learn more about portability, flexibility, and performance improvements, continue with the following sections. Or, for more information about the single-tenant Azure Logic Apps runtime and Azure Functions extensibility, review the following documentation:

-When you create logic apps using the **Logic App (Standard)** resource type, you can deploy and run your workflows in other environments, such as [Azure App Service Environment v3 (Windows plans only)](../app-service/environment/overview.md). If you use Visual Studio Code with the **Azure Logic Apps (Standard)** extension, you can *locally* develop, build, and run your workflows in your development environment without having to deploy to Azure. If your scenario requires containers, [create single-tenant based logic apps using Azure Arc-enabled Logic Apps](azure-arc-enabled-logic-apps-create-deploy-workflows.md). For more information, review [What is Azure Arc enabled Logic Apps?](azure-arc-enabled-logic-apps-overview.md)

-These capabilities provide major improvements and substantial benefits compared to the multi-tenant model, which requires you to develop against an existing running resource in Azure. Also, the multi-tenant model for automating **Logic App (Consumption)** resource deployment is based on Azure Resource Manager templates (ARM templates), which combine and handle resource provisioning for both apps and infrastructure.

-With the **Logic App (Standard)** resource type, deployment becomes easier because you can separate app deployment from infrastructure deployment. You can package the single-tenant Azure Logic Apps runtime and workflows together as part of your logic app. You can use generic steps or tasks that build, assemble, and zip your logic app resources into ready-to-deploy artifacts. To deploy your infrastructure, you can still use ARM templates to separately provision those resources along with other processes and pipelines that you use for those purposes.

-Using the **Logic App (Standard)** resource type, you can create and run multiple workflows in the same single logic app resource and tenant. With this 1-to-many mapping, these workflows share resources, such as compute, processing, storage, and network, providing better performance due to their proximity.

-The **Logic App (Standard)** resource type and single-tenant Azure Logic Apps runtime provide another significant improvement by making the more popular managed connectors available as built-in operations. For example, you can use built-in operations for Azure Service Bus, Azure Event Hubs, SQL, and others. Meanwhile, the managed connector versions are still available and continue to work.

-When you use the new built-in operations, you create connections called *built-in connections* or *service provider connections*. Their managed connection counterparts are called *API connections*, which are created and run separately as Azure resources that you also have to then deploy by using ARM templates. Built-in operations and their connections run locally in the same process that runs your workflows. Both are hosted on the single-tenant Azure Logic Apps runtime. As a result, built-in operations and their connections provide better performance due to proximity with your workflows. This design also works well with deployment pipelines because the service provider connections are packaged into the same build artifact.

-Logic app resources created with the **Logic App (Standard)** resource type are hosted in single-tenant Azure Logic Apps, which [doesn't store, process, or replicate data outside the region where you deploy these logic app resources](https://azure.microsoft.com/global-infrastructure/data-residency), meaning data in your logic app workflows stay in the same region where you create and deploy their parent resources.

-Workflows running in either [Azure Logic Apps (Standard)](single-tenant-overview-compare.md) or an [*integration service environment* (ISE)](connect-virtual-network-vnet-isolated-environment-overview.md) can access secured resources such as virtual machines (VMs), other services, and systems that exist in an [Azure virtual network](../virtual-network/virtual-networks-overview.md). Both Azure Logic Apps (Standard) and an ISE are dedicated instances of the Azure Logic Apps service that use dedicated resources and run separately from the global multi-tenant Azure Logic Apps service.

-Running logic apps in your own dedicated instance helps reduce the impact that other Azure tenants might have on app performance, also known as the ["noisy neighbors" effect](https://en.wikipedia.org/wiki/Cloud_computing_issues#Performance_interference_and_noisy_neighbors).

-Azure Logic Apps (Standard) and an ISE also provide the following benefits:

-* Your own static IP addresses, which are separate from the static IP addresses that are shared by the logic apps in the multi-tenant service. You can also set up a single public, static, and predictable outbound IP address to communicate with destination systems. That way, you don't have to set up extra firewall openings at those destination systems for each ISE.

-To create a logic app based on the environment that you want, you have multiple options, for example:

-| Azure portal | **Logic App (Standard)** resource type | [Create an example Standard logic app workflow in single-tenant Azure Logic Apps - Azure portal](create-single-tenant-workflows-azure-portal.md) |

-||||

-| Azure portal | **Logic App (Consumption)** resource type | [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps - Azure portal](quickstart-create-example-consumption-workflow.md) |

-| Azure CLI | [**Logic Apps Azure CLI** extension](https://github.com/Azure/azure-cli-extensions/tree/master/src/logic) | - [Quickstart: Create and manage Consumption logic app workflows in multi-tenant Azure Logic Apps - Azure CLI](quickstart-logic-apps-azure-cli.md) <p><p>- [az logic](/cli/azure/logic) |

-||||

-| Azure portal | **Logic App (Consumption)** resource type with an existing ISE resource | Same as [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps - Azure portal](quickstart-create-example-consumption-workflow.md), but select an ISE, not a multi-tenant region. |

-||||

-For example, in the Azure portal, the **Logic apps** page shows both **Consumption** and **Standard** logic app resource types. In Visual Studio Code, deployed logic apps appear under your Azure subscription, but they're grouped by the extension that you used, namely **Azure: Logic Apps (Consumption)** and **Azure: Logic Apps (Standard)**.

