+ Title: Create Advisor alerts for new recommendations by using Resource Manager template

+description: Learn how to set up an alert for new recommendations from Azure Advisor by using an Azure Resource Manager template (ARM template).

+# Quickstart: Create Advisor alerts on new recommendations by using an ARM template

+This article shows you how to set up an alert for new recommendations from Azure Advisor by using an Azure Resource Manager template (ARM template).

+Whenever Advisor detects a new recommendation for one of your resources, an event is stored in an [Azure activity log](../azure-monitor/essentials/platform-logs-overview.md). You can set up alerts for these events from Advisor by using a recommendation-specific alerts creation experience. You can select a subscription and optionally a resource group to specify the resources that you want to receive alerts on.

+You can also configure the action that takes place when an alert is triggered by:

+- Selecting an existing action group.

+- Creating a new action group.

+> Advisor alerts are currently only available for High Availability, Performance, and Cost recommendations. Security recommendations aren't supported.

+- To run the commands from your local computer, install the Azure CLI or the Azure PowerShell modules. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli) and [Install Azure PowerShell](/powershell/azure/install-azure-powershell).

+Deploy the template by using any standard method for [deploying an ARM template](../azure-resource-manager/templates/deploy-portal.md), such as the following examples that use the CLI and PowerShell. Replace the sample values for `ResourceGroup`, and `emailAddress` with appropriate values for your environment. The workspace name must be unique among all Azure subscriptions.

+Verify that the workspace was created by using one of the following commands. Replace the sample values for **Resource Group** with the value that you used in the previous example.

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When you no longer need the resources, delete the resource group, which deletes the alert rule and the related resources. To delete the resource group by using the CLI or PowerShell:

+## Related content

+- Get an [overview of activity log alerts](../azure-monitor/alerts/alerts-overview.md) and learn how to receive alerts.

+ Title: Create Advisor alerts for new recommendations by using Bicep

+description: Learn how to set up an alert for new recommendations from Azure Advisor by using Bicep.

+# Quickstart: Create Advisor alerts on new recommendations by using Bicep

+This article shows you how to set up an alert for new recommendations from Azure Advisor by using Bicep.

+Whenever Advisor detects a new recommendation for one of your resources, an event is stored in an [Azure activity log](../azure-monitor/essentials/platform-logs-overview.md). You can set up alerts for these events from Advisor by using a recommendation-specific alerts creation experience. You can select a subscription and optionally select a resource group to specify the resources that you want to receive alerts on.

+You can also configure the action that takes place when an alert is triggered by:

+- Selecting an existing action group.

+- Creating a new action group.

+> Advisor alerts are currently only available for High Availability, Performance, and Cost recommendations. Security recommendations aren't supported.

+- To run the commands from your local computer, install the Azure CLI or the Azure PowerShell modules. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli) and [Install Azure PowerShell](/powershell/azure/install-azure-powershell).

+1. Save the Bicep file as `main.bicep` to your local computer.

+1. Deploy the Bicep file by using either the Azure CLI or Azure PowerShell.

+ > Replace \<alert-name\> with the name of the alert.

+ When the deployment finishes, you should see a message that indicates the deployment succeeded.

+Use the Azure portal, the Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+When you no longer need the resources, use the Azure portal, the Azure CLI, or Azure PowerShell to delete the resource group.

+## Related content

+- Get an [overview of activity log alerts](../azure-monitor/alerts/alerts-overview.md) and learn how to receive alerts.

+ Title: Create Advisor alerts for new recommendations using Azure portal

+description: Create Azure Advisor alerts for new recommendations by using the Azure portal.

+# Create Azure Advisor alerts on new recommendations by using the Azure portal

+This article shows you how to set up an alert for new recommendations from Azure Advisor by using the Azure portal.

+Whenever Advisor detects a new recommendation for one of your resources, an event is stored in the [Azure activity log](../azure-monitor/essentials/platform-logs-overview.md). You can set up alerts for these events from Advisor by using a recommendation-specific alerts creation experience. You can select a subscription and optionally a resource group to specify the resources that you want to receive alerts on.

+You can also configure the action that takes place when an alert is triggered by:

+* Selecting an existing action group.

+* Creating a new action group.

+> [!NOTE]

+> Advisor alerts are currently only available for High Availability, Performance, and Cost recommendations. Security recommendations aren't supported.

+## Create an alert rule

+Follow these steps to create an alert rule.

+1. In the [Azure portal](https://portal.azure.com), select **Advisor**.

+ 

+1. In the **Monitoring** section on the left menu, select **Alerts**.

+ 

+1. Select **New Advisor Alert**.

+ 

+1. In the **Scope** section, select the subscription and optionally the resource group that you want to be alerted on.

+ 

+1. In the condition section, select the method you want to use for configuring your alert. If you want to alert for all recommendations for a certain category or impact level, select **Category and impact level**. If you want to alert for all recommendations of a certain type, select **Recommendation type**.

+ 

+1. Depending on the **Configured by** option that you select, you can specify the criteria. If you want all recommendations, leave the remaining fields blank.

+ 

+1. In the action groups section, choose **Select existing** to use an action group that you already created or select **Create new** to set up a new [action group](../azure-monitor/alerts/action-groups.md).

+ 

+1. In the alert details section, give your alert a name and short description. If you want your alert to be enabled, leave the **Enable rule upon creation** selection set to **Yes**. Then select the resource group to save your alert to. This setting won't affect the targeting scope of the recommendation.

+ :::image type="content" source="./media/advisor-alerts/create8.png" alt-text="Screenshot that shows the alert details section.":::

+This section shows you how to configure Advisor alerts to send recommendation data through webhooks to your existing systems.

+You can set up alerts to be notified when you have a new Advisor recommendation on one of your resources. These alerts can notify you through email or text message. They can also be used to integrate with your existing systems through a webhook.

+### Use the Advisor recommendation alert payload

+If you want to integrate Advisor alerts into your own systems by using a webhook, you need to parse the JSON payload that's sent from the notification.

+When you set up your action group for this alert, you select if you want to use the common alert schema. If you select the common alert schema, your payload looks like this example:

+If you don't use the common schema, your payload looks like the following example:

+In either schema, you can identify Advisor recommendation events by looking for `eventSource` is `Recommendation` and `operationName` is `Microsoft.Advisor/recommendations/available/action`.

+Some of the other important fields that you might want to use are:

+* `alertTargetIDs` (in the common schema) or `resourceId` (legacy schema)

+* `recommendationType`

+* `recommendationName`

+* `recommendationCategory`

+* `recommendationImpact`

+* `recommendationResourceLink`

+## Manage your alerts

+From Advisor, you can edit, delete, or disable and enable your recommendations alerts.

+1. In the [Azure portal](https://portal.azure.com), select **Advisor**.

+ :::image type="content" source="./media/advisor-alerts/create1.png" alt-text="Screenshot that shows the Azure portal menu with Advisor selected.":::

+1. In the **Monitoring** section on the left menu, select **Alerts**.

+ :::image type="content" source="./media/advisor-alerts/create2.png" alt-text="Screenshot that shows the Azure portal menu with Alerts selected.":::

+1. To edit an alert, select the alert name to open the alert and edit the fields you want to edit.

+1. To delete, enable, or disable an alert, select the ellipsis at the end of the row. Then select the action you want to take.

+## Related content

+- Get an [overview of activity log alerts](../azure-monitor/alerts/alerts-overview.md) and learn how to receive alerts.

+This article shows you how to use Azure Advisor score to measure optimization progress.

+Advisor provides best-practice recommendations for your workloads. These recommendations are personalized and actionable to help you:

+* Assess your Azure workloads against the five pillars of the [Azure Well-Architected Framework](/azure/architecture/framework/).

+As your personalized cloud consultant, Advisor continually assesses your usage telemetry and resource configuration to check for industry best practices. Advisor then aggregates its findings into a single score. With this score, you can tell at a glance if you're taking the necessary steps to build reliable, secure, and cost-efficient solutions.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Advisor score** on the left pane to open the score page.

+The contribution of each recommendation to your category score is shown clearly on the **Advisor score** page in the Azure portal. You can increase each category score by the percentage point listed in the **Potential score increase** column. This value reflects both the weight of the recommendation within the category and the predicted ease of implementation to address the potentially easiest tasks. Focusing on the recommendations with the greatest score impact helps you make the most progress with time.

+If any Advisor recommendations aren't relevant for an individual resource, you can postpone or dismiss those recommendations. They're excluded from the score calculation with the next refresh. Advisor also uses this input as feedback to improve the model.

+**Each of the five categories has a highest potential score of 100.** Your overall Advisor score is calculated as a sum of each applicable category score, divided by the sum of the highest potential score from all applicable categories. In most cases, this means adding up five Advisor scores for each category and dividing by 500. But *each category score is calculated only if you use resources that are assessed by Advisor*.

+* **Single subscription score:** This example is the simple mean of all Advisor category scores for your subscription. If the Advisor category scores are **Cost** = 73, **Reliability** = 85, **Operational excellence** = 77, and **Performance** = 100, the Advisor score would be (73 + 85 + 77 + 100)/(4x100) = 0.84% or 84%.

+* **Multiple subscriptions score:** When multiple subscriptions are selected, the overall Advisor score is calculated as an average of aggregated category scores. Each category score is calculated by using the individual subscription score and the subscription consumption-based weight. The overall score is calculated as the sum of aggregated category scores divided by the sum of the highest potential scores.

+## Frequently asked questions (FAQs)

+Here are answers to common questions about Advisor score.

+### I implemented a recommendation but my score didn't change. Why didn't the score increase?

+The score doesn't reflect adopted recommendations right away. It takes at least 24 hours for the score to change after the recommendation is remediated.

+If you dismiss a recommendation from Advisor, it's excluded from the calculation of your score. Dismissing recommendations also helps Advisor improve the quality of recommendations.

+No. Your score isn't necessarily a reflection of how much you spend. Unnecessary spending results in a lower **Cost** score.

+## Related content

+# Configure the Azure Advisor recommendations view

+Azure Advisor provides recommendations to help you optimize your Azure deployments. Within Advisor, you have access to a few features that help you narrow down your recommendations to only the ones that matter to you.

+Advisor gives you the ability to select subscriptions and resource groups that matter to you and your organization. You only see recommendations for the subscriptions and resource groups that you select. By default, all are selected. Configuration settings apply to the subscription or resource group, so the same settings apply to everyone that has access to that subscription or resource group. Configuration settings can be changed in the Azure portal or programmatically.

+ :::image type="content" source="./media/view-recommendations/configuration.png" alt-text="Screenshot of Azure Advisor showing the Configuration pane.":::

+1. Select the checkbox in the **Include** column for any subscriptions or resource groups to receive Advisor recommendations. If the box is disabled, you might not have permission to make a configuration change on that subscription or resource group. Learn more about [permissions in Azure Advisor](permissions.md).

+1. Select **Apply** at the bottom after you make a change.

+## Filter your view in the Azure portal

+Configuration settings remain active until changed. If you want to limit the view of recommendations for a single viewing, you can use the dropdown lists provided at the top of the Advisor pane. You can filter recommendations by subscription, resource group, workload, resource type, recommendation status, and impact. These filters are available for **Overview**, **Score**, **Cost**, **Security**, **Reliability**, **Operational excellence**, **Performance**, and **All recommendations** pages.

+ :::image type="content" source="./media/view-recommendations/filtering.png" alt-text="Screenshot of Advisor showing filtering options.":::

+> Contact your account team to add new workloads to the workload filter or edit workload names.

