Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
advisor | Advisor Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-get-started.md | Title: Azure Advisor portal basics -description: Get started with Azure Advisor. +description: Learn how to get started with Azure Advisor through the Azure portal, get and manage recommendations, and configure Advisor settings. Last updated 03/07/2024 # Azure Advisor portal basics -Learn how to access Advisor through the Azure portal, get and manage recommendations, and configure Advisor settings. +Learn how to access Azure Advisor through the Azure portal, get and manage recommendations, and configure Advisor settings. > [!NOTE]-> Azure Advisor runs in the background to find newly created resources. It can take up to 24 hours to provide recommendations on those resources. +> Advisor runs in the background to find newly created resources. It can take up to 24 hours to provide recommendations on those resources. ## Open Advisor -To access Azure Advisor, sign in to the [Azure portal](https://portal.azure.com). From there, select the [Advisor](https://aka.ms/azureadvisordashboard) icon at the top of the page, use the search bar at the top to search for Advisor, or use the left navigation pane **Advisor** link.<br> The Advisor **Overview** page opens by default. +To access Advisor, sign in to the [Azure portal](https://portal.azure.com). Then select the [Advisor](https://aka.ms/azureadvisordashboard) icon at the top of the page or use the search bar at the top to search for Advisor. You can also use the left pane and select **Advisor**. The Advisor **Overview** page opens by default. ## View the Advisor dashboard -See personalized and actionable recommendations on the Advisor **Overview** page. +On the Advisor **Overview** page, you see personalized and actionable recommendations. -* The links at the top offer options for **Feedback**, downloading recommendations as comma-separated or PDFs, and a quick-link to Advisor **Workbooks**. 
-* The blue filter buttons below them focus the recommendations. -* The tiles represent the different recommendation categories and include your current score in that category. -* The **Get started** link takes you to options for direct access to Advisor workbooks, recommendations, and the Well Architected Framework main page. +* The links at the top offer options for **Feedback**, downloading recommendations as comma-separated value (CSV) files or PDFs, and a link to Advisor **Workbooks**. +* The filter buttons underneath them focus the recommendations. +* The tiles represent the different recommendation categories and include your current score in each category. +* **Get started** takes you to options for direct access to Advisor workbooks, recommendations, and the Azure Well-Architected Framework main page. ### Filter and access recommendations -The tiles on the Advisor **Overview** page show the different categories of recommendations for all the subscriptions that you have access to, by default. +The tiles on the Advisor **Overview** page show the different categories of recommendations for all the subscriptions to which you have access, by default. -You can filter the display using the buttons at the top of the page: +To filter the display, use the buttons at the top of the page: -* **Subscription**: Choose *All* for Advisor recommendations on all subscriptions. Alternatively, select specific subscriptions. Apply changes by clicking outside of the button. -* **Recommendation Status**: *Active* (the default, recommendations not postponed or dismissed), *Postponed* or *Dismissed*. Apply changes by clicking outside of the button. -* **Resource Group**: Choose *All* (the default) or specific resource groups. Apply changes by clicking outside of the button. -* **Type**: Choose *All* (the default) or specific resources. Apply changes by clicking outside of the button. +* **Subscription**: Select **All** for Advisor recommendations on all subscriptions. 
Alternatively, select specific subscriptions. Apply changes by clicking outside of the button. +* **Recommendation Status**: **Active** (the default, recommendations not postponed or dismissed), **Postponed** or **Dismissed**. Apply changes by clicking outside of the button. +* **Resource Group**: Select **All** (the default) or specific resource groups. Apply changes by clicking outside of the button. +* **Type**: Select **All** (the default) or specific resources. Apply changes by clicking outside of the button. * For more advanced filtering, select **Add filter**. To display a specific list of recommendations, select a category tile. Each tile provides information about the recommendations for that category: For detailed graphics and information on your Advisor score, see [Optimize Azure ### Get recommendation details and solution options -View recommendation details ΓÇô such as the recommended actions and impacted resources ΓÇô and the solution options, including postponing or dismissing a recommendation. +You can view recommendation details, such as the recommended actions and affected resources. You can also see the solution options, including postponing or dismissing a recommendation. -1. To review details of a recommendation, including the affected resources, open the recommendation list for a category and then select the **Description** or the **Impacted resources** link for a specific recommendation. The following screenshot shows a **Reliability** recommendation details page. +1. To review details of a recommendation, including the affected resources, open the recommendation list for a category. Then select **Description** or **Impacted resources** for a specific recommendation. The following screenshot shows a Reliability recommendation details page. - :::image type="content" source="./media/advisor-get-started/advisor-score-reliability-recommendation-page.png" alt-text="Screenshot of Azure Advisor reliability recommendation details example." 
lightbox="./media/advisor-get-started/advisor-score-reliability-recommendation-page.png"::: + :::image type="content" source="./media/advisor-get-started/advisor-score-reliability-recommendation-page.png" alt-text="Screenshot that shows an Advisor Reliability Recommendation details example." lightbox="./media/advisor-get-started/advisor-score-reliability-recommendation-page.png"::: 1. To see action details, select a **Recommended actions** link. The Azure page where you can act opens. Alternatively, open a page to the affected resources to take the recommended action (the two pages might be the same). - Understand the recommendation before you act by clicking the **Learn more** link on the recommended action page, or at the top of the recommendations details page. + To help you understand the recommendation before you act, select **Learn more** on the **Recommended action** page or at the top of the **Recommendation details** page. 1. You can postpone the recommendation. - :::image type="content" source="./media/advisor-get-started/advisor-recommendation-postpone.png" alt-text="Sreenshot of Azure Advisor recommendation postpone option." lightbox="./media/advisor-get-started/advisor-recommendation-postpone.png"::: + :::image type="content" source="./media/advisor-get-started/advisor-recommendation-postpone.png" alt-text="Screenshot that shows an Advisor recommendation postpone option." lightbox="./media/advisor-get-started/advisor-recommendation-postpone.png"::: You can't dismiss the recommendation without certain privileges. For information on permissions, see [Permissions in Azure Advisor](permissions.md). To download your recommendations, select **Download as CSV** or **Download as PD ## Configure recommendations -You can exclude subscriptions or resources, such as 'test' resources, from Advisor recommendations and configure Advisor to generate recommendations only for specific subscriptions and resource groups. 
+You can exclude subscriptions or resources, such as test resources, from Advisor recommendations and configure Advisor to generate recommendations only for specific subscriptions and resource groups. > [!NOTE]-> To change subscriptions or Advisor compute rules, you must be a subscription owner. If you do not have the required permissions, the option is disabled in the user interface. For information on permissions, see [Permissions in Azure Advisor](permissions.md). For details on right sizing VMs, see [Reduce service costs by using Azure Advisor](advisor-cost-recommendations.md). +> To change subscriptions or Advisor compute rules, you must be a subscription owner. If you don't have the required permissions, the option is disabled in the user interface. For information on permissions, see [Permissions in Azure Advisor](permissions.md). For details on right-sizing VMs, see [Reduce service costs by using Azure Advisor](advisor-cost-recommendations.md). -From any Azure Advisor page, select **Configuration** in the left navigation pane. The Advisor Configuration page opens with the **Resources** tab selected, by default. +From any Azure Advisor page, select **Configuration** in the left pane. The Advisor configuration page opens with the **Resources** tab selected, by default. -Use the **Resources** tab to select or unselect subscriptions for Advisor recommendations. When ready, select **Apply**. The page refreshes. +Use the **Resources** tab to select or unselect subscriptions for Advisor recommendations. When you're ready, select **Apply**. The page refreshes. -Use the **VM/VMSS right sizing** tab to adjust Advisor virtual machine (VM) and virtual machine scale sets (VMSS) recommendations. Specifically, you can set up a filter for each subscription to only show recommendations for machines with certain CPU utilization. This setting filters recommendations by machine, but doesn't change how they're generated. Follow these steps. 
+Use the **VM/VMSS right sizing** tab to adjust Advisor virtual machine (VM) and virtual machine scale sets (VMSS) recommendations. Specifically, you can set up a filter for each subscription to only show recommendations for machines with certain CPU utilization. This setting filters recommendations by machine, but it doesn't change how they're generated. Follow these steps: -1. Select the subscriptions youΓÇÖd like to set up a filter for average CPU utilization, and then select **Edit**. Not all subscriptions can be edited for VM/VMSS right sizing and certain privileges are required; for more information on permissions, see [Permissions in Azure Advisor](permissions.md). +1. Select the subscriptions for which you want to set up a filter for average CPU utilization. Then select **Edit**. Not all subscriptions can be edited for VM/VMSS right sizing, and certain privileges are required. For more information on permissions, see [Permissions in Azure Advisor](permissions.md). -1. Select the desired average CPU utilization value and select **Apply**. It can take up to 24 hours for the new settings to be reflected in recommendations. +1. Select the average CPU utilization value you want and select **Apply**. It can take up to 24 hours for the new settings to be reflected in recommendations. - :::image type="content" source="./media/advisor-get-started/advisor-configure-rules.png" alt-text="Screenshot of Azure Advisor configuration option for VM/VMSS sizing rules." lightbox="./media/advisor-get-started/advisor-configure-rules.png"::: + :::image type="content" source="./media/advisor-get-started/advisor-configure-rules.png" alt-text="Screenshot that shows an Advisor configuration option for VM/VMSS sizing rules." 
lightbox="./media/advisor-get-started/advisor-configure-rules.png"::: -## Next steps +## Related content To learn more about Advisor, see: - [Introduction to Azure Advisor](advisor-overview.md)-- [Advisor Cost recommendations](advisor-cost-recommendations.md)-- [Advisor Security recommendations](advisor-security-recommendations.md)-- [Advisor Reliability recommendations](advisor-high-availability-recommendations.md)-- [Advisor Operational Excellence recommendations](advisor-operational-excellence-recommendations.md)-- [Advisor Performance recommendations](advisor-performance-recommendations.md)+- [Advisor cost recommendations](advisor-cost-recommendations.md) +- [Advisor security recommendations](advisor-security-recommendations.md) +- [Advisor reliability recommendations](advisor-high-availability-recommendations.md) +- [Advisor operational excellence recommendations](advisor-operational-excellence-recommendations.md) +- [Advisor performance recommendations](advisor-performance-recommendations.md) |
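Review bot: The four filter bullets under "Filter and access recommendations" (Subscription, Recommendation Status, Resource Group, Type) still end with "Apply changes by clicking outside of the button", although this patch rewords "by clicking the **Learn more** link" to "select **Learn more**" further down. Use the same verb in the bullets so the page follows one convention. The "Configure recommendations" section also keeps "From any Azure Advisor page", while the rest of the patch shortens later mentions to "Advisor" (for example "To access Advisor, sign in to the ..."); shorten that one too.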
advisor | Advisor Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-overview.md | Title: Introduction to Azure Advisor -description: Use Azure Advisor to optimize your Azure deployments. +description: Learn how to use Azure Advisor to optimize your Azure deployments and get answers to frequently asked questions. Last updated 07/08/2024 With Advisor, you can: * Improve the performance, security, and reliability of your resources, as you identify opportunities to reduce your overall Azure spend. * Get recommendations with proposed actions inline. -You can access Advisor through the [Azure portal](https://aka.ms/azureadvisordashboard). Sign in to the [portal](https://portal.azure.com), locate **Advisor** in the navigation menu, or search for it in the **All services** menu. +You can access Advisor through the [Azure portal](https://aka.ms/azureadvisordashboard). Sign in to the [portal](https://portal.azure.com), locate **Advisor** on the navigation pane, or search for it on the **All services** menu. The Advisor dashboard displays personalized recommendations for all your subscriptions. The recommendations are divided into five categories: -* **Reliability**: To ensure and improve the continuity of your business-critical applications. For more information, see [Advisor Reliability recommendations](advisor-reference-reliability-recommendations.md). -* **Security**: To detect threats and vulnerabilities that might lead to security breaches. For more information, see [Advisor Security recommendations](advisor-security-recommendations.md). -* **Performance**: To improve the speed of your applications. For more information, see [Advisor Performance recommendations](advisor-reference-performance-recommendations.md). -* **Cost**: To optimize and reduce your overall Azure spending. For more information, see [Advisor Cost recommendations](advisor-reference-cost-recommendations.md). 
-* **Operational Excellence**: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. For more information, see [Advisor Operational Excellence recommendations](advisor-reference-operational-excellence-recommendations.md). +* **Reliability**: To ensure and improve the continuity of your business-critical applications. For more information, see [Advisor reliability recommendations](advisor-reference-reliability-recommendations.md). +* **Security**: To detect threats and vulnerabilities that might lead to security breaches. For more information, see [Advisor security recommendations](advisor-security-recommendations.md). +* **Performance**: To improve the speed of your applications. For more information, see [Advisor performance recommendations](advisor-reference-performance-recommendations.md). +* **Cost**: To optimize and reduce your overall Azure spending. For more information, see [Advisor cost recommendations](advisor-reference-cost-recommendations.md). +* **Operational excellence**: To help you achieve process and workflow efficiency, resource manageability, and deployment best practices. For more information, see [Advisor operational excellence recommendations](advisor-reference-operational-excellence-recommendations.md). You can apply filters to display recommendations for specific subscriptions and resource types. -Select a category to display the list of recommendations for that category, and select a recommendation to learn more about it. You can also learn about actions that you can perform to take advantage of an opportunity or resolve an issue. +Select a category to display the list of recommendations for that category. Select a recommendation to learn more about it. You can also learn about actions that you can perform to take advantage of an opportunity or resolve an issue. -Select the recommended action for a recommendation to implement the recommendation. 
A simple interface opens that enables you to implement the recommendation or refer you to documentation that assists you with implementation. Once you implement a recommendation, it can take up to a day for Advisor to recognize that. +Select the recommended action for a recommendation to implement the recommendation. A simple interface opens that enables you to implement the recommendation. It also might refer you to documentation that assists you with implementation. After you implement a recommendation, it can take up to a day for Advisor to recognize the action. ++If you don't intend to take immediate action on a recommendation, you can postpone it for a specified time period. You can also dismiss it. If you don't want to receive recommendations for a specific subscription or resource group, you can configure Advisor to only generate recommendations for specified subscriptions and resource groups. -If you don't intend to take immediate action on a recommendation, you can postpone it for a specified time period, or dismiss it. If you don't want to receive recommendations for a specific subscription or resource group, you can configure Advisor to only generate recommendations for specified subscriptions and resource groups. - ## Frequently asked questions +Here are answers to common questions about Advisor. + ### How do I access Advisor?-You can access Advisor through the [Azure portal](https://aka.ms/azureadvisordashboard). Sign in to the [portal](https://portal.azure.com), locate **Advisor** in the navigation menu, or search for it in the **All services** menu. +You can access Advisor through the [Azure portal](https://aka.ms/azureadvisordashboard). Sign in to the [portal](https://portal.azure.com), locate **Advisor** on the navigation pane, or search for it on the **All services** menu. ### What permissions do I need to access Advisor?- -You can access Advisor recommendations as *Owner*, *Contributor*, or *Reader* of a subscription, Resource Group, or Resource. 
-### What resources does Advisor provide recommendations for? +You can access Advisor recommendations as the Owner, Contributor, or Reader of a subscription, resource group, or resource. -Advisor provides recommendations for the following +### What resources does Advisor provide recommendations for? -Azure Advisor also includes your recommendations from [Microsoft Defender for Cloud](../defender-for-cloud/defender-for-cloud-introduction.md), which might include recommendations for other resource types. +Advisor provides recommendations for the following ++- Azure API Management +- Azure Application Gateway +- Azure App Service +- Availability sets +- Azure Cache +- Azure Database for MySQL +- Azure Database for PostgreSQL +- Azure Farmbeats +- Azure Stack ACI +- Azure public IP addresses +- Azure Synapse Analytics +- Central server +- Azure Cognitive Services +- Azure Cosmos DB +- Azure Data Explorer +- Azure Data Factory +- Databricks Workspace +- Azure ExpressRoute +- Azure Front Door +- Azure HDInsight cluster +- Azure IoT Hub +- Azure Key Vault +- Azure Kubernetes Service +- Log Analytics +- Azure Cache for Redis server +- SQL Server +- Azure Storage account +- Azure Traffic Manager profile +- Azure Virtual Machines +- Azure Virtual Machine Scale Sets +- Azure Virtual Network gateway ++Advisor also includes your recommendations from [Microsoft Defender for Cloud](../defender-for-cloud/defender-for-cloud-introduction.md), which might include recommendations for other resource types. ### Can I postpone or dismiss a recommendation? -To postpone or dismiss a recommendation, select the **Postpone** or **Dismiss** link, and the recommendation is moved to the Postponed/Dismissed tab on the recommendation list page. +To postpone or dismiss a recommendation, select **Postpone** or **Dismiss**. The recommendation is moved to the **Postponed/Dismissed** tab on the recommendation list page. 
-## Next steps +## Related content To learn more about Advisor recommendations, see: * [Get started with Advisor](advisor-get-started.md) * [Advisor score](azure-advisor-score.md)-* [Advisor Reliability recommendations](advisor-reference-reliability-recommendations.md) -* [Advisor Security recommendations](advisor-security-recommendations.md) -* [Advisor Performance recommendations](advisor-reference-performance-recommendations.md) -* [Advisor Cost recommendations](advisor-reference-cost-recommendations.md) -* [Advisor Operational Excellence recommendations](advisor-reference-operational-excellence-recommendations.md) +* [Advisor reliability recommendations](advisor-reference-reliability-recommendations.md) +* [Advisor security recommendations](advisor-security-recommendations.md) +* [Advisor performance recommendations](advisor-reference-performance-recommendations.md) +* [Advisor cost recommendations](advisor-reference-cost-recommendations.md) +* [Advisor operational excellence recommendations](advisor-reference-operational-excellence-recommendations.md) |
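Review bot: The resource list added under "What resources does Advisor provide recommendations for?" is not in any visible order ("Central server" sits between "Azure Synapse Analytics" and "Azure Cognitive Services", and "Availability sets" between "Azure App Service" and "Azure Cache"), which makes a 31-item list hard to scan. Sort it alphabetically. It also lists both "Azure Cache" and "Azure Cache for Redis server"; confirm these are distinct entries and not one service named twice. The lead-in as shown, "Advisor provides recommendations for the following", has no noun or colon before the list.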
advisor | Advisor Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-release-notes.md | Title: What's new in Azure Advisor -description: A description of what's new and changed in Azure Advisor +description: Learn about what's new and what's changed in Azure Advisor with information from release notes, videos, and blog posts. Last updated 05/03/2024 # What's new in Azure Advisor? -Learn what's new in the service. These items might be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with the service. +You can learn about what's new in Azure Advisor with the items in this article. These items might be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with the service. ## April 2024 -### Azure Advisor will no longer display aggregated potential yearly savings beginning 30 September 2024 +### Azure Advisor will no longer display aggregated potential yearly savings beginning September 30, 2024 -In the Azure portal, Azure Advisor currently shows potential aggregated cost savings under the label "Potential yearly savings based on retail pricing" on pages where cost recommendations are displayed (as shown in the image). This aggregated savings estimate will be removed from the Azure portal on 30 September 2024. However, you can still evaluate potential yearly savings tailored to your specific needs by following the steps in [Calculate cost savings](/azure/advisor/advisor-how-to-calculate-total-cost-savings). All individual recommendations and their associated potential savings will remain available. +In the Azure portal, Advisor currently shows potential aggregated cost savings under the label **Potential yearly savings based on retail pricing** on pages where cost recommendations appear. This aggregated savings estimate will be removed from the Azure portal on September 30, 2024. 
You can still evaluate potential yearly savings tailored to your specific needs by following the steps in [Calculate cost savings](/azure/advisor/advisor-how-to-calculate-total-cost-savings). All individual recommendations and their associated potential savings will remain available. #### Recommended action -If you want to continue calculating aggregated potential yearly savings, follow [these steps](/azure/advisor/advisor-how-to-calculate-total-cost-savings). Note that individual recommendations might show savings that overlap with the savings shown in other recommendations, although you might not be able to benefit from them concurrently. For example, you can benefit from savings plans or from reservations for virtual machines, but not typically from both on the same virtual machines. +If you want to continue calculating aggregated potential yearly savings, follow [these steps](/azure/advisor/advisor-how-to-calculate-total-cost-savings). Individual recommendations might show savings that overlap with the savings shown in other recommendations, although you might not be able to benefit from them concurrently. For example, you can benefit from savings plans or from reservations for virtual machines (VMs), but not typically from both on the same VMs. -### Public Preview: Resiliency Review on Azure Advisor +### Public preview: Resiliency review on Azure Advisor -Recommendations from WAF Reliability reviews in Advisor help you focus on the most important recommendations to ensure your workloads remain resilient. As part of the review, personalized and prioritized recommendations from Microsoft Cloud Solution Architects will be presented to you and your team. You can triage recommendations (accept or reject), manage their lifecycle on Advisor, and work with your Microsoft account team to track resolution. 
You can reach out to your account team to request Well Architected Reliability Assessment to successfully optimize workload resiliency and reliability by implementing curated recommendations and track its lifecycle on Advisor. +Recommendations from Azure Well-Architected Framework (WAF) Reliability reviews in Advisor help you focus on the most important recommendations to ensure that your workloads remain resilient. As part of the review, personalized and prioritized recommendations from Microsoft Cloud Solution Architects are presented to you and your team. You can triage recommendations (accept or reject), manage their lifecycle on Advisor, and work with your Microsoft account team to track resolution. You can reach out to your account team to request a WAF Reliability assessment to successfully optimize workload resiliency and reliability by implementing curated recommendations and track its lifecycle on Advisor. -To learn more, visit [Azure Advisor Resiliency Reviews](/azure/advisor/advisor-resiliency-reviews). +To learn more, see [Azure Advisor Resiliency reviews](/azure/advisor/advisor-resiliency-reviews). ## March 2024 -### Well-Architected Framework (WAF) assessments & recommendations +### Well-Architected Framework (WAF) assessments and recommendations -The Well-Architected Framework (WAF) assessment provides a curated view of a workloadΓÇÖs architecture. Now you can take the WAF assessment and manage recommendations on Azure Advisor to improve resiliency, security, cost, operational excellence, and performance efficiency. As a part of this release, we're announcing two key WAF assessments - [Mission Critical | Well-Architected Review](/assessments/23513bdb-e8a2-4f0b-8b6b-191ee1f52d34/) and [Azure Well-Architected Review](/assessments/azure-architecture-review/). +The WAF assessment provides a curated view of a workload's architecture. 
Now you can take the WAF assessment and manage recommendations on Advisor to improve resiliency, security, cost, operational excellence, and performance efficiency. As a part of this release, we're announcing two key WAF assessments: [Mission-Critical | Well-Architected Review](/assessments/23513bdb-e8a2-4f0b-8b6b-191ee1f52d34/) and [Azure Well-Architected Review](/assessments/azure-architecture-review/). -To get started, visit [Use Azure WAF assessments](/azure/advisor/advisor-assessments). +To get started, see [Use Azure WAF assessments](/azure/advisor/advisor-assessments). ## November 2023 -### ZRS recommendations for Azure Disks +### ZRS recommendations for Azure disks -Azure Advisor now has Zone Redundant Storage (ZRS) recommendations for Azure Managed Disks. Disks with ZRS provide synchronous replication of data across three availability zones in a region, enabling disks to tolerate zonal failures without causing disruptions to your application. By adopting this recommendation, you can now design your solutions to utilize ZRS disks. Access these recommendations through the Advisor portal and APIs. +Advisor now has zone-redundant storage (ZRS) recommendations for Azure managed disks. Disks with ZRS provide synchronous replication of data across three availability zones in a region, enabling disks to tolerate zonal failures without causing disruptions to your application. By adopting this recommendation, you can now design your solutions to utilize ZRS disks. Access these recommendations through the Advisor portal and APIs. -To learn more, visit [Use Azure Disks with Zone Redundant Storage for higher resiliency and availability](/azure/advisor/advisor-reference-reliability-recommendations#use-azure-disks-with-zone-redundant-storage-for-higher-resiliency-and-availability). 
+To learn more, see [Use Azure disks with zone-redundant storage for higher resiliency and availability](/azure/advisor/advisor-reference-reliability-recommendations#use-azure-disks-with-zone-redundant-storage-for-higher-resiliency-and-availability). ## October 2023 -### New version of Service Retirement workbook +### New version of the Service Retirement workbook -Azure Advisor now has a new version of the Service Retirement workbook that includes three major changes: --* 10 new services are onboarded to the workbook. The Retirement workbook now covers 40 services. --* Seven services that completed their retirement lifecycle are off boarded. +Advisor now has a new version of the Service Retirement workbook that includes three major changes: +* Ten new services are onboarded to the workbook. The retirement workbook now covers 40 services. +* Seven services that completed their retirement lifecycle are off-boarded. * User experience and navigation are improved. List of the newly added -| Service | Retiring Feature | +| Service | Retiring feature | |--|-|-| Azure Monitor | Classic alerts for Azure Gov cloud and Azure China 21Vianet | -| Azure Stack Edge | IoT Edge on K8s | +| Azure Monitor | Classic alerts for Azure US Government cloud and Azure China 21Vianet | +| Azure Stack Edge | IoT Edge on Kubernetes | | Azure Migrate | Classic |-| Application Insights | Trouble Shooting Guides Retirement | +| Application Insights | Troubleshooting guides retirement | | Azure Maps | Gen1 price tier |-| Application Insights | Single URL Ping Test | +| Application Insights | Single URL ping test | | Azure API for FHIR | Azure API for FHIR | | Azure Health Data Services | SMART on FHIR proxy | | Azure Database for MariaDB | Entire service | List of the newly added List of the removed -| Service | Retiring Feature | +| Service | Retiring feature | |--|-|-| Virtual Machines | Classic IaaS | +| Azure Virtual Machines | Classic IaaS | | Azure Cache for Redis | Version 4.x | | Virtual 
Machines | NV and NV_Promo series | | Virtual Machines | NC-series | | Virtual Machines | NC V2 series | | Virtual Machines | ND-Series |-| Virtual Machines | Azure Dedicated Host SKUs (Dsv3-Type1, Esv3-Type1, Dsv3-Type2, Esv3-Type2) | +| Virtual Machines | Azure Dedicated Host SKUs (Dsv3-Type1, Esv3-Type1, Dsv3-Type2, and Esv3-Type2) | -UX improvements: +User experience improvements: -* Resource details grid: Now, the resource details are readily available by default, whereas previously, they were only visible after selecting a service. -* Resource link: The **Resource** link now opens in a context pane, previously it opened in the same tab. +* **Resource details grid**: Now, the resource details are readily available by default. Previously, they were only visible after selecting a service. +* **Resource link**: The **Resource** link now opens in a context pane. Previously, it opened on the same tab. -To learn more, visit [Prepare migration of your workloads impacted by service retirement](/azure/advisor/advisor-how-to-plan-migration-workloads-service-retirement). +To learn more, see [Prepare migration of your workloads affected by service retirement](/azure/advisor/advisor-how-to-plan-migration-workloads-service-retirement). ### Service Health Alert recommendations -Azure Advisor now provides Service Health Alert recommendation for subscriptions, which do not have service health alerts configured. The action link will redirect you to the Service Health page where you can create and customize alerts based on the class of service health notification, affected subscriptions, services, and regions. +Advisor now provides Azure Service Health alert recommendations for subscriptions that don't have Service Health alerts configured. The link redirects you to the **Service Health** page. There, you can create and customize alerts based on the class of service health notification, affected subscriptions, services, and regions. 
-Azure Service Health alerts keep you informed about issues and advisories in four areas (Service issues, Planned maintenance, Security and Health advisories) and can be crucial for incident preparedness. +Service Health alerts keep you informed about issues and advisories in four areas: Service issues, Planned maintenance, Security advisories, and Health advisories. The alerts can be crucial for incident preparedness. -To learn more, visit [Service Health portal classic experience overview](/azure/service-health/service-health-overview). +To learn more, see [Service Health portal classic experience overview](/azure/service-health/service-health-overview). ## August 2023 -### Improved VM resiliency with Availability Zone recommendations +### Improved VM resiliency with availability zone recommendations -Azure Advisor now provides availability zone recommendations. By adopting these recommendations, you can design your solutions to utilize zonal virtual machines (VMs), ensuring the isolation of your VMs from potential failures in other zones. With zonal deployment, you can expect enhanced resiliency in your workload by avoiding downtime and business interruptions. +Advisor now provides availability zone recommendations. By adopting these recommendations, you can design your solutions to utilize zonal VMs, ensuring the isolation of your VMs from potential failures in other zones. With zonal deployment, you can expect enhanced resiliency in your workload by avoiding downtime and business interruptions. -To learn more, visit [Use Availability zones for better resiliency and availability](/azure/advisor/advisor-reference-reliability-recommendations#use-availability-zones-for-better-resiliency-and-availability). +To learn more, see [Use availability zones for better resiliency and availability](/azure/advisor/advisor-reference-reliability-recommendations#use-availability-zones-for-better-resiliency-and-availability). 
## July 2023 -### Introducing workload based recommendations management +### Workload-based recommendations management -Azure Advisor now offers the capability of grouping and/or filtering recommendations by workload. The feature is available to selected customers based on their support contract. +Advisor now offers the capability of grouping or filtering recommendations by workload. The feature is available to selected customers based on their support contract. -If you're interested in workload based recommendations, reach out to your account team for more information. +If you're interested in workload-based recommendations, reach out to your account team for more information. ### Cost Optimization workbook template -The Azure Cost Optimization workbook serves as a centralized hub for some of the most used tools that can help you drive utilization and efficiency goals. It offers a range of recommendations, including Azure Advisor cost recommendations, identification of idle resources, and management of improperly deallocated Virtual Machines. Additionally, it provides insights into leveraging Azure Hybrid benefit options for Windows, Linux, and SQL databases. +The Azure Cost Optimization workbook serves as a centralized hub for some of the most-used tools that can help you drive utilization and efficiency goals. It offers a range of recommendations, including Advisor cost recommendations, identification of idle resources, and management of improperly deallocated VMs. It also provides insights into using Azure Hybrid Benefit options for Windows, Linux, and SQL databases. -To learn more, visit [Understand and optimize your Azure costs using the Cost Optimization workbook](/azure/advisor/advisor-cost-optimization-workbook). +To learn more, see [Understand and optimize your Azure costs by using the Cost Optimization workbook](/azure/advisor/advisor-cost-optimization-workbook). 
## June 2023 ### Recommendation reminders for an upcoming event -Azure Advisor now offers new recommendation reminders to help you proactively manage and improve the resilience and health of your workloads before an important event. Customers in [Azure Event Management (AEM) program](https://www.microsoft.com/unifiedsupport/enhanced-solutions) are now reminded about outstanding recommendations for their subscriptions and resources that are critical for the event. +Advisor now offers new recommendation reminders to help you proactively manage and improve the resilience and health of your workloads before an important event. Customers in the [Azure Event Management (AEM) program](https://www.microsoft.com/unifiedsupport/enhanced-solutions) are now reminded about outstanding recommendations for their subscriptions and resources that are critical for the event. The event notifications are displayed when you visit Advisor or manage resources critical for an upcoming event. The reminders are displayed for events happening within the next 12 months and only for the subscriptions linked to an event. The notification includes a call to action to review outstanding recommendations for reliability, security, performance, and operational excellence. The event notifications are displayed when you visit Advisor or manage resources ### New: Reliability workbook template -Azure Advisor now has a Reliability workbook template. The new workbook helps you identify areas of improvement by checking configuration of selected Azure resources using the [resiliency checklist](/azure/architecture/checklist/resiliency-per-service) and documented best practices. You can use filters, subscription, resource group, and tags, to focus on resources that you care about most. Use the workbook recommendations to: +Advisor now has a Reliability workbook template. 
The new workbook helps you identify areas of improvement by checking configuration of selected Azure resources by using the [resiliency checklist](/azure/architecture/checklist/resiliency-per-service) and documented best practices. You can use filters, subscriptions, resource groups, and tags to focus on resources that you care about most. Use the workbook recommendations to: * Optimize your workload.- * Prepare for an important event.- * Mitigate risks after an outage. -To learn more, visit [Optimize your resources for reliability](https://aka.ms/advisor_improve_reliability). +To learn more, see [Optimize your resources for reliability](https://aka.ms/advisor_improve_reliability). -To assess the reliability of your workload using the tenets found in theΓÇ»[Microsoft Azure Well-Architected Framework](/azure/architecture/framework/), reference theΓÇ»[Microsoft Azure Well-Architected Review](/assessments/?id=azure-architecture-review&mode=pre-assessment). +To assess the reliability of your workload by using the tenets found in theΓÇ»[Azure WAF](/azure/architecture/framework/), see theΓÇ»[Azure Well-Architected Framework review](/assessments/?id=azure-architecture-review&mode=pre-assessment). ### Data in Azure Resource Graph is now available in Azure China and US Government clouds -Azure Advisor data is now available in the Azure Resource Graph (ARG) in Azure China and US Government clouds. The ARG is useful for customers who can now get recommendations for all their subscriptions at once and build custom views of Advisor recommendation data. For example: +Advisor data is now available in Azure Resource Graph in the Azure China and US Government clouds. Resource Graph is useful for customers who can now get recommendations for all their subscriptions at once and build custom views of Advisor recommendation data. 
For example, you can: * Review your recommendations summarized by impact and category.- * See all recommendations for a recommendation type.+* View affected resource counts by recommendation category. -* View impacted resource counts by recommendation category. +To learn more, see [Query for Advisor data in Resource Graph Explorer (Azure Resource Graph)](https://aka.ms/advisorarg). -To learn more, visit [Query for Advisor data in Resource Graph Explorer (Azure Resource Graph)](https://aka.ms/advisorarg). +### Service Retirement workbook -### Service retirement workbook +Advisor now provides a Service Retirement workbook. It's important to be aware of the upcoming Azure service and feature retirements to understand their effect on your workloads and plan migration. The [Service Retirement workbook](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/workbooks) provides a single centralized resource-level view of service retirements. It helps you assess impact, evaluate options, and plan migration. +The workbook includes 35 services and features that are planned for retirement. You can view planned retirement dates and the list and map of affected resources. You also get information to take the necessary actions. -Azure Advisor now provides a service retirement workbook. It's important to be aware of the upcoming Azure service and feature retirements to understand their impact on your workloads and plan migration. The [Service Retirement workbook](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/workbooks) provides a single centralized resource level view of service retirements and helps you assess impact, evaluate options, and plan migration. -The workbook includes 35 services and features planned for retirement. You can view planned retirement dates, list and map of impacted resources and get information to make the necessary actions. 
--To learn more, visit [Prepare migration of your workloads impacted by service retirements](advisor-how-to-plan-migration-workloads-service-retirement.md). +To learn more, see [Prepare migration of your workloads impacted by service retirements](advisor-how-to-plan-migration-workloads-service-retirement.md). ## April 2023 ### Postpone/dismiss a recommendation for multiple resources -Azure Advisor now provides the option to postpone or dismiss a recommendation for multiple resources at once. Once you open a recommendations details page with a list of recommendations and associated resources, select the relevant resources and choose **Postpone** or **Dismiss** in the command bar at the top of the page. +Advisor now provides the option to postpone or dismiss a recommendation for multiple resources at once. After you open a recommendations details page with a list of recommendations and associated resources, select the relevant resources and choose **Postpone** or **Dismiss** in the command bar at the top of the page. -To learn more, visit [Dismissing and postponing recommendations](/azure/advisor/view-recommendations#dismissing-and-postponing-recommendations). +To learn more, see [Dismiss and postpone recommendations](/azure/advisor/view-recommendations#dismissing-and-postponing-recommendations). -### VM/VMSS right-sizing recommendations with custom lookback period +### VM/virtual machine scale set right-sizing recommendations with custom lookback period -You can now improve the relevance of recommendations to make them more actionable, resulting in additional cost savings. +You can now improve the relevance of recommendations to make them more actionable to achieve more cost savings. -The right sizing recommendations help optimize costs by identifying idle or underutilized virtual machines based on their CPU, memory, and network activity over the default lookback period of seven days. 
Now, with this latest update, you can adjust the default look back period to get recommendations based on 14, 21, 30, 60, or even 90 days of use. The configuration can be applied at the subscription level. This is especially useful when the workloads have biweekly or monthly peaks (such as with payroll applications). +The right-sizing recommendations help optimize costs by identifying idle or underutilized VMs based on their CPU, memory, and network activity over the default lookback period of seven days. Now, with this latest update, you can adjust the default lookback period to get recommendations based on 14, 21, 30, 60, or even 90 days of use. The configuration can be applied at the subscription level. This capability is especially useful when the workloads have biweekly or monthly peaks (such as with payroll applications). -To learn more, visit [Optimize Virtual Machine (VM) or Virtual Machine Scale Set (VMSS) spend by resizing or shutting down underutilized instances](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances). +To learn more, see [Optimize VM or virtual machine scale set spend by resizing or shutting down underutilized instances](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances). ## March 2023 ### Advanced filtering capabilities -Azure Advisor now provides additional filtering capabilities. You can filter recommendations by resource group, resource type, impact and workload. +Advisor now provides more filtering capabilities. You can filter recommendations by resource group, resource type, impact, and workload. ## November 2022 -### New cost recommendations for Virtual Machine Scale Sets +### New cost recommendations for virtual machine scale sets -Azure Advisor now offers cost optimization recommendations for Virtual Machine Scale Sets (VMSS). 
These include shutdown recommendations for resources that we detect aren't used at all, and SKU change or instance count reduction recommendations for resources that we detect are under-utilized. For example, for resources where we think customers are paying for more than what they might need based on the workloads running on the resources. +Advisor now offers cost-optimization recommendations for virtual machine scale sets. They include shutdown recommendations for resources that we detect aren't used at all. They also include SKU change or instance count reduction recommendations for resources that we detect are underutilized. An example recommendation is for resources where we think customers are paying for more than what they might need based on the workloads running on the resources. -To learn more, visit [ -Optimize virtual machine (VM) or virtual machine scale set (VMSS) spend by resizing or shutting down underutilized instances](/azure/advisor/advisor-cost-recommendations#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances). +To learn more, see [ +Optimize VM or virtual machine scale set spend by resizing or shutting down underutilized instances](/azure/advisor/advisor-cost-recommendations#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances). ## June 2022 ### Advisor support for Azure Database for MySQL - Flexible Server -Azure Advisor provides a personalized list of best practices for optimizing your Azure Database for MySQL - Flexible Server instance. The feature analyzes your resource configuration and usage, and then recommends solutions to help you improve the cost effectiveness, performance, reliability, and security of your resources. With Azure Advisor, you can find recommendations based on transport layer security (TLS) configuration, CPU, and storage usage to prevent resource exhaustion. 
+Advisor provides a personalized list of best practices for optimizing your Azure Database for MySQL - Flexible Server instance. The feature analyzes your resource configuration and usage. It then recommends solutions to help you improve the cost effectiveness, performance, reliability, and security of your resources. With Advisor, you can find recommendations based on transport layer security (TLS) configuration, CPU, and storage usage to prevent resource exhaustion. -To learn more, visit [Azure Advisor for MySQL](/azure/mysql/single-server/concepts-azure-advisor-recommendations). +To learn more, see [Azure Advisor for MySQL](/azure/mysql/single-server/concepts-azure-advisor-recommendations). ## May 2022 ### Unlimited number of subscriptions -It's easier now to get an overview of optimization opportunities available to your organization ΓÇô no need to spend time and effort to apply filters and process subscription in batches. +It's easier now to get an overview of optimization opportunities available to your organization. There's no need to spend time and effort to apply filters and process subscriptions in batches. -To learn more, visit [Get started with Azure Advisor](advisor-get-started.md). +To learn more, see [Get started with Azure Advisor](advisor-get-started.md). ### Tag filtering -You can now get Advisor recommendations scoped to a business unit, workload, or team. Filter recommendations and calculate scores using tags you have already assigned to Azure resources, resource groups and subscriptions. Apply tag filters to: --* Identify cost saving opportunities by business units +You can now get Advisor recommendations scoped to a business unit, workload, or team. To filter recommendations and calculate scores, use tags that you already assigned to Azure resources, resource groups, and subscriptions. Apply tag filters to: -* Compare scores for workloads to optimize critical ones first +* Identify cost-saving opportunities by business units. 
+* Compare scores for workloads to optimize critical ones first. -To learn more, visit [How to filter Advisor recommendations using tags](advisor-tag-filtering.md). +To learn more, see [Filter Advisor recommendations by using tags](advisor-tag-filtering.md). ## January 2022 -[**Shutdown/Resize your virtual machines**](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances) recommendation was enhanced to increase the quality, robustness, and applicability. --Improvements include: --1. Cross SKU family series resize recommendations are now available. +The [Shut down/Resize your VMs](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances) recommendation was enhanced to increase quality, robustness, and applicability. -1. Cross version resize recommendations are now available. In general, newer versions of SKU families are more optimized, provide more features, and have better performance/cost ratios than older versions. +Improvements include: -1. For better actionability, we updated recommendation criteria to include other SKU characteristics such as accelerated networking support, premium storage support, availability in a region, inclusion in an availability set, and more. +- Cross-SKU family series resize recommendations are now available. +- Cross-version resize recommendations are now available. In general, newer versions of SKU families are more optimized, provide more features, and have better performance/cost ratios than older versions. +- Updated recommendation criteria include other SKU characteristics for better actionability. Examples are accelerated networking support, premium storage support, availability in a region, and inclusion in an availability set. 
-Read the [How-to guide](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances) to learn more. +To learn more, read the [How-to guide](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances). |
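Review bot: In the "New: Reliability workbook template" section, the new link text "Azure WAF" is an abbreviation that Azure readers will take for Web Application Firewall, while the link target is /azure/architecture/framework/. Spell it out as "Azure Well-Architected Framework", as the removed line did. The same added line keeps the odd character sequence between "the" and each link that the removed line had; replace it with a plain space. Terminology is also applied unevenly: the October 2023 link now reads "workloads affected by service retirement", but the June 2023 Service Retirement workbook link keeps "workloads impacted by service retirements". In the November 2022 section, the link text still begins with a line break after "[", which the edit carried over instead of fixing.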
advisor | Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/permissions.md | Title: Roles and permissions -description: Advisor permissions and how they may block your ability to configure subscriptions or postpone or dismiss recommendations. +description: Learn about Advisor permissions and how they might block your ability to configure subscriptions or postpone or dismiss recommendations. Last updated 05/03/2024 Azure Advisor provides recommendations based on the usage and configuration of y ## Roles and their access -The following table defines the roles and the access they have within Advisor: +The following table defines the roles and the access they have within Advisor. -| **Role** | **View recommendations** | **Edit rules** | **Edit subscription configuration** | **Edit resource group configuration**| **Dismiss and postpone recommendations**| +| Role | View recommendations | Edit rules | Edit subscription configuration | Edit resource group configuration| Dismiss and postpone recommendations| ||::|::|::|::|::| |Subscription Owner|**X**|**X**|**X**|**X**|**X**| |Subscription Contributor|**X**|**X**|**X**|**X**|**X**| The following table defines the roles and the access they have within Advisor: ## Permissions and unavailable actions -Lack of proper permissions can block your ability to perform actions in Advisor. Following are some common problems. +Lack of proper permissions can block your ability to perform actions in Advisor. You might encounter the following common problems. ### Unable to configure subscriptions or resource groups -When you attempt to configure subscriptions or resource groups in Advisor, you may see that the option to include or exclude is disabled. This status indicates that you do not have a sufficient level of permission for that resource group or subscription. To resolve this issue, learn how to [grant a user access](../role-based-access-control/quickstart-assign-role-user-portal.md). 
+When you attempt to configure subscriptions or resource groups in Advisor, you might see that the option to include or exclude is disabled. This status indicates that you don't have a sufficient level of permission for that resource group or subscription. To resolve this problem, learn how to [grant a user access](../role-based-access-control/quickstart-assign-role-user-portal.md). ### Unable to postpone or dismiss a recommendation -If you receive an error when trying to postpone or dismiss a recommendation, you might not have sufficient permissions. Dismissing a recommendation means you can't see it again unless manually reactivated, so you might potentially overlook important advice for optimizing Azure deployments. Therefore, itΓÇÖs crucial that only users with sufficient permissions can dismiss recommendations. Make sure that you have at least contributor access to the impacted resource of the recommendation you're postponing or dismissing. To resolve this issue, learn how to [grant a user access](../role-based-access-control/quickstart-assign-role-user-portal.md). +If you receive an error when you try to postpone or dismiss a recommendation, you might not have sufficient permissions. Dismissing a recommendation means you can't see it again unless it's manually reactivated, so you might potentially overlook important advice for optimizing Azure deployments. It's crucial that only users with sufficient permissions can dismiss recommendations. Make sure that you have at least Contributor access to the affected resource of the recommendation that you want to postpone or dismiss. To resolve this problem, learn how to [grant a user access](../role-based-access-control/quickstart-assign-role-user-portal.md). -## Next steps +## Related content -This article gave an overview of how Advisor uses Azure RBAC to control user permissions and how to resolve common issues. 
To learn more about Advisor, see: +This article gave an overview of how Advisor uses Azure RBAC to control user permissions and how to resolve common problems. To learn more about Advisor, see: - [What is Azure Advisor?](./advisor-overview.md) - [Get started with Azure Advisor](./advisor-get-started.md) |
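Review bot: In "Unable to postpone or dismiss a recommendation", the added paragraph keeps "so you might potentially overlook important advice", where "might potentially" is redundant; use "might". The sentence "It's crucial that only users with sufficient permissions can dismiss recommendations" names no permission until the following sentence ("at least Contributor access to the affected resource"), so consider merging the two so the required role is stated where the restriction is introduced. The heading also changes from "Next steps" to "Related content" while the paragraph under it still opens with "This article gave an overview of ...", which reads as a summary rather than an introduction to related links.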
ai-services | Concept Custom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-custom.md | The following table compares custom template and custom neural features: |Data extraction | Key-value pairs, tables, selection marks, coordinates, and signatures | Key-value pairs, selection marks, and tables| |Overlapping fields | Not supported | Supported | |Document variations | Requires a model per each variation | Uses a single model for all variations |-|Language support | Multiple [language support](concept-custom-template.md#supported-languages-and-locales) | English, with preview support for Spanish, French, German, Italian, and Dutch [language support](concept-custom-neural.md#supported-languages-and-locales) | +|Language support | [**Language support custom template**](language-support-custom.md#custom-template) | [**Language support custom neural**](language-support-custom.md#custom-neural) | ### Custom classification model |
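Review bot: The new "Language support" row replaces the at-a-glance values ("Multiple" and "English, with preview support for Spanish, French, German, Italian, and Dutch") with link-only cells, so the comparison table no longer shows how the two model types differ on language without leaving the page. Keep a short summary in each cell next to the link. The bold link text ("**Language support custom template**") is also inconsistent with the plain text used in the other rows of the table.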
ai-services | Get Started Sdks Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/get-started-sdks-rest-api.md | |
ai-services | V3 0 Languages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-languages.md | Send a `GET` request to: ```HTTP https://api.cognitive.microsofttranslator.com/languages?api-version=3.0++``` ++For virtual networks, use your custom domain endpoint: ++```HTTP +https://<your-custom-domain>.cognitiveservices.azure.com/languages?api-version=3.0 ``` -_See_ [**Virtual Network Support**](v3-0-reference.md#virtual-network-support) for Translator service selected network and private endpoint configuration and support. +For more information, _see_ [**Virtual Network Support**](v3-0-reference.md#virtual-network-support) for Translator service selected network and private endpoint configuration and support. ## Request parameters Request headers are: |Headers|Description| |||-|Accept-Language|**Optional request header**.<br><br>The language to use for user interface strings. Some of the fields in the response are names of languages or names of regions. Use this parameter to define the language in which these names are returned. The language is specified by providing a well-formed BCP 47 language tag. For instance, use the value `fr` to request names in French or use the value `zh-Hant` to request names in Chinese Traditional.<br/>Names are provided in the English language when a target language isn't specified or when localization isn't available.| +|Accept-Language|**Optional request header**.<br><br>The language to use for user interface strings. Some of the fields in the response are names of languages or names of regions. Use this parameter to define the language in which these names are returned. The language is specified by providing a well-formed `BCP` 47 language tag. 
For instance, use the value `fr` to request names in French or use the value `zh-Hant` to request names in Chinese Traditional.<br/>Names are provided in the English language when a target language isn't specified or when localization isn't available.| |X-ClientTraceId|**Optional request header**.<br>A client-generated GUID to uniquely identify the request.| Authentication isn't required to get language resources. ## Response body -A client uses the `scope` query parameter to define which groups of languages it's interested in. +A client uses the `scope` query parameter to define which groups of languages to list. * `scope=translation` provides languages supported to translate text from one language to another language; The value for each property is as follows. * `translation` property - The value of the `translation` property is a dictionary of (key, value) pairs. Each key is a BCP 47 language tag. A key identifies a language for which text can be translated to or translated from. The value associated with the key is a JSON object with properties that describe the language: + The value of the `translation` property is a dictionary of (key, value) pairs. Each key is a `BCP` 47 language tag. A key identifies a language for which text can be translated to or translated from. The value associated with the key is a JSON object with properties that describe the language: * `name`: Display name of the language in the locale requested via `Accept-Language` header. The value for each property is as follows. * `transliteration` property - The value of the `transliteration` property is a dictionary of (key, value) pairs. Each key is a BCP 47 language tag. A key identifies a language for which text can be converted from one script to another script. The value associated with the key is a JSON object with properties that describe the language and its supported scripts: + The value of the `transliteration` property is a dictionary of (key, value) pairs. 
Each key is a `BCP` 47 language tag. A key identifies a language for which text can be converted from one script to another script. The value associated with the key is a JSON object with properties that describe the language and its supported scripts: * `name`: Display name of the language in the locale requested via `Accept-Language` header. The value for each property is as follows. * `dictionary` property - The value of the `dictionary` property is a dictionary of (key, value) pairs. Each key is a BCP 47 language tag. The key identifies a language for which alternative translations and back-translations are available. The value is a JSON object that describes the source language and the target languages with available translations: + The value of the `dictionary` property is a dictionary of (key, value) pairs. Each key is a `BCP` 47 language tag. The key identifies a language for which alternative translations and back-translations are available. The value is a JSON object that describes the source language and the target languages with available translations: * `name`: Display name of the source language in the locale requested via `Accept-Language` header. The value for each property is as follows. The structure of the response object doesn't change without a change in the version of the API. For the same version of the API, the list of available languages may change over time because Microsoft Translator continually extends the list of languages supported by its services. -The list of supported languages doesn't change frequently. To save network bandwidth and improve responsiveness, a client application should consider caching language resources and the corresponding entity tag (`ETag`). Then, the client application can periodically (for example, once every 24 hours) query the service to fetch the latest set of supported languages. Passing the current `ETag` value in an `If-None-Match` header field allows the service to optimize the response. 
If the resource hasn't been modified, the service returns status code 304 and an empty response body. +The list of supported languages doesn't change frequently. To save network bandwidth and improve responsiveness, a client application should consider caching language resources and the corresponding entity tag (`ETag`). Then, the client application can periodically (for example, once every 24 hours) query the service to fetch the latest set of supported languages. Passing the current `ETag` value in an `If-None-Match` header field allows the service to optimize the response. If the resource isn't modified, the service returns status code 304 and an empty response body. ## Response headers The following are the possible HTTP status codes that a request returns. |Status Code|Description| | | | |200|Success.|-|304|The resource hasn't been modified since the version specified by request headers `If-None-Match`.| +|304|The resource isn't modified and aligns with the version specified by request headers `If-None-Match`.| |400|One of the query parameters is missing or not valid. Correct request parameters before retrying.|-|429|The server rejected the request because the client has exceeded request limits.| +|429|The server rejected the request because the client exceeded request limits.| |500|An unexpected error occurred. If the error persists, report it with: date and time of the failure, request identifier from response header `X-RequestId`, and client identifier from request header `X-ClientTraceId`.| |503|Server temporarily unavailable. Retry the request. If the error persists, report it with: date and time of the failure, request identifier from response header `X-RequestId`, and client identifier from request header `X-ClientTraceId`.| |
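Review bot: The added lines put part of a standard's name in code formatting (`BCP` 47) in the Accept-Language description and in the `translation`, `transliteration`, and `dictionary` property descriptions. BCP 47 is not a code identifier, so leave it as plain text; if the backticks are there to quiet a spelling check, add the term to the checker's exceptions instead. The new 304 description ("isn't modified and aligns with the version specified by request headers `If-None-Match`") is less precise than the line it replaces: 304 tells the client that the resource has not changed since the version it named in `If-None-Match`, and the wording should keep that "since" relationship. The first HTTP example also gains blank lines inside its fence before the closing marker; remove them.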
aks | Create Node Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/create-node-pools.md | The Azure Linux container host for AKS is an open-source Linux distribution avai You can migrate your existing Ubuntu nodes to Azure Linux using one of the following methods: * [Remove existing node pools and add new Azure Linux node pools](../azure-linux/tutorial-azure-linux-migration.md#add-azure-linux-node-pools-and-remove-existing-node-pools).-* [In-place OS SKU migration (preview)](../azure-linux/tutorial-azure-linux-migration.md#in-place-os-sku-migration-preview). +* [In-place OS SKU migration (preview)](../azure-linux/tutorial-azure-linux-migration.md#in-place-os-sku-migration). ## Node pools with unique subnets |
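Review bot: The link target in the second bullet drops the preview suffix (`#in-place-os-sku-migration`), but the link text still reads "In-place OS SKU migration (preview)". If the feature is no longer in preview, as the renamed anchor implies, update the link text in the same change so the label and destination agree.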
aks | Enable Fips Nodes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-fips-nodes.md | The Federal Information Processing Standard (FIPS) 140-2 is a US government stan ## Prerequisites -* Azure CLI version 2.32.0 or later installed and configured. Run `az --version` to find the version. For more information about installing or upgrading the Azure CLI, see [Install Azure CLI][install-azure-cli]. +* Azure CLI version 2.32.0 or later installed and configured. To find the version, run `az --version`. For more information about installing or upgrading the Azure CLI, see [Install Azure CLI][install-azure-cli]. > [!NOTE] > AKS Monitoring Addon supports FIPS enabled node pools with Ubuntu, Azure Linux, and Windows starting with Agent version 3.1.17 (Linux) and Win-3.1.17 (Windows). The Federal Information Processing Standard (FIPS) 140-2 is a US government stan > [!IMPORTANT]-> The FIPS-enabled Linux image is a different image than the default Linux image used for Linux-based node pools. To enable FIPS on a node pool, you must create a new Linux-based node pool. You can't enable FIPS on existing node pools. +> The FIPS-enabled Linux image is a different image than the default Linux image used for Linux-based node pools. > > FIPS-enabled node images may have different version numbers, such as kernel version, than images that aren't FIPS-enabled. The update cycle for FIPS-enabled node pools and node images may differ from node pools and images that aren't FIPS-enabled. The below table includes the supported OS versions: |Windows|Windows Server 2019| Supported| |Windows| Windows Server 2022| Supported| -When requesting FIPS enabled Ubuntu, if the default Ubuntu version does not support FIPS, AKS will default to the most recent FIPS-supported version of Ubuntu. For example, Ubuntu 22.04 is default for Linux node pools. Since 22.04 does not currently support FIPS, AKS will default to Ubuntu 20.04 for Linux FIPS-enabled nodepools. 
+When requesting FIPS enabled Ubuntu, if the default Ubuntu version does not support FIPS, AKS will default to the most recent FIPS-supported version of Ubuntu. For example, Ubuntu 22.04 is default for Linux node pools. Since 22.04 does not currently support FIPS, AKS defaults to Ubuntu 20.04 for Linux FIPS-enabled nodepools. > [!NOTE] > Previously, you could use the GetOSOptions API to determine whether a given OS supported FIPS. The GetOSOptions API is now deprecated and it will no longer be included in new AKS API versions starting with 2024-05-01. FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* lab FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which deployments can use to target those node pools. +## Update an existing node pool to enable or disable FIPS (preview) ++Existing node pools can be updated to enable or disable FIPS. If you are planning to migrate your node pools from non-FIPS to FIPS, first validate that your application is working properly in a test environment before migrating it to a production environment. Validating your application in a test environment should prevent issues caused by the FIPS kernel blocking some weak cipher or encryption algorithm, such as an MD4 algorithm that is not FIPS compliant. ++> [!NOTE] +> When updating an existing Linux node pool to enable or disable FIPS, the node pool update will move between the fips and non-fips image. This node pool update will trigger a reimage to complete the update. This may cause the node pool update to take a few minutes to complete. ++### Prerequisites ++* Azure CLI version 2.56.0 or later, together with the [aks-preview](https://github.com/cli/azure/azure-cli-extensions-list) extension installed and configured. To find the version, run `az --version`. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. 
+++### Install the `aks-preview` Azure CLI extension ++* Register or update the aks-preview extension using the [`az extension add`][az-extension-add] or [`az extension update`][az-extension-update] command. ++ ```azurecli-interactive + # Register the aks-preview extension + az extension add --name aks-preview ++ # Update the aks-preview extension + az extension update --name aks-preview + ``` ++### Register the `MutableFipsPreview` feature flag ++1. Register the `MutableFipsPreview` feature flag using the [`az feature register`][az-feature-register] command. ++ ```azurecli-interactive + az feature register --namespace "Microsoft.ContainerService" --name "MutableFipsPreview" + ``` ++ It takes a few minutes for the status to show *Registered*. ++2. Verify the registration status using the [`az feature show`][az-feature-show] command. ++ ```azurecli-interactive + az feature show --namespace "Microsoft.ContainerService" --name "MutableFipsPreview" + ``` ++3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command. ++ ```azurecli-interactive + az provider register --namespace Microsoft.ContainerService + ``` ++### Enable FIPS on an existing node pool +Existing node pools can be updated to enable FIPS. When you update an existing node pool, the node image will change from the current image to the recommended FIPS image of the same OS SKU. ++1. Update a node pool using the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--enable-fips-image` parameter. ++ ```azurecli-interactive + az aks nodepool update \ + --resource-group myResourceGroup \ + --cluster-name myAKSCluster \ + --name np \ + --enable-fips-image + ``` ++The above command triggers a reimage of the node pool immediately to deploy the FIPS compliant Operating System. This reimage occurs during the node pool update. No additional steps are required. ++2. 
Verify that your node pool is FIPS-enabled using the [`az aks show`][az-aks-show] command and query for the *enableFIPS* value in *agentPoolProfiles*. ++ ```azurecli-interactive + az aks show \ + --resource-group myResourceGroup \ + --name myAKSCluster \ + --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" \ + -o table + ``` ++ The following example output shows that the *np* node pool is FIPS-enabled: ++ ```output + Name enableFips + + np True + nodepool1 False + ``` ++3. List the nodes using the `kubectl get nodes` command. ++ ```azurecli-interactive + kubectl get nodes + ``` ++ The following example output shows a list of the nodes in the cluster. The nodes starting with `aks-np` are part of the FIPS-enabled node pool. ++ ```output + NAME STATUS ROLES AGE VERSION + aks-np-12345678-vmss000000 Ready agent 6m4s v1.19.9 + aks-np-12345678-vmss000001 Ready agent 5m21s v1.19.9 + aks-np-12345678-vmss000002 Ready agent 6m8s v1.19.9 + aks-nodepool1-12345678-vmss000000 Ready agent 34m v1.19.9 + ``` ++4. Run a deployment with an interactive session on one of the nodes in the FIPS-enabled node pool using the `kubectl debug` command. ++ ```azurecli-interactive + kubectl debug node/aks-np-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0 + ``` ++5. From the interactive session output, verify the FIPS cryptographic libraries are enabled. Your output should look similar to the following example output: ++ ```output + root@aks-np-12345678-vmss000000:/# cat /proc/sys/crypto/fips_enabled + 1 + ``` ++FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which deployments can use to target those node pools. ++## Disable FIPS on an existing node pool +Existing Linux node pools can be updated to disable FIPS. When updating an existing node pool, the node image will change from the current FIPS image to the recommended non-FIPS image of the same OS SKU. The node image change will occur after a reimage. ++1. 
Update a Linux node pool using the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--disable-fips-image` parameter. ++ ```azurecli-interactive + az aks nodepool update \ + --resource-group myResourceGroup \ + --cluster-name myAKSCluster \ + --name np \ + --disable-fips-image + ``` ++The above command triggers a reimage of the node pool immediately to deploy the FIPS compliant Operating System. This reimage occurs during the node pool update. No additional steps are required. ++2. Verify that your node pool is not FIPS-enabled using the [`az aks show`][az-aks-show] command and query for the *enableFIPS* value in *agentPoolProfiles*. ++ ```azurecli-interactive + az aks show \ + --resource-group myResourceGroup \ + --name myAKSCluster \ + --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" \ + -o table + ``` ++ The following example output shows that the *np* node pool is not FIPS-enabled: ++ ```output + Name enableFips + + np False + nodepool1 False + ``` + ## Next steps To learn more about AKS security, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security]. |
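Review bot: In the new "Disable FIPS on an existing node pool" section, the sentence after the `--disable-fips-image` command is copied from the enable section and still says the reimage deploys "the FIPS compliant Operating System". When disabling, it should say the node pool is reimaged to the non-FIPS image, matching the section's opening paragraph. Two further points in the same addition: the `az aks show` query in both verification steps, `agentPoolProfiles[].{Name:name enableFips:enableFips}`, has no comma between the two keys as shown, and a JMESPath multiselect hash needs one (`{Name:name, enableFips:enableFips}`). The disable section is also an H2 while its enable counterpart is an H3 under "Update an existing node pool to enable or disable FIPS (preview)", so the disable heading should be demoted to H3 to stay under the preview section and its prerequisites.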
azure-functions | Functions Add Openai Text Completion | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-add-openai-text-completion.md | Last updated 07/11/2024 ++ - ce-skilling-ai-copilot zone_pivot_groups: programming-languages-set-functions #customer intent: As an Azure developer, I want learn how to integrate Azure OpenAI capabilities in my function code to leverage AI benefits in my colud-based code executions. |
azure-functions | Functions Bindings Openai Assistant Trigger | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-assistant-trigger.md | Title: Azure OpenAI assistant trigger for Azure Functions description: Learn how to use the Azure OpenAI assistant trigger to execute code based on custom chat bots and skills in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/24/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Assistantcreate Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-assistantcreate-output.md | Title: Azure OpenAI assistant create output binding for Azure Functions description: Learn how to use the Azure OpenAI assistant create output binding to create Azure OpenAI assistants from your function code executions. - Previously updated : 05/20/2024+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/20/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Assistantpost Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-assistantpost-input.md | Title: Azure OpenAI assistant post input binding for Azure Functions description: Learn how to use the Azure OpenAI assistant post input binding to query chat bots during function execution in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/20/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Assistantquery Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-assistantquery-input.md | Title: Azure OpenAI assistant query input binding for Azure Functions description: Learn how to use the Azure OpenAI assistant query input binding to access Azure OpenAI Assistants APIs during function execution in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/20/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Embeddings Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-embeddings-input.md | Title: Azure OpenAI embeddings input binding for Azure Functions description: Learn how to use the Azure OpenAI embeddings input binding to generate embeddings during function execution in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/20/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Embeddingsstore Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-embeddingsstore-output.md | Title: Azure OpenAI embeddings store output binding for Azure Functions description: Learn how to use the Azure OpenAI embeddings store output binding to write searchable content to a semantic document store during function execution in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/20/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Semanticsearch Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-semanticsearch-input.md | Title: Azure OpenAI Semantic Search Input Binding for Azure Functions description: Learn how to use the Azure OpenAI semantic search input binding to use semantic search on your embeddings during function execution in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/08/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai Textcompletion Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai-textcompletion-input.md | Title: Azure OpenAI text completion input binding for Azure Functions description: Learn how to use the Azure OpenAI text completion input binding to access Azure OpenAI text completion APIs during function execution in Azure Functions. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 07/08/2024 zone_pivot_groups: programming-languages-set-functions |
azure-functions | Functions Bindings Openai | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-openai.md | Title: Azure OpenAI extension for Azure Functions description: Learn to configure the Azure OpenAI extension to be able to integrate your Azure Functions code executions with Azure OpenAI APIs. -+ + - build-2024 + - devx-track-extended-java + - devx-track-js + - devx-track-python + - devx-track-ts ++ - ce-skilling-ai-copilot Last updated 05/14/2024 zone_pivot_groups: programming-languages-set-functions |
azure-linux | Tutorial Azure Linux Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-linux/tutorial-azure-linux-migration.md | Last updated 01/19/2024 In this tutorial, part three of five, you migrate your existing nodes to Azure Linux. You can migrate your existing nodes to Azure Linux using one of the following methods: * Remove existing node pools and add new Azure Linux node pools.-* In-place OS SKU migration (preview). +* In-place OS SKU migration. If you don't have any existing nodes to migrate to Azure Linux, skip to the [next tutorial](./tutorial-azure-linux-telemetry-monitor.md). In later tutorials, you learn how to enable telemetry and monitoring in your clusters and upgrade Azure Linux nodes. If you don't have any existing nodes to migrate to Azure Linux, skip to the [nex az aks nodepool delete --resource-group <resource-group-name> --cluster-name <cluster-name> --name <node-pool-name> ``` -## In-place OS SKU migration (preview) +## In-place OS SKU migration You can now migrate your existing Ubuntu node pools to Azure Linux by changing the OS SKU of the node pool, which rolls the cluster through the standard node image upgrade process. This new feature doesn't require the creation of new node pools. You can now migrate your existing Ubuntu node pools to Azure Linux by changing t There are several settings that can block the OS SKU migration request. To ensure a successful migration, review the following guidelines and limitations: -* The OS SKU migration feature isn't available through Terraform, PowerShell, or the Azure portal. +* The OS SKU migration feature isn't available through PowerShell or the Azure portal. * The OS SKU migration feature isn't able to rename existing node pools. * Ubuntu and Azure Linux are the only supported Linux OS SKU migration targets.-* AgentPool `count` field must not change during the migration. * An Ubuntu OS SKU with `UseGPUDedicatedVHD` enabled can't perform an OS SKU migration. 
* An Ubuntu OS SKU with CVM 20.04 enabled can't perform an OS SKU migration. * Node pools with Kata enabled can't perform an OS SKU migration. There are several settings that can block the OS SKU migration request. To ensur ### Prerequisites -* [Install the `aks-preview` extension](#install-the-aks-preview-extension). -* [Register the `OSSKUMigrationPreview` feature flag on your subscription](#register-the-osskumigrationpreview-feature-flag). * An existing AKS cluster with at least one Ubuntu node pool. * We recommend that you ensure your workloads configure and run successfully on the Azure Linux container host before attempting to use the OS SKU migration feature by [deploying an Azure Linux cluster](./quickstart-azure-cli.md) in dev/prod and verifying your service remains healthy. * Ensure the migration feature is working for you in test/dev before using the process on a production cluster. * Ensure that your pods have enough [Pod Disruption Budget](../aks/operator-best-practices-scheduler.md#plan-for-availability-using-pod-disruption-budgets) to allow AKS to move pods between VMs during the upgrade.-* You need Azure CLI version 0.5.172 or higher. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). +* You need Azure CLI version [2.61.0](https://learn.microsoft.com/cli/azure/release-notes-azure-cli#may-21-2024) or higher. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). +* If you are using Terraform, you must have [v3.111.0](https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.111.0) or greater of the AzureRM Terraform module. ### [Azure CLI](#tab/azure-cli) -#### Install the `aks-preview` extension ---1. Install the `aks-preview` extension using the `az extension add` command. -- ```azurecli-interactive - az extension add --name aks-preview - ``` --2. 
Update the extension to make sure you have the latest version using the `az extension update` command. -- ```azurecli-interactive - az extension update --name aks-preview - ``` --#### Register the `OSSKUMigrationPreview` feature flag --1. Register the `OSSKUMigrationPreview` feature flag on your subscription using the `az feature register` command. -- ```azurecli-interactive - az feature register --namespace Microsoft.ContainerService --name OSSKUMigrationPreview - ``` --2. Check the registration status using the `az feature list` command. -- ```azurecli-interactive - az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/OSSKUMigrationPreview')].{Name:name,State:properties.state}" - ``` -- Your output should look similar to the following example output: -- ```output - Name State - - - - Microsoft.ContainerService/OSSKUMigrationPreview Registered - ``` --3. Refresh the registration of the `OSSKUMigrationPreview` feature flag using the `az provider register` command. -- ```azurecli-interactive - az provider register --namespace Microsoft.ContainerService - ``` - #### Migrate the OS SKU of your Ubuntu node pool * Migrate the OS SKU of your node pool to Azure Linux using the `az aks nodepool update` command. This command updates the OS SKU for your node pool from Ubuntu to Azure Linux. The OS SKU change triggers an immediate upgrade operation, which takes several minutes to complete. There are several settings that can block the OS SKU migration request. To ensur az deployment group create --resource-group testRG --template-file 0base.json ``` -3. Migrate the OS SKU of your system node pool to Azure Linux using the `az deployment group create` command and the ManagedClusters API in the [1mcupdate.json example ARM template](#1mcupdatejson). +3. Migrate the OS SKU of your system node pool to Azure Linux using the `az deployment group create` command. 
```azurecli-interactive az deployment group create --resource-group testRG --template-file 1mcupdate.json ``` -4. Migrate the OS SKU of your system node pool back to Ubuntu using the `az deployment group create` command and the AgentPools API in the [2apupdate.json example ARM template](#2apupdatejson). +4. Migrate the OS SKU of your system node pool back to Ubuntu using the `az deployment group create` command. ```azurecli-interactive az deployment group create --resource-group testRG --template-file 2apupdate.json ``` +### [Terraform](#tab/terraform) ++#### Example Terraform template ++1. Confirm that your `providers.tf` file is updated to pick up the required version of the Azure provider. ++##### providers.tf ++```terraform +terraform { + required_version = ">=1.0" ++ required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~>3.111.0" + } + random = { + source = "hashicorp/random" + version = "~>3.0" + } + } + } ++ provider "azurerm" { + features {} + } +``` ++2. For brevity, only the snippet of the Terraform template that is of interest is displayed below. In this initial configuration, an AKS cluster with a nodepool of **os_sku** with **Ubuntu** is deployed. ++##### base.tf ++```terraform +resource "azurerm_kubernetes_cluster" "k8s" { + location = azurerm_resource_group.rg.location + name = var.cluster_name + resource_group_name = azurerm_resource_group.rg.name + dns_prefix = var.dns_prefix + tags = { + Environment = "Development" + } ++ default_node_pool { + name = "azurelinuxpool" + vm_size = "Standard_D2_v2" + node_count = var.agent_count + os_sku = "Ubuntu" + } + linux_profile { + admin_username = "azurelinux" ++ ssh_key { + key_data = file(var.ssh_public_key) + } + } + network_profile { + network_plugin = "kubenet" + load_balancer_sku = "standard" + } + service_principal { + client_id = var.aks_service_principal_app_id + client_secret = var.aks_service_principal_client_secret + } +} +``` ++3. 
To run an in-place OS SKU migration, just replace the **os_sku** to **AzureLinux** and re-apply the Terraform plan. ++##### update.tf ++```terraform +resource "azurerm_kubernetes_cluster" "k8s" { + location = azurerm_resource_group.rg.location + name = var.cluster_name + resource_group_name = azurerm_resource_group.rg.name + dns_prefix = var.dns_prefix + tags = { + Environment = "Development" + } ++ default_node_pool { + name = "azurelinuxpool" + vm_size = "Standard_D2_v2" + node_count = var.agent_count + os_sku = "AzureLinux" + } + linux_profile { + admin_username = "azurelinux" ++ ssh_key { + key_data = file(var.ssh_public_key) + } + } + network_profile { + network_plugin = "kubenet" + load_balancer_sku = "standard" + } + service_principal { + client_id = var.aks_service_principal_app_id + client_secret = var.aks_service_principal_client_secret + } +} +``` + ### Verify the OS SKU migration Once the migration is complete on your test clusters, you should verify the foll ### Run the OS SKU migration on your production clusters -1. Update your existing templates to set `OSSKU=AzureLinux`. In ARM templates, you use `"OSSKU: "AzureLinux"` in the `agentPoolProfile` section. In Bicep, you use `osSku: "AzureLinux"` in the `agentPoolProfile` section. Make sure that your `apiVersion` is set to `2023-07-01` or later. -2. Redeploy your ARM template for the cluster to apply the new `OSSKU` setting. During this deploy, your cluster behaves as if it's taking a node image upgrade. Your cluster surges capacity, and then reboots your existing nodes one by one into the latest AKS image from your new OS SKU. +1. Update your existing templates to set `OSSKU=AzureLinux`. In ARM templates, you use `"OSSKU: "AzureLinux"` in the `agentPoolProfile` section. In Bicep, you use `osSku: "AzureLinux"` in the `agentPoolProfile` section. Lastly, for Terraform, you use `"os_sku = "AzureLinux"` in the `default_node_pool` section. Make sure that your `apiVersion` is set to `2023-07-01` or later. 
+2. Redeploy your ARM, Bicep, or Terraform template for the cluster to apply the new `OSSKU` setting. During this deploy, your cluster behaves as if it's taking a node image upgrade. Your cluster surges capacity, and then reboots your existing nodes one by one into the latest AKS image from your new OS SKU. ### Rollback If you experience issues during the OS SKU migration, you can roll back to your In this tutorial, you migrated existing nodes to Azure Linux using one of the following methods: * Remove existing node pools and add new Azure Linux node pools.-* In-place OS SKU migration (preview). +* In-place OS SKU migration. In the next tutorial, you learn how to enable telemetry to monitor your clusters. |
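Review bot: The added prerequisite asks for "v3.111.0 or greater" of the AzureRM provider, but the `providers.tf` example pins `version = "~>3.111.0"`, which only admits 3.111.x patch releases. Use a constraint that matches the prose (for example `>= 3.111.0`), or state in the prerequisite that the example is pinned to 3.111.x. The prerequisite also calls AzureRM a "Terraform module" where it is a provider. In the Terraform tab, the numbered steps are interrupted by the `##### providers.tf`, `##### base.tf` and `##### update.tf` headings, which restarts list numbering when rendered. Nest the headings and code under each step or drop the numbering.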
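Review bot: In step 1 of "Run the OS SKU migration on your production clusters", the added Terraform sentence has a stray opening quote inside the code span (`"os_sku = "AzureLinux"`). It should read `os_sku = "AzureLinux"`. The following sentence about setting `apiVersion` to `2023-07-01` or later now reads as if it applies to Terraform too, which has no `apiVersion` field in `default_node_pool`, so scope that sentence to ARM and Bicep. Separately, steps 3 and 4 of the ARM walkthrough lose their references to the 1mcupdate.json and 2apupdate.json example templates and to which API each one exercises. If those example sections still exist in the article, keep the links so readers can find the templates the commands deploy.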
azure-monitor | Azure Monitor Agent Custom Text Log Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-custom-text-log-migration.md | -# Migrate from MMA custom text log to AMA DCR based custom text logs -This article describes the steps to migrate a [MMA Custom text log](data-sources-custom-logs.md) table so you can use it as a destination for a new [AMA custom text logs](data-collection-log-text.md) DCR. When you follow the steps, you won't lose any data. If you're creating a new AMA custom text log table, then this article doesn't pertain to you. +# Migrate from MMA custom text table to AMA DCR based custom text table +This article describes the steps to migrate a [MMA Custom text log](data-sources-custom-logs.md) table so you can use it as a destination for a new [AMA custom text logs](data-collection-log-text.md) DCR. If you're creating a new AMA custom text table, then this article doesn't pertain to you. -> Note: Once logs are migrated, MMA will not be able to write to the destination table. This is an issue for the migration of production system that we are actively working. -> -## Background -MMA custom text logs must be configured to support new features in order for AMA custom text log DCRs to write to it. The following actions are taken: -- The table is reconfigured to enable all DCR-based custom logs features.-- All MMA custom fields stop updating in the table. AMA can write data to any column in the table. -- The MMA Custom text log can write to noncustom fields, but it will not be able to create new columns. The portal table management UI can be used to change the schema after migration.+> [!Warning] +> Your MMA agents won't be able to write to existing custom tables after migration. If your AMA agent writes to an existing custom table, it is implicitly migrated. 
+ -## Migration procedure +## Background +You must configure MMA custom text logs to support new DCR features that allow AMA agents to write to it. Take the following actions: +- Your table is reconfigured to enable all DCR-based custom logs features. +- Your AMA agents can write data to any column in the table. +- Your MMA Custom text log will lose the ability to write to the custom log. +To continue to write you custom data from both MMA and AMA each must have its own custom table. Your data queries in LA that process your data must join the two tables until the migration is complete at which point you can remove the join. + +## Migration You should follow the steps only if the following criteria are true: - You created the original table using the Custom Log Wizard. - You're going to preserve the existing data in the table.-- You're going to write new data using and [AMA custom text log DCR](data-collection-log-text.md) and possibly configure an [ingestion time transformation](azure-monitor-agent-transformation.md).+- You do not need MMA agents to send data to the existing table +- You're going to exclusively write new data using and [AMA custom text log DCR](data-collection-log-text.md) and possibly configure an [ingestion time transformation](azure-monitor-agent-transformation.md). +## Procedure 1. Configure your data collection rule (DCR) following procedures at [collect text logs with Azure Monitor Agent](data-collection-log-text.md) 2. Issue the following API call against your existing custom logs table to enable ingestion from Data Collection Rule and manage your table from the portal UI. This call is idempotent and future calls have no effect. Migration is one-way, you can't migrate the table back to MMA. |
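Review bot: The rewritten "Background" section opens its list with "Take the following actions:", but the three bullets describe outcomes of the migration (the table is reconfigured, AMA can write to any column, MMA loses write access), not steps the reader performs. Reword the lead-in to say what happens to the table. The added text also has several typos to fix before merge: "To continue to write you custom data" (your), "write new data using and [AMA custom text log DCR]" (using an), a missing period after "You do not need MMA agents to send data to the existing table", and the alert marker `[!Warning]`, which the rest of the docs set writes in capitals as `[!WARNING]`. The warning says a table is "implicitly migrated" when an AMA agent writes to it. Since the procedure states migration is one-way, that consequence should be stated in the warning itself.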
azure-monitor | Azure Monitor Agent Extension Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-extension-versions.md | We strongly recommended to always update to the latest version, or opt in to the ## Version details | Release Date | Release notes | Windows | Linux | |:|:|:|:|-| June 2024 |**Windows**<ul><li>Fix encoding issues with Resource ID field.</li><li>AMA: Support new ingestion endpoint for GovSG environment.</li><li>MA: Fixes a CPU uptick issue for certain Bond serialization scenarios.</li><li>Upgrade AzureSecurityPack version to 4.33.0.1.</li><li>Upgrade Metrics Extension version to 2.2024.517.533.</li><li>Upgrade Health Extension version to 2024.528.1.</li></ul>**Linux**<ul><li>Coming Soon</li></ul>| 1.28.0 | | +| June 2024 |**Windows**<ul><li>Fix encoding issues with Resource ID field.</li><li>AMA: Support new ingestion endpoint for GovSG environment.</li><li>MA: Fixes a CPU uptick issue for certain Bond serialization scenarios.</li><li>Upgrade AzureSecurityPack version to 4.33.0.1.</li><li>Upgrade Metrics Extension version to 2.2024.517.533.</li><li>Upgrade Health Extension version to 2024.528.1.</li></ul>**Linux**<ul><li>Coming Soon</li></ul>| 1.28.2 | | | May 2024 |**Windows**<ul><li>Upgraded Fluent-bit version to 3.0.5. This Fix resolves as security issue in fluent-bit (NVD - CVE-2024-4323 (nist.gov)</li><li>Disabled Fluent-bit logging that caused disk exhaustion issues for some customers. Example error is Fluentbit log with "[C:\projects\fluent-bit-2e87g\src\flb_scheduler.c:72 errno=0] No error" fills up the entire disk of the server.</li><li>Fixed AMA extension getting stuck in deletion state on some VMs that are using Arc. This fix improves reliability.</li><li>Fixed AMA not using system proxy, this issue is a bug introduced in 1.26.0. The issue was caused by a new feature that uses the Arc agent’s proxy settings. 
When the system proxy as set as None the proxy was broken in 1.26.</li><li>Fixed Windows Firewall Logs log file rollover issues</li></ul>| 1.27.0 | | | April 2024 |**Windows**<ul><li>In preparation for the May 17 public preview of Firewall Logs, the agent completed the addition of a profile filter for Domain, Public, and Private Logs. </li><li>AMA running on an Arc enabled server will default to using the Arc proxy settings if available.</li><li>The AMA VM extension proxy settings override the Arc defaults.</li><li>Bug fix in MSI installer: Symptom - If there are spaces in the fluent-bit config path, AMA wasn't recognizing the path properly. AMA now adds quotes to configuration path in fluent-bit.</li><li>Bug fix for Container Insights: Symptom - custom resource ID weren't being honored.</li><li>Security issue fix: skip the deletion of files and directory whose path contains a redirection (via Junction point, Hard links, Mount point, OB Symlinks etc.).</li><li>Updating MetricExtension package to 2.2024.328.1744.</li></ul>**Linux**<ul><li>AMA 1.30 now available in Arc.</li><li>New distribution support Debian 12, RHEL CIS L2.</li><li>Fix for mdsd version 1.30.3 in persistence mode, which converted positive integers to float/double values ("3.0", "4.0") to type ulong which broke Azure stream analytics.</li></ul>| 1.26.0 | 1.31.1 | | March 2024 | **Known Issues - ** a change in 1.25.0 to the encoding of resource IDs in the request headers to the ingestion end point has disrupted SQL ATP. This is causing failures in alert notifications to the Microsoft Detection Center (MDC) and potentially affecting billing events. Symptom is not seeing expected alerts related to SQL security threats. 1.25.0 didn't release to all data centers and it wasn't identified for auto update in any data center. 
Customers that did upgrade to 1.25.0 should roll back to 1.24.0<br><br>**Windows**<ul><li>**Breaking Change from Public Preview to GA** Due to customer feedback, automatic parsing of JSON into column in your custom table in Log Analytic was added. You must take action to migrate your JSON DCR created before this release to prevent data loss. This fix is the last before the release of the JSON Log type in Public Preview.</li><li>Fix AMA when resource ID contains non-ascii chars, which is common when using some languages other than English. Errors would follow this pattern: … [HealthServiceCommon] [] [Error] … WinHttpAddRequestHeaders(x-ms-AzureResourceId: /subscriptions/{your subscription #} /resourceGroups/???????/providers/ … PostDataItems" failed with code 87(ERROR_INVALID_PARAMETER) </li></ul>**Linux**<ul><li>The AMA agent now supports Debian 12 and RHEL9 CIS L2 distribution.</li></ul>| 1.25.0 | 1.31.0 | |
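Review bot: The June 2024 row changes the Windows version from 1.28.0 to 1.28.2, but the release-notes cell is identical in the removed and added lines, so a reader cannot tell what differs between the two builds or whether 1.28.0 should still be deployed. Add a line stating what 1.28.2 changes or that it supersedes 1.28.0, in the same way the March 2024 row tells customers on 1.25.0 to roll back to 1.24.0.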
azure-monitor | Data Collection Log Json | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-log-json.md | Adhere to the following recommendations to ensure that you don't experience data ## Custom table-Before you can collect log data from a JSON file, you must create a custom table in your Log Analytics workspace to receive the data. The table schema must match the columns in the incoming stream, or you must add a transformation to ensure that the output schema matches the table. For example, you can use the following PowerShell script to create a custom table with multiple columns. +Before you can collect log data from a JSON file, you must create a custom table in your Log Analytics workspace to receive the data. The table schema must match the columns in the incoming stream, or you must add a transformation to ensure that the output schema matches the table. ++> +> Warning: You shouldnΓÇÖt use an existing custom table used by MMA agents. Your MMA agents won't be able to write to the table once the first AMA agent writes to the table. You should create a new table for AMA to use to prevent MMA data loss. +> ++For example, you can use the following PowerShell script to create a custom table with multiple columns. ```powershell $tableParams = @' |
azure-monitor | Data Collection Log Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/data-collection-log-text.md | The incoming stream of data includes the columns in the following table. ## Custom table Before you can collect log data from a text file, you must create a custom table in your Log Analytics workspace to receive the data. The table schema must match the data you are collecting, or you must add a transformation to ensure that the output schema matches the table. +> +> Warning: You shouldnΓÇÖt use an existing custom log table used by MMA agents. Your MMA agents won't be able to write to the table once the first AMA agent writes to the table. You should create a new table for AMA to use to prevent MMA data loss. +> ++ For example, you can use the following PowerShell script to create a custom table with `RawData` and `FilePath`. You wouldn't need a transformation for this table because the schema matches the default schema of the incoming stream. |
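Review bot: The warning added here, and the matching one added to data-collection-log-json.md, is written as a bare blockquote beginning "Warning:" instead of the `> [!WARNING]` alert form used by other articles in this change set, so it will not render as a callout. The two copies also differ ("existing custom table" in the JSON article, "existing custom log table" here); pick one term. Since the text states that MMA agents stop writing once the first AMA agent writes to the table, consider linking to the migration article so readers who have already hit this know the change is one-way.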
azure-monitor | Data Collection Rule Create Edit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-collection-rule-create-edit.md | The following table lists methods to create data collection scenarios using the ## Create a DCR -The Azure portal provides a data collection rule wizard for collecting data from virtual machines and for collecting Prometheus metrics from containers. +Azure provides a centralized cloud based data collection configuration plan for virtual machines, virtual machine scale sets, On-Prem machines and Prometheus metrics from containers. ++This article describes how to create a DCR from scratch. There are other insights solution that provide DCR creation experiences like Sentinel, VM insights, and Application Insights that create DCRs as part of there own workflows. Some time the DCRs created in these by different solution can seem to conflict. There are three tables to which Windows events can be sent to. Sentinel security audit events with go to SecurityEvents, WEF connector events go to the WindowsEvent table. If you use the scratch Windows event collection the results go to the Event table. To create a data collection rule using the Azure CLI, PowerShell, API, or ARM templates, create a JSON file, starting with one of the [sample DCRs](./data-collection-rule-samples.md). Use information in [Structure of a data collection rule in Azure Monitor](./data-collection-rule-structure.md) to modify the JSON file for your particular environment and requirements. |
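Review bot: The added second paragraph says DCRs created by different solutions "can seem to conflict" and then lists three destination tables, but never says how a reader should decide which table to query or how to avoid collecting the same Windows events twice; add that guidance or drop the claim. The paragraph also needs a copy edit: "there own workflows" (their), "Some time the DCRs created in these by different solution", "can be sent to", and "Sentinel security audit events with go to SecurityEvents" (stray "with"; confirm the table name against the tables reference, since the other two are given in singular form as WindowsEvent and Event).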
azure-monitor | Cross Workspace Queries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/cross-workspace-queries.md | Title: Cross workspace queries description: The API supports the ability to query across multiple workspaces. Previously updated : 08/06/2022 Last updated : 07/21/2024 Example: Authorization: Bearer <user token> {- "query": "union (AzureActivity | where timestamp > ago(1d), (workspaces('AIFabrikamDemo').AzureActivity | where timestamp> ago(1d))" + "query": "union (AzureActivity | where timestamp > ago(1d)), (workspaces('00000000-0000-0000-0000-000000000000').AzureActivity | where timestamp> ago(1d))" } ``` |
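Review bot: The added query line replaces the workspace name 'AIFabrikamDemo' with the all-zero GUID `workspaces('00000000-0000-0000-0000-000000000000')` without any text saying it is a placeholder for the reader's own workspace ID, and the article no longer shows that a workspace name is accepted at all. Add one sentence naming the identifier forms that `workspaces()` takes. Minor: normalize the spacing in `timestamp> ago(1d)` to match the first subquery.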
azure-monitor | Basic Logs Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/basic-logs-configure.md | All custom tables created with or migrated to the [data collection rule (DCR)-ba | Azure Load Balancing | [ALBHealthEvent](/azure/azure-monitor/reference/tables/ALBHealthEvent) | | Azure Databricks | [DatabricksBrickStoreHttpGateway](/azure/azure-monitor/reference/tables/databricksbrickstorehttpgateway)<br>[DatabricksDataMonitoring](/azure/azure-monitor/reference/tables/databricksdatamonitoring)<br>[DatabricksFilesystem](/azure/azure-monitor/reference/tables/databricksfilesystem)<br>[DatabricksDashboards](/azure/azure-monitor/reference/tables/databricksdashboards)<br>[DatabricksCloudStorageMetadata](/azure/azure-monitor/reference/tables/databrickscloudstoragemetadata)<br>[DatabricksPredictiveOptimization](/azure/azure-monitor/reference/tables/databrickspredictiveoptimization)<br>[DatabricksIngestion](/azure/azure-monitor/reference/tables/databricksingestion)<br>[DatabricksMarketplaceConsumer](/azure/azure-monitor/reference/tables/databricksmarketplaceconsumer)<br>[DatabricksLineageTracking](/azure/azure-monitor/reference/tables/databrickslineagetracking) | API Management | [ApiManagementGatewayLogs](/azure/azure-monitor/reference/tables/ApiManagementGatewayLogs)<br>[ApiManagementWebSocketConnectionLogs](/azure/azure-monitor/reference/tables/ApiManagementWebSocketConnectionLogs) |+| API Management Service| [APIMDevPortalAuditDiagnosticLog](/azure/azure-monitor/reference/tables/APIMDevPortalAuditDiagnosticLog) | Application Gateways | [AGWAccessLogs](/azure/azure-monitor/reference/tables/AGWAccessLogs)<br>[AGWPerformanceLogs](/azure/azure-monitor/reference/tables/AGWPerformanceLogs)<br>[AGWFirewallLogs](/azure/azure-monitor/reference/tables/AGWFirewallLogs) | | Application Gateway for Containers | [AGCAccessLogs](/azure/azure-monitor/reference/tables/AGCAccessLogs) | | Application Insights | 
[AppTraces](/azure/azure-monitor/reference/tables/apptraces) | All custom tables created with or migrated to the [data collection rule (DCR)-ba | Container Apps Environments | [AppEnvSpringAppConsoleLogs](/azure/azure-monitor/reference/tables/AppEnvSpringAppConsoleLogs) | | Communication Services | [ACSAdvancedMessagingOperations](/azure/azure-monitor/reference/tables/acsadvancedmessagingoperations)<br>[ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallAutomationMediaSummary](/azure/azure-monitor/reference/tables/ACSCallAutomationMediaSummary)<br>[ACSCallClientMediaStatsTimeSeries](/azure/azure-monitor/reference/tables/ACSCallClientMediaStatsTimeSeries)<br>[ACSCallClientOperations](/azure/azure-monitor/reference/tables/ACSCallClientOperations)<br>[ACSCallRecordingIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallRecordingIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/ACSCallRecordingSummary)<br>[ACSCallSummary](/azure/azure-monitor/reference/tables/ACSCallSummary)<br>[ACSJobRouterIncomingOperations](/azure/azure-monitor/reference/tables/ACSJobRouterIncomingOperations)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations)<br>[ACSCallClosedCaptionsSummary](/azure/azure-monitor/reference/tables/acscallclosedcaptionssummary) | | Confidential Ledgers | [CCFApplicationLogs](/azure/azure-monitor/reference/tables/CCFApplicationLogs) |- Cosmos DB | 
[CDBDataPlaneRequests](/azure/azure-monitor/reference/tables/cdbdataplanerequests)<br>[CDBPartitionKeyStatistics](/azure/azure-monitor/reference/tables/cdbpartitionkeystatistics)<br>[CDBPartitionKeyRUConsumption](/azure/azure-monitor/reference/tables/cdbpartitionkeyruconsumption)<br>[CDBQueryRuntimeStatistics](/azure/azure-monitor/reference/tables/cdbqueryruntimestatistics)<br>[CDBMongoRequests](/azure/azure-monitor/reference/tables/cdbmongorequests)<br>[CDBCassandraRequests](/azure/azure-monitor/reference/tables/cdbcassandrarequests)<br>[CDBGremlinRequests](/azure/azure-monitor/reference/tables/cdbgremlinrequests)<br>[CDBControlPlaneRequests](/azure/azure-monitor/reference/tables/cdbcontrolplanerequests) | + Cosmos DB | [CDBDataPlaneRequests](/azure/azure-monitor/reference/tables/cdbdataplanerequests)<br>[CDBPartitionKeyStatistics](/azure/azure-monitor/reference/tables/cdbpartitionkeystatistics)<br>[CDBPartitionKeyRUConsumption](/azure/azure-monitor/reference/tables/cdbpartitionkeyruconsumption)<br>[CDBQueryRuntimeStatistics](/azure/azure-monitor/reference/tables/cdbqueryruntimestatistics)<br>[CDBMongoRequests](/azure/azure-monitor/reference/tables/cdbmongorequests)<br>[CDBCassandraRequests](/azure/azure-monitor/reference/tables/cdbcassandrarequests)<br>[CDBGremlinRequests](/azure/azure-monitor/reference/tables/cdbgremlinrequests)<br>[CDBControlPlaneRequests](/azure/azure-monitor/reference/tables/cdbcontrolplanerequests)<br>[CDBTableApiRequests](/azure/azure-monitor/reference/tables/CDBTableApiRequests) | | Cosmos DB for MongoDB (vCore) | [VCoreMongoRequests](/azure/azure-monitor/reference/tables/VCoreMongoRequests) | | Kubernetes clusters - Azure Arc | [ArcK8sAudit](/azure/azure-monitor/reference/tables/ArcK8sAudit)<br>[ArcK8sAuditAdmin](/azure/azure-monitor/reference/tables/ArcK8sAuditAdmin)<br>[ArcK8sControlPlane](/azure/azure-monitor/reference/tables/ArcK8sControlPlane) | | Data Manager for Energy | 
[OEPDataplaneLogs](/azure/azure-monitor/reference/tables/OEPDataplaneLogs) | |
container-registry | Container Registry Artifact Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-artifact-cache.md | Artifact cache addresses the challenge of pull limits imposed by public registri Artifact cache currently supports the following upstream registries: >[!WARNING]-> We recommend customers to [create a credential set](container-registry-artifact-cache.md#create-new-credentials) when sourcing content from Docker hub. +> Customers must generate [credential set](container-registry-artifact-cache.md#create-new-credentials) to source content from Docker hub. | Upstream Registries | Support | Availability | |-|-|--|-| Docker Hub | Supports both authenticated and unauthenticated pulls. | Azure CLI | -| Docker Hub | Supports authenticated pulls only. | Azure portal | +| Docker Hub | Supports authenticated pulls only. | Azure CLI, Azure portal | | Microsoft Artifact Registry | Supports unauthenticated pulls only. | Azure CLI, Azure portal | | AWS Elastic Container Registry (ECR) Public Gallery | Supports unauthenticated pulls only. | Azure CLI, Azure portal | | GitHub Container Registry | Supports both authenticated and unauthenticated pulls. | Azure CLI, Azure portal | |
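Review bot: The warning changes from a recommendation to a requirement ("Customers must generate [credential set]") and the table drops unauthenticated Docker Hub pulls for Azure CLI, yet nothing in the hunk says when this takes effect or what happens to existing cache rules that were created against Docker Hub without a credential set. State the behavior for existing rules and the failure a user will see, so operators can audit their registries before pulls start failing. Wording: "must generate a credential set", and "Docker hub" in the warning should match "Docker Hub" in the table. The identical hunk is applied to troubleshoot-artifact-cache.md; a shared include would keep the two from drifting.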
container-registry | Troubleshoot Artifact Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/troubleshoot-artifact-cache.md | To resolve this issue, you need to follow these steps: Artifact cache currently supports the following upstream registries: >[!WARNING]-> We recommend customers to [create a credential set](container-registry-artifact-cache.md#create-new-credentials) when sourcing content from Docker hub. +> Customers must generate [credential set](container-registry-artifact-cache.md#create-new-credentials) to source content from Docker hub. | Upstream Registries | Support | Availability | |-|-|--|-| Docker Hub | Supports both authenticated and unauthenticated pulls. | Azure CLI | -| Docker Hub | Supports authenticated pulls only. | Azure portal | +| Docker Hub | Supports authenticated pulls only. | Azure CLI, Azure portal | | Microsoft Artifact Registry | Supports unauthenticated pulls only. | Azure CLI, Azure portal | | AWS Elastic Container Registry (ECR) Public Gallery | Supports unauthenticated pulls only. | Azure CLI, Azure portal | | GitHub Container Registry | Supports both authenticated and unauthenticated pulls. | Azure CLI, Azure portal | |
defender-for-cloud | Data Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/data-security.md | Title: Microsoft Defender for Cloud data security -description: Learn how data is managed and safeguarded in Microsoft Defender for Cloud. +description: Learn how data is managed and safeguarded in Microsoft Defender for Cloud to ensure the security of your data. Previously updated : 11/02/2023 Last updated : 07/18/2024+#customer intent: As a reader, I want to understand how data is managed and safeguarded in Microsoft Defender for Cloud so that I can ensure the security of my data. + # Microsoft Defender for Cloud data security To help customers prevent, detect, and respond to threats, Microsoft Defender for Cloud collects and processes security-related data, including configuration information, metadata, event logs, and more. Microsoft adheres to strict compliance and security guidelinesΓÇöfrom coding to operating a service. Customers can access Defender for Cloud related data from the following data str > [!NOTE] > If there are no Defender plans enabled on the subscription, data will be removed from Azure Resource Graph after 30 days of inactivity in the Microsoft Defender for Cloud portal. After interaction with artifacts in the portal related to the subscription, the data should be visible again within 24 hours. +## Data retention ++When the cloud security graph collects data from Azure and multicloud environments and other data source, it retains the data for a 14 day period. After 14 days, the data is deleted. ++Calculated data, such as attack paths, might be kept for an additional 14 days. Calculated data consist of data that is derived from the raw data collected from the environment. For example, the attack path is derived from the raw data collected from the environment. 
++This information is collected in accordance with the privacy commitments described in our [Privacy Statement](https://privacy.microsoft.com/privacystatement). + ## Defender for Cloud and Microsoft Defender 365 Defender integration When you enable any of Defender for Cloud's paid plans you automatically gain all of the benefits of Microsoft Defender XDR. Information from Defender for Cloud will be shared with Microsoft Defender XDR. This data might contain customer data and will be stored according to [Microsoft 365 data handling guidelines](/microsoft-365/security/defender/data-privacy). -## Next steps --In this document, you learned how data is managed and safeguarded in Microsoft Defender for Cloud. +## Related content -To learn more about Microsoft Defender for Cloud, see [What is Microsoft Defender for Cloud?](defender-for-cloud-introduction.md). +- [What is Microsoft Defender for Cloud?](defender-for-cloud-introduction.md). |
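Review bot: The new "Data retention" section leaves the actual retention period ambiguous: raw data is "deleted" after 14 days, but calculated data "might be kept for an additional 14 days", which can be read as 14 days after calculation or 28 days after collection, and "might" gives no condition. Retention statements are used for compliance decisions, so give the maximum age for each data class and say what triggers deletion. The example sentence for calculated data repeats the definition before it ("derived from the raw data collected from the environment") and can be cut. Wording: "other data source" should be plural and "14 day period" should be hyphenated.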
defender-for-cloud | Prepare Deprecation Log Analytics Mma Agent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent.md | The following table summarizes how Defender for Servers features will be provide | OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations that are available through the Foundational CSPM and Defender for Servers plans using the Log Analytics agent, Guest Configuration extension (Preview). | Guest Configuration extension, as part of Defender for Servers Plan 2.| - Functionality based on Guest Configuration extension will be released to GA in September 2024<br/>- Functionality with the Log Analytics agent will be deprecated in November 2024.<br/>- Support of this feature for Docker-hub and Azure Virtual Machine Scale Sets will be deprecated in Aug 2024.| | File integrity monitoring | Log Analytics agent, AMA (Preview) | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent will be available in August 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in November 2024.<br/>- Functionality with AMA will deprecate when the Defender for Endpoint integration is released.| -The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables remains supported via the AMA agent for machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it. For the data allowance to be granted, Defender for Servers Plan 2 needs to be enabled on the Log Analytics workspace AMA is connected to and on the machine's subscription. -Learn more about how to [deploy AMA](../azure-monitor/vm/monitor-virtual-machine-agent.md#agent-deployment-options). 
+### The 500-MB benefit for data ingestion ++To preserve the 500 MB of free data ingestion allowance for the [supported data types](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-), you need to migrate from MMA to AMA. ++> [!NOTE] +> +> - The benefit is granted to every AMA machine that is part of a subscription with Defender for Servers plan 2 enabled. +> +> - The benefit is granted to the workspace the machine is reporting to. +> +> - The security solution should be installed on the related Workspace. Learn more about how to perform it [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-to-configure-security-events-collection-with-azure-monitor/ba-p/3770719). +> +> - If the machine is reporting to more than one workspace, the benefit will be granted to only one of them. ++Learn more about how to [deploy AMA](/azure/azure-monitor/vm/monitor-virtual-machine-agent). For SQL servers on machines, we recommend to [migrate to SQL server-targeted Azure Monitoring Agent's (AMA) autoprovisioning process](defender-for-sql-autoprovisioning.md). ### Endpoint protection recommendations experience - changes and migration guidance -Endpoint discovery and recommendations are currently provided by the Defender for Cloud Foundational CSPM and the Defender for Servers plans using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning.ΓÇ» +Endpoint discovery and recommendations are currently provided by the Defender for Cloud Foundational CSPM and the Defender for Servers plans using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning. Endpoint protection recommendations are constructed in two stages. 
The first stage is [discovery](#endpoint-detection-and-response-solutiondiscovery) of an endpoint detection and response solution. The second isΓÇ»[assessment](#endpoint-detection-and-response-solutionconfiguration-assessment) of the solutionΓÇÖs configuration. The following tables provide details of the current and new experiences for each stage. |
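Review bot: The removed paragraph stated that every machine is eligible for the 500-MB benefit only once even if both the Log Analytics agent and Azure Monitor agent are installed, and that Defender for Servers Plan 2 must be enabled on both the workspace and the machine's subscription; the new note keeps neither statement explicitly. If those conditions still hold, restore them as bullets; if they changed, say so. In the added note, "The security solution should be installed on the related Workspace" does not identify which solution or which workspace, and the link text "here" should be replaced with a descriptive title.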
defender-for-cloud | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md | This article summarizes what's new in Microsoft Defender for Cloud. It includes ## July 2024 -|Date | Category | Update| -|--|--|--| -|July 15|Preview|[Binary Drift Public Preview in Defender for Containers](#binary-drift-public-preview-now-available-in-defender-for-containers)| -|July 14|GA|[Automated remediation scripts for AWS and GCP are now GA](#automated-remediation-scripts-for-aws-and-gcp-are-now-ga)| +| Date | Category | Update | +| - | | | +| July 18 | Upcoming update | [Deprecation of MMA-related features as part of agent retirement](#deprecation-of-mma-related-features-as-part-of-agent-retirement) | +| July 15 | Preview | [Binary Drift Public Preview in Defender for Containers](#binary-drift-public-preview-now-available-in-defender-for-containers) | +| July 14 | GA | [Automated remediation scripts for AWS and GCP are now GA](#automated-remediation-scripts-for-aws-and-gcp-are-now-ga) | | July 11 | Upcoming update | [GitHub application permissions update](#github-application-permissions-update) |-| July 10 | GA | [Compliance standards are now GA](#compliance-standards-are-now-ga) | -| July 9 | Upcoming update | [Inventory experience improvement](#inventory-experience-improvement) | -|July 8 | Upcoming update | [Container mapping tool to run by default in GitHub](#container-mapping-tool-to-run-by-default-in-github) | +| July 10 | GA | [Compliance standards are now GA](#compliance-standards-are-now-ga) | +| July 9 | Upcoming update | [Inventory experience improvement](#inventory-experience-improvement) | +| July 8 | Upcoming update | [Container mapping tool to run by default in GitHub](#container-mapping-tool-to-run-by-default-in-github) | ++### Deprecation of MMA-related features as part of agent retirement ++July 18, 2024 ++**Estimated date for change**: August 2024 ++As part of the [deprecation of the Microsoft 
Monitoring Agent (MMA) and the updated Defender for Servers deployment strategy](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341), all security features for Defender for Servers will now be provided through a single agent (Defender for Endpoint), or via agentless scanning capabilities. This won't require dependence on either the MMA or Azure Monitoring Agent (AMA). ++As we approach the agent's retirement in August 2024, the following MMA-related features will be removed from the Defender for Cloud portal: ++- Display of MMA installation status on the **Inventory** and **Resource Health** blades. +- [The capability](quickstart-onboard-machines.md#connect-on-premises-machines-by-using-the-azure-portal) to onboard new non-Azure servers to Defender for Servers via Log Analytics workspaces will be removed from both the **Inventory** and **Getting Started** blades. ++> [!NOTE] +> We recommend that current customers, who have onboarded on-premises servers using the [legacy approach](quickstart-onboard-machines.md#connect-on-premises-machines-by-using-the-azure-portal), should now connect these machines via Azure Arc-enabled servers. We also recommend enabling the Defender for Servers Plan 2 on the Azure subscriptions to which these servers are connected. +> +>For those customers who have selectively enabled Defender for Servers Plan 2 on specific Azure VMs through the [legacy approach](quickstart-onboard-machines.md#connect-on-premises-machines-by-using-the-azure-portal), we recommend enabling the Defender for Servers Plan 2 on the Azure subscriptions of these machines. You can then exclude individual machines from the Defender for Servers coverage using the Defender for Servers [per-resource configuration](tutorial-enable-servers-plan.md#enable-defender-for-servers-at-the-resource-level). 
+> +> These steps will ensure there is no loss of security coverage due to the retirement of the Log Analytics agent. ++To maintain security continuity, we advise customers with Defender for Servers Plan 2 to enable [agentless machine scanning](enable-agentless-scanning-vms.md) and [integration with Microsoft Defender for Endpoint](enable-defender-for-endpoint.md) on their subscriptions. ++You can use [this custom workbook](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Defender%20for%20Servers%20Deployment%20Status) to keep track of your Log Analytics Agent (MMA) estate and monitor the deployment status of Defender for Servers across Azure VMs and Azure Arc machines. ++For more information, see [Prepare for retirement of the Log Analytics agent](prepare-deprecation-log-analytics-mma-agent.md). ### Binary Drift public preview now available in Defender for Containers We are introducing the public preview of Binary Drift for Defender for Container For more information about this feature, see [Binary Drift Detection](binary-drift-detection.md) ### Automated remediation scripts for AWS and GCP are now GA+ July 14, 2024 -In March, we released automated remediation scripts for AWS & GCP to Public Preview, that allows you to remediate recommendations for AWS & GCP at scale programmatically. +In March, we released automated remediation scripts for AWS & GCP to Public Preview, that allows you to remediate recommendations for AWS & GCP at scale programmatically. Today we are releasing this feature to generally available (GA). [Learn how to use automated remediation scripts](/azure/defender-for-cloud/implement-security-recommendations)> As part of this update, the GitHub application will require GitHub Copilot Busin Permissions can be granted in two different ways: -1. In your GitHub organization, navigate to the Microsoft Security DevOps application within **Settings > GitHub Apps** and accept the permissions request. +1. 
In your GitHub organization, navigate to the Microsoft Security DevOps application within **Settings > GitHub Apps** and accept the permissions request. 1. In an automated email from GitHub Support, select **Review permission request** to accept or reject this change. With DevOps security capabilities in Microsoft Defender Cloud Security Posture M ## June 2024 -|Date | Category | Update | -|--|--|--| -| June 27 | GA | [Checkov IaC Scanning in Defender for Cloud](#ga-checkov-iac-scanning-in-defender-for-cloud). | -| June 24 | Update | [Change in pricing for multicloud Defender for Containers](#update-change-in-pricing-for-defender-for-containers-in-multicloud) | -| June 20 | Upcoming deprecation | [Reminder of deprecation for adaptive recommendations at Microsoft Monitoring Agent (MMA) deprecation](#deprecation-reminder-of-deprecation-for-adaptive-recommendations).<br/><br/> Estimated deprecation August 2024. | -| June 10 | Preview | [Copilot for Security in Defender for Cloud](#preview-copilot-for-security-in-defender-for-cloud) | -| June 10 | Upcoming update |[SQL vulnerability assessment automatic enablement using express configuration on unconfigured servers](#update-sql-vulnerability-assessment-automatic-enablement).<br/><br/> Estimated update: July 10, 2024. | -| June 3 | Upcoming update |[Changes in identity recommendations behavior](#update-changes-in-identity-recommendations-behavior)<br/><br/> Estimated update: July 10 2024. | +| Date | Category | Update | +| - | -- | | +| June 27 | GA | [Checkov IaC Scanning in Defender for Cloud](#ga-checkov-iac-scanning-in-defender-for-cloud). 
| +| June 24 | Update | [Change in pricing for multicloud Defender for Containers](#update-change-in-pricing-for-defender-for-containers-in-multicloud) | +| June 20 | Upcoming deprecation | [Reminder of deprecation for adaptive recommendations at Microsoft Monitoring Agent (MMA) deprecation](#deprecation-reminder-of-deprecation-for-adaptive-recommendations).<br/><br/> Estimated deprecation August 2024. | +| June 10 | Preview | [Copilot for Security in Defender for Cloud](#preview-copilot-for-security-in-defender-for-cloud) | +| June 10 | Upcoming update | [SQL vulnerability assessment automatic enablement using express configuration on unconfigured servers](#update-sql-vulnerability-assessment-automatic-enablement).<br/><br/> Estimated update: July 10, 2024. | +| June 3 | Upcoming update | [Changes in identity recommendations behavior](#update-changes-in-identity-recommendations-behavior)<br/><br/> Estimated update: July 10 2024. | ### GA: Checkov IaC Scanning in Defender for Cloud |
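Review bot: In the added "Deprecation of MMA-related features" section, the agent is called "Azure Monitoring Agent (AMA)", while the Azure Monitor articles in this same change set use "Azure Monitor Agent"; use the product name consistently. The list under "the following MMA-related features will be removed" mixes a noun phrase with a full sentence that repeats "will be removed", and the note's "We recommend that current customers ... should now connect" has a redundant "should". More importantly for readers planning the cutover, the section gives "August 2024" as both the estimated change date and the retirement date without saying whether already-onboarded non-Azure servers keep reporting after the onboarding option is removed; state that explicitly next to the Azure Arc recommendation.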
governance | Create Management Group Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/management-groups/create-management-group-rest-api.md | Title: "Quickstart: Create a management group with REST API" description: In this quickstart, you use REST API to create a management group to organize your resources into a resource hierarchy. Previously updated : 08/17/2021 Last updated : 07/19/2024 + # Quickstart: Create a management group with REST API Management groups are containers that help you manage access, policy, and compliance across multiple directory. You receive a notification when the process is complete. For more inf account before you begin. - If you haven't already, install [ARMClient](https://github.com/projectkudu/ARMClient). It's a tool- that sends HTTP requests to Azure Resource Manager-based REST APIs. Instead, you can use the "Try - It" feature in REST documentation or tooling like PowerShell's - [Invoke-RestMethod](/powershell/module/microsoft.powershell.utility/invoke-restmethod) or - [Postman](https://www.postman.com). + that sends HTTP requests to Azure Resource Manager-based REST APIs. - Any Microsoft Entra ID user in the tenant can create a management group without the management group write permission assigned to that user if |
key-vault | Access Behind Firewall | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/access-behind-firewall.md | Title: Access Key Vault behind a firewall - Azure Key Vault | Microsoft Docs description: Learn about the ports, hosts, or IP addresses to open to enable a key vault client application behind a firewall to access a key vault. -+ |
key-vault | About Keys Details | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/about-keys-details.md | Title: Key types, algorithms, and operations - Azure Key Vault description: Supported key types, algorithms, and operations (details). -+ |
key-vault | About Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/about-keys.md | Title: About keys - Azure Key Vault description: Overview of Azure Key Vault REST interface and developer details for keys. --+ |
key-vault | Byok Specification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/byok-specification.md | Title: Bring your own key specification - Azure Key Vault | Microsoft Docs description: This document described bring your own key specification. -+ |
key-vault | Hsm Protected Keys Byok | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/hsm-protected-keys-byok.md | Title: How to generate & transfer HSM-protected keys ΓÇô BYOK ΓÇô Azure Key Vault description: Use this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Azure Key Vault. Also known as bring your own key (BYOK). -+ |
key-vault | Hsm Protected Keys Ncipher | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/hsm-protected-keys-ncipher.md | Title: How to generate and transfer HSM-protected keys for Azure Key Vault - Azure Key Vault description: Use this article to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault. Also known as BYOK or bring your own key. -+ |
key-vault | Hsm Protected Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/hsm-protected-keys.md | Title: How to generate & transfer HSM-protected keys ΓÇô Azure Key Vault description: Learn how to plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault. Also known as BYOK or bring your own key. -+ |
key-vault | Authorize Azure Resource Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/authorize-azure-resource-manager.md | Title: Allow key management operations through Azure Resource Manager description: Learn how to allow key management operations through ARM -+ |
key-vault | Backup Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/backup-restore.md | Title: Full backup/restore and selective restore for Azure Managed HSM description: This document explains full backup/restore and selective restore. -+ tags: azure-key-vault |
key-vault | Built In Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/built-in-roles.md | Title: Local RBAC built-in roles for Azure Key Vault Managed HSM description: Get an overview of Azure Key Vault Managed HSM built-in roles that can be assigned to users, service principals, groups, and managed identities. -+ |
key-vault | Disaster Recovery Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/disaster-recovery-guide.md | Title: What to do if there's an Azure service disruption that affects Managed HSM - Azure Key Vault | Microsoft Docs description: Learn what to do if there's an Azure service disruption that affects Managed HSM. -+ |
key-vault | Hsm Protected Keys Byok | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/hsm-protected-keys-byok.md | Title: How to generate and transfer HSM-protected keys for Azure Key Vault Managed HSM - Azure Key Vault | Microsoft Docs description: Use this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Managed HSM. Also known as bring your own key (BYOK). -+ For more information on login options via the CLI, take a look at [sign in with ||EC-HSM|P-256<br />P-384<br />P-521|Vendor HSM|The key to be transferred to the Managed HSM| ||Symmetric key (oct-hsm)|128-bit<br />192-bit<br />256-bit|Vendor HSM|The key to be transferred to the Managed HSM| ||||-## Generate and transfer your key to the Managed HSM -To generate and transfer your key to a Managed HSM: +## Generate and transfer your key to the Managed HSM - - [Step 1: Generate a KEK](#step-1-generate-a-kek) - - [Step 2: Download the KEK public key](#step-2-download-the-kek-public-key) - - [Step 3: Generate and prepare your key for transfer](#step-3-generate-and-prepare-your-key-for-transfer) - - [Step 4: Transfer your key to Managed HSM](#step-4-transfer-your-key-to-managed-hsm) ### Step 1: Generate a KEK |
key-vault | Key Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/key-management.md | Title: Manage keys in a managed HSM - Azure Key Vault | Microsoft Docs description: Use this article to manage keys in a managed HSM -+ |
machine-learning | How To Use Batch Azure Data Factory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-batch-azure-data-factory.md | Big data requires a service that can orchestrate and operationalize processes to Azure Data Factory allows the creation of pipelines that can orchestrate multiple data transformations and manage them as a single unit. Batch endpoints are an excellent candidate to become a step in such processing workflow. In this example, learn how to use batch endpoints in Azure Data Factory activities by relying on the Web Invoke activity and the REST API. +> [!TIP] +> When using data pipelines in Fabric, you can invoke batch endpoint directly using the Azure Machine Learning activity. We recommend using Fabric for data orchestration whenever possible to take advantage of the newest capabilities. The Azure Machine Learning activity in Azure Data Factory can only work with assets from Azure Machine Learning V1. Learn more at [Run Azure Machine Learning models from Fabric, using batch endpoints (preview)](how-to-use-batch-fabric.md). + ## Prerequisites * This example assumes that you have a model correctly deployed as a batch endpoint. Particularly, we are using the *heart condition classifier* created in the tutorial [Using MLflow models in batch deployments](how-to-mlflow-batch.md). The pipeline requires the following parameters to be configured: | | -|- | | `endpoint_uri` | The endpoint scoring URI | `https://<endpoint_name>.<region>.inference.ml.azure.com/jobs` | | `poll_interval` | The number of seconds to wait before checking the job status for completion. Defaults to `120`. | `120` |-| `endpoint_input_uri` | The endpoint's input data. Multiple data input types are supported. Ensure that the manage identity you are using for executing the job has access to the underlying location. Alternative, if using Data Stores, ensure the credentials are indicated there. 
| `azureml://datastores/.../paths/.../data/` | +| `endpoint_input_uri` | The endpoint's input data. Multiple data input types are supported. Ensure that the managed identity you are using for executing the job has access to the underlying location. Alternative, if using Data Stores, ensure the credentials are indicated there. | `azureml://datastores/.../paths/.../data/` | | `endpoint_input_type` | The type of the input data you are providing. Currently batch endpoints support folders (`UriFolder`) and File (`UriFile`). Defaults to `UriFolder`. | `UriFolder` | | `endpoint_output_uri` | The endpoint's output data file. It must be a path to an output file in a Data Store attached to the Machine Learning workspace. Not other type of URIs is supported. You can use the default Azure Machine Learning data store, named `workspaceblobstore`. | `azureml://datastores/workspaceblobstore/paths/batch/predictions.csv` | The pipeline requires the following parameters to be configured: | `client_secret` | The client secret of the service principal used to invoke the endpoint | `ABCDEFGhijkLMNOPQRstUVwz` | | `endpoint_uri` | The endpoint scoring URI | `https://<endpoint_name>.<region>.inference.ml.azure.com/jobs` | | `poll_interval` | The number of seconds to wait before checking the job status for completion. Defaults to `120`. | `120` |-| `endpoint_input_uri` | The endpoint's input data. Multiple data input types are supported. Ensure that the manage identity you are using for executing the job has access to the underlying location. Alternative, if using Data Stores, ensure the credentials are indicated there. | `azureml://datastores/.../paths/.../data/` | +| `endpoint_input_uri` | The endpoint's input data. Multiple data input types are supported. Ensure that the managed identity you are using for executing the job has access to the underlying location. Alternative, if using Data Stores, ensure the credentials are indicated there. 
| `azureml://datastores/.../paths/.../data/` | | `endpoint_input_type` | The type of the input data you are providing. Currently batch endpoints support folders (`UriFolder`) and File (`UriFile`). Defaults to `UriFolder`. | `UriFolder` | | `endpoint_output_uri` | The endpoint's output data file. It must be a path to an output file in a Data Store attached to the Machine Learning workspace. Not other type of URIs is supported. You can use the default Azure Machine Learning data store, named `workspaceblobstore`. | `azureml://datastores/workspaceblobstore/paths/batch/predictions.csv` | |
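Review bot: The rewritten `endpoint_input_uri` row, which appears in both parameter tables, fixes "manage identity" but still reads "Alternative, if using Data Stores"; change it to "Alternatively, if using data stores, ..." in both copies. In the added TIP, "you can invoke batch endpoint directly" needs a plural or an article ("invoke batch endpoints directly"). The second table also lists `client_secret` as a pipeline parameter with a realistic-looking sample value; an obvious placeholder such as `<client-secret>` would be harder to mistake for a working credential.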
mysql | Migrate Single Flexible In Place Auto Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/migrate/migrate-single-flexible-in-place-auto-migration.md | Title: In-place automigration description: This tutorial describes how to configure notifications, review migration details and FAQs for an Azure Database for MySQL Single Server instance schedule for in-place automigration to Flexible Server. - Previously updated : 05/21/2024+ Last updated : 07/19/2024 -> [!IMPORTANT] -> Some Single Server instances may require mandatory inputs to perform a successful in-place automigration. Review the migration details in the Migration blade on Azure portal to provide those inputs. Failure to provide mandatory inputs 7 days before the scheduled migration will lead to re-scheduling of the migration to a later date. +> [!IMPORTANT] +> Some Single Server instances might require mandatory inputs to perform a successful in-place automigration. Review the migration details in the Migration blade on Azure portal to provide those inputs. Failure to provide mandatory inputs 7 days before the scheduled migration will lead to re-scheduling of the migration to a later date. The in-place migration provides a highly resilient and self-healing offline migration experience during a planned maintenance window, with less than **5 mins** of downtime. It uses backup and restore technology for faster migration time. This migration removes the overhead to manually migrate your server and ensure you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows. 
Following described are the key phases of the migration: The in-place migration provides a highly resilient and self-healing offline migr - **DNS switch and cutover** are performed successfully within the planned maintenance window with minimal downtime, allowing maintenance of the same connection string post-migration. Client applications seamlessly connect to the target flexible server without any user driven manual updates. In addition to both connection string formats (Single and Flexible Server) being supported on migrated Flexible Server, both username formats ΓÇô username@server_name and username are also supported on the migrated Flexible Server. - The **migrated Flexible Server is online** and can now be managed via Azure portal/CLI. Stopped Single Server is deleted seven days after the migration. -> [!NOTE] +> [!NOTE] > If your Single Server instance has General Purpose V1 storage, your scheduled instance will undergo an additional restart operation 12 hours prior to the scheduled migration time. This restart operation serves to enable the log_bin server parameter needed to upgrade the instance to General Purpose V2 storage before undergoing the in-place auto-migration. ## Eligibility Following described are the ways to check and configure automigration notificati Following described are the ways to review your migration schedule once you receive the in-place automigration notification: > [!NOTE] -> The migration schedule will be locked 7 days prior to the scheduled migration window after which you'll be unable to reschedule. +> The migration schedule is locked 7 days prior to the scheduled migration window after which you'll be unable to reschedule. - The **Single Server overview page** for your instance displays a portal banner with information about your migration schedule. - For Single Servers scheduled for automigration, a new **Migration blade** is lighted on the portal. 
You can review the migration schedule by navigating to the Migration blade of your Single Server instance. - If you wish to defer the migration, you can defer by a month at a time by navigating to the Migration blade of your single server instance on the Azure portal and rescheduling the migration by selecting another migration window within a month. - If your Single Server has **General Purpose SKU**, you have the other option to enable **High Availability** when reviewing the migration schedule. As High Availability can only be enabled during create time for a MySQL Flexible Server, it's highly recommended that you enable this feature when reviewing the migration schedule.-- If your Single Server has **private endpoints**, perform the following **mandatory** steps when reviewing the migration schedule atleast 7 days before the scheduled migration:+- If your Single Server has **private endpoints**, perform the following **mandatory** steps when reviewing the migration schedule at least 7 days before the scheduled migration: - **Review** the private endpoints listed to be migrated. Ensure they are marked as **Ready to Migrate**. If they are marked as ineligible, select the appropriate subscription and private DNS Zone.- - Select the **confirmation checkbox** after performing the listed pre-requisite checks for migrating private endpoints. - - Click on the **Authenticate** button to authenticate ARM connection required to migrate the private endpoints from source to target server. - - Click on **Save** to save all the above steps. + - Select the **confirmation checkbox** after performing the listed prerequisite checks for migrating private endpoints. + - Select the **Authenticate** button to authenticate ARM connection required to migrate the private endpoints from source to target server. + - Select on **Save** to save all the above steps. 
> [!NOTE] - > If the mandatory inputs for migration are not provided atleast 7 days before the scheduled migration, the migration will be rescheduled to a later date. + > If the mandatory inputs for migration are not provided at least 7 days before the scheduled migration, the migration is rescheduled to a later date. ## Prerequisite checks for in-place automigration Here's the info you need to know post in-place migration: | **Property** | **Configuration** | | | |-| Suppress specific alert types | Disable specific alert types with the Microsoft Defender for Cloud platform. For more information, visit [Suppress alerts from Microsoft Defender for Cloud guide](../../defender-for-cloud/alerts-suppression-rules.md). <br /><br /> Single Server users can use the API property: <br /> `properties.disabledAlerts` | -| Email notifications | Define email notification for Microsoft Defender for Cloud Alerts for all resources in a subscription. For more information, visit [Configure email notifications for security alerts](../../defender-for-cloud/configure-email-notifications.md). <br /><br /> Single Server users can use the API properties: <br /> `properties.emailAccountAdmins`, <br /> `properties.emailAddresses` | -| Export alerts for further processing and/or archiving | Alerts are stored in the Microsoft Defender for Cloud platform and exposed through the Azure Resource Graph. <br /> You can export alerts to a different store and manage retention separately. For more information, visit [Set up continuous export in the Azure portal - Microsoft Defender for Cloud](../../defender-for-cloud/continuous-export.md). <br /><br /> Single Server users can use the API properties: <br /> `properties.retentionDays`, <br /> `properties.storageAccountAccessKey`, <br /> `properties.storageEndpoint` | +| Suppress specific alert types | Disable specific alert types with the Microsoft Defender for Cloud platform. 
For more information, visit [Suppress alerts from Microsoft Defender for Cloud guide](../../defender-for-cloud/alerts-suppression-rules.md).<br /><br />Single Server users can use the API property:<br />`properties.disabledAlerts` | +| Email notifications | Define email notification for Microsoft Defender for Cloud Alerts for all resources in a subscription. For more information, visit [Configure email notifications for security alerts](../../defender-for-cloud/configure-email-notifications.md).<br /><br />Single Server users can use the API properties:<br />`properties.emailAccountAdmins`,<br />`properties.emailAddresses` | +| Export alerts for further processing and/or archiving | Alerts are stored in the Microsoft Defender for Cloud platform and exposed through the Azure Resource Graph.<br />You can export alerts to a different store and manage retention separately. For more information, visit [Set up continuous export in the Azure portal - Microsoft Defender for Cloud](../../defender-for-cloud/continuous-export.md).<br /><br />Single Server users can use the API properties:<br />`properties.retentionDays`,<br />`properties.storageAccountAccessKey`,<br />`properties.storageEndpoint` | ## Frequently Asked Questions (FAQs) Here's the info you need to know post in-place migration: **Q. How can I defer the scheduled migration?ΓÇï** -**A.** You can review the migration schedule by navigating to the Migration blade of your Single Server instance. If you wish to defer the migration, you can defer by a month at the most by navigating to the Migration blade of your single server instance on the Azure portal and rescheduling the migration by selecting another migration window within a month. The migration details will be locked seven days prior to the scheduled migration window after which you're unable to reschedule. This in-place migration can be deferred monthly until 16 September 2024. 
+**A.** You can review the migration schedule by navigating to the Migration blade of your Single Server instance. If you wish to defer the migration, you can defer by a month at the most by navigating to the Migration blade of your single server instance on the Azure portal and rescheduling the migration by selecting another migration window within a month. The migration details are locked seven days prior to the scheduled migration window after which you're unable to reschedule. This in-place migration can be deferred monthly until 16 September 2024. **Q. What username and connection string would be supported for the migrated Flexible Server? ΓÇïΓÇï** |
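Review bot: In the private endpoints steps, the added line "Select on **Save** to save all the above steps." is a Click-to-Select replacement that left "on" behind; it should read "Select **Save** to save all the above steps." The sibling line "Select the **Authenticate** button to authenticate ARM connection" also drops an article ("the ARM connection"). The lock period is written "7 days" in the added NOTE and "seven days" in the FAQ answer touched by the same change; pick one form.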
mysql | Whats Happening To Mysql Single Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/migrate/whats-happening-to-mysql-single-server.md | Title: What's happening to Azure Database for MySQL single server? description: The Azure Database for MySQL - Single Server service is being deprecated.---+++ Last updated 05/21/2024 For more information on migrating from Single Server to Flexible Server using ot - If your source Azure Database for MySQL Single Server has engine version v8.x, ensure to upgrade your source server's .NET client driver version to 8.0.32 to avoid any encoding incompatibilities post migration to Flexible Server. - If your source Azure Database for MySQL Single Server has engine version v8.x, ensure to upgrade your source server's TLS version from v1.0 or v1.1 to TLS v1.2 before the migration as the older TLS versions have been deprecated for Flexible Server. - If your source Azure Database for MySQL Single Server utilizes nondefault ports such as 3308,3309 and 3310, change your connectivity port to 3306 as the above mentioned nondefault ports aren't supported on Flexible Server.-- Service tags (SQL) in Outbound Rules are not supported on Azure Database for MySQL Flexible Server. Please use Fully Qualified Domain name(FQDN) in Outbound Rules when configuring teh firewall settings for the Flexible Server.+- Service tags (SQL) in Outbound Rules are not supported on Azure Database for MySQL Flexible Server. Please use Fully Qualified Domain name(FQDN) in Outbound Rules when configuring the firewall settings for the Flexible Server. ## What happens post sunset date (September 16, 2024)? When you migrate from Azure Database for MySQL - Single Server to Flexible Serve **Q. What happens to my existing Azure Database for MySQL single server instances?** -**A.** Your existing Azure Database for MySQL single server workloads continues to function as before and will be officially supported until the sunset date. 
However, no new updates are released for Single Server and we strongly advise you to start migrating to Azure Database for MySQL Flexible Server at the earliest. Post the sunset date, your Single Server instance, along with its data files, will be [force-migrated](./whats-happening-to-mysql-single-server.md#forced-migration-post-sunset-date) to an appropriate Flexible Server instance in a phased manner. +**A.** Your existing Azure Database for MySQL single server workloads continues to function as before and is officially supported until the sunset date. However, no new updates are released for Single Server and we strongly advise you to start migrating to Azure Database for MySQL Flexible Server at the earliest. Post the sunset date, your Single Server instance, along with its data files, will be [force-migrated](./whats-happening-to-mysql-single-server.md#forced-migration-post-sunset-date) to an appropriate Flexible Server instance in a phased manner. **Q. Can I choose to continue running Single Server beyond the sunset date?** **A.** Unfortunately, we don't plan to support Single Server beyond the sunset date of **September 16, 2024**, and hence we strongly advise that you start planning your migration as soon as possible. Post the sunset date, your Single Server instance, along with its data files, will be force-migrated to an appropriate Flexible Server instance in a phased manner. This might lead to limited feature availability as certain advanced functionality can't be force-migrated without customer inputs to the Flexible Server instance. Read more about steps to reconfigure such features post force-migration to minimize the potential impact [here](./whats-happening-to-mysql-single-server.md#action-required-post-forced-migration). 
If your server is in a region where Azure Database for MySQL - Flexible Server isn't supported, then post the sunset date, your Single Server instance is available with limited operations to access data and to be able to migrate to Flexible Server. **Q. My single server is deployed in a region that doesn't support flexible server. What will happen to my server post sunset date?**+ **A.** If your server is in a region where Azure Database for MySQL - Flexible Server isn't supported, then post the sunset date, your Single Server instance is available with limited operations to access data and to be able to migrate to Flexible Server. We strongly recommend that you use one of the following options to migrate before the sunset date to avoid any disruptions in business continuity: - Use Azure DMS to perform a cross-region migration to Flexible Server in a suitable Azure region. - Migrate to MySQL Server hosted on a VM in the region, if you're unable to change regions due to compliance issues. **Q. Post sunset date, will there be any data loss for my Single Server?**+ **A.** No, there won't be any data loss incurred for your Single Server instance. Post the sunset date, your Single Server instance, along with its data files, will be force-migrated to an appropriate Flexible Server instance. If your server is in a region where Azure Database for MySQL - Flexible Server isn't supported, then post the sunset date, your Single Server instance is available with limited operations to access data and to be able to migrate to Flexible Server in an appropriate region. **Q. 
After the Single Server retirement announcement, what if I still need to create a new single server to meet my business needs?** We know migrating services can be a frustrating experience, and we apologize in - [Frequently Asked Questions about DMS (classic) migrations](../../dms/faq-mysql-single-to-flex.md) - [Select the right tools for migration to Azure Database for MySQL](../migrate/how-to-decide-on-right-migration-tools.md) - [What is Flexible Server](../flexible-server/overview.md)++ |
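Review bot: In the FAQ answer on existing instances, the added sentence "Your existing Azure Database for MySQL single server workloads continues to function as before and is officially supported" pairs a plural subject with singular verbs; use "continue to function as before and are officially supported". The firewall bullet fixes "teh" but keeps "Fully Qualified Domain name(FQDN)"; write "fully qualified domain name (FQDN)" and drop "Please" to match the neighbouring bullets.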
operator-nexus | Troubleshoot Bare Metal Machine Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/troubleshoot-bare-metal-machine-provisioning.md | + + Title: Azure Operator Nexus troubleshoot bare metal machine provisioning +description: Troubleshoot bare metal machine provisioning for Azure Operator Nexus. +++ Last updated : 07/19/2024+++++# Troubleshoot BMM provisioning in Azure Operator Nexus cluster ++As part of cluster deploy action, bare metal machines (BMM) are provisioned with required roles to participate in the cluster. This document supports troubleshooting for common provisioning issues using Azure CLI, Azure portal, and the server baseboard management controller (BMC). For the Azure Operator Nexus platform, the underlying server hardware uses integrated Dell remote access controller (iDRAC) as the BMC. Provisioning uses the Preboot eXecution Environment (PXE) interface to load the Operating System (OS) on the BMM. ++## Prerequisites +1. Install the latest version of the [appropriate CLI extensions](howto-install-cli-extensions.md) +2. Collect the following information: + - Subscription ID (SUBSCRIPTION) + - Cluster name (CLUSTER) + - Resource group (CLUSTER_RG) + - Managed resource group (CLUSTER_MRG) +3. Request subscription access to run Azure Operator Nexus network fabric (NF) and network cloud (NC) CLI extension commands. +4. Log in to Azure CLI and select the subscription where the cluster is deployed. ++## BMM roles +For a given SKU, there are required roles to manage and operate the underlying kubernetes cluster. ++The following roles are assigned to BMM resources (see [BMM roles reference](reference-near-edge-baremetal-machine-roles.md)): ++ - `Control plane`: BMM responsible for running the kubernetes control plane agents for cluster. + - `Management plane`: BMM responsible for running the platform agents including controllers and extensions. 
+ - `Compute plane`: BMM responsible for running actual tenant workloads including kubernetes clusters and virtual machines. ++## Listing BMM status +This command will `list` all `bareMetalMachineName` resources in the managed resource group with simple status: ++```azurecli +az networkcloud baremetalmachine list -g $CLUSTER_MRG -o table ++Name ResourceGroup DetailedStatus DetailedStatusMessage + -- - +BMM_NAME CLUSTER_MRG STATUS STATUS_MSG +``` ++Where `STATUS` goes through the following phases through the BMM provisioning process (see [BMM Status in Azure Operator Nexus Compute Concepts](concepts-compute.md)): ++`Registering` -> `Preparing` -> `Inspecting` -> `Available` -> `Provisioning` -> `Provisioned` ++These phases are defined as follows: ++| Phase | Actions | +| | | +| `Registering` | Verifying BMC connectivity/BMC credentials and adding BMM to provisioning service. | +| `Preparing` | Rebooting BMM, resetting BMC, and verifying power state. | +| `Inspecting` | Updating firmware, applying BIOS settings, and configuring storage. | +| `Available` | BMM is ready to install OS. | +| `Provisioning` | OS image installing on the BMM. After OS is installed, BMM attempts to join cluster. | +| `Provisioned` | BMM successfully provisioned and joined to cluster. | +| `Deprovisioning` | BMM provisioning failed. Provisioning service is cleaning up resource for retry. | +| `Failed` | BMM provisioning failed and manual recovery is required. All retries exhausted. 
| ++During any phase, the BMM detailed status is set to failed and the phase is blocked if any of the following occurs: +- BMC is unavailable +- Network port is down +- Hardware component fails ++To get a more detailed status of the BMM: +```azurecli +az networkcloud baremetalmachine list -g $CLUSTER_MRG --query "sort_by([].{name:name,readyState:readyState,provisioningState:provisioningState,detailedStatus:detailedStatus,detailedStatusMessage:detailedStatusMessage,powerState:powerState,machineRoles:machineRoles| join(', ', @),createdAt:systemData.createdAt}, &name)" --output table ++Name ReadyState ProvisioningState DetailedStatus DetailedStatusMessage PowerState MachineRoles CreatedAt + - -- -- -- - -- +BMM_NAME RSTATE PROV_STATE STATUS STATUS_MSG POWER_STATE BMM_ROLE CREATE_DATE +``` ++Where the output is defined as follows: ++| Output | Definition | +| | | +| BMM_NAME | BMM name | +| RSTATE | Cluster participation status (`True`,`False`). | +| PROV_STATE | Provisioning state (`Succeeded`,`Failed`). | +| STATUS | Provisioning detailed status (`Registering`,`Preparing`,`Inspecting`,`Available`,`Provisioning`,`Provisioned`,`Deprovisioning`,`Failed`). | +| STATUS_MSG | Detailed provisioning status message. | +| POWER_STATE | Power state of BMM (`On`,`Off`). | +| BMM_ROLE | BMM cluster role (`control-plane`,`management-plane`,`compute-plane`). | +| CREATE_DATE | BMM creation date. 
| ++For example: +```azurecli +x01dev01c01w01 True Succeeded Provisioned The OS is provisioned to the machine On platform.afo-nc.microsoft.com/compute-plane=true 2024-05-03T15:12:48.0934793Z +x01dev01c01w01 False Failed Preparing Preparing for provisioning of the machine Off platform.afo-nc.microsoft.com/compute-plane=true 2024-05-03T15:12:48.0934793Z +``` ++## BMM details +To show details and status of a single BMM: +```azurecli +az networkcloud baremetalmachine show -g $CLUSTER_MRG -n $BMM_NAME +``` +For BMM details specific to troubleshooting: +```azurecli +az networkcloud baremetalmachine show -g $CLUSTER_MRG -n $BMM_NAME --query "{name:name,BootMAC:bootMacAddress,BMCMAC:bmcMacAddress,Connect:bmcConnectionString,SN:serialNumber,rackId:rackId,RackSlot:rackSlot}" -o table +``` ++## Troubleshooting failed provisioning state ++The following conditions can cause provisioning failures: ++| Error Type | Resolution | +| - | - | +| BMC shows `Backplane Comm` critical error. | 1) Execute BMM remote flea drain. 2) Perform BMM physical flea drain. 3) Execute BMM `replace` action. | +| Boot (PXE) network data response empty from BMC. | 1) Reset port on fabric device. 2) Execute BMM remote flea drain. 3) Perform BMM physical flea drain. 4) Execute BMM `replace` action. | +| Boot (PXE) MAC address mismatch. | 1) Validate BMM MAC address data against BMC data. 2) Execute BMM remote flea drain. 3) Perform BMM physical flea drain. 4) Execute BMM `replace` action. | +| BMC MAC address mismatch | 1) Validate BMM MAC address data against BMC data. 2) Execute BMM remote flea drain. 3) Perform BMM physical flea drain. 4) Execute BMM `replace` action. | +| Disk data response empty from BMC. | 1) Remove/replace disk. 2) Remove/replace storage controller. 3) Execute BMM remote flea drain. 4) Perform BMM physical flea drain. 5) Execute BMM `replace` action. | +| BMC unreachable. | 1) Reset port on fabric device. 2) Remove/replace cable. 3) Execute BMM remote flea drain. 
4) Perform BMM physical flea drain. 5) Execute BMM `replace` action. | +| BMC fails log in. | 1) Update credentials on BMC. 2) Execute BMM `replace` action. | +| Memory, CPU, OEM critical errors on BMC. | 1) Resolve hardware issue with remove/replace. 2) Execute BMM remote flea drain. 3) Perform BMM physical flea drain. 4) Execute BMM `replace` action. | +| Console stuck at boot loader (GRUB) menu. | 1) Execute NVRAM reset. 2) Execute BMM `replace` action. | ++### Azure BMM activity log ++1. Log in to [Azure portal](https://portal.azure.com/). +2. Search on the BMM name in the top `Search` box. +3. Select the `Bare Metal Machine (Operator Nexus)` from the search results. +4. Select `Activity log` on the left side menu. +5. Make sure the `Timespan` encompasses the provisioning period. +6. Expand the `BareMetalMachines_Update` operation and select any that show `Failed` status. +7. Select `JSON` tab to get the detailed status message. ++Look for failures related to invalid credentials or BMC unavailable. ++### Determine BMC IPv4 address +The IPv4 address of the BMC (BMC_IP) is in the `Connect` value returned from the previous `BMM Details` section. 
++### Validate MAC address of BMM against BMC data ++To get the MAC address information from the BMM: +```azurecli +az networkcloud baremetalmachine show -g $CLUSTER_MRG -n $BMM_NAME --query "{name:name,BootMAC:bootMacAddress,BMCMAC:bmcMacAddress,SN:serialNumber,rackId:rackId,RackSlot:rackSlot}" -o table +``` ++Verify the MAC address data against the BMC through the WEB UI: +`BMC` -> `Dashboard` - Shows BMC MAC address +`BMC` -> `System Info` -> `Network` -> `Embedded.1-1-1` - Shows Boot MAC address ++Verify the MAC address using `racadm` from a jumpbox that has access to the BMC network: +```bash +racadm --nocertwarn -r $IP -u $BMC_USR -p $BMC_PWD getsysinfo | grep "MAC Address " #BMC MAC +racadm --nocertwarn -r $IP -u $BMC_USR -p $BMC_PWD getsysinfo | grep "NIC.Embedded.1-1-1" #Boot MAC +``` ++If the MAC address supplied to the cluster is incorrect, use the BMM `replace` action at [BMM actions](howto-baremetal-functions.md) to correct the addresses. ++### Ping test BMC connectivity ++Attempt to run ping against the BMC IPv4 address: +1. Obtain the IPv4 address (BMC_IP) from the previous `Determine BMC IPv4 address`. +2. Test ping to the BMC: ++ To test from a jumpbox that has access to the BMC network: + ```bash + ping $BMC_IP -c 3 + ``` + + To test from a BMM control-plane host using Azure CLI: + ```azurecli + az networkcloud baremetalmachine run-read-command -g $CLUSTER_MRG -n $BMM_NAME --limit-time-seconds 60 --commands "[{command:'ping',arguments:['$BMC_IP',-c,3]}]" + ``` ++### Reset port on fabric device +If the BMC_IP isn't responsive, a reset of the fabric device port retriggers autonegotiation on the port and may bring it back online. ++To find the `Network Fabric` port from Azure: +1. Obtain the `RackID` and `RackSlot` from the previous `BMM Details` section. +2. In Azure portal, drill down to the `Network Rack` RackID for the BMM. +3. Select `Network Devices` tab and the management (Mgmt) switch for the rack. +4. 
Under `Resources`, select `Network Interfaces` and then the BMC (iDRAC) or boot (PXE) interface for the port that requires reset. ++ Collect the following information: + - Network fabric resource group (NF_RG) + - Device name (NF_DEVICE_NAME) + - Interface name (NF_DEVICE_INTERFACE_NAME) ++5. Reset the port: ++ To reset the port using Azure CLI: + ```azurecli + az networkfabric interface update-admin-state -g $NF_RG --network-device-name $NF_DEVICE_NAME --resource-name $NF_DEVICE_INTERFACE_NAME --state Disable + az networkfabric interface update-admin-state -g $NF_RG --network-device-name $NF_DEVICE_NAME --resource-name $NF_DEVICE_INERFACE_NAME --state Enable + ``` ++### BMM remote power drain (flea drain) +Perform a remote flea drain against the BMM through the BMC UI: +`BMC` -> `Configuration` -> `BIOS Settings` -> `Miscellaneous Settings` -> `Select "Full Power Cycle" under Power Cycle Request` -> `Apply and reboot` ++Perform a remote flea drain using `racadm` from a jumpbox that has access to the BMC network: +```bash +racadm set bios.miscsettings.powercyclerequest FullPowerCycle +racadm jobqueue create BIOS.Setup.1-1 +racadm serveraction powercycle +``` ++### BMM physical power drain (flea drain) +For a physical flea drain, the local site hands physically disconnect the power cables from both power adapters for 5 minutes and then restore power. This process ensures the server, capacitors, and all components have complete power removal and all cached data is cleared. ++### Reset NVRAM +If provisioning failed due to an OEM or hardware error, the boot sequence may be locked in NVRAM to `PXE boot` instead of showing `hdd` or `hard drive` listed first in the boot order. ++This condition typically shows the BMM at the bootloader stage on the console and is blocked without manual keystroke intervention. 
++To reset the NVRAM, use the following sequence in the BMC UI: +`Maintenance` -> `Diagnostics` -> `Reset iDrac to Factory Defaults` -> `Discard All Settings, but preserve user and network settings` -> `Apply and reboot` ++### Reset BMC password +If the activity log indicates invalid credentials on the BMC, run the following command from a jumpbox that has access to the BMC network: +```bash +racadm -r $BMC_IP -u $BMC_USER -p $CURRENT_PASSWORD set iDRAC.Users.2.Password $BMC_PWD +``` ++## Adding servers back into the cluster after a repair ++After hardware is fixed, run BMM `replace` action following instructions from the following page [BMM actions](howto-baremetal-functions.md). ++If you still have questions, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). +For more information about support plans, see [Azure Support plans](https://azure.microsoft.com/support/plans/response/). |
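Review bot: In the "Reset port on fabric device" step, the second `az networkfabric interface update-admin-state` command passes `--resource-name $NF_DEVICE_INERFACE_NAME` (missing the T), while the step collects, and the `--state Disable` command uses, `$NF_DEVICE_INTERFACE_NAME`. A reader who copies both lines disables the port and then runs the `--state Enable` call against an unset variable, which can leave the port disabled; correct the variable name. The `racadm` examples also mix `$IP` and `$BMC_USR` (MAC address check) with `$BMC_IP` and `$BMC_USER` (password reset), and the remote flea drain commands carry no `-r`, `-u` or `-p` arguments even though the text says they run from a jumpbox. Use one set of variable names throughout and state how the flea drain commands reach the BMC.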
search | Search Api Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-api-migration.md | Azure AI Search breaks backward compatibility as a last resort. Upgrade is neces ## How to upgrade -In your application code that makes direct calls to the REST APIs, modify the `api-version` parameter on the requst header. For more information about structuring a REST call, see [Quickstart: using REST](search-get-started-rest.md#set-up-visual-studio-code). +The `api-version` parameter is specified in the request header. In your application code that makes direct calls to the REST APIs, search for all instances of the existing version and then replace it with the new version. For more information about structuring a REST call, see [Quickstart: using REST](search-get-started-rest.md#set-up-visual-studio-code). If you're using an Azure SDK, those packages target specific versions of the REST API. Package updates might coincide with a REST API update, but each SDK is on it's own release schedule that ships independently of Azure AI Search REST API versions. Check the change log of your SDK package to determine whether a package release targets the latest REST API version. |
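Review bot: The added sentence "search for all instances of the existing version and then replace it with the new version" switches from plural to singular; "replace them" or "replace each one" reads correctly. While this paragraph is being touched, the unchanged paragraph that follows has "each SDK is on it's own release schedule", which should be "its".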
search | Search Get Started Portal Import Vectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-portal-import-vectors.md | Last updated 07/19/2024 > [!IMPORTANT] > The **Import and vectorize data** wizard is in public preview under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). By default, it targets the [2024-05-01-Preview REST API](/rest/api/searchservice/skillsets/create-or-update?view=rest-searchservice-2024-05-01-preview&preserve-view=true). -This quickstart helps you get started with [integrated vectorization (preview)](vector-search-integrated-vectorization.md) by using the **Import and vectorize data** wizard in the Azure portal. This wizard chunks your content and calls a user-specified embedding model to vectorize content during indexing and for queries. +This quickstart helps you get started with [integrated vectorization (preview)](vector-search-integrated-vectorization.md) by using the **Import and vectorize data** wizard in the Azure portal. The wizard chunks your content and calls an embedding model to vectorize content during indexing and for queries. Key points about the wizard: Key points about the wizard: Azure Storage must be a standard performance (general-purpose v2) account. Access tiers can be hot, cool, and cold. Don't use Azure Data Lake Storage Gen2 (a storage account with a hierarchical namespace). This version of the wizard doesn't support Data Lake Storage Gen2. -+ An embedding model on a supported platform. [Deployment instructions](#set-up-embedding-models) are provided in this article. ++ An embedding model on an Azure AI platform. [Deployment instructions](#set-up-embedding-models) are in this article. | Provider | Supported models | ||| | [Azure OpenAI Service](https://aka.ms/oai/access) | text-embedding-ada-002, text-embedding-3-large, or text-embedding-3-small. 
| | [Azure AI Studio model catalog](/azure/ai-studio/what-is-ai-studio) | Azure, Cohere, and Facebook embedding models. |- | [Azure AI services multiservice account](/azure/ai-services/multi-service-resource) | [Azure AI Vision multimodal](/azure/ai-services/computer-vision/how-to/image-retrieval) for image and text vectorization. Azure AI Vision multimodal is available in selected regions: East US, West US, West US2, North Europe, West Europe, France Central, Sweden Central, Switzerland North, Southeast Asia, Korea Central, Australia East, or Japan East. [Check the documentation](/azure/ai-services/computer-vision/how-to/image-retrieval?tabs=csharp) for an updated list. | + | [Azure AI services multiservice account](/azure/ai-services/multi-service-resource) | [Azure AI Vision multimodal](/azure/ai-services/computer-vision/how-to/image-retrieval) for image and text vectorization. Azure AI Vision multimodal is available in selected regions. [Check the documentation](/azure/ai-services/computer-vision/how-to/image-retrieval?tabs=csharp) for an updated list. **To use this resource, the account must be in an available region and in the same region as Azure AI Search**. | ### Public endpoint requirements The wizard supports semantic ranking, but only on the Basic tier and higher, and This section points you to data that works for this quickstart. -### [Azure Storage](#tab/sample-data-storage) +### [Azure Blob storage](#tab/sample-data-storage) 1. Sign in to the [Azure portal](https://portal.azure.com/) with your Azure account, and go to your Azure Storage account. This section points you to data that works for this quickstart. 1. Create a new container and then upload the [health-plan PDF documents](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/health-plan) used for this quickstart. -1. 
On **Access control**, assign the [Storage Blob Data Reader](search-howto-managed-identities-data-sources.md#assign-a-role) role on the container to the search service identity. Or, get a connection string to the storage account from the **Access keys** page. +1. On the left pane, under **Access control**, assign the [Storage Blob Data Reader](search-howto-managed-identities-data-sources.md#assign-a-role) role to the search service identity. Or, get a connection string to the storage account from the **Access keys** page. ### [OneLake](#tab/sample-data-onelake) This section points you to data that works for this quickstart. ## Set up embedding models -Integrated vectorization and the **Import and vectorize data** wizard tap into deployed embedding models during indexing to convert text and images into vectors. --You can use embedding models deployed in Azure OpenAI, in Azure AI Vision for multimodal embeddings, or in the model catalog in Azure AI Studio. +The wizard can use embedding models deployed from Azure OpenAI, Azure AI Vision, or from the model catalog in Azure AI Studio. ### [Azure OpenAI](#tab/model-aoai) -**Import and vectorize data** supports `text-embedding-ada-002`, `text-embedding-3-large`, and `text-embedding-3-small`. Internally, the wizard uses the [AzureOpenAIEmbedding skill](cognitive-search-skill-azure-openai-embedding.md) to connect to Azure OpenAI. --Use these instructions to assign permissions or get an API key for search service connection to Azure OpenAI. You should set up permissions or have connection information available before you run the wizard. +The wizard supports text-embedding-ada-002, text-embedding-3-large, and text-embedding-3-small. Internally, the wizard calls the [AzureOpenAIEmbedding skill](cognitive-search-skill-azure-openai-embedding.md) to connect to Azure OpenAI. 1. Sign in to the [Azure portal](https://portal.azure.com/) with your Azure account, and go to your Azure OpenAI resource. 
Use these instructions to assign permissions or get an API key for search servic ### [Azure AI Vision](#tab/model-ai-vision) -**Import and vectorize data** supports Azure AI Vision image retrieval through multimodal embeddings (version 4.0). Internally, the wizard uses the [multimodal embeddings skill](cognitive-search-skill-vision-vectorize.md) to connect to Azure AI Vision. +The wizard supports Azure AI Vision image retrieval through multimodal embeddings (version 4.0). Internally, the wizard calls the [multimodal embeddings skill](cognitive-search-skill-vision-vectorize.md) to connect to Azure AI Vision. 1. [Create an Azure AI Vision service in a supported region](/azure/ai-services/computer-vision/how-to/image-retrieval?tabs=csharp#prerequisites). After you finish these steps, you should be able to select the Azure AI Vision v ### [Azure AI Studio model catalog](#tab/model-catalog) -**Import and vectorize data** supports Azure, Cohere, and Facebook embedding models in the Azure AI Studio model catalog, but it doesn't currently support the OpenAI CLIP model. Internally, the wizard uses the [AML skill](cognitive-search-aml-skill.md) to connect to the catalog. --Use these instructions to assign permissions or get an API key for search service connection to Azure OpenAI. You should set up permissions or have connection information available before you run the wizard. +The wizard supports Azure, Cohere, and Facebook embedding models in the Azure AI Studio model catalog, but it doesn't currently support the OpenAI CLIP model. Internally, the wizard calls the [AML skill](cognitive-search-aml-skill.md) to connect to the catalog. -1. For the model catalog, you should have an [Azure OpenAI resource](/azure/ai-services/openai/how-to/create-resource), a [hub in Azure AI Studio](/azure/ai-studio/how-to/create-projects), and a [project](/azure/ai-studio/how-to/create-projects). Hubs and projects that have the same name can share connection information and permissions. +1. 
For the model catalog, you should have an [Azure OpenAI resource](/azure/ai-services/openai/how-to/create-resource), a [hub in Azure AI Studio](/azure/ai-studio/how-to/create-projects), and a [project](/azure/ai-studio/how-to/create-projects). Hubs and projects having the same name can share connection information and permissions. 1. Deploy a supported embedding model to the model catalog in your project. Use these instructions to assign permissions or get an API key for search servic The next step is to connect to a data source to use for the search index. -1. In the **Import and vectorize data** wizard, on the **Set up your data connection** page, select **Azure Blob Storage** or **OneLake**. +### [Azure Blob storage](#tab/connect-data-storage) ++1. On the **Set up your data connection** page, select **Azure Blob Storage**. 1. Specify the Azure subscription. -1. For OneLake, specify the lakehouse URL, or provide the workspace and lakehouse IDs. +1. Choose the storage account and container that provide the data. ++1. Specify whether you want [deletion detection](search-howto-index-changed-deleted-blobs.md) support. On subsequent indexing runs, the search index is updated to remove any search documents based on soft-deleted blobs on Azure Storage. ++ + You're prompted to choose either **Native blob soft delete** or **Soft delete using custom data**. + + Your blob container must have deletion detection enabled before you run the wizard. + + [Enable soft delete](/azure/storage/blobs/soft-delete-blob-overview) in Azure Storage, or [add custom metadata](search-howto-index-changed-deleted-blobs.md#soft-delete-strategy-using-custom-metadata) to your blobs that indexing recognizes as a deletion flag. + + If you choose **Soft delete using custom data**, you're prompted to provide the metadata property name-value pair. ++1. Specify whether you want your search service to [connect to Azure Storage using its managed identity](search-howto-managed-identities-storage.md). 
++ + You're prompted to choose either a system-managed or user-managed identity. + + The identity should have a **Storage Blob Data Reader** role on Azure Storage. + + Do not skip this option. A connection error occurs during indexing if the wizard can't connect to Azure Storage. ++1. Select **Next**. ++### [OneLake (preview)](#tab/connect-data-onelake) - For Azure Storage, select the account and container that provide the data. +Support for OneLake indexing is in preview. For more information about supported shortcuts and limitations, see ([OneLake indexing](search-how-to-index-onelake-files.md)). -1. Specify whether you want [deletion detection](search-howto-index-changed-deleted-blobs.md). +1. On the **Set up your data connection** page, select **OneLake**. ++1. Specify the type of connection: ++ + Lakehouse URL + + Workspace ID and Lakehouse ID ++1. For OneLake, specify the lakehouse URL, or provide the workspace and lakehouse IDs. ++1. Specify whether you want your search service to connect to OneLake using its system or user managed identity. You must use a managed identity and roles for search connections to OneLake. 1. Select **Next**. ++ ## Vectorize your text In this step, specify the embedding model for vectorizing chunked data. -1. On the **Vectorize your text** page, specify whether deployed models are on Azure OpenAI, the Azure AI Studio model catalog, or an existing Azure AI Vision multimodal resource in the same region as Azure AI Search. +1. On the **Vectorize your text** page, choose the source of the embedding model: -1. Specify the Azure subscription. + + Azure OpenAI + + Azure AI Studio model catalog + + An existing Azure AI Vision multimodal resource in the same region as Azure AI Search. If there's no [Azure AI Services multi-service account](/azure/ai-services/multi-service-resource) in the same region, this option isn't available. ++1. Choose the Azure subscription. 1. Make selections according to the resource: - 1. 
For Azure OpenAI, select the service, model deployment, and authentication type. + + For Azure OpenAI, choose an existing deployment of text-embedding-ada-002, text-embedding-3-large, or text-embedding-3-small. - 1. For AI Studio catalog, select the project, model deployment, and authentication type. + + For AI Studio catalog, choose an existing deployment of an Azure, Cohere, and Facebook embedding model. - 1. For AI Vision vectorization, select the account. + + For AI Vision multimodal embeddings, select the account. For more information, see [Set up embedding models](#set-up-embedding-models) earlier in this article. +1. Specify whether you want your search service to authenticate using an API key or managed identity. ++ + The identity should have a **Cognitive Services OpenAI User** role on the Azure AI multi-services account. + 1. Select the checkbox that acknowledges the billing impact of using these resources. 1. Select **Next**. In this step, specify the embedding model for vectorizing chunked data. If your content includes images, you can apply AI in two ways: + Use a supported image embedding model from the catalog, or choose the Azure AI Vision multimodal embeddings API to vectorize images.-+ Use optical character recognition (OCR) to recognize text in images. +++ Use optical character recognition (OCR) to recognize text in images. This option invokes the [OCR skill](cognitive-search-skill-ocr.md) to read text from images. Azure AI Search and your Azure AI resource must be in the same region. |
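Review bot: In the Azure Blob storage sample-data step, the rewrite drops "on the container" from the **Storage Blob Data Reader** assignment, so the step no longer says at which scope to grant the role; keep the container scope, or state the intended scope, so readers don't default to a broader grant. The same step still offers a connection string from **Access keys** as an alternative, while the new data-connection step says "Do not skip this option" for the managed identity; say which of the two applies. Smaller points: in the new OneLake tab, "Specify the type of connection" is followed by "For OneLake, specify the lakehouse URL, or provide the workspace and lakehouse IDs", which repeats it; "an Azure, Cohere, and Facebook embedding model" should use "or"; "see ([OneLake indexing](search-how-to-index-onelake-files.md))" has stray parentheses around the link; and the **Cognitive Services OpenAI User** role is tied to "the Azure AI multi-services account" in a step that also covers Azure OpenAI and the model catalog.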
security | Encryption Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/encryption-models.md | Title: Data encryption models in Microsoft Azure description: This article provides an overview of data encryption models In Microsoft Azure.- -+ Last updated : 07/19/2024 Previously updated : 05/13/2024- + # Data encryption models An understanding of the various encryption models and their pros and cons is essential for understanding how the various resource providers in Azure implement encryption at Rest. These definitions are shared across all resource providers in Azure to ensure common language and taxonomy. There are three scenarios for server-side encryption: - Customer controls keys on customer-controlled hardware - Full cloud functionality -Server-side Encryption models refer to encryption that is performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage may receive data in plain text operations and will perform the encryption and decryption internally. The Resource Provider might use encryption keys that are managed by Microsoft or by the customer depending on the provided configuration. +Server-side Encryption models refer to encryption that is performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage might receive data in plain text operations and will perform the encryption and decryption internally. The Resource Provider might use encryption keys that are managed by Microsoft or by the customer depending on the provided configuration. -![Server](./media/encryption-models/azure-security-encryption-atrest-fig3.png) -Each of the server-side encryption at rest models implies distinctive characteristics of key management. This includes where and how encryption keys are created, and stored as well as the access models and the key rotation procedures. 
+Each of the server-side encryption at rest models implies distinctive characteristics of key management. This includes where and how encryption keys are created, and stored as well as the access models and the key rotation procedures. For client-side encryption, consider the following: The supported encryption models in Azure split into two main groups: "Client Enc Client Encryption model refers to encryption that is performed outside of the Resource Provider or Azure by the service or calling application. The encryption can be performed by the service application in Azure, or by an application running in the customer data center. In either case, when leveraging this encryption model, the Azure Resource Provider receives an encrypted blob of data without the ability to decrypt the data in any way or have access to the encryption keys. In this model, the key management is done by the calling service/application and is opaque to the Azure service. -![Client](./media/encryption-models/azure-security-encryption-atrest-fig2.png) ## Server-side encryption using service-managed keys -For many customers, the essential requirement is to ensure that the data is encrypted whenever it is at rest. Server-side encryption using service-managed Keys enables this model by allowing customers to mark the specific resource (Storage Account, SQL DB, etc.) for encryption and leaving all key management aspects such as key issuance, rotation, and backup to Microsoft. Most Azure services that support encryption at rest typically support this model of offloading the management of the encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management. +For many customers, the essential requirement is to ensure that the data is encrypted whenever it is at rest. 
Server-side encryption using service-managed Keys enables this model by allowing customers to mark the specific resource (Storage Account, SQL DB, etc.) for encryption and leaving all key management aspects such as key issuance, rotation, and backup to Microsoft. Most Azure services that support encryption at rest typically support this model of offloading the management of the encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. This means that the service has full access to the keys and the service has full control over the credential lifecycle management. -![managed](./media/encryption-models/azure-security-encryption-atrest-fig4.png) Server-side encryption using service-managed keys therefore quickly addresses the need to have encryption at rest with low overhead to the customer. When available a customer typically opens the Azure portal for the target subscription and resource provider and checks a box indicating, they would like the data to be encrypted. In some Resource Managers server-side encryption with service-managed keys is on by default. -Server-side encryption with Microsoft-managed keys does imply the service has full access to store and manage the keys. While some customers may want to manage the keys because they feel they gain greater security, the cost and risk associated with a custom key storage solution should be considered when evaluating this model. In many cases, an organization may determine that resource constraints or risks of an on-premises solution may be greater than the risk of cloud management of the encryption at rest keys. 
However, this model might not be sufficient for organizations that have requirements to control the creation or lifecycle of the encryption keys or to have different personnel manage a service's encryption keys than those managing the service (that is, segregation of key management from the overall management model for the service). +Server-side encryption with Microsoft-managed keys does imply the service has full access to store and manage the keys. While some customers might want to manage the keys because they feel they gain greater security, the cost and risk associated with a custom key storage solution should be considered when evaluating this model. In many cases, an organization might determine that resource constraints or risks of an on-premises solution might be greater than the risk of cloud management of the encryption at rest keys. However, this model might not be sufficient for organizations that have requirements to control the creation or lifecycle of the encryption keys or to have different personnel manage a service's encryption keys than those managing the service (that is, segregation of key management from the overall management model for the service). ### Key access When Server-side encryption with service-managed keys is used, the key creation, ## Server-side encryption using customer-managed keys in Azure Key Vault -For scenarios where the requirement is to encrypt the data at rest and control the encryption keys customers can use server-side encryption using customer-managed Keys in Key Vault. Some services may store only the root Key Encryption Key in Azure Key Vault and store the encrypted Data Encryption Key in an internal location closer to the data. In that scenario customers can bring their own keys to Key Vault (BYOK ΓÇô Bring Your Own Key), or generate new ones, and use them to encrypt the desired resources. 
While the Resource Provider performs the encryption and decryption operations, it uses the configured key encryption key as the root key for all encryption operations. +For scenarios where the requirement is to encrypt the data at rest and control the encryption keys customers can use server-side encryption using customer-managed Keys in Key Vault. Some services might store only the root Key Encryption Key in Azure Key Vault and store the encrypted Data Encryption Key in an internal location closer to the data. In that scenario customers can bring their own keys to Key Vault (BYOK ΓÇô Bring Your Own Key), or generate new ones, and use them to encrypt the desired resources. While the Resource Provider performs the encryption and decryption operations, it uses the configured key encryption key as the root key for all encryption operations. Loss of key encryption keys means loss of data. For this reason, keys should not be deleted. Keys should be backed up whenever created or rotated. [Soft-Delete and purge protection](../../key-vault/general/soft-delete-overview.md) must be enabled on any vault storing key encryption keys to protect against accidental or malicious cryptographic erasure. Instead of deleting a key, it is recommended to set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in [Azure Key Vault](../../key-vault/general/security-features.md#access-model-overview) or [Managed HSM](../../key-vault/managed-hsm/secure-your-managed-hsm.md). For operations using encryption keys, a service identity can be granted access t To obtain a key for use in encrypting or decrypting data at rest the service identity that the Resource Manager service instance will run as must have UnwrapKey (to get the key for decryption) and WrapKey (to insert a key into key vault when creating a new key). 
->[!NOTE] ->For more detail on Key Vault authorization see the secure your key vault page in the [Azure Key Vault documentation](../../key-vault/general/security-features.md). +> [!NOTE] +> For more detail on Key Vault authorization see the secure your key vault page in the [Azure Key Vault documentation](../../key-vault/general/security-features.md). **Advantages** To obtain a key for use in encrypting or decrypting data at rest the service ide ## Server-side encryption using customer-managed keys in customer-controlled hardware -Some Azure services enable the Host Your Own Key (HYOK) key management model. This management mode is useful in scenarios where there is a need to encrypt the data at rest and manage the keys in a proprietary repository outside of Microsoft's control. In this model, the service must use the key from an external site to decrypt the Data Encryption Key (DEK). Performance and availability guarantees are impacted, and configuration is more complex. Additionally, since the service does have access to the DEK during the encryption and decryption operations the overall security guarantees of this model are similar to when the keys are customer-managed in Azure Key Vault. As a result, this model is not appropriate for most organizations unless they have specific key management requirements. Due to these limitations, most Azure services do not support server-side encryption using customer-managed keys in customer-controlled hardware. One of two keys in [Double Key Encryption](/microsoft-365/compliance/double-key-encryption) follows this model. +Some Azure services enable the Host Your Own Key (HYOK) key management model. This management mode is useful in scenarios where there is a need to encrypt the data at rest and manage the keys in a proprietary repository outside of Microsoft's control. In this model, the service must use the key from an external site to decrypt the Data Encryption Key (DEK). 
Performance and availability guarantees are affected, and configuration is more complex. Additionally, since the service does have access to the DEK during the encryption and decryption operations the overall security guarantees of this model are similar to when the keys are customer-managed in Azure Key Vault. As a result, this model is not appropriate for most organizations unless they have specific key management requirements. Due to these limitations, most Azure services do not support server-side encryption using customer-managed keys in customer-controlled hardware. One of two keys in [Double Key Encryption](/microsoft-365/compliance/double-key-encryption) follows this model. ### Key Access When server-side encryption using customer-managed keys in customer-controlled h - Increased dependency on network availability between the customer datacenter and Azure datacenters. ## Supporting services+ The Azure services that support each encryption model: -| Product, Feature, or Service | Server-Side Using Service-Managed Key | Server-Side Using Customer-Managed Key | Client-Side Using Client-Managed Key | -|-|--|--|--| -| **AI and Machine Learning** | | | | -| Azure AI Search | Yes | Yes | - | -| Azure AI services | Yes | Yes, including Managed HSM | - | -| Azure Machine Learning | Yes | Yes | - | -| Content Moderator | Yes | Yes, including Managed HSM | - | -| Face | Yes | Yes, including Managed HSM | - | -| Language Understanding | Yes | Yes, including Managed HSM | - | -| Azure OpenAI | Yes | Yes, including Managed HSM | - | -| Personalizer | Yes | Yes, including Managed HSM | - | -| QnA Maker | Yes | Yes, including Managed HSM | - | -| Speech Services | Yes | Yes, including Managed HSM | - | -| Translator Text | Yes | Yes, including Managed HSM | - | -| [Power Platform](https://www.microsoft.com/power-platform) | Yes | Yes, including Managed HSM | - | -| [Dataverse](https://www.microsoft.com/power-platform/dataverse) | Yes | Yes, including Managed HSM | - | -| 
[Dynamics 365](https://www.microsoft.com/dynamics-365) | Yes | Yes, including Managed HSM | - | -| **Analytics** | | | | -| Azure Stream Analytics | Yes | Yes\*\*, including Managed HSM | - | -| Event Hubs | Yes | Yes | - | -| Functions | Yes | Yes | - | -| Azure Analysis Services | Yes | - | - | -| Azure Data Catalog | Yes | - | - | -| Azure HDInsight | Yes | Yes | - | -| Azure Monitor Application Insights | Yes | Yes | - | -| Azure Monitor Log Analytics | Yes | Yes, including Managed HSM | - | -| Azure Data Explorer | Yes | Yes | - | -| Azure Data Factory | Yes | Yes, including Managed HSM | - | -| Azure Data Lake Store | Yes | Yes, RSA 2048-bit | - | -| **Containers** | | | | -| Azure Kubernetes Service | Yes | Yes, including Managed HSM | - | -| Container Instances | Yes | Yes | - | -| Container Registry | Yes | Yes | - | -| **Compute** | | | | -| Virtual Machines | Yes | Yes, including Managed HSM | - | -| Virtual Machine Scale Set | Yes | Yes, including Managed HSM | - | -| SAP HANA | Yes | Yes | - | -| App Service | Yes | Yes\*\*, including Managed HSM | - | -| Automation | Yes | Yes | - | -| Azure Functions | Yes | Yes\*\*, including Managed HSM | - | -| Azure portal | Yes | Yes\*\*, including Managed HSM | - | -| Azure VMware Solution | Yes | Yes, including Managed HSM | - | -| Logic Apps | Yes | Yes | - | -| Azure-managed applications | Yes | Yes\*\*, including Managed HSM | - | -| Service Bus | Yes | Yes | - | -| Site Recovery | Yes | Yes | - | -| **Databases** | | | | -| SQL Server on Virtual Machines | Yes | Yes | Yes | -| Azure SQL Database | Yes | Yes, RSA 3072-bit, including Managed HSM | Yes | -| Azure SQL Managed Instance | Yes | Yes, RSA 3072-bit, including Managed HSM | Yes | -| Azure SQL Database for MariaDB | Yes | - | - | -| Azure SQL Database for MySQL | Yes | Yes | - | -| Azure SQL Database for PostgreSQL | Yes | Yes, including Managed HSM | - | -| Azure Synapse Analytics (dedicated SQL pool (formerly SQL DW) only) | Yes | Yes, RSA 
3072-bit, including Managed HSM | - | -| SQL Server Stretch Database | Yes | Yes, RSA 3072-bit | Yes | -| Table Storage | Yes | Yes | Yes | -| Azure Cosmos DB | Yes ([learn more](../../cosmos-db/database-security.md?tabs=sql-api)) | Yes, including Managed HSM ([learn more](../../cosmos-db/how-to-setup-cmk.md) and [learn more](../../cosmos-db/how-to-setup-customer-managed-keys-mhsm.md)) | - | -| Azure Databricks | Yes | Yes, including Managed HSM | - | -| Azure Database Migration Service | Yes | N/A\* | - | -| **Identity** | | | | -| Microsoft Entra ID | Yes | - | - | -| Microsoft Entra Domain Services | Yes | Yes | - | -| **Integration** | | | | -| Service Bus | Yes | Yes | - | -| Event Grid | Yes | - | - | -| API Management | Yes | - | - | -| **IoT Services** | | | | -| IoT Hub | Yes | Yes | Yes | -| IoT Hub Device Provisioning | Yes | Yes | - | -| **Management and Governance** | | | | -| Azure Managed Grafana | Yes | - | N/A | -| Azure Site Recovery | Yes | - | - | -| Azure Migrate | Yes | Yes | - | -| **Media** | | | | -| Media Services | Yes | Yes | Yes | -| **Security** | | | | -| Microsoft Defender for IoT | Yes | Yes | - | -| Microsoft Sentinel | Yes | Yes, including Managed HSM | - | -| **Storage** | | | | -| Blob Storage | Yes | Yes, including Managed HSM | Yes | -| Premium Blob Storage | Yes | Yes, including Managed HSM | Yes | -| Disk Storage | Yes | Yes, including Managed HSM | - | -| Ultra Disk Storage | Yes | Yes, including Managed HSM | - | -| Managed Disk Storage | Yes | Yes, including Managed HSM | - | -| File Storage | Yes | Yes, including Managed HSM | - | -| File Premium Storage | Yes | Yes, including Managed HSM | - | -| File Sync | Yes | Yes, including Managed HSM | - | -| Queue Storage | Yes | Yes, including Managed HSM | Yes | -| Data Lake Storage Gen2 | Yes | Yes, including Managed HSM | Yes | -| Avere vFXT | Yes | - | - | -| Azure Cache for Redis | Yes | Yes\*\*\*, including Managed HSM | - | -| Azure NetApp Files | Yes | Yes | Yes | -| 
Archive Storage | Yes | Yes | - | -| StorSimple | Yes | Yes | Yes | -| Azure Backup | Yes | Yes, including Managed HSM | Yes | -| Data Box | Yes | - | Yes | -| Data Box Edge | Yes | Yes | - | -| **Other** | | | | -| Azure Data Manager for Energy | Yes | Yes | Yes | +| Product, Feature, or Service | Server-Side Using Service-Managed Key | Server-Side Using Customer-Managed Key | Client-Side Using Client-Managed Key | +| | | | | +| **AI and Machine Learning** | | | | +| Azure AI Search | Yes | Yes | - | +| Azure AI services | Yes | Yes, including Managed HSM | - | +| Azure Machine Learning | Yes | Yes | - | +| Content Moderator | Yes | Yes, including Managed HSM | - | +| Face | Yes | Yes, including Managed HSM | - | +| Language Understanding | Yes | Yes, including Managed HSM | - | +| Azure OpenAI | Yes | Yes, including Managed HSM | - | +| Personalizer | Yes | Yes, including Managed HSM | - | +| QnA Maker | Yes | Yes, including Managed HSM | - | +| Speech Services | Yes | Yes, including Managed HSM | - | +| Translator Text | Yes | Yes, including Managed HSM | - | +| [Power Platform](https://www.microsoft.com/power-platform) | Yes | Yes, including Managed HSM | - | +| [Dataverse](https://www.microsoft.com/power-platform/dataverse) | Yes | Yes, including Managed HSM | - | +| [Dynamics 365](https://www.microsoft.com/dynamics-365) | Yes | Yes, including Managed HSM | - | +| **Analytics** | | | | +| Azure Stream Analytics | Yes | Yes\*\*, including Managed HSM | - | +| Event Hubs | Yes | Yes | - | +| Functions | Yes | Yes | - | +| Azure Analysis Services | Yes | - | - | +| Azure Data Catalog | Yes | - | - | +| Azure HDInsight | Yes | Yes | - | +| Azure Monitor Application Insights | Yes | Yes | - | +| Azure Monitor Log Analytics | Yes | Yes, including Managed HSM | - | +| Azure Data Explorer | Yes | Yes | - | +| Azure Data Factory | Yes | Yes, including Managed HSM | - | +| Azure Data Lake Store | Yes | Yes, RSA 2048-bit | - | +| **Containers** | | | | +| Azure 
Kubernetes Service | Yes | Yes, including Managed HSM | - | +| Container Instances | Yes | Yes | - | +| Container Registry | Yes | Yes | - | +| **Compute** | | | | +| Virtual Machines | Yes | Yes, including Managed HSM | - | +| Virtual Machine Scale Set | Yes | Yes, including Managed HSM | - | +| SAP HANA | Yes | Yes | - | +| App Service | Yes | Yes\*\*, including Managed HSM | - | +| Automation | Yes | Yes | - | +| Azure Functions | Yes | Yes\*\*, including Managed HSM | - | +| Azure portal | Yes | Yes\*\*, including Managed HSM | - | +| Azure VMware Solution | Yes | Yes, including Managed HSM | - | +| Logic Apps | Yes | Yes | - | +| Azure-managed applications | Yes | Yes\*\*, including Managed HSM | - | +| Service Bus | Yes | Yes | - | +| Site Recovery | Yes | Yes | - | +| **Databases** | | | | +| SQL Server on Virtual Machines | Yes | Yes | Yes | +| Azure SQL Database | Yes | Yes, RSA 3072-bit, including Managed HSM | Yes | +| Azure SQL Managed Instance | Yes | Yes, RSA 3072-bit, including Managed HSM | Yes | +| Azure SQL Database for MariaDB | Yes | - | - | +| Azure SQL Database for MySQL | Yes | Yes | - | +| Azure SQL Database for PostgreSQL | Yes | Yes, including Managed HSM | - | +| Azure Synapse Analytics (dedicated SQL pool (formerly SQL DW) only) | Yes | Yes, RSA 3072-bit, including Managed HSM | - | +| SQL Server Stretch Database | Yes | Yes, RSA 3072-bit | Yes | +| Table Storage | Yes | Yes | Yes | +| Azure Cosmos DB | Yes ([learn more](../../cosmos-db/database-security.md?tabs=sql-api)) | Yes, including Managed HSM ([learn more](../../cosmos-db/how-to-setup-cmk.md) and [learn more](../../cosmos-db/how-to-setup-customer-managed-keys-mhsm.md)) | - | +| Azure Databricks | Yes | Yes, including Managed HSM | - | +| Azure Database Migration Service | Yes | N/A\* | - | +| **Identity** | | | | +| Microsoft Entra ID | Yes | - | - | +| Microsoft Entra Domain Services | Yes | Yes | - | +| **Integration** | | | | +| Service Bus | Yes | Yes | - | +| Event Grid | 
Yes | - | - | +| API Management | Yes | - | - | +| **IoT Services** | | | | +| IoT Hub | Yes | Yes | Yes | +| IoT Hub Device Provisioning | Yes | Yes | - | +| **Management and Governance** | | | | +| Azure Managed Grafana | Yes | - | N/A | +| Azure Site Recovery | Yes | - | - | +| Azure Migrate | Yes | Yes | - | +| **Media** | | | | +| Media Services | Yes | Yes | Yes | +| **Security** | | | | +| Microsoft Defender for IoT | Yes | Yes | - | +| Microsoft Sentinel | Yes | Yes, including Managed HSM | - | +| **Storage** | | | | +| Blob Storage | Yes | Yes, including Managed HSM | Yes | +| Premium Blob Storage | Yes | Yes, including Managed HSM | Yes | +| Disk Storage | Yes | Yes, including Managed HSM | - | +| Ultra Disk Storage | Yes | Yes, including Managed HSM | - | +| Managed Disk Storage | Yes | Yes, including Managed HSM | - | +| File Storage | Yes | Yes, including Managed HSM | - | +| File Premium Storage | Yes | Yes, including Managed HSM | - | +| File Sync | Yes | Yes, including Managed HSM | - | +| Queue Storage | Yes | Yes, including Managed HSM | Yes | +| Data Lake Storage Gen2 | Yes | Yes, including Managed HSM | Yes | +| Avere vFXT | Yes | - | - | +| Azure Cache for Redis | Yes | Yes\*\*\*, including Managed HSM | - | +| Azure NetApp Files | Yes | Yes | Yes | +| Archive Storage | Yes | Yes | - | +| StorSimple | Yes | Yes | Yes | +| Azure Backup | Yes | Yes, including Managed HSM | Yes | +| Data Box | Yes | - | Yes | +| Data Box Edge | Yes | Yes | - | +| **Other** | | | | +| Azure Data Manager for Energy | Yes | Yes | Yes | \* This service doesn't persist data. Transient caches, if any, are encrypted with a Microsoft key. The Azure services that support each encryption model: \*\*\* Any transient data stored temporarily on disk such as pagefiles or swap files are encrypted with a Microsoft key (all tiers) or a customer-managed key (using the Enterprise and Enterprise Flash tiers). 
For more information, see [Configure disk encryption in Azure Cache for Redis](../../azure-cache-for-redis/cache-how-to-encryption.md). -## Next steps +## Related content -- Learn how [encryption is used in Azure](encryption-overview.md).-- Learn how Azure uses [double encryption](double-encryption.md) to mitigate threats that come with encrypting data.+- [encryption is used in Azure](encryption-overview.md) +- [double encryption](double-encryption.md) |
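Review bot: In the Host Your Own Key paragraph, the rewritten sentence "since the service does have access to the DEK during the encryption and decryption operations the overall security guarantees of this model are similar" still has no comma after "operations", so the clause boundary is hard to find. The only wording change in this hunk is "impacted" to "affected". While this paragraph is being touched, add the comma and consider "because" for "since". Also consider contracting "is not" and "do not" to match the "doesn't" used in the footnote under the table.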
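Review bot: The reformatted Supporting services table carries over rows that contradict each other. Under Compute, `Site Recovery | Yes | Yes | -` says customer-managed keys are supported, while under Management and Governance, `Azure Site Recovery | Yes | - | -` says they are not. Similarly, `Functions` under Analytics lists plain "Yes" for customer-managed keys, but `Azure Functions` under Compute lists "Yes\*\*, including Managed HSM". `Service Bus` appears twice with identical values, under Compute and under Integration. Since every row is rewritten here anyway, reconcile or deduplicate these entries so a reader checking customer-managed key support gets one answer per service. Separately, the added delimiter row is shown as `| | | | |` with no dashes. Confirm the committed file keeps a valid header delimiter, otherwise the table will not render.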
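Review bot: In the new "Related content" list, the link text is the leftover middle of the removed sentences: `[encryption is used in Azure]` and `[double encryption]` now stand alone as lowercase fragments. Replace each with the target article's title, or another capitalized, self-describing phrase, so the bullets read as links and not as truncated sentences. The removed bullets also explained why a reader would follow each link ("to mitigate threats that come with encrypting data"), so consider keeping a short description after each link.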
storage-mover | Agent Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage-mover/agent-deploy.md | |