-With the **Logic App (Standard)** resource type, you can create these workflow types within the same logic app:

-| Handles large messages | Best for handling small message sizes (under 64 KB) |

-|||

-You can [make a workflow callable](logic-apps-http-endpoint.md) from other workflows that exist in the same **Logic App (Standard)** resource by using the [Request trigger](../connectors/connectors-native-reqres.md), [HTTP Webhook trigger](../connectors/connectors-native-webhook.md), or managed connector triggers that have the [ApiConnectionWebhook type](logic-apps-workflow-actions-triggers.md#apiconnectionwebhook-trigger) and can receive HTTPS requests.

-||||

-The single-tenant model and **Logic App (Standard)** resource type include many current and new capabilities, for example:

- * More managed connectors are now available as built-in connectors in Standard logic app workflows. The built-in versions run natively on the single-tenant Azure Logic Apps runtime. Some built-in connectors are also informally known as [*service provider* connectors](../connectors/built-in.md#service-provider-interface-implementation). For a list, review [Built-in connectors in Consumption and Standard](../connectors/built-in.md#built-in-connectors).

- > To use these actions in single-tenant Azure Logic Apps (Standard), you need to have Liquid maps, XML maps, or XML schemas.

- > You can upload these artifacts in the Azure portal from your logic app's resource menu, under **Artifacts**, which includes

- > the **Schemas** and **Maps** sections. Or, you can add these artifacts to your Visual Studio Code project's **Artifacts**

- > folder using the respective **Maps** and **Schemas** folders. You can then use these artifacts across multiple workflows

- > within the *same logic app resource*.

- * **Logic App (Standard)** resources can run anywhere because Azure Logic Apps generates Shared Access Signature (SAS) connection strings that these logic apps can use for sending requests to the cloud connection runtime endpoint. Azure Logic Apps service saves these connection strings with other application settings so that you can easily store these values in Azure Key Vault when you deploy in Azure.

- * The **Logic App (Standard)** resource type supports having the [system-assigned managed identity *and* multiple user-assigned managed identities](create-managed-service-identity.md) enabled at the same time, though you still can only select one identity to use at any time. However, most [built-in, service provider-based connectors](/azure/logic-apps/connectors/built-in/reference/) currently don't support selecting user-assigned managed identities for authentication.

-* Regenerate access keys for managed connections used by individual workflows in a **Logic App (Standard)** resource. For this task, [follow the same steps for the **Logic Apps (Consumption)** resource but at the individual workflow level](logic-apps-securing-a-logic-app.md#regenerate-access-keys), not the logic app resource level.

-A Standard logic app workflow has many of the same built-in connectors as a Consumption logic app workflow, but not all. Vice versa, a Standard logic app workflow has many built-in connectors that aren't available in a Consumption logic app workflow.

-For example, a Standard logic app workflow has both managed connectors and built-in connectors for Azure Blob, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, SQL Server, and others. Although a Consumption logic app workflow doesn't have these same built-in connector versions, other built-in connectors such as Azure API Management, Azure App Services, and Batch, are available.

-For the **Logic App (Standard)** resource, these capabilities have changed, or they're currently limited, unavailable, or unsupported:

-* **Triggers and actions**: [Built-in triggers and actions](../connectors/built-in.md) run natively in Azure Logic Apps, while managed connectors are hosted and run in Azure. For Standard workflows, some built-in triggers and actions are currently unavailable, such as Sliding Window, Batch, Azure App Service, and Azure API Management. To start a stateful or stateless workflow, use a built-in trigger such as the Request, Event Hubs, or Service Bus trigger. The Recurrence trigger is available for stateful workflows, but not stateless workflows. In the designer, built-in triggers and actions appear on the **Built-in** tab, while [managed connector triggers and actions](../connectors/managed.md) appear on the **Azure** tab.

- For *stateless* workflows, *managed connector actions* are available, but *managed connector triggers* are unavailable. So the **Azure** tab appears only when you can select managed connector actions. Although you can enable managed connectors for stateless workflows, the designer doesn't show any managed connector triggers for you to add.

- * These triggers and actions have either changed or are currently limited, unsupported, or unavailable:

- * Some [triggers and actions for integration accounts](../connectors/managed.md#integration-account-connectors) are unavailable, for example, the AS2 (V2) actions and RosettaNet actions.

-* **Authentication**: The following authentication types are currently unavailable for the **Logic App (Standard)** resource type:

-* **Trigger history and run history**: For the **Logic App (Standard)** resource type, trigger history and run history in the Azure portal appears at the workflow level, not the logic app level. For more information, review [Create single-tenant based workflows using the Azure portal](create-single-tenant-workflows-azure-portal.md).

-* **Deployment targets**: You can't deploy the **Logic App (Standard)** resource type to an [integration service environment (ISE)](connect-virtual-network-vnet-isolated-environment-overview.md) nor to Azure deployment slots.

-* **Azure API Management**: You currently can't import the **Logic App (Standard)** resource type into Azure API Management. However, you can import the **Logic App (Consumption)** resource type.

-With Azure Machine Learning, you can bring data from a local machine or an existing cloud-based storage. In this article, you'll learn the main Azure Machine Learning data concepts.

-| Azure Data Lake (gen1) | `adl://<accountname>.azuredatalakestore.net/<folder1>/<folder2>`

-|Azure Machine Learning [Datastore](#datastore) | `azureml://datastores/<data_store_name>/paths/<folder1>/<folder2>/<folder3>/<file>.parquet` |

-An Azure Machine Learning job maps URIs to the compute target filesystem. This mapping means that in a command that consumes or produces a URI, that URI works like a file or a folder. A URI uses **identity-based authentication** to connect to storage services, with either your Azure Active Directory ID (default), or Managed Identity. Azure Machine Learning [Datastore](#datastore) URIs can apply either identity-based authentication, or **credential-based** (for example, Service Principal, SAS token, account key) without exposure of secrets.