+## Dismiss and postpone recommendations

+Advisor allows you to dismiss or postpone recommendations on a single resource. If you dismiss a recommendation, you don't see it again unless you manually activate it. However, postponing a recommendation allows you to specify a duration after which the recommendation is automatically activated again. Postponing can be done in the Azure portal or programmatically.

+1. Select a recommendation category to view your recommendations.

+1. Select a recommendation from the list of recommendations.

+1. Select **Postpone** or **Dismiss** for the recommendation you want to postpone or dismiss.

+ :::image type="content" source="./media/view-recommendations/postpone-dismiss.png" alt-text="Screenshot that shows the Use Managed Disks page with the Select column and Postpone and Dismiss actions for a single recommendation highlighted.":::

+1. Select **Postpone** or **Dismiss** in the upper-left corner of the table.

+ :::image type="content" source="./media/view-recommendations/postpone-dismiss-multiple.png" alt-text="Screenshot that shows the Use Managed Disks page with the Select column and Postpone and Dismiss actions in the table highlighted.":::

+> You need Contributor or Owner permission to dismiss or postpone a recommendation. Learn more about permissions in Advisor.

+If the selection boxes are disabled, recommendations might still be loading. Wait for all recommendations to load before you try to postpone or dismiss.

+You can activate a recommendation that was postponed or dismissed. This action can be done in the Azure portal or programmatically. In the Azure portal:

+1. Open [Advisor](https://aka.ms/azureadvisordashboard) in the Azure portal.

+1. Change the filter on the **Overview** pane to **Postponed**. Advisor then displays postponed or dismissed recommendations.

+ :::image type="content" source="./media/view-recommendations/activate-postponed.png" alt-text="Screenshot that shows the Advisor pane with the Postponed dropdown menu selected.":::

+1. Select a recommendation from the list of recommendations. This action opens recommendations with the **Postponed & Dismissed** tab already selected to show the resources for which this recommendation was postponed or dismissed.

+1. Select **Activate** at the end of the row. The recommendation is now active for that resource and removed from the table. The recommendation is visible on the **Active** tab.

+ :::image type="content" source="./media/view-recommendations/activate-postponed-2.png" alt-text="Screenshot that shows the Enable Soft Delete pane with the Postponed & Dismissed tab and the Activate action highlighted.":::

+## Related content

+This article explains how you can view recommendations that matter to you in Advisor. To learn more about Advisor, see:

+- [Get started with Advisor](advisor-get-started.md)

+ var endpoint = new Uri(System.Environment.GetEnvironmentVariable("FACE_ENDPOINT"));

+ var credential = new AzureKeyCredential(System.Environment.GetEnvironmentVariable("FACE_APIKEY"));

+ String endpoint = System.getenv("FACE_ENDPOINT");

+ String accountKey = System.getenv("FACE_APIKEY");

+ endpoint = os.environ["FACE_ENDPOINT"]

+ key = os.environ["FACE_APIKEY"]

+ curl --request POST --location "%FACE_ENDPOINT%/face/v1.1-preview.1/detectliveness/singlemodal/sessions" ^

+ --header "Ocp-Apim-Subscription-Key: %FACE_APIKEY%" ^

+ curl --request POST --location "${FACE_ENDPOINT}/face/v1.1-preview.1/detectliveness/singlemodal/sessions" \

+ --header "Ocp-Apim-Subscription-Key: ${FACE_APIKEY}" \

+ curl --request GET --location "%FACE_ENDPOINT%/face/v1.1-preview.1/detectliveness/singlemodal/sessions/<session-id>" ^

+ --header "Ocp-Apim-Subscription-Key: %FACE_APIKEY%"

+ curl --request GET --location "${FACE_ENDPOINT}/face/v1.1-preview.1/detectliveness/singlemodal/sessions/<session-id>" \

+ --header "Ocp-Apim-Subscription-Key: ${FACE_APIKEY}"

+ curl --request DELETE --location "%FACE_ENDPOINT%/face/v1.1-preview.1/detectliveness/singlemodal/sessions/<session-id>" ^

+ --header "Ocp-Apim-Subscription-Key: %FACE_APIKEY%"

+ curl --request DELETE --location "${FACE_ENDPOINT}/face/v1.1-preview.1/detectliveness/singlemodal/sessions/<session-id>" \

+ --header "Ocp-Apim-Subscription-Key: ${FACE_APIKEY}"

+ var endpoint = new Uri(System.Environment.GetEnvironmentVariable("FACE_ENDPOINT"));

+ var credential = new AzureKeyCredential(System.Environment.GetEnvironmentVariable("FACE_APIKEY"));

+ String endpoint = System.getenv("FACE_ENDPOINT");

+ String accountKey = System.getenv("FACE_APIKEY");

+ endpoint = os.environ["FACE_ENDPOINT"]

+ key = os.environ["FACE_APIKEY"]

+ curl --request POST --location "%FACE_ENDPOINT%/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions" ^

+ --header "Ocp-Apim-Subscription-Key: %FACE_APIKEY%" ^

+ curl --request POST --location "${FACE_ENDPOINT}/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions" \

+ --header "Ocp-Apim-Subscription-Key: ${FACE_APIKEY}" \

+ curl --request GET --location "%FACE_ENDPOINT%/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions/<session-id>" ^

+ --header "Ocp-Apim-Subscription-Key: %FACE_APIKEY%"

+ curl --request GET --location "${FACE_ENDPOINT}/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions/<session-id>" \

+ --header "Ocp-Apim-Subscription-Key: ${FACE_APIKEY}"

+ curl --request DELETE --location "%FACE_ENDPOINT%/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions/<session-id>" ^

+ --header "Ocp-Apim-Subscription-Key: %FACE_APIKEY%"

+ curl --request DELETE --location "${FACE_ENDPOINT}/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions/<session-id>" \

+ --header "Ocp-Apim-Subscription-Key: ${FACE_APIKEY}"

+This guide demonstrates how to add a large number of persons and faces to a **PersonGroup** object. The same strategy also applies to **LargePersonGroup**, **FaceList**, and **LargeFaceList** objects. This sample is written in C#.

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = personGroupName, ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}", content);

+}

+string?[] persons = new string?[PersonCount];

+ using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = personName }))))

+ {

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ using (var response = await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}/persons", content))

+ {

+ string contentString = await response.Content.ReadAsStringAsync();

+ persons[i] = (string?)(JsonConvert.DeserializeObject<Dictionary<string, object>>(contentString)?["personId"]);

+ }

+ }

+ using (var content = new StreamContent(stream))

+ {

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");

+ await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}/persons/{persons[i]}/persistedfaces?detectionModel=detection_03", content);

+ }

+The [Find Similar](/rest/api/face/face-recognition-operations/find-similar) operation does face matching between a target face and a set of candidate faces, finding a smaller set of faces that look similar to the target face. This is useful for doing a face search by image.

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/Face/FindSimilar.cs?name=snippet_face_detect_recognize)]

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/Face/FindSimilar.cs?name=snippet_loadfaces)]

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/Face/FindSimilar.cs?name=snippet_find_similar)]

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/Face/FindSimilar.cs?name=snippet_find_similar_print)]

+This guide assumes that you already constructed a [FaceClient](/dotnet/api/azure.ai.vision.face.faceclient) object, named `faceClient`, using a Face key and endpoint URL. For instructions on how to set up this feature, follow one of the quickstarts.

+To find faces and get their locations in an image, call the [DetectAsync](/dotnet/api/azure.ai.vision.face.faceclient.detectasync). It takes either a URL string or the raw image binary as input.

+The service returns a [FaceDetectionResult](/dotnet/api/azure.ai.vision.face.facedetectionresult) object, which you can query for different kinds of information, specified below.

+For information on how to parse the location and dimensions of the face, see [FaceRectangle](/dotnet/api/azure.ai.vision.face.facedetectionresult.facerectangle). Usually, this rectangle contains the eyes, eyebrows, nose, and mouth. The top of head, ears, and chin aren't necessarily included. To use the face rectangle to crop a complete head or get a mid-shot portrait, you should expand the rectangle in each direction.

+[Face landmarks](../concept-face-detection.md#face-landmarks) are a set of easy-to-find points on a face, such as the pupils or the tip of the nose. To get face landmark data, set the _detectionModel_ parameter to `FaceDetectionModel.Detection03` and the _returnFaceLandmarks_ parameter to `true`.

+To analyze face attributes, set the _detectionModel_ parameter to `FaceDetectionModel.Detection03` and the _returnFaceAttributes_ parameter to a list of [FaceAttributeType Enum](/dotnet/api/azure.ai.vision.face.faceattributetype) values.

+- [Reference documentation (.NET SDK)](https://aka.ms/azsdk-csharp-face-ref)

+var url = "https://<storage_account_name>.blob.core.windows.net/<container_name>/<file_name>";

+var response = await faceClient.DetectAsync(new Uri(url), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: false);

+var faces = response.Value;

+- For face detection, when using detection model `FaceDetectionModel.Detection01`, reducing the image file size increases processing speed. When you use detection model `FaceDetectionModel.Detection02`, reducing the image file size will only increase processing speed if the image file is smaller than 1920x1080 pixels.

+string url1 = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-sample-data-files/master/Face/images/detection1.jpg";

+string url2 = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-sample-data-files/master/Face/images/detection2.jpg";

+var response1 = client.DetectAsync(new Uri(url1), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: false);

+var response2 = client.DetectAsync(new Uri(url2), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: false);

+Task.WaitAll(new Task<Response<IReadOnlyList<FaceDetectionResult>>>[] { response1, response2 });

+IEnumerable<FaceDetectionResult> results = response1.Result.Value.Concat(response2.Result.Value);

+`https://westus.api.cognitive.microsoft.com/face/v1.0/detect?detectionModel={detectionModel}&recognitionModel={recognitionModel}&returnFaceId={returnFaceId}&returnFaceAttributes={returnFaceAttributes}&returnFaceLandmarks={returnFaceLandmarks}&returnRecognitionModel={returnRecognitionModel}&faceIdTimeToLive={faceIdTimeToLive}`

+var response = await faceClient.DetectAsync(new Uri(imageUrl), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: false, returnFaceLandmarks: false);

+var faces = response.Value;

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = "My Person Group Name", ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}", content);

+}

+string? personId = null;

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = "My Person Name" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ using (var response = await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}/persons", content))

+ {

+ string contentString = await response.Content.ReadAsStringAsync();

+ personId = (string?)(JsonConvert.DeserializeObject<Dictionary<string, object>>(contentString)?["personId"]);

+ }

+}

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["url"] = imageUrl }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}/persons/{personId}/persistedfaces?detectionModel=detection_03", content);

+}

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = "My face collection", ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/facelists/{faceListId}", content);

+}

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["url"] = imageUrl }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/facelists/{faceListId}/persistedfaces?detectionModel=detection_03", content);

+}

+* [Face JavaScript SDK](../quickstarts-sdk/identity-client-library.md?pivots=programming-language-javascript%253fpivots%253dprogramming-language-javascript)

+`https://westus.api.cognitive.microsoft.com/face/v1.0/detect?detectionModel={detectionModel}&recognitionModel={recognitionModel}&returnFaceId={returnFaceId}&returnFaceAttributes={returnFaceAttributes}&returnFaceLandmarks={returnFaceLandmarks}&returnRecognitionModel={returnRecognitionModel}&faceIdTimeToLive={faceIdTimeToLive}`

+string imageUrl = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-sample-data-files/master/Face/images/detection1.jpg";

+var response = await faceClient.DetectAsync(new Uri(imageUrl), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: true, returnFaceLandmarks: true, returnRecognitionModel: true);

+var faces = response.Value;

+See the following .NET code example.

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = "My Person Group Name", ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/persongroups/{personGroupId}", content);

+}

+See the following .NET code example.

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = "My face collection", ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/facelists/{faceListId}", content);

+}

+* [Face JavaScript SDK](../quickstarts-sdk/identity-client-library.md?pivots=programming-language-javascript%253fpivots%253dprogramming-language-javascript)

+[Find Similar]: /rest/api/face/face-recognition-operations/find-similar-from-face-list

+The [Azure AI Face WPF (Windows Presentation Foundation)](https://github.com/Azure-Samples/azure-ai-vision/tree/main/face/DemoWPF) sample app uses the HeadPose attribute to rotate its detected face rectangles.

+You can programmatically rotate the face rectangle by using the HeadPose attribute. If you specify this attribute when detecting faces (see [Call the detect API](identity-detect-faces.md)), you will be able to query it later. The following method from the [Azure AI Face WPF](https://github.com/Azure-Samples/azure-ai-vision/tree/main/face/DemoWPF) app takes a list of **FaceDetectionResult** objects and returns a list of **[Face](https://github.com/Azure-Samples/azure-ai-vision/blob/main/face/DemoWPF/Sample-WPF/Controls/Face.cs)** objects. **Face** here is a custom class that stores face data, including the updated rectangle coordinates. New values are calculated for **top**, **left**, **width**, and **height**, and a new field **FaceAngle** specifies the rotation.

+public static IEnumerable<Face> CalculateFaceRectangleForRendering(IList<FaceDetectionResult> faces, int maxSize, Tuple<int, int> imageInfo)

+From here, you can use the returned **Face** objects in your display. The following lines from [FaceDetectionPage.xaml](https://github.com/Azure-Samples/azure-ai-vision/blob/main/face/DemoWPF/Sample-WPF/Controls/FaceDetectionPage.xaml) show how the new rectangle is rendered from this data:

+* See the [Azure AI Face WPF](https://github.com/Azure-Samples/azure-ai-vision/tree/main/face/DemoWPF) app on GitHub for a working example of rotated face rectangles.

+The samples are written in C#.

+## Step 1: Code migration

+ HttpClient httpClient = new HttpClient();

+ httpClient.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", SUBSCRIPTION_KEY);

+ await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/largefacelists/{largeFaceListId}/train", null);

+ string? trainingStatus = null;

+ using (var response = await httpClient.GetAsync($"{ENDPOINT}/face/v1.0/largefacelists/{largeFaceListId}/training"))

+ {

+ string contentString = await response.Content.ReadAsStringAsync();

+ trainingStatus = (string?)(JsonConvert.DeserializeObject<Dictionary<string, object>>(contentString)?["status"]);

+ }

+ if ("running".Equals(trainingStatus))

+ else if ("succeeded".Equals(trainingStatus))

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = FaceListName, ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/facelists/{FaceListId}", content);

+}

+ {

+ using (Stream stream = File.OpenRead(imagePath))

+ using (var content = new StreamContent(stream))

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");

+ await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/facelists/{FaceListId}/persistedfaces?detectionModel=detection_03", content);

+ }

+ });

+var results = new List<HttpResponseMessage>();

+ var response = await faceClient.DetectAsync(BinaryData.FromStream(stream), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: true);

+ var faces = response.Value;

+ using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["faceId"] = face.FaceId, ["faceListId"] = FaceListId }))))

+ {

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ results.Add(await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/findsimilars", content));

+ }

+using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["name"] = LargeFaceListName, ["recognitionModel"] = "recognition_04" }))))

+{

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ await httpClient.PutAsync($"{ENDPOINT}/face/v1.0/largefacelists/{LargeFaceListId}", content);

+}

+ {

+ using (Stream stream = File.OpenRead(imagePath))

+ using (var content = new StreamContent(stream))

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");

+ await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/largefacelists/{LargeFaceListId}/persistedfaces?detectionModel=detection_03", content);

+ }

+ });

+// Must call it before FindSimilar to ensure the newly added faces searchable.

+var results = new List<HttpResponseMessage>();

+ var response = await faceClient.DetectAsync(BinaryData.FromStream(stream), FaceDetectionModel.Detection03, FaceRecognitionModel.Recognition04, returnFaceId: true);

+ var faces = response.Value;

+ using (var content = new ByteArrayContent(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new Dictionary<string, object> { ["faceId"] = face.FaceId, ["largeFaceListId"] = LargeFaceListId }))))

+ {

+ content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

+ results.Add(await httpClient.PostAsync($"{ENDPOINT}/face/v1.0/findsimilars", content));

+ }

+## Step 2: Train suggestions

+### Step 2a: Customize time interval

+### Step 2b: Small-scale buffer

+### Step 2c: Standalone training

+ trainTimer.Elapsed += (sender, args) => TrainTimerOnElapsed("mylargepersongroupid_001", TimeIntervalForStatus);

+byte[] byteData = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(body));

+To find four similar faces, the **matchPerson** mode returns A and B, which show the same person as the target face. The **matchFace** mode returns A, B, C, and D, which is exactly four candidates, even if some aren't the same person as the target or have low similarity. For more information, see the [Facial recognition](concept-face-recognition.md) concepts guide or the [Find Similar API](/rest/api/face/face-recognition-operations/find-similar) reference documentation.

+ \"incidentName\": \"<text-incident-name>\",

+ \"incidentDefinition\": \"string\"

+ \"incidentName\": \"<image-incident-name>\"

+> [!IMPORTANT]

+> Vision enhancements are not supported by the GPT-4 Turbo GA model. They are only available with the preview models.

+**Object grounding**: Azure AI Vision complements GPT-4 Turbo with VisionΓÇÖs text response by identifying and locating salient objects in the input images. This lets the chat model give more accurate and detailed responses about the contents of the image.

+## Deploy to a copilot (preview), Teams app (preview), or web app

+This gives you multiple options for deploying your solution.

+#### [Copilot (preview)](#tab/copilot)

+You can deploy to a copilot in [Copilot Studio](/microsoft-copilot-studio/fundamentals-what-is-copilot-studio) (preview) directly from Azure OpenAI studio, enabling you to bring conversational experiences to various channels such as: Microsoft Teams, websites, Dynamics 365, and other [Azure Bot Service channels](/microsoft-copilot-studio/publication-connect-bot-to-azure-bot-service-channels). The tenant used in the Azure OpenAI service and Copilot Studio (preview) should be the same. For more information, see [Use a connection to Azure OpenAI On Your Data](/microsoft-copilot-studio/nlu-generative-answers-azure-openai).

+#### [Teams app (preview)](#tab/teams)

+A Teams app lets you bring conversational experience to your users in Teams to improve operational efficiency and democratize access of information. This Teams app is configured to users within your Azure account tenant and personal chat (non-group chat) scenarios.

+**Prerequisites**

+- The latest version of [Visual Studio Code](https://code.visualstudio.com/) installed.

+- The latest version of [Teams toolkit](https://marketplace.visualstudio.com/items?itemName=TeamsDevApp.ms-teams-vscode-extension) installed. This is a VS Code extension that creates a project scaffolding for your app.

+- [Node.js](https://nodejs.org/en/download/) (version 16 or 17) installed. For more information, see [Node.js version compatibility table for project type](/microsoftteams/platform/toolkit/build-environments#nodejs-version-compatibility-table-for-project-type).

+- [Microsoft Teams](https://www.microsoft.com/microsoft-teams/download-app) installed.

+- Sign in to your [Microsoft 365 developer account](/microsoftteams/platform/concepts/build-and-test/prepare-your-o365-tenant) (using this link to get a test account: [Developer program](https://developer.microsoft.com/microsoft-365/dev-program)).

+ - Enable **custom Teams apps** and turn on **custom app uploading** in your account (instructions [here](/microsoftteams/platform/concepts/build-and-test/prepare-your-o365-tenant#enable-custom-teams-apps-and-turn-on-custom-app-uploading))

+- [Azure command-line interface (CLI)](/cli/azure/install-azure-cli) installed. This is a cross-platform command-line tool to connect to Azure and execute administrative commands on Azure resources. For more information on setting up environment variables, see the [Azure SDK documentation](https://github.com/Azure/azure-sdk-for-go/wiki/Set-up-Your-Environment-for-Authentication).

+- Your Azure account has been assigned **Cognitive Services OpenAI user** or **Cognitive Services OpenAI Contributor** role of the Azure OpenAI resource you're using, allowing your account to make Azure OpenAI API calls. For more information, see [Using your data with Azure OpenAI securely](/azure/ai-services/openai/how-to/use-your-data-securely#using-the-api) and [Add role assignment to an Azure OpenAI resource](/azure/ai-services/openai/how-to/role-based-access-control#add-role-assignment-to-an-azure-openai-resource) for instructions on setting this role in the Azure portal.

+You can deploy to a standalone Teams app directly from Azure OpenAI Studio. Follow the steps below:

+1. After you've added your data to the chat model, select **Deploy** and then **a new Teams app (preview)**.

+1. Enter the name of your Teams app and download the resulting .zip file.

+1. Extract the .zip file and open the folder in Visual Studio Code.

+1. If you chose **API key** in the data connection step, manually copy and paste your Azure AI Search key into the `src\prompts\chat\config.json` file. Your Azure AI Search Key can be found in Azure OpenAI Studio Playground by selecting the **View code** button with the key located under Azure Search Resource Key. If you chose **System assigned managed identity**, you can skip this step. Learn more about different data connection options in the [Data connection](/azure/ai-services/openai/concepts/use-your-data?tabs=ai-search#data-connection) section.

+1. Open the Visual Studio Code terminal and log into Azure CLI, selecting the account that you assigned **Cognitive Service OpenAI User** role to. Use the `az login` command in the terminal to log in.

+1. To debug your app, press the **F5** key or select **Run and Debug** from the left pane. Then select your debugging environment from the dropdown list. A webpage opens where you can chat with your custom copilot.

+ > [!NOTE]

+ > The citation experience is available in **Debug (Edge)** or **Debug (Chrome)** only.

+1. After you've tested your copilot, you can provision, deploy, and publish your Teams app by selecting the **Teams Toolkit Extension** on the left pane in Visual Studio Code. Run the separate provision, deploy, and publish stages in the **Lifecycle** section. You may be asked to sign in to your Microsoft 365 account where you have permissions to upload custom apps and your Azure Account.

+

+1. Provision your app: (detailed instructions in [Provision cloud resources](/microsoftteams/platform/toolkit/provision))

+1. Assign the **Cognitive Service OpenAI User** role to your deployed App Service resource

+ 1. Go to the Azure portal and select the newly created Azure App Service resource

+ 1. Go to **settings** -> **identity** -> **enable system assigned identity**

+ 1. Select **Azure role assignments** and then **add role assignments**. Specify the following parameters:

+ * Scope: resource group

+ * Subscription: the subscription of your Azure OpenAI resource

+ * Resource group of your Azure OpenAI resource

+ * Role: **Cognitive Service OpenAI user**

+1. Deploy your app to Azure by following the instructions in [Deploy to the cloud](/microsoftteams/platform/toolkit/deploy).

+1. Publish your app to Teams by following the instructions in [Publish Teams app](/microsoftteams/platform/toolkit/publish).

+The README file in your Teams app has additional details and tips. Also, see [Tutorial - Build Custom Copilot using Teams](/microsoftteams/platform/teams-ai-library-tutorial) for guided steps.

+#### [Web app](#tab/web-app)

+Deploying to a standalone web app lets you and your users to interact with chat models through a graphical user interface. See [Use the Azure OpenAI web app](../how-to/use-web-app.md) for more information.

+- An Azure subscription - <a href="https://azure.microsoft.com/free/cognitive-services" target="_blank">Create one for free</a>.