-Read [Access data in a job](how-to-read-write-data-v2.md) for more information.

-## Data types

-A URI (storage location) can reference a file, a folder, or a data table. A machine learning job input and output definition requires one of the following three data types:

-|Type |V2 API |V1 API |Canonical Scenarios | V2/V1 API Difference

-||||||

-|**File**<br>Reference a single file | `uri_file` | `FileDataset` | Read/write a single file - the file can have any format. | A type new to V2 APIs. In V1 APIs, files always mapped to a folder on the compute target filesystem; this mapping required an `os.path.join`. In V2 APIs, the single file is mapped. This way, you can refer to that location in your code. |

-|**Folder**<br> Reference a single folder | `uri_folder` | `FileDataset` | You must read/write a folder of parquet/CSV files into Pandas/Spark.<br><br>Deep-learning with images, text, audio, video files located in a folder. | In V1 APIs, `FileDataset` had an associated engine that could take a file sample from a folder. In V2 APIs, a Folder is a simple mapping to the compute target filesystem. |

-|**Table**<br> Reference a data table | `mltable` | `TabularDataset` | You have a complex schema subject to frequent changes, or you need a subset of large tabular data.<br><br>AutoML with Tables. | In V1 APIs, the Azure Machine Learning back-end stored the data materialization blueprint. As a result, `TabularDataset` only worked if you had an Azure Machine Learning workspace. `mltable` stores the data materialization blueprint in *your* storage. This storage location means you can use it *disconnected to AzureML* - for example, local, on-premises. In V2 APIs, you'll find it easier to transition from local to remote jobs. Read [Working with tables in Azure Machine Learning](how-to-mltable.md) for more information. |

-## Data runtime capability

-Azure Machine Learning uses its own *data runtime* for mounts/uploads/downloads, to map storage URIs to the compute target filesystem, or to materialize tabular data into pandas/spark with Azure Machine Learning tables (`mltable`). The Azure Machine Learning data runtime is designed for machine learning task *high speed and high efficiency*. Its key benefits include:

-## Datastore

-An Azure Machine Learning datastore serves as a *reference* to an *existing* Azure storage account. The benefits of Azure Machine Learning datastore creation and use include:

-1. A common, easy-to-use API that interacts with different storage types (Blob/Files/ADLS).

-1. Easier discovery of useful datastores in team operations.

-1. For credential-based access (service principal/SAS/key), Azure Machine Learning datastore secures connection information. This way, you won't need to place that information in your scripts.

-When you create a datastore with an existing Azure storage account, you can choose between two different authentication methods:

-The following table summarizes the Azure cloud-based storage services that an Azure Machine Learning datastore can create. Additionally, the table summarizes the authentication types that can access those

-Supported storage service | Credential-based authentication | Identity-based authentication

-||:-:|::|

-Azure Blob Container| Γ£ô | Γ£ô|

-Azure File Share| Γ£ô | |

-Azure Data Lake Gen1 | Γ£ô | Γ£ô|

-Azure Data Lake Gen2| Γ£ô | Γ£ô|

-Read [Create datastores](how-to-datastore.md) for more information about datastores.

-Read [Create data assets](how-to-create-data-assets.md) for more information about data assets.

- > [!TIP]

- > This example is for a managed VNet configured to allow internet traffic. If you want to allow only approved outbound traffic, set `isolation_mode: allow_only_approved_outbound` instead.

- > [!TIP]

- > The following example is for a managed VNet configured to allow internet traffic. If you want to allow only approved outbound traffic, use `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND` instead.

-| Geo-restore from geo-replicated backups | Not supported | RTO - Varies <br/>RPO < 1 h | RTO - Varies <br/>RPO < 1 h |

-**Support** | Available for VMware VMs in general availability (GA).<br><br>Available for Hyper-V VMs and physical servers in public preview. | In general availability (GA).

-**Dynamic disk** | An OS disk as a dynamic disk is not supported. Ongoing replications need to be disabled and re-enabled after converting a dynamic OS disk to basic to start replication of the disk successfully.

-**Disk limits** | Up to 60 disks per VM.

-**Application servers** | Enable PowerShell remoting on the application servers: sign in to the application server and follow [these instructions to turn on PowerShell remoting](/powershell/module/microsoft.powershell.core/enable-psremoting). <br/><br/> If the application server is running Window Server 2008 R2, ensure that PowerShell 5.1 is installed on the application server. Follow the instructions [here to download and install PowerShell 5.1](/powershell/scripting/windows-powershell/wmf/setup/install-configure) on the application server. <br/><br/> If the Microsoft Web Deployment tool isn't already installed on the machine running the App Containerization tool and the application server, install it. You can [download the tool](https://aka.ms/webdeploy3.6).

-**ASP.NET application** | The tool currently supports: <br> <ul><li> ASP.NET applications that use .NET Framework 3.5 or later.<br/> <li>Application servers that run Windows Server 2008 R2 or later. (Application servers should be running PowerShell 5.1.) <br/><li> Applications that run on Internet Information Services 7.5 or later.</ul> <br/><br/> The tool currently doesn't support: <br/> <ul><li>Applications that require Windows authentication. (AKS doesn't currently support gMSA.) <br/> <li> Applications that depend on other Windows services hosted outside of Internet Information Services.

-**Application servers** | Enable PowerShell remoting on the application servers: Sign in to the application server and follow [these](/powershell/module/microsoft.powershell.core/enable-psremoting) instructions to turn on PowerShell remoting. <br/><br/> If the application server is running Windows Server 2008 R2, ensure that PowerShell 5.1 is installed on the application server. Follow the instruction [here](/powershell/scripting/windows-powershell/wmf/setup/install-configure) to download and install PowerShell 5.1 on the application server. <br/><br/> Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6).