+- An Azure OpenAI resource with the GPT-4 Turbo with Vision model deployed. For more information about model deployment, see the [resource deployment guide](../how-to/create-resource.md).

+> [!IMPORTANT]

+> Vision enhancements are not supported by the GPT-4 Turbo GA model. They are only available with the preview models.

+> [!IMPORTANT]

+> Vision enhancements are not supported by the GPT-4 Turbo GA model. They are only available with the preview models.

+More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your Azure OpenAI resource using Microsoft Entra ID.

+A Limited Access registration form is not required to access most Azure OpenAI models. Learn more on the [Azure OpenAI Limited Access page](/legal/cognitive-services/openai/limited-access?context=/azure/ai-services/openai/context/context).

+Create custom content filters for your DALL-E 2 and 3, GPT-4 Turbo with Vision GA (`turbo-2024-04-09`), and GPT-4o deployments. [Content filtering](/azure/ai-services/openai/concepts/content-filter?tabs=warning%2Cpython-new#configurability-preview)

+- **DALL-E 2 public preview**. Azure OpenAI Service now supports image generation APIs powered by OpenAI's DALL-E 2 model. Get AI-generated images based on the descriptive text you provide. To learn more, check out the [quickstart](./dall-e-quickstart.md).

+ Title: Distillation in AI Studio

+description: Learn how to do distillation in Azure AI Studio.

+reviewer: anshirga

+# Distillation in Azure AI Studio

+In this article

+ - [Distillation](#distillation)

+ - [Next Steps](#next-steps)

+In Azure AI Studio, you can leverage Distillation to efficiently train the student model.

+## Distillation

+In machine learning, distillation is a technique used to transfer knowledge from a large, complex model (often called the ΓÇ£teacher modelΓÇ¥) to a smaller, simpler model (the ΓÇ£student modelΓÇ¥). This process helps the smaller model achieve similar performance to the larger one while being more efficient in terms of computation and memory usage.

+The main steps in knowledge distillation involve:

+- **Using the teacher model** to generate predictions for the dataset.

+- **Training the student model** using these predictions, along with the original dataset, to mimic the teacher modelΓÇÖs behavior.

+

+You can use the sample notebook available at this [link](https://aka.ms/meta-llama-3.1-distillation) to see how to perform distillation. In this sample notebook, the teacher model used the Meta Llama 3.1 405B Instruct model, and the student model used the Meta Llama 3.1 8B Instruct.

+We used an advanced prompt during synthetic data generation, which incorporates Chain of thought (COT) reasoning, resulting in higher accuracy data labels in the synthetic data. This further improves the accuracy of the distilled model.

+## Next steps

+- [What is Azure AI Studio?](../what-is-ai-studio.md)

+- [Learn more about deploying Meta Llama models](../how-to/deploy-models-llama.md)

+- [Azure AI FAQ article](../faq.yml)

+ Title: Synthetic data generation in AI Studio

+description: Learn how to generate Synthetic dataset in Azure AI Studio.

+reviewer: anshirga

+# Synthetic data generation in Azure AI Studio

+In this article

+ - [Synthetic data generation](#synthetic-data-generation)

+ - [Next Steps](#next-steps)

+In Azure AI Studio, you can leverage synthetic data generation to efficiently produce predictions for your datasets.

+## Synthetic data generation

+Synthetic data generation involves creating artificial data that mimics the statistical properties of real-world data. This data is generated using algorithms and machine learning techniques, and it can be used in various ways, such as computer simulations or by modeling real-world events.

+In machine learning, synthetic data is particularly valuable for several reasons:

+**Data Augmentation:** It helps in expanding the size of training datasets, which is crucial for training robust machine learning models. This is especially useful when real-world data is scarce or expensive to obtain.

+**Testing and Validation:** It allows for extensive testing and validation of machine learning models under various scenarios without the need for real-world data.

+You can use the sample notebook available at this [link](https://aka.ms/meta-llama-3.1-datagen) to see how to generate Synthetic data.

+## Next steps

+- [What is Azure AI Studio?](../what-is-ai-studio.md)

+- [Learn more about deploying Meta Llama models](../how-to/deploy-models-llama.md)

+- [Azure AI FAQ article](../faq.yml)

+- Meta Llama 2 family models

+- Meta Llama 3.1 family of models

+- `Meta-Llama-2-70b`

+- `Meta-Llama-2-7b`

+- `Meta-Llama-2-13b`

+### Llama 3.1 family models

+The following Llama 3.1 family models are supported in Azure AI Studio for fine-tuning:

+- `Meta-Llama-3.1-70b-Instruct`

+- `Meta-Llama-3.1-7b-Instruct`

+Fine-tuning of Llama 3.1 models is currently supported in projects located in West US 3.

+ Title: How to deploy Meta Llama 3.1 models with Azure AI Studio

+description: Learn how to deploy Meta Llama 3.1 models with Azure AI Studio.

+# How to deploy Meta Llama 3.1 models with Azure AI Studio

+In this article, you learn about the Meta Llama model family. You also learn how to use Azure AI Studio to deploy models from this set either to serverless APIs with pay-as you go billing or to managed compute.

+ > Read more about the announcement of Meta Llama 3.1 405B Instruct and other Llama 3.1 models available now on Azure AI Model Catalog: [Microsoft Tech Community Blog](https://aka.ms/meta-llama-3.1-release-on-azure) and from [Meta Announcement Blog](https://aka.ms/meta-llama-3.1-release-announcement).

+Now available on Azure AI Models-as-a-Service:

+- `Meta-Llama-3.1-405B-Instruct`

+- `Meta-Llama-3.1-70B-Instruct`

+- `Meta-Llama-3.1-8B-Instruct`

+The Meta Llama 3.1 family of multilingual large language models (LLMs) is a collection of pretrained and instruction tuned generative models in 8B, 70B and 405B sizes (text in/text out). All models support long context length (128k) and are optimized for inference with support for grouped query attention (GQA). The Llama 3.1 instruction tuned text only models (8B, 70B, 405B) are optimized for multilingual dialogue use cases and outperform many of the available open source chat models on common industry benchmarks.

+See the following GitHub samples to explore integrations with [LangChain](https://aka.ms/meta-llama-3.1-405B-instruct-langchain), [LiteLLM](https://aka.ms/meta-llama-3.1-405B-instruct-litellm), [OpenAI](https://aka.ms/meta-llama-3.1-405B-instruct-openai) and the [Azure API](https://aka.ms/meta-llama-3.1-405B-instruct-webrequests).

+## Deploy Meta Llama 3.1 405B Instruct as a serverless API

+Meta Llama 3.1 models - like `Meta Llama 3.1 405B Instruct` - can be deployed as a serverless API with pay-as-you-go, providing a way to consume them as an API without hosting them on your subscription while keeping the enterprise security and compliance organizations need. This deployment option doesn't require quota from your subscription. Meta Llama 3.1 models are deployed as a serverless API with pay-as-you-go billing through Microsoft Azure Marketplace, and they might add more terms of use and pricing.

+# [Meta Llama 3.1](#tab/llama-three)

+The following models are available in Azure Marketplace for Llama 3.1 and Llama 3 when deployed as a service with pay-as-you-go:

+* [Meta-Llama-3.1-405B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-405B-base)

+* [Meta-Llama-3.1-70B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-8B-refresh)

+* [Meta Llama-3.1-8B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-70B-refresh)

+* [Meta-Llama-3-70B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-70b-chat)

+* [Meta-Llama-3-8B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-8b-chat)

+- An [AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Meta Llama 3.1 and Llama 3 is only available with hubs created in these regions:

+1. Choose `Meta-Llama-3.1-405B-Instruct` deploy from the Azure AI Studio [model catalog](https://ai.azure.com/explore/models).

+1. On the **Details** page for `Meta-Llama-3.1-405B-Instruct`, select **Deploy** and then select **Serverless API with Azure AI Content Safety**.

+1. If this is your first time deploying the model in the project, you have to subscribe your project for the particular offering (for example, `Meta-Llama-3.1-405B-Instruct`) from Azure Marketplace. This step requires that your account has the Azure subscription permissions and resource group permissions listed in the prerequisites. Each project has its own subscription to the particular Azure Marketplace offering, which allows you to control and monitor spending. Select **Subscribe and Deploy**.

+To learn about billing for Meta Llama models deployed with pay-as-you-go, see [Cost and quota considerations for Llama 3 models deployed as a service](#cost-and-quota-considerations-for-meta-llama-31-models-deployed-as-a-service).

+To learn about billing for Llama models deployed with pay-as-you-go, see [Cost and quota considerations for Llama 3 models deployed as a service](#cost-and-quota-considerations-for-meta-llama-31-models-deployed-as-a-service).

+1. Find and select the `Meta-Llama-3.1-405B-Instruct` deployment you created.

+ - For chat models, such as `Meta-Llama-3.1-405B-Instruct`, use the [`/chat/completions`](#chat-api) API.

+ For more information on using the APIs, see the [reference](#reference-for-meta-llama-31-models-deployed-as-a-service) section.

+ For more information on using the APIs, see the [reference](#reference-for-meta-llama-31-models-deployed-as-a-service) section.

+### Reference for Meta Llama 3.1 models deployed as a service

+Apart from deploying with the pay-as-you-go managed service, you can also deploy Meta Llama 3.1 models to managed compute in AI Studio. When deployed to managed compute, you can select all the details about the infrastructure running the model, including the virtual machines to use and the number of instances to handle the load you're expecting. Models deployed to managed compute consume quota from your subscription. The following models from the 3.1 release wave are available on managed compute:

+- `Meta-Llama-3.1-8B-Instruct` (FT supported)

+- `Meta-Llama-3.1-70B-Instruct` (FT supported)

+- `Meta-Llama-3.1-8B` (FT supported)

+- `Meta-Llama-3.1-70B` (FT supported)

+- `Llama Guard 3 8B`

+- `Prompt Guard`

+Follow these steps to deploy a model such as `Meta-Llama-3.1-70B-Instruct ` to a managed compute in [Azure AI Studio](https://ai.azure.com).

+ :::image type="content" source="../media/deploy-monitor/llama/deploy-real-time-endpoint.png" alt-text="A screenshot showing how to deploy a model with the managed compute option." lightbox="../media/deploy-monitor/llama/deploy-real-time-endpoint.png":::

+| CLI using CURL and Python web requests | [webrequests.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-webrequests)|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-openai)|

+| LangChain | [langchain.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-langchain)|

+| LiteLLM SDK | [litellm.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-litellm) |

+### Cost and quota considerations for Meta Llama 3.1 models deployed as a service

+Meta Llama 3.1 models deployed as a service are offered by Meta through the Azure Marketplace and integrated with Azure AI Studio for use. You can find the Azure Marketplace pricing when deploying or [fine-tuning the models](./fine-tune-model-llama.md).

+Quota is managed per deployment. Each deployment has a rate limit of 400,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits aren't sufficient for your scenarios.

+### Cost and quota considerations for Meta Llama 3.1 models deployed as managed compute

+For deployment and inferencing of Meta Llama 3.1 models with managed compute, you consume virtual machine (VM) core quota that is assigned to your subscription on a per-region basis. When you sign up for Azure AI Studio, you receive a default VM quota for several VM families available in the region. You can continue to create deployments until you reach your quota limit. Once you reach this limit, you can request a quota increase.

+- [Fine-tune a Meta Llama 3.1 models in Azure AI Studio](fine-tune-model-llama.md)

+The [Meta Llama family of large language models (LLMs)](./deploy-models-llama.md) is a collection of pretrained and fine-tuned generative text models ranging in scale from 7 billion to 70 billion parameters. The model family also includes fine-tuned versions optimized for dialogue use cases with Reinforcement Learning from Human Feedback (RLHF), called Llama-Instruct.