-**ASP.NET application** | The tool currently supports:<br/> - ASP.NET applications using Microsoft .NET framework 3.5 or later. <br/>- Application servers running Windows Server 2008 R2 or later (application servers should be running PowerShell version 5.1). <br/>- Applications running on Internet Information Services (IIS) 7.5 or later. <br/><br/> The tool currently doesn't support: <br/>- Applications requiring Windows authentication (The App Containerization tool currently doesn't support gMSA). <br/>- Applications that depend on other Windows services hosted outside IIS.

- --name TutorialIPv6NATLB-rg \

- --location westus2

- --resource-group TutorialIPv6NATLB-rg \

- --location westus2 \

- --name myVNet \

- --address-prefixes '10.1.0.0/16'

- --name myBackendSubnet \

- --resource-group TutorialIPv6NATLB-rg \

- --vnet-name myVNet \

- --address-prefixes '10.1.0.0/24'

- --resource-group TutorialIPv6NATLB-rg \

- --vnet-name myVNet \

- --address-prefixes '10.1.1.0/26'

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-Bastion \

- --resource-group TutorialIPv6NATLB-rg \

- --name myBastion \

- --public-ip-address myPublicIP-Bastion \

- --vnet-name myVNet \

- --location westus2

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-NAT \

- --resource-group TutorialIPv6NATLB-rg \

- --name myNATgateway \

- --public-ip-addresses myPublicIP-NAT \

-Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update) to associate the NAT gateway with **myBackendSubnet**.

- --resource-group TutorialIPv6NATLB-rg \

- --vnet-name myVNet \

- --name myBackendSubnet \

- --nat-gateway myNATgateway

-The addition of IPv6 to the virtual network must be done after the NAT gateway is associated with **myBackendSubnet**. Use the following example to add and IPv6 address space and subnet to the virtual network you created in the previous steps.