+# [Meta Llama 3.1](#tab/llama-three)

+The following models are available in Azure Marketplace for Llama 3.1 when fine-tuning as a service with pay-as-you-go billing:

+- `Meta-Llama-3.1-80B-Instruct` (preview)

+- `Meta-LLama-3.1-8b-Instruct` (preview)

+

+Fine-tuning of Llama 3.1 models is currently supported in projects located in West US 3.

+> [!IMPORTANT]

+> At this time we are not able to do fine-tuning for Llama 3.1 with sequence length of 128K.

+- `Meta Llama-2-70b` (preview)

+- `Meta Llama-2-13b` (preview)

+- `Meta Llama-2-7b` (preview)

+# [Meta Llama 3.1](#tab/llama-three)

+ An Azure subscription with a valid payment method. Free or trial Azure subscriptions won't work. If you don't have an Azure subscription, create a [paid Azure account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go) to begin.

+- An [Azure AI hub resource](../how-to/create-azure-ai-resource.md).

+ > [!IMPORTANT]

+ > For Meta Llama 3.1 models, the pay-as-you-go model fine-tune offering is only available with AI hubs created in **West US 3** regions.

+- An [Azure AI project](../how-to/create-projects.md) in Azure AI Studio.

+- Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure AI Studio. To perform the steps in this article, your user account must be assigned the __owner__ or __contributor__ role for the Azure subscription. Alternatively, your account can be assigned a custom role that has the following permissions:

+ - On the Azure subscriptionΓÇöto subscribe the Azure AI project to the Azure Marketplace offering, once for each project, per offering:

+ - `Microsoft.MarketplaceOrdering/agreements/offers/plans/read`

+ - `Microsoft.MarketplaceOrdering/agreements/offers/plans/sign/action`

+ - `Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read`

+ - `Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read`

+ - `Microsoft.SaaS/register/action`

+

+ - On the resource groupΓÇöto create and use the SaaS resource:

+ - `Microsoft.SaaS/resources/read`

+ - `Microsoft.SaaS/resources/write`

+

+ - On the Azure AI projectΓÇöto deploy endpoints (the Azure AI Developer role contains these permissions already):

+ - `Microsoft.MachineLearningServices/workspaces/marketplaceModelSubscriptions/*`

+ - `Microsoft.MachineLearningServices/workspaces/serverlessEndpoints/*`

+ For more information on permissions, see [Role-based access control in Azure AI Studio](../concepts/rbac-ai-studio.md).

+# [Meta Llama 3.1](#tab/llama-three)

+To fine-tune a LLama 3.1 model:

+1. Sign in to [Azure AI Studio](https://ai.azure.com).

+1. Choose the model you want to fine-tune from the Azure AI Studio [model catalog](https://ai.azure.com/explore/models).

+1. On the model's **Details** page, select **fine-tune**.

+1. Select the project in which you want to fine-tune your models. To use the pay-as-you-go model fine-tune offering, your workspace must belong to the **West US 3** region.

+1. On the fine-tune wizard, select the link to **Azure Marketplace Terms** to learn more about the terms of use. You can also select the **Marketplace offer details** tab to learn about pricing for the selected model.

+1. If this is your first time fine-tuning the model in the project, you have to subscribe your project for the particular offering (for example, Meta-Llama-3-70B) from Azure Marketplace. This step requires that your account has the Azure subscription permissions and resource group permissions listed in the prerequisites. Each project has its own subscription to the particular Azure Marketplace offering, which allows you to control and monitor spending. Select **Subscribe and fine-tune**.

+ > [!NOTE]

+ > Subscribing a project to a particular Azure Marketplace offering (in this case, Meta-Llama-3-70B) requires that your account has **Contributor** or **Owner** access at the subscription level where the project is created. Alternatively, your user account can be assigned a custom role that has the Azure subscription permissions and resource group permissions listed in the [prerequisites](#prerequisites).

+1. Once you sign up the project for the particular Azure Marketplace offering, subsequent fine-tuning of the _same_ offering in the _same_ project don't require subscribing again. Therefore, you don't need to have the subscription-level permissions for subsequent fine-tune jobs. If this scenario applies to you, select **Continue to fine-tune**.

+1. Enter a name for your fine-tuned model and the optional tags and description.

+1. Select training data to fine-tune your model. See [data preparation](#data-preparation) for more information.

+ > [!NOTE]

+ > If you have your training/validation files in a credential less datastore, you will need to allow workspace managed identity access to their datastore in order to proceed with MaaS finetuning with a credential less storage. On the "Datastore" page, after clicking "Update authentication" > Select the following option:

+

+ 

+ Make sure all your training examples follow the expected format for inference. To fine-tune models effectively, ensure a balanced and diverse dataset. This involves maintaining data balance, including various scenarios, and periodically refining training data to align with real-world expectations, ultimately leading to more accurate and balanced model responses.

+ - The batch size to use for training. When set to -1, batch_size is calculated as 0.2% of examples in training set and the max is 256.

+ - The fine-tuning learning rate is the original learning rate used for pretraining multiplied by this multiplier. We recommend experimenting with values between 0.5 and 2. Empirically, we've found that larger learning rates often perform better with larger batch sizes. Must be between 0.0 and 5.0.

+ - Number of training epochs. An epoch refers to one full cycle through the data set.

+1. Task parameters are an optional step and an advanced option- Tuning hyperparameter is essential for optimizing large language models (LLMs) in real-world applications. It allows for improved performance and efficient resource usage. The default settings can be used or advanced users can customize parameters like epochs or learning rate.

+1. Review your selections and proceed to train your model.

+Once your model is fine-tuned, you can deploy the model and can use it in your own application, in the playground, or in prompt flow. For more information, see [How to deploy Llama 3.1 family of large language models with Azure AI Studio](./deploy-models-llama.md).

+ Title: Attach to Azure Container Registry (ACR) using the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+description: Learn how to attach to Azure Container Registry (ACR) using the Azure Kubernetes Service (AKS) extension for Visual Studio Code.

+# Attach to Azure Container Registry (ACR) using the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+In this article, you learn how to attach to Azure Container Registry (ACR) using the Azure Kubernetes Service (AKS) extension for Visual Studio Code.

+## Prerequisites

+Before you begin, make sure you have the following resources:

+* An Azure container registry. If you don't have one, create one using the steps in [Quickstart: Create a private container registry][create-acr-cli].

+* An AKS cluster. If you don't have one, create one using the steps in [Quickstart: Deploy an AKS cluster][deploy-aks-cli].

+* The Azure Kubernetes Service (AKS) extension for Visual Studio Code downloaded. For more information, see [Install the Azure Kubernetes Service (AKS) extension for Visual Studio Code][install-aks-vscode].

+## Attach your Azure container registry to your AKS cluster

+You can access the screen for attaching your container registry to your AKS cluster using the command palette or the Kubernetes view.

+### [Command palette](#tab/command-palette)

+1. On your keyboard, press `Ctrl+Shift+P` to open the command palette.

+2. Enter the following information:

+ * **Subscription**: Select the Azure subscription that holds your resources.

+ * **ACR Resource Group**: Select the resource group for your container registry.

+ * **Container Registry**: Select the container registry you want to attach to your cluster.

+ * **Cluster Resource Group**: Select the resource group for your cluster.

+ * **Cluster**: Select the cluster you want to attach to your container registry.

+3. Select **Attach**.

+ You should see a green checkmark, which means your container registry is attached to your AKS cluster.

+### [Kubernetes view](#tab/kubernetes-view)

+1. In the Kubernetes tab, under Clouds > Azure > your subscription > Automated Deployments, right click on your cluster and select **Attach ACR to Cluster**.

+2. Enter the following information:

+ * **Subscription**: Select the Azure subscription that holds your resources.

+ * **ACR Resource Group**: Select the resource group for your container registry.

+ * **Container Registry**: Select the container registry you want to attach to your cluster.

+ * **Cluster Resource Group**: Select the resource group for your cluster.

+ * **Cluster**: Select the cluster you want to attach to your container registry.

+3. Select **Attach**.

+ You should see a green checkmark, which means your container registry is attached to your AKS cluster.

+For more information, see [AKS extension for Visual Studio Code features][aks-vscode-features].

+## Product support and feedback

+If you have a question or want to offer product feedback, please open an issue on the [AKS extension GitHub repository][aks-vscode-github].

+## Next steps

+To learn more about other AKS add-ons and extensions, see [Add-ons, extensions, and other integrations for AKS][aks-addons].

+<!LINKS>

+[create-acr-cli]: ../container-registry/container-registry-get-started-azure-cli.md

+[deploy-aks-cli]: ./learn/quick-kubernetes-deploy-cli.md

+[install-aks-vscode]: ./aks-extension-vs-code.md#installation

+[aks-vscode-features]: https://code.visualstudio.com/docs/azure/aksextensions#_features

+[aks-vscode-github]: https://github.com/Azure/vscode-aks-tools/issues/new/choose

+[aks-addons]: ./integrations.md

+ Title: Create a Kubernetes deployment using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+description: Learn how create a Kubernetes deployment using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code.

+# Create a Kubernetes deployment using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+In this article, you learn how to create a Kubernetes deployment using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code. Automated Deployments provides an easy way to automate the process of scaling, updating, and maintaining your applications.

+## Prerequisites

+Before you begin, make sure you have the following resources:

+* An active folder with code open in Visual Studio Code.

+* The Azure Kubernetes Service (AKS) extension for Visual Studio Code downloaded. For more information, see [Install the Azure Kubernetes Service (AKS) extension for Visual Studio Code][install-aks-vscode].

+## Create a Kubernetes deployment using the Azure Kubernetes Service (AKS) extension

+You can access the screen to create a Kubernetes deployment using the command palette or the explorer view.

+### [Command palette](#tab/command-palette)

+1. On your keyboard, press `Ctrl+Shift+P` to open the command palette.

+2. In the search bar, search for and select **Automated Deployments: Create a Deployment**.

+3. Enter the following information:

+ * **Subscription**: Select your Azure subscription.

+ * **Location**: Select a location where you want to save your Kubernetes deployment files.

+ * **Deployment options**: Select `Kubernetes manifests`, `Helm`, or `Kustomize`.

+ * **Target port**: Select the port in which your applications listen to in your deployment. This port usually matches what is exposed in your Dockerfile.

+ * **Service port**: Select the port in which the service listens to for incoming traffic.

+ * **Namespace**: Select the namespace in which your application will be deployed into.

+4. Select **Create**.

+### [Explorer view](#tab/explorer-view)

+1. Right click on the explorer pane where your active folder is open and select **Create a Deployment**.

+2. Enter the following information:

+ * **Subscription**: Select your Azure subscription.

+ * **Location**: Select a location where you want to save your Kubernetes deployment files.

+ * **Deployment options**: Select `Kubernetes manifests`, `Helm`, or `Kustomize`.

+ * **Target port**: Select the port in which your applications listen to in your deployment. This port usually matches what is exposed in your Dockerfile.

+ * **Service port**: Select the port in which the service listens to for incoming traffic.

+ * **Namespace**: Select the namespace in which your application will be deployed into.

+3. Select **Create**.

+For more information, see [AKS extension for Visual Studio Code features][aks-vscode-features].

+## Product support and feedback

+

+If you have a question or want to offer product feedback, please open an issue on the [AKS extension GitHub repository][aks-vscode-github].

+

+## Next steps

+

+To learn more about other AKS add-ons and extensions, see [Add-ons, extensions, and other integrations for AKS][aks-addons].