- --address-prefixes 10.1.0.0/16 2404:f800:8000:122::/63 \

- --name myVNet \

- --resource-group TutorialIPv6NATLB-rg

- --address-prefixes 10.1.0.0/24 2404:f800:8000:122::/64 \

- --name myBackendSubnet \

- --vnet-name myVNet \

- --resource-group TutorialIPv6NATLB-rg

- --name myNSG \

- --resource-group TutorialIPv6NATLB-rg

- --resource-group TutorialIPv6NATLB-rg \

- --nsg-name myNSG \

- --name myNSGRuleRDP \

- --destination-port-range 3389 \

- --name myNIC \

- --resource-group TutorialIPv6NATLB-rg \

- --vnet-name myVNet \

- --subnet myBackendSubnet \

- --name ipconfig-IPv6 \

- --nic-name myNIC \

- --resource-group TutorialIPv6NATLB-rg \

- --vnet-name myVNet \

- --subnet myBackendSubnet \

- --name myVM \

- --resource-group TutorialIPv6NATLB-rg \

- --image Win2022Datacenter \

- --nics myNIC

- ```

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-IPv6 \

- --name myLoadBalancer \

- --resource-group TutorialIPv6NATLB-rg \

- --backend-pool-name myBackendPool \

- --frontend-ip-name myFrontend-IPv6 \

- --location westus2 \

- --public-ip-address myPublicIP-IPv6 \

- --sku Standard

- --address-pool myBackendPool \

- --frontend-ip-configs myFrontend-IPv6 \

- --lb-name myLoadBalancer \

- --name myOutBoundRule \

- --resource-group TutorialIPv6NATLB-rg \

- --address-pool myBackendPool \

- --ip-config-name ipconfig-IPv6 \

- --nic-name myNIC \

- --resource-group TutorialIPv6NATLB-rg \

- --lb-name myLoadBalancer

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-NAT \

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-NAT \

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-IPv6 \

- --resource-group TutorialIPv6NATLB-rg \

- --name myPublicIP-IPv6 \

-1. In the **Overview** of **myVM**, select **Connect** then **Bastion**. Select **Use Bastion**

-1. Select **myVM**.

-1. In the **Overview** of **myVM**, select **Connect** then **Bastion**.

-1. On the desktop of **myVM**, open **Microsoft Edge**.

-1. To confirm the IPv4 address, enter `http://v4.testmyipv6.com` in the address bar.

-1. You should see the IPv4 address displayed. In this example, the IP of **40.90.217.214** displayed.

- :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/cli-verify-ipv4.png" alt-text="Screenshot of outbound IPv4 public IP address from CLI steps.":::

-1. In the address bar, enter `http://v6.testmyipv6.com`

-1. You should see the IPv6 address displayed. In this example, the IP of **2603:1030:c04:3::4d** is displayed.

- :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/cli-verify-ipv6.png" alt-text="Screenshot of outbound IPv6 public IP address from CLI steps.":::

-1. Close the bastion connection to **myVM**.

- --name TutorialIPv6NATLB-rg

-az nf ipprefix create \

-az nf ipprefix create \

-az nf ipcommunity create \

-az nf ipcommunity show --resource-group "ResourceGroupName" --resource-name "ipcommunity-2701"

-az nf ipextendedcommunity create \

-az nf ipextendedcommunity show --resource-group "ResourceGroupName" --resource-name "ipextcommunity-2701"

-az nf routepolicy create \

-az nf routepolicy show --resource-group "ResourceGroupName" --resource-name "rcf-Fab3-l3domain-v6-connsubnet-ext-policy"

-## Dependant Azure resources setup

-[Azure CLI extension for managed network fabrics](./howto-install-cli-extensions.md).

-az nf l2domain create \

-az nf l2domain show --resource-group "ResourceGroupName" --resource-name "example-l2domain"

-az nf l2domain list --resource-group "ResourceGroupName"

-az nf l2domain update-admin-state --resource-group "ResourceGroupName" --resource-name "example-l2domain" --state Enable/Disable

-az nf l2domain delete --resource-group "ResourceGroupName" --resource-name "example-l2domain"

-az nf l3domain create

-az nf l3domain create --resource-group "ResourceGroupName" --resource-name "l3untrust" --location "eastus" --nf-id "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/networkFabrics/NFName"

-az nf l3domain create --resource-group "ResourceGroupName" --resource-name "l3trust" --location "eastus" --nf-id "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/networkFabrics/NFName"

-az nf l3domain create --resource-group "ResourceGroupName" --resource-name "l3mgmt" --location "eastus" --nf-id "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxx-xxxxxx/resourceGroups/NFResourceGroupName/providers/Microsoft.ManagedNetworkFabric/networkFabrics/NFName"

-az nf l3domain show --resource-group "ResourceGroupName" --resource-name "example-l3domain"

-az nf l3domain list --resource-group "ResourceGroupName"

-az nf l3domain update-admin-state --resource-group "ResourceGroupName" --resource-name "example-l3domain" --state Enable/Disable

- az nf l3domain delete --resource-group "ResourceGroupName" --resource-name "example-l3domain"

-az nf internalnetwork create

-az nf internalnetwork create --resource-group "ResourceGroupName" --l3-isolation-domain-name l3untrust --resource-name untrustnetwork --location "eastus" --vlan-id 502 --fabric-asn 65048 --peer-asn 65047--connected-i-pv4-subnets prefix="10.151.3.11/24" --mtu 1500

-az nf internalnetwork create --resource-group "ResourceGroupName" --l3-isolation-domain-name l3trust --resource-name trustnetwork --location "eastus" --vlan-id 503 --fabric-asn 65048 --peer-asn 65047--connected-i-pv4-subnets prefix="10.151.1.11/24" --mtu 1500

-az nf internalnetwork create --resource-group "ResourceGroupName" --l3-isolation-domain-name l3mgmt --resource-name mgmtnetwork --location "eastus" --vlan-id 504 --fabric-asn 65048 --peer-asn 65047--connected-i-pv4-subnets prefix="10.151.2.11/24" --mtu 1500

-az nf internalnetwork create

-az nf internalnetwork create

-az nf externalnetwork create

-az nf externalnetwork create

-az nf externalnetwork create

-az nf l2domain update-administrative-state --resource-group "ResourceGroupName" --resource-name "l2HAnetwork" --state Enable

-az nf l3domain update-admin-state --resource-group "ResourceGroupName" --resource-name "l3untrust" --state Enable

-az nf l3domain update-admin-state --resource-group "ResourceGroupName" --resource-name "l3trust" --state Enable

-az nf l3domain update-admin-state --resource-group "ResourceGroupName" --resource-name "l3mgmt" --state Enable

-az nf controller create \

- az nf controller show --resource-group "NFCResourceGroupName" --resource-name "nfcname"

- az nf controller delete --resource-group "NFCResourceGroupName" --resource-name "nfcname"

-az nf fabric create \

-az nf fabric show --resource-group "NFResourceGroupName" --resource-name "NFName"

-az nf fabric list --resource-group "NFResourceGroup"

-az nf nni create \

-az nf nni show -g "NFResourceGroup" --resource-name "NFNNIName" --fabric "NFFabric"

-az nf nni list -g NFResourceGroup --fabric NFFabric

-az nf device update \

-az nf device list --resource-group "NFResourceGroup"

-az nf device show --resource-group "NFResourceGroup" --resource-name "Network-Device-Name"

-az nf fabric provision --resource-group "NFResourceGroup" --resource-name "NFName"

-az nf fabric show --resource-group "NFResourceGroup" --resource-name "NFName"

-az nf fabric deprovision --resource-group "NFResourceGroup" --resource-name "NFName"

-az nf fabric delete --resource-group "NFResourceGroup" --resource-name "NFName"

-az nf fabric show --resource-group "NFResourceGroup" --resource-name "NFName"

-Command group 'nf' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

-(ResourceNotFound) The Resource 'Microsoft.ManagedNetworkFabric/NetworkFabrics/NFName' under resource group 'NFResourceGroup' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

-# [Linux / macOS / WSL](#tab/linux+macos+wsl)

-```sh

- curl -L "https://aka.ms/nexus-nf-cli" --output "managednetworkfabric-0.0.0-py3-none-any.whl"

-```

-# [PowerShell](#tab/powershell)

-```ps

- curl "https://aka.ms/nexus-nf-cli" -OutFile "managednetworkfabric-0.0.0-py3-none-any.whl"

-```

- az extension add --source managednetworkfabric-0.0.0-py3-none-any.whl

- az nf --help

-az nf fabric create \

- az nf l3domain update-admin-state --resource-group "RESOURCE_GROUP_NAME" --resource-name "L3ISOLATIONDOMAIN_NAME" --state "Enable"

-az nf l3domain show -g "example-rg" --resource-name "l2domainname" -o table

-az nf l2domain show -g "example-rg" --resource-name "l3domainname" -o table

- - [Post a message in a Microsoft Teams channel](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Post-Message-Teams)

- - [Send an Outlook email notification](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Incident-Email-Notification)

- - [Post a message in a Slack channel](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Post-Message-Slack)

- - [Prompt to block an IP address](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-IPs-on-MDATP-Using-GraphSecurity).

- - [Block an Azure AD user](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUserOrAdmin)

- - [Reset an Azure AD user password](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Active%20Directory/Playbooks/Reset-AADUserPassword)

- - [Prompt to isolate a machine](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Isolate-AzureVMtoNSG)

- - [Change an incident's severity](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Change-Incident-Severity)

- - [Create a ServiceNow incident](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Servicenow/Playbooks/Create-SNOW-record)

-1. In the **Create a certificate** dialog under **Method of certificate creation**, select `Import`.

- --file <path-to-pfx-file> \

- --password <export-password>

-If you don't have an application in Azure Spring Apps, follow the instructions in [Quickstart: Launch an existing application in Azure Spring Apps using the Azure portal](./quickstart.md).

- --resource-group <resource-group-name>

- --service <Azure-Spring-Apps-instance-name>

- --app <app-name> \

- --resource-group <resource-group-name>

- --service <service-name>

- --app <app-name> \

-In your app page, in the navigation, select **Custom Domain**. Then, set **HTTPS Only**, to `True`.

-**This article applies to:** ✔️ Standard consumption and dedicated (Preview) ✔️ Basic/Standard ✔️ Enterprise

-Pet Clinic, as deployed in the default configuration [Quickstart: Build and deploy apps to Azure Spring Apps](quickstart-deploy-apps.md), uses an in-memory database (HSQLDB) that is populated with data at startup. This quickstart explains how to provision and prepare an Azure Database for MySQL instance and then configure Pet Clinic on Azure Spring Apps to use it as a persistent database with only one command.

-## Prepare an Azure Database for MySQL instance

-1. Create an Azure Database for MySQL flexible server using the [az mysql flexible-server create](/cli/azure/mysql/flexible-server#az-mysql-flexible-server-create) command. Replace the placeholders `<database-name>`, `<resource-group-name>`, `<MySQL-flexible-server-name>`, `<admin-username>`, and `<admin-password>` with a name for your new database, the name of your resource group, a name for your new server, and an admin username and password. Use single quotes around the value for `admin-password`.