+<!LINKS>

+[install-aks-vscode]: ./aks-extension-vs-code.md#installation

+[aks-vscode-features]: https://code.visualstudio.com/docs/azure/aksextensions#_features

+[aks-vscode-github]: https://github.com/Azure/vscode-aks-tools/issues/new/choose

+[aks-addons]: ./integrations.md

+

+ Title: Create a Dockerfile using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+description: Learn how to create a Dockerfile using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code.

+# Create a Dockerfile using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+In this article, you learn how to create a Dockerfile using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code. A Dockerfile is essential for Kubernetes because it defines the blueprint for creating Docker images. These images encapsulate your application along with its dependencies and environment settings, ensuring consistent deployment across various environments.

+## Prerequisites

+Before you begin, make sure you have the following resources:

+* An active folder with code open in Visual Studio Code.

+* The Azure Kubernetes Service (AKS) extension for Visual Studio Code downloaded. For more information, see [Install the Azure Kubernetes Service (AKS) extension for Visual Studio Code][install-aks-vscode].

+## Create a Dockerfile using the Azure Kubernetes Service (AKS) extension

+You can access the screen to create a Dockerfile using the command palette or the explorer view.

+### [Command palette](#tab/command-palette)

+1. On your keyboard, press `Ctrl+Shift+P` to open the command palette.

+2. In the search bar, search for and select **Automated Deployments: Create a Dockerfile**.

+3. Enter the following information:

+ * **Location**: Select a location where you want to save your Dockerfile.

+ * **Programming language**: Select the programming language your app is written in.

+ * **Programming language version**: Select the programming language version.

+ * **Application Port**: Select the port.

+ * **Cluster**: Select the port in which your application listens to for incoming network connections.

+4. Select **Create**.

+### [Explorer view](#tab/explorer-view)

+1. Right click on the explorer pane where your active folder is open and select **Create a Dockerfile**.

+2. Enter the following information:

+ * **Location**: Select a location where you want to save your Dockerfile.

+ * **Programming language**: Select the programming language your app is written in.

+ * **Programming language version**: Select the programming language version.

+ * **Application Port**: Select the port.

+ * **Cluster**: Select the port in which your application listens to for incoming network connections.

+3. Select **Create**.

+For more information, see [AKS extension for Visual Studio Code features][aks-vscode-features].

+## Product support and feedback

+

+If you have a question or want to offer product feedback, please open an issue on the [AKS extension GitHub repository][aks-vscode-github].

+

+## Next steps

+

+To learn more about other AKS add-ons and extensions, see [Add-ons, extensions, and other integrations for AKS][aks-addons].

+

+<!LINKS>

+[install-aks-vscode]: ./aks-extension-vs-code.md#installation

+[aks-vscode-features]: https://code.visualstudio.com/docs/azure/aksextensions#_features

+[aks-vscode-github]: https://github.com/Azure/vscode-aks-tools/issues/new/choose

+[aks-addons]: ./integrations.md

+ Title: Create a GitHub Workflow using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+description: Learn how to create a GitHub Workflow using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code.

+# Create a GitHub Workflow using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code

+In this article, you learn how to create a GitHub Workflow using Automated Deployments in the Azure Kubernetes Service (AKS) extension for Visual Studio Code. A GitHub Workflow automates various development tasks, such as building, testing, and deploying code, ensuring consistency and efficiency across the development process. It enhances collaboration by integrating seamlessly with version control, enabling continuous integration and continuous deployment (CI/CD) pipelines, and ensuring that all changes are thoroughly vetted before being merged into the main codebase.

+## Prerequisites

+Before you begin, make sure you have the following resources:

+* An active folder with code open in Visual Studio Code.

+* Make sure the current workspace is an active `git` repository.

+* The Azure Kubernetes Service (AKS) extension for Visual Studio Code downloaded. For more information, see [Install the Azure Kubernetes Service (AKS) extension for Visual Studio Code][install-aks-vscode].

+## Create a GitHub Workflow using the Azure Kubernetes Service (AKS) extension

+You can access the screen to create a GitHub Workflow using the command palette or the Kubernetes view.

+### [Command palette](#tab/command-palette)

+1. On your keyboard, press `Ctrl+Shift+P` to open the command palette.

+2. Enter the following information:

+ * **Workflow name**: Enter a name for your GitHub Workflow.

+ * **GitHub repository**: Select the location where want to save your Kubernetes deployment files.

+ * **Subscription**: Select your Azure subscription.

+ * **Dockerfile**: Select the Dockerfile that you want to build in the GitHub Action.

+ * **Build context**: Select a build context.

+ * **ACR Resource Group**: Select an ACR resource group.

+ * **Container Registry**: Select a container registry.

+ * **Azure Container Registry image**: Select or enter an Azure Container Registry image.

+ * **Cluster Resource Group**: Select your cluster resource group.

+ * **Cluster**: Select your AKS cluster.

+ * **Namespace**: Select or enter a namespace in which you will deploy into.

+ * **Type**: Select the type of deployment option.

+3. Select **Create**.

+### [Kubernetes view](#tab/kubernetes-view)

+

+1. In the Kubernetes tab, under Clouds > Azure > your subscription > Automated Deployments, right click on your cluster and select **Create a GitHub Workflow**.

+2. Enter the following information:

+ * **Workflow name**: Enter a name for your GitHub Workflow.

+ * **GitHub repository**: Select the location where want to save your Kubernetes deployment files.

+ * **Subscription**: Select your Azure subscription.

+ * **Dockerfile**: Select the Dockerfile that you want to build in the GitHub Action.

+ * **Build context**: Select a build context.

+ * **ACR Resource Group**: Select an ACR resource group.

+ * **Container Registry**: Select a container registry.

+ * **Azure Container Registy image**: Select or enter an Azure Container Registry image.

+ * **Cluster Resource Group**: Select your cluster resource group.

+ * **Cluster**: Select your AKS cluster.

+ * **Namespace**: Select or enter a namespace in which you will deploy into.

+ * **Type**: Select the type of deployment option.

+3. Select **Create**.

+For more information, see [AKS extension for Visual Studio Code features][aks-vscode-features].

+## Product support and feedback

+

+If you have a question or want to offer product feedback, please open an issue on the [AKS extension GitHub repository][aks-vscode-github].

+

+## Next steps

+

+To learn more about other AKS add-ons and extensions, see [Add-ons, extensions, and other integrations for AKS][aks-addons].

+

+<!LINKS>

+[install-aks-vscode]: ./aks-extension-vs-code.md#installation

+[aks-vscode-features]: https://code.visualstudio.com/docs/azure/aksextensions#_features

+[aks-vscode-github]: https://github.com/Azure/vscode-aks-tools/issues/new/choose

+[aks-addons]: ./integrations.md

+2. Make sure you're in the cloned *aks-store-demo* directory, and then open the `aks-store-quickstart.yaml` manifest file with a text editor.

+4. Save and close the file.

+ (Get-AzContainerRegistry -ResourceGroupName myResourceGroup -Name $ACRNAME).LoginServer

+2. Make sure you're in the cloned *aks-store-demo* directory, and then open the `aks-store-quickstart.yaml` manifest file with a text editor.

+4. Save and close the file.

+ statefulset.apps/rabbitmq created

+ configmap/rabbitmq-enabled-plugins created

+ statefulset.apps/rabbitmq created

+ configmap/rabbitmq-enabled-plugins created

+ Initially, the `EXTERNAL-IP` for the `store-front` service shows as `<pending>`:

+2. When the `EXTERNAL-IP` address changes from `<pending>` to a public IP address, use `CTRL-C` to stop the `kubectl` watch process.

+3. View the application in action by opening a web browser and navigating to the external IP address of your service: `http://<external-ip>`.

+1. Copy the External IP shown in the column for the `store-front` service

+## Clean up resources

+Since you validated the application's functionality, you can now remove the cluster from the application. We will deploy the application again in the next tutorial.

+1. Stop and remove the container instances and resources using the [`docker-compose down`][docker-compose-down] command.

+ ```console

+ kubectl delete -f aks-store-quickstart.yaml

+ ```

+1. Check that all the application pods have been removed:

+ ```console

+ kubectl get pods

+ ```

+>

+* Create an AKS cluster using the [`az aks create`][az aks create] command. The following example creates a cluster named *myAKSCluster* in the resource group named *myResourceGroup*. This resource group was created in the [previous tutorial][aks-tutorial-prepare-acr] in the *eastus* region. We will continue to use the environment variable, `$ACRNAME`, that we set in the [previous tutorial][aks-tutorial-prepare-acr]. If you do not have this environment variable set, set it now to the same value you used previously.

+ --attach-acr $ACRNAME

+ New-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster -NodeCount 2 -GenerateSshKey -AcrNameToAttach $ACRNAME

+ aks-nodepool1-19366578-vmss000000 Ready agent 47h v1.28.9

+ aks-nodepool1-19366578-vmss000001 Ready agent 47h v1.28.9

+ aks-nodepool1-19366578-vmss000000 Ready agent 47h v1.28.9

+ aks-nodepool1-19366578-vmss000001 Ready agent 47h v1.28.9

+ aks-nodepool1-19366578-vmss000000 Ready agent 47h v1.28.9

+ aks-nodepool1-19366578-vmss000001 Ready agent 47h v1.28.9

+2. Navigate to the external IP address of the `store-front` service in your browser using `http://<external-ip>`.

+ $rand=New-Object System.Random

+ $RAND=$rand.Next()

+ $ACRNAME="myregistry$RAND" # Or replace with your own name

+[docker-for-linux]: https://docs.docker.com/desktop/install/linux-install/

+[docker-for-mac]: https://docs.docker.com/desktop/install/mac-install/

+[docker-for-windows]: https://docs.docker.com/desktop/install/windows-install/

+ "aadProfile": null,

+ "addonProfiles": null,

+ ...

+ "mode": "System",

+ "name": "nodepool1",

+ "osDiskSizeGb": 128,

+ "osDiskType": "Managed",

+ "vmSize": "Standard_DS2_v2",

+ ...

+ ...

+ ]

+ ...

+ ProvisioningState : Succeeded

+ MaxAgentPools : 100

+ KubernetesVersion : 1.28

+ CurrentKubernetesVersion : 1.28.9

+ DnsPrefix : myAKSCluster

+ Fqdn : myakscluster-000a0aa0.hcp.eastus.azmk8s.io

+ PrivateFQDN :

+ AzurePortalFQDN : myakscluster-000a0aa0.portal.hcp.eastus.azmk8s.io

+ AgentPoolProfiles : {default}

+ ...

+ ResourceGroupName : myResourceGroup

+ Id : /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Mic

+ rosoft.ContainerService/managedClusters/myAKSCluster

+ Name : myAKSCluster

+ Type : Microsoft.ContainerService/ManagedClusters

+ Location : eastus

+ Tags :

+ The following example output shows the current version as *1.28.9* and lists the available versions under `upgrades`:

+ {

+ "agentPoolProfiles": null,

+ "controlPlaneProfile": {

+ "kubernetesVersion": "1.28.9",

+ ...

+ "upgrades": [

+ {

+ "isPreview": null,

+ "kubernetesVersion": "1.29.4"

+ },

+ {

+ "isPreview": null,

+ "kubernetesVersion": "1.29.2"

+ }

+ ]

+ },

+ }

+ Select-Object -Property Name, CurrentKubernetesVersion, Location

+ The following example output shows the current version as *1.28.9* and the location as *eastus*:

+ Name CurrentKubernetesVersion Location

+ - --

+ myAKSCluster 1.28.9 eastus

+ Kubernetes 1.29.4

+ Kubernetes 1.29.2

+ True Kubernetes 1.28.9

+ Kubernetes 1.28.5

+ ...