- ```azurecli-interactive

- az mysql flexible-server create \

- --resource-group <resource-group-name> \

- --name <MySQL-flexible-server-name> \

- --database-name <database-name> \

- --public-access 0.0.0.0 \

- --admin-user <admin-username> \

- --admin-password '<admin-password>'

- ```

- > [!NOTE]

- > The `Standard_B1ms` SKU is used by default. For pricing details, see [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/).

- > [!TIP]

- > The password should be at least eight characters long and contain at least one English uppercase letter, one English lowercase letter, one number, and one non-alphanumeric character (!, $, #, %, and so on.).

-1. Run the `az spring connection create` command to create a service connection between Azure Spring Apps and the Azure MySQL database. Replace the placeholders below with your own information. Use single quotes around the value for MySQL server `secret`.

- --app <app-name> \

-### [Portal](#tab/azure-portal)

-1. Under **Settings**, select **Apps** and select the application from the list.

-Run the `az spring connection validate` command to show the status of the connection between Azure Spring Apps and the Azure MySQL database. Replace the placeholders below with your own information.

- --app <app-name> \

-* [Bind an Azure Database for MySQL instance to your application in Azure Spring Apps](how-to-bind-mysql.md)

-| **Availability** <br> **(RA-GRS reads)** | 99.99% | 99.999% | 99.999% | 99.999% |

-If you initiate a conversion from the Azure portal, the conversion process could take up to 72 hours to begin, and possibly longer if requested by opening a support request.

-Within a single subscription, you can create accounts with either standard or Azure DNS Zone endpoints, for a maximum of 5250 accounts per region per subscription. With a quota increase, you can crate up to 5500 storage accounts per region per subscription.

- > Once you've completed this tab, you can continue to optionally create session hosts, a workspace, register the default desktop application group from this host pool, and enable diagnostics settings. Alternatively, if you want to create and configure these separately, select **Next: Review + create** and go to step 9.

-description: Learn how Azure Private Link (preview) can help you keep network traffic private.

-# Use Azure Private Link with Azure Virtual Desktop (preview)

-> [!IMPORTANT]

-> Private Link for Azure Virtual Desktop is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-You can use a [private endpoint](../private-link/private-endpoint-overview.md) from Azure Private Link with Azure Virtual Desktop to privately connect to your remote resources. With Private Link, traffic between your virtual network and the service travels the Microsoft "backbone" network, which means you'll no longer need to expose your service to the public internet. Keeping traffic within this "backbone" network improves security and keeps your data safe. This article describes how Private Link can help you secure your Azure Virtual Desktop environment.

-You can either share these private endpoints across your network topology or you can isolate your virtual networks (VNets) so that each has their own private endpoint to the host pool or workspace.

-The following diagram shows how Private Link securely connects a local client to the Azure Virtual Desktop service:

-When adding Private Link, you can connect to Azure Virtual Desktop in the following ways:

-> [!NOTE]

-> If you intend to restrict network ports from either the user client devices or your session host VMs to the private endpoints, you will need to allow traffic across the entire TCP dynamic port range of 1 - 65535 to the private endpoint for the host pool resource using the *connection* sub-resource. The entire TCP dynamic port range is needed because port mapping is used to all global gateways through the single private endpoint IP address corresponding to the *connection* sub-resource.

-> If you restrict ports to the private endpoint, your users may not be able to connect successfully to Azure Virtual Desktop.

-## Public preview limitations

-The public preview of using Private Link with Azure Virtual Desktop has the following limitations:

-description: How to set up Private Link for Azure Virtual Desktop (preview).

-# Set up Private Link for Azure Virtual Desktop (preview)

-> Private Link for Azure Virtual Desktop is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-This article will show you how to set up Private Link for Azure Virtual Desktop (preview) in your Azure Virtual Desktop deployment. For more information about what Private Link can do for your deployment and the limitations of the public preview version, see [Private Link for Azure Virtual Desktop (preview)](private-link-overview.md).

-## Prerequisites

-In order to use Private Link in your Azure Virtual Desktop deployment, you'll need the following things:

->[!IMPORTANT]

->There's currently a bug in version 1.2.3918 of the Remote Desktop client for Windows that causes a client regression when you use Private Link. In order to use Private Link in your deployment, you must use a version later than 1.2.3918. Using an earlier version of the Remote Desktop client can potentially cause security issues. We don't recommend using version 1.2.3918 for environments or VMs that you aren't using to preview Private Link.

-### Re-register your resource provider

-In the public preview version of Private Link, after you create your resources, you'll need to re-register them to your resource provider before you can start using Private Link. Re-registering allows the service to download and assign the new roles that will let you use this feature.

-To re-register your resource provider:

-1. Select **Subscriptions**.

-1. Select the name of your subscription.

-1. Select **Resource providers**.

-1. Search for **Microsoft.DesktopVirtualization**.

-1. Select **Microsoft.DesktopVirtualization**, then select **Re-register**.

-1. Verify that the status of Microsoft.DesktopVirtualization is **Registered**.

-## Enable preview content on your Azure subscription

-In order to use Private Link, you'll need to register your Azure subscription to use Private Link. To register your subscription:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the search box, enter and select **Subscriptions**.

-1. Select the name of your subscription.

-1. In the menu on the left side of the screen, look under **Settings** and select **Preview features**.

-1. In the search box that opens, enter **Private**.

-1. Select **Azure Virtual Desktop Private Link Public Preview**.

-1. Select **Register**.

-Once you select **Register**, you'll be able to use Private Link.

-## Create a placeholder workspace

-A private endpoint to the global sub-resource of any workspace controls the shared fully qualified domain name (FQDN) for initial feed discovery. This control enables feed discovery for all workspaces. Because the workspace connected to the private endpoint is so important, deleting it will cause all feed discovery processes to stop working. Instead of deleting the workspace, you should create an unused placeholder workspace to terminate the global endpoint before you start using Private Link. To create a workspace, follow the instructions in [Workspace information](create-host-pools-azure-marketplace.md#workspace-information).

-## Set up Private Link in the Azure portal

-Now, let's set up Private Link for your host pool. During the setup process, you'll create private endpoints to the following resources:

-| Resource type | Target sub-resource | Quantity |

-|--|--|

-| Microsoft.DesktopVirtualization/workspaces | global | One for all Azure Virtual Desktop deployments |

-| Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |

-| Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |

-To configure Private Link in the Azure portal:

-1. Open the Azure portal and sign in.

-1. Search for and select **Azure Virtual Desktop**.

-1. Go to **Host pools**, then select the name of the host pool you want to use.

- >[!TIP]

- >You can also start setting up by going to **Private Link Center** > **Private Endpoints** > **Add a private endpoint**.

-1. After you've opened the host pool, go to **Networking** > **Private Endpoint connections**.

-1. Select **New private endpoint**.

-1. In the **Basics** tab, either use the drop-down menus to select the **Subscription** and **Resource group** you want to use or create a new resource group.

-1. Next, enter a name for your new private endpoint. The network interface name will fill automatically.