+* You will be prompted to confirm the upgrade operation, and to confirm that you want to upgrade the control plane *and* all the node pools to the selected version of Kubernetes:

+ ```console

+ Are you sure you want to perform this operation? (y/N): y

+ Since control-plane-only argument is not specified, this will upgrade the control plane AND all nodepools to version 1.29.2. Continue? (y/N): y

+ ```

+ The following example output shows the result of upgrading to *1.29.2*. Notice the `kubernetesVersion` now shows *1.29.2*:

+ ...

+ ...

+ "currentOrchestratorVersion": "1.29.2",

+ "nodeImageVersion": "AKSUbuntu-2204gen2containerd-202405.27.0",

+ "orchestratorVersion": "1.29.2",

+ "upgradeSettings": {

+ "drainTimeoutInMinutes": null,

+ "maxSurge": "10%",

+ "nodeSoakDurationInMinutes": null,

+ "undrainableNodeBehavior": null

+ },

+ "vmSize": "Standard_DS2_v2",

+ ...

+ ...

+ "currentKubernetesVersion": "1.29.2",

+ "kubernetesVersion": "1.29.2",

+ ...

+ The following example output shows the result of upgrading to *1.29.2*. Notice the `KubernetesVersion` now shows *1.29.2*:

+ ...

+ ProvisioningState : Succeeded

+ MaxAgentPools : 100

+ KubernetesVersion : 1.29.2

+ CurrentKubernetesVersion : 1.29.2

+ ...

+ ResourceGroupName : myResourceGroup

+ Name : myAKSCluster

+ Type : Microsoft.ContainerService/ManagedClusters

+ Location : eastus

+ Tags :

+ LAST SEEN TYPE REASON OBJECT MESSAGE

+ 5m Normal Drain node/aks-nodepool1-96663640-vmss000000 Draining node: aks-nodepool1-96663640-vmss000000

+ 5m Normal Upgrade node/aks-nodepool1-96663640-vmss000000 Deleting node aks-nodepool1-96663640-vmss000000 from API server

+ 4m Normal Upgrade node/aks-nodepool1-96663640-vmss000000 Successfully reimaged node: aks-nodepool1-96663640-vmss000000

+ 4m Normal Upgrade node/aks-nodepool1-96663640-vmss000000 Successfully upgraded node: aks-nodepool1-96663640-vmss000000

+ 4m Normal Drain node/aks-nodepool1-96663640-vmss000000 Draining node: aks-nodepool1-96663640-vmss000000

+ myAKSCluster eastus myResourceGroup 1.29.2 1.29.2 Succeeded myaksclust-myresourcegroup-19da35-bd54a4be.hcp.eastus.azmk8s.io

+ Name Location KubernetesVersion ProvisioningState

+ - -- -- --

+ myAKSCluster eastus 1.29.2 Succeeded

+> It's important to complete this step as soon as possible. When your App Service Environment is in the hybrid state, it's unable to receive platform upgrades and security patches, which makes it more vulnerable to instability and security threats.

+Once you confirm your apps are working as expected, you can finalize the migration by running the following command. This command also deletes your old environment.

+ > - For Python 3.8 packages, use .whl files targeting cp38-amd64.

+2. On the **Add Python Package** page, select a local package to upload. The package can be a **.whl** file.

+## Disable access key authentication on your cache

+Using Microsoft Entra ID is the secure way to connect your cache. We recommend using Microsoft Entra ID and disabling access keys.

+When you disable access key Authentication for a cache, all existing client connections are terminated, whether they use access keys or Microsoft Entra ID auth-based. You're advised to follow the recommended Redis client best practices to implement proper retry mechanisms for reconnecting MS Entra-based connections, if any.

+Before you disable access keys:

+- Before you disable access keys, Microsoft Entra ID authorization must be enabled.

+- Disabling access keys is only available for Basic, Standard, and Premium tier caches.

+- For geo-replicated caches, before you disable accces keys, you must: 1) unlink the caches, 2) disable access keys, and finally, 3) relink the caches.

+If you have a cache where access keys are used, and you want to disable access keys, follow this procedure.

+1. In the Azure portal, select the Azure Cache for Redis instance where you'd like to disable access keys.

+1. Select **Authentication** from the Resource menu.

+1. In the working pane, selectΓÇ»**Access keys**.

+1. SelectΓÇ»**Disable Access Keys Authentication**. Then, selectΓÇ»**Save**.

+ :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-disable-access-keys.png" alt-text="Screenshot showing access keys in the working pane with a red box around Disable Access Key Authentication. ":::

+1. You're asked to confirm that you want to update your configuration. SelectΓÇ»**Yes**.

+> [!IMPORTANT]

+> When the **Disable Access Key Authentication**" setting is changed for a cache, all existing client connections, using access keys or Microsoft Entra ID, are terminated. Follow the best practices to implement proper retry mechanisms for reconnecting MS Entra-based connections. For more information, see [Connection resilience](cache-best-practices-connection.md).

+ - The maximum number of keys in the cache during the past reporting time period. This number maps to `keyspace` from the Redis INFO command.

+

+ > [!IMPORTANT]

+ > Because of a limitation in the underlying metrics system for caches with clustering enabled, Total Keys return the maximum number of keys of the shard that had the maximum number of keys during the reporting interval.

+

+ServiceNow supported versions include Washington, Vancouver, Utah, Tokyo, San Diego, Rome, Quebec, Paris, Orlando, New York, Madrid, London, Kingston, Jakarta, Istanbul, Helsinki, and Geneva.

+> * Red Hat Openshift distributions, including Azure Red Hat OpenShift (ARO)

+> * Windows nodes

+| Spain Central | :white_check_mark: | :white_check_mark: | :white_check_mark: |

+- [Migrate Log Analytics workspaces to availability zone support](../../availability-zones/migrate-monitor-log-analytics.md).

+* US Gov Arizona

+* US Gov Texas

+* US Gov Virginia

+* [Customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md#supported-regions) is now available in all US Gov regions

+ Title: Bicep warnings and error codes

+description: Lists the warnings and error codes.

+# Bicep warning and error codes

+If you need more information about a particular warning or error code, select the **Feedback** button in the upper right corner of the page and specify the code.

+| Code | Description |

+||-|

+| BCP001 | The following token is not recognized: "{token}". |

+| BCP002 | The multi-line comment at this location is not terminated. Terminate it with the */ character sequence. |

+| BCP003 | The string at this location is not terminated. Terminate the string with a single quote character. |

+| BCP004 | The string at this location is not terminated due to an unexpected new line character. |

+| BCP005 | The string at this location is not terminated. Complete the escape sequence and terminate the string with a single unescaped quote character. |

+| BCP006 | The specified escape sequence is not recognized. Only the following escape sequences are allowed: {ToQuotedString(escapeSequences)}. |

+| BCP007 | This declaration type is not recognized. Specify a metadata, parameter, variable, resource, or output declaration. |

+| BCP008 | Expected the "=" token, or a newline at this location. |

+| BCP009 | Expected a literal value, an array, an object, a parenthesized expression, or a function call at this location. |

+| BCP010 | Expected a valid 64-bit signed integer. |

+| BCP011 | The type of the specified value is incorrect. Specify a string, boolean, or integer literal. |

+| BCP012 | Expected the "{keyword}" keyword at this location. |

+| BCP013 | Expected a parameter identifier at this location. |

+| BCP015 | Expected a variable identifier at this location. |

+| BCP016 | Expected an output identifier at this location. |

+| BCP017 | Expected a resource identifier at this location. |

+| BCP018 | Expected the "{character}" character at this location. |

+| BCP019 | Expected a new line character at this location. |

+| BCP020 | Expected a function or property name at this location. |

+| BCP021 | Expected a numeric literal at this location. |

+| BCP022 | Expected a property name at this location. |

+| BCP023 | Expected a variable or function name at this location. |

+| BCP024 | The identifier exceeds the limit of {LanguageConstants.MaxIdentifierLength}. Reduce the length of the identifier. |

+| BCP025 | The property "{property}" is declared multiple times in this object. Remove or rename the duplicate properties. |

+| BCP026 | The output expects a value of type "{expectedType}" but the provided value is of type "{actualType}". |

+| BCP028 | Identifier "{identifier}" is declared multiple times. Remove or rename the duplicates. |

+| BCP029 | The resource type is not valid. Specify a valid resource type of format "&lt;types>@&lt;apiVersion>". |

+| BCP030 | The output type is not valid. Please specify one of the following types: {ToQuotedString(validTypes)}. |

+| BCP031 | The parameter type is not valid. Please specify one of the following types: {ToQuotedString(validTypes)}. |

+| BCP032 | The value must be a compile-time constant. |

+| <a id='BCP033' />[BCP033](./diagnostics/bcp033.md) | Expected a value of type &lt;data-type> but the provided value is of type &lt;data-type>. |

+| BCP034 | The enclosing array expected an item of type "{expectedType}", but the provided item was of type "{actualType}". |

+| <a id='BCP035' />[BCP035](./diagnostics/bcp035.md) | The specified &lt;data-type> declaration is missing the following required properties: &lt;property-name>. |

+| <a id='BCP036' />[BCP036](./diagnostics/bcp036.md) | The property &lt;property-name> expected a value of type &lt;data-type> but the provided value is of type &lt;data-type>. |

+| <a id='BCP037' />[BCP037](./diagnostics/bcp037.md) | The property &lt;property-name> is not allowed on objects of type &lt;type-definition>. |

+| <a id='BCP040' />[BCP040](./diagnostics/bcp040.md) | String interpolation is not supported for keys on objects of type &lt;type-definition>. |

+| BCP041 | Values of type "{valueType}" cannot be assigned to a variable. |

+| BCP043 | This is not a valid expression. |

+| BCP044 | Cannot apply operator "{operatorName}" to operand of type "{type}". |

+| BCP045 | Cannot apply operator "{operatorName}" to operands of type "{type1}" and "{type2}".{(additionalInfo is null ? string.Empty : " " + additionalInfo)} |

+| BCP046 | Expected a value of type "{type}". |

+| BCP047 | String interpolation is unsupported for specifying the resource type. |

+| BCP048 | Cannot resolve function overload. For details, see the documentation. |

+| BCP049 | The array index must be of type "{LanguageConstants.String}" or "{LanguageConstants.Int}" but the provided index was of type "{wrongType}". |

+| BCP050 | The specified path is empty. |

+| BCP051 | The specified path begins with "/". Files must be referenced using relative paths. |

+| BCP052 | The type "{type}" does not contain property "{badProperty}". |

+| BCP053 | The type "{type}" does not contain property "{badProperty}". Available properties include {ToQuotedString(availableProperties)}. |

+| BCP054 | The type "{type}" does not contain any properties. |

+| BCP055 | Cannot access properties of type "{wrongType}". An "{LanguageConstants.Object}" type is required. |

+| BCP056 | The reference to name "{name}" is ambiguous because it exists in namespaces {ToQuotedString(namespaces)}. The reference must be fully qualified. |

+| BCP057 | The name "{name}" does not exist in the current context. |

+| BCP059 | The name "{name}" is not a function. |

+| BCP060 | The "variables" function is not supported. Directly reference variables by their symbolic names. |

+| BCP061 | The "parameters" function is not supported. Directly reference parameters by their symbolic names. |

+| BCP062 | The referenced declaration with name "{name}" is not valid. |

+| BCP063 | The name "{name}" is not a parameter, variable, resource or module. |

+| BCP064 | Found unexpected tokens in interpolated expression. |

+| BCP065 | Function "{functionName}" is not valid at this location. It can only be used as a parameter default value. |

+| BCP066 | Function "{functionName}" is not valid at this location. It can only be used in resource declarations. |