-1. Select the **region** your private endpoint will be located in. You must choose the same location as your session host and the virtual network (VNet) you plan to use.

-1. When you're done, select **Next: Resource >**.

-1. In the **Resource** tab, use the following resource:

-

- - Resource type: **Microsoft.DesktopVirtualization/hostpools**

- - Resource: *your host pool*

- - Target sub-resource: connection

-1. Select **Next: Virtual Network >**.

-1. In the **Virtual Network** tab, make sure the values in the **Virtual Network** and **subnet** fields are correct.

-1. In the **Private IP configuration** field, choose whether you want to dynamically or statically allocate IP addresses from the subnet you selected in the previous step.

-

- - If you choose to statically allocate IP addresses, you'll need to fill in the **Name** and **Private IP** for each listed member.

-1. Next, select an existing application security group or create a new one.

-

- - If you're creating a new application security group, select **Create new**, then enter a name for the new security group.

-1. When you're finished, select **Next: DNS >**.

-1. In the **DNS** tab, in the **Integrate with private DNS zone** field, select **Yes** if you want to integrate with an Azure private DNS zone. The private DNS zone name is `privatelink.wvd.microsoft.com`. Learn more about integration at [Azure Private endpoint DNS configuration](../private-link/private-endpoint-dns.md).

-1. When you're done, select **Next: Tags >**.

-1. In the **Tags** tab, you can optionally add tags to help the Azure service categorize your resources. If you don't want to add tags, select **Next: Review + create**.

-1. Review the details of your private endpoint. If everything looks good, select **Create** and wait for the deployment to finish.

-1. Now, repeat the process to create private endpoints for your resources. Return to step 3, but select **Workspaces** instead of host pools and use the following resources, then follow the rest of the steps until the end.

- - Resource type: **Microsoft.DesktopVirtualization/workspaces**

- - Resource: *your placeholder workspace*

- - Target sub-resource: global

- - Resource type: **Microsoft.DesktopVirtualization/workspaces**

- - Resource: *your workspace*

- - Target sub-resource: feed

->[!NOTE]

->You'll need to repeat this process to create a private endpoint for every resource you want to put into Private Link.

-In addition to creating private routes, you can also control if the Azure Virtual Desktop resource allows traffic to come from public routes.

-To control public traffic:

-1. Open the Azure portal and sign in.

-1. Search for and select **Azure Virtual Desktop**.

-1. Go to **Host pools** > **Networking** > **Firewall and virtual networks**.

-1. First, configure the **Allow end users access from public network** setting.

- - If you select the check box, users can connect to the host pool using public internet or private endpoints.

- - If you don't select the check box, users can only connect to host pool using private endpoints.

-1. Next, configure the **Allow session hosts access from public network** setting.

- - If you select the check box, Azure Virtual Desktop session hosts will talk to the Azure Virtual Desktop service over public internet or private endpoints.

- - If you don't select the check box, Azure Virtual Desktop session hosts can only talk to the Azure Virtual Desktop service over private endpoint connections.

->[!IMPORTANT]

->Disabling the **Allow session host access from public network** setting won't affect existing sessions. You must restart the session host VM for the change to take effect on the session host network settings.

-## Network security groups

-Follow the directions in [Tutorial: Filter network traffic with a network security group using the Azure portal](../virtual-network/tutorial-filter-network-traffic.md) to set up a network security group (NSG). You can use this NSG to block the **WindowsVirtualDesktop** service tag. If you block this service tag, all service traffic will use private routes only.

-When you set up your NSG, you must configure it to allow both the URLs in the [required URL list](safe-url-list.md) and your private endpoints. Make sure to include the URLs for Azure Monitor.

-> [!NOTE]

-> If you intend to restrict network ports from either the user client devices or your session host VMs to the private endpoints, you will need to allow traffic across the entire TCP dynamic port range of 1 - 65535 to the private endpoint for the host pool resource using the *connection* sub-resource. The entire TCP dynamic port range is needed because port mapping is used to all global gateways through the single private endpoint IP address corresponding to the *connection* sub-resource.

-> If you restrict ports to the private endpoint, your users may not be able to connect successfully to Azure Virtual Desktop.

-## Validate your Private Link deployment

-To validate your Private Link for Azure Virtual Desktop and make sure it's working:

-1. Check to see if your session hosts are registered and functional on the VNet. You can check their health status with [Azure Monitor](insights.md).

-1. Next, test your feed connections to make sure they perform as expected. Use the client and make sure you can add and refresh workspaces.

-1. Finally, run the following end-to-end tests:

- - Make sure your clients can't connect to Azure Virtual Desktop and your session hosts from public routes.

- - Make sure the session hosts can't connect to Azure Virtual Desktop from public routes.

-> Connecting to a session host outside of Azure Virtual Desktop that is powered off, such as using the MSTSC client, won't start the VM.

- Once you've completed this tab, select **Next: Virtual Machines**.

-| <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DELETE</kbd> | <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>END</kbd> (Windows) | Shows the Windows Security dialog box. |

-| <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>DELETE</kbd> | <kbd>FN</kbd>+<kbd>Control</kbd>+<kbd>Option</kbd>+<kbd>Delete</kbd> (macOS) | Shows the Windows Security dialog box. |

-> You can copy and paste text only. Files can't be copied or pasted to and from the web client. Additionally, you can only use <kbd>CTRL</kbd>+<kbd>C</kbd> and <kbd>CTRL</kbd>+<kbd>V</kbd> to copy and paste text.

-[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported only for Marketplace Windows image <br>

-[Live Migration](maintenance-and-updates.md): Supported <br>

-[Memory Preserving Updates](maintenance-and-updates.md): Supported <br>

-[Ephemeral OS Disks](ephemeral-os-disks.md): Supported <br>

-[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported only for Marketplace Windows image <br>

-[Live Migration](maintenance-and-updates.md): Supported <br>

-[Memory Preserving Updates](maintenance-and-updates.md): Supported <br>

-[VM Generation Support](generation-2.md): Generation 1 and 2 <br>

-| Local Disk | 960 GB NVMe (block), 480 GB SSD (page file) |

-| **Virtual Hub Data Processed** | Data in bytes/second on how much traffic traverses the virtual hub router in a given time period. Note that only the following flows use the virtual hub router: VNet to VNet (same hub) and VPN/ExpressRoute branch to VNet (interhub).|

-$MetricInformation = Get-AzMetric -ResourceId "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/VirtualHubs/<VirtualHubName>" -MetricName "VirtualHubDataProcessed" -TimeGrain 00:05:00 -StartTime 2022-2-20T01:00:00Z -EndTime 2022-2-20T01:30:00Z -AggregationType Average

-* **Aggregation Types** - Average/Minimum/Maximum/Total

- * Average - Total average of bytes/sec per the selected time period.

- * Minimum ΓÇô Minimum bytes that were sent during the selected time grain period.

- * Maximum ΓÇô Maximum bytes that were sent during the selected time grain period.

- * Total ΓÇô Total bytes/sec that were sent during the selected time grain period.

-The following diagram shows the virtual network and the VPN gateway that you create using the steps in this article. You can later create different types of connections, such as [Site-to-Site](tutorial-site-to-site-portal.md) and [Point-to-site](point-to-site-about.md) to connect to this virtual network via the VPN gateway.

-A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

-Once you have a VPN gateway, you can configure connections. The following articles will help you create a few of the most common configurations:

-> CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest CRS version.

-You can enable a managed bot protection rule set to take custom actions on requests from all bot categories.