+| BCP067 | Cannot call functions on type "{wrongType}". An "{LanguageConstants.Object}" type is required. |

+| BCP068 | Expected a resource type string. Specify a valid resource type of format "&lt;types>@&lt;apiVersion>". |

+| BCP069 | The function "{function}" is not supported. Use the "{@operator}" operator instead. |

+| BCP070 | Argument of type "{argumentType}" is not assignable to parameter of type "{parameterType}". |

+| BCP071 | Expected {expected}, but got {argumentCount}. |

+| <a id='BCP072' />[BCP072](./diagnostics/bcp072.md) | This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values. |

+| <a id='BCP073' />[BCP073](./diagnostics/bcp073.md) | The property &lt;property-name> is read-only. Expressions cannot be assigned to read-only properties. |

+| BCP074 | Indexing over arrays requires an index of type "{LanguageConstants.Int}" but the provided index was of type "{wrongType}". |

+| BCP075 | Indexing over objects requires an index of type "{LanguageConstants.String}" but the provided index was of type "{wrongType}". |

+| BCP076 | Cannot index over expression of type "{wrongType}". Arrays or objects are required. |

+| BCP077 | The property "{badProperty}" on type "{type}" is write-only. Write-only properties cannot be accessed. |

+| BCP078 | The property "{propertyName}" requires a value of type "{expectedType}", but none was supplied. |

+| BCP079 | This expression is referencing its own declaration, which is not allowed. |

+| BCP080 | The expression is involved in a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| BCP081 | Resource type "{resourceTypeReference.FormatName()}" does not have types available. Bicep is unable to validate resource properties prior to deployment, but this will not block the resource from being deployed. |

+| BCP082 | The name "{name}" does not exist in the current context. Did you mean "{suggestedName}"? |

+| BCP083 | The type "{type}" does not contain property "{badProperty}". Did you mean "{suggestedProperty}"? |

+| BCP084 | The symbolic name "{name}" is reserved. Please use a different symbolic name. Reserved namespaces are {ToQuotedString(namespaces.OrderBy(ns => ns))}. |

+| BCP085 | The specified file path contains one ore more invalid path characters. The following are not permitted: {ToQuotedString(forbiddenChars.OrderBy(x => x).Select(x => x.ToString()))}. |

+| BCP086 | The specified file path ends with an invalid character. The following are not permitted: {ToQuotedString(forbiddenPathTerminatorChars.OrderBy(x => x).Select(x => x.ToString()))}. |

+| BCP087 | Array and object literals are not allowed here. |

+| BCP088 | The property "{property}" expected a value of type "{expectedType}" but the provided value is of type "{actualStringLiteral}". Did you mean "{suggestedStringLiteral}"? |

+| BCP089 | The property "{property}" is not allowed on objects of type "{type}". Did you mean "{suggestedProperty}"? |

+| BCP090 | This module declaration is missing a file path reference. |

+| BCP091 | An error occurred reading file. {failureMessage} |

+| BCP092 | String interpolation is not supported in file paths. |

+| BCP093 | File path "{filePath}" could not be resolved relative to "{parentPath}". |

+| BCP094 | This module references itself, which is not allowed. |

+| BCP095 | The file is involved in a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| BCP096 | Expected a module identifier at this location. |

+| BCP097 | Expected a module path string. This should be a relative path to another bicep file, e.g. 'myModule.bicep' or '../parent/myModule.bicep' |

+| BCP098 | The specified file path contains a "\" character. Use "/" instead as the directory separator character. |

+| BCP099 | The "{LanguageConstants.ParameterAllowedPropertyName}" array must contain one or more items. |

+| BCP100 | The function "if" is not supported. Use the "?:\" (ternary conditional) operator instead, e.g. condition ? ValueIfTrue : ValueIfFalse |

+| BCP101 | The "createArray" function is not supported. Construct an array literal using []. |

+| BCP102 | The "createObject" function is not supported. Construct an object literal using {}. |

+| BCP103 | The following token is not recognized: "{token}". Strings are defined using single quotes in bicep. |

+| BCP104 | The referenced module has errors. |

+| BCP105 | Unable to load file from URI "{fileUri}". |

+| BCP106 | Expected a new line character at this location. Commas are not used as separator delimiters. |

+| BCP107 | The function "{name}" does not exist in namespace "{namespaceType.Name}". |

+| BCP108 | The function "{name}" does not exist in namespace "{namespaceType.Name}". Did you mean "{suggestedName}"? |

+| BCP109 | The type "{type}" does not contain function "{name}". |

+| BCP110 | The type "{type}" does not contain function "{name}". Did you mean "{suggestedName}"? |

+| BCP111 | The specified file path contains invalid control code characters. |

+| BCP112 | The "{LanguageConstants.TargetScopeKeyword}" cannot be declared multiple times in one file. |

+| BCP113 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeTenant}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include tenant: tenant(), named management group: managementGroup(&lt;name>), named subscription: subscription(&lt;subId>), or named resource group in a named subscription: resourceGroup(&lt;subId>, &lt;name>). |

+| BCP114 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeManagementGroup}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current management group: managementGroup(), named management group: managementGroup(&lt;name>), named subscription: subscription(&lt;subId>), tenant: tenant(), or named resource group in a named subscription: resourceGroup(&lt;subId>, &lt;name>). |

+| BCP115 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeSubscription}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current subscription: subscription(), named subscription: subscription(&lt;subId>), named resource group in same subscription: resourceGroup(&lt;name>), named resource group in different subscription: resourceGroup(&lt;subId>, &lt;name>), or tenant: tenant(). |

+| BCP116 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeResourceGroup}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current resource group: resourceGroup(), named resource group in same subscription: resourceGroup(&lt;name>), named resource group in a different subscription: resourceGroup(&lt;subId>, &lt;name>), current subscription: subscription(), named subscription: subscription(&lt;subId>) or tenant: tenant(). |

+| BCP117 | An empty indexer is not allowed. Specify a valid expression. |

+| BCP118 | Expected the "{" character, the "[" character, or the "if" keyword at this location. |

+| BCP119 | Unsupported scope for extension resource deployment. Expected a resource reference. |

+| BCP120 | This expression is being used in an assignment to the "{propertyName}" property of the "{objectTypeName}" type, which requires a value that can be calculated at the start of the deployment. |

+| BCP121 | Resources: {ToQuotedString(resourceNames)} are defined with this same name in a file. Rename them or split into different modules. |

+| BCP122 | Modules: {ToQuotedString(moduleNames)} are defined with this same name and this same scope in a file. Rename them or split into different modules. |

+| BCP123 | Expected a namespace or decorator name at this location. |

+| BCP124 | The decorator "{decoratorName}" can only be attached to targets of type "{attachableType}", but the target has type "{targetType}". |

+| BCP125 | Function "{functionName}" cannot be used as a parameter decorator. |

+| BCP126 | Function "{functionName}" cannot be used as a variable decorator. |

+| BCP127 | Function "{functionName}" cannot be used as a resource decorator. |

+| BCP128 | Function "{functionName}" cannot be used as a module decorator. |

+| BCP129 | Function "{functionName}" cannot be used as an output decorator. |

+| BCP130 | Decorators are not allowed here. |

+| BCP132 | Expected a declaration after the decorator. |

+| BCP133 | The unicode escape sequence is not valid. Valid unicode escape sequences range from \\u{0} to \\u{10FFFF}. |

+| BCP134 | Scope {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(suppliedScope))} is not valid for this module. Permitted scopes: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(supportedScopes))}. |

+| BCP135 | Scope {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(suppliedScope))} is not valid for this resource type. Permitted scopes: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(supportedScopes))}. |

+| BCP136 | Expected a loop item variable identifier at this location. |

+| BCP137 | Loop expected an expression of type "{LanguageConstants.Array}" but the provided value is of type "{actualType}". |

+| BCP138 | For-expressions are not supported in this context. For-expressions may be used as values of resource, module, variable, and output declarations, or values of resource and module properties. |

+| BCP139 | A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope. |

+| BCP140 | The multi-line string at this location is not terminated. Terminate it with "'''. |

+| BCP141 | The expression cannot be used as a decorator as it is not callable. |

+| BCP142 | Property value for-expressions cannot be nested. |

+| BCP143 | For-expressions cannot be used with properties whose names are also expressions. |

+| BCP144 | Directly referencing a resource or module collection is not currently supported here. Apply an array indexer to the expression. |

+| BCP145 | Output "{identifier}" is declared multiple times. Remove or rename the duplicates. |

+| BCP147 | Expected a parameter declaration after the decorator. |

+| BCP148 | Expected a variable declaration after the decorator. |

+| BCP149 | Expected a resource declaration after the decorator. |

+| BCP150 | Expected a module declaration after the decorator. |

+| BCP151 | Expected an output declaration after the decorator. |

+| BCP152 | Function "{functionName}" cannot be used as a decorator. |

+| BCP153 | Expected a resource or module declaration after the decorator. |

+| BCP154 | Expected a batch size of at least {limit} but the specified value was "{value}". |

+| BCP155 | The decorator "{decoratorName}" can only be attached to resource or module collections. |

+| BCP156 | The resource type segment "{typeSegment}" is invalid. Nested resources must specify a single type segment, and optionally can specify an API version using the format "&lt;type>@&lt;apiVersion>". |

+| BCP157 | The resource type cannot be determined due to an error in the containing resource. |

+| BCP158 | Cannot access nested resources of type "{wrongType}". A resource type is required. |

+| BCP159 | The resource "{resourceName}" does not contain a nested resource named "{identifierName}". Known nested resources are: {ToQuotedString(nestedResourceNames)}. |

+| BCP160 | A nested resource cannot appear inside of a resource with a for-expression. |

+| BCP162 | Expected a loop item variable identifier or "(" at this location. |

+| BCP164 | A child resource's scope is computed based on the scope of its ancestor resource. This means that using the "scope" property on a child resource is unsupported. |

+| BCP165 | A resource's computed scope must match that of the Bicep file for it to be deployable. This resource's scope is computed from the "scope" property value assigned to ancestor resource "{ancestorIdentifier}". You must use modules to deploy resources to a different scope. |

+| BCP166 | Duplicate "{decoratorName}" decorator. |

+| BCP167 | Expected the "{" character or the "if" keyword at this location. |

+| BCP168 | Length must not be a negative value. |

+| BCP169 | Expected resource name to contain {expectedSlashCount} "/" character(s). The number of name segments must match the number of segments in the resource type. |

+| BCP170 | Expected resource name to not contain any "/" characters. Child resources with a parent resource reference (via the parent property or via nesting) must not contain a fully-qualified name. |

+| BCP171 | Resource type "{resourceType}" is not a valid child resource of parent "{parentResourceType}". |

+| BCP172 | The resource type cannot be validated due to an error in parent resource "{resourceName}". |

+| BCP173 | The property "{property}" cannot be used in an existing resource declaration. |

+| BCP174 | Type validation is not available for resource types declared containing a "/providers/" segment. Please instead use the "scope" property. |

+| BCP176 | Values of the "any" type are not allowed here. |

+| BCP177 | This expression is being used in the if-condition expression, which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP178 | This expression is being used in the for-expression, which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP179 | Unique resource or deployment name is required when looping. The loop item variable "{itemVariableName}" or the index variable "{indexVariableName}" must be referenced in at least one of the value expressions of the following properties in the loop body: {ToQuotedString(expectedVariantProperties)} |

+| BCP180 | Function "{functionName}" is not valid at this location. It can only be used when directly assigning to a module parameter with a secure decorator. |

+| BCP181 | This expression is being used in an argument of the function "{functionName}", which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP182 | This expression is being used in the for-body of the variable "{variableName}", which requires values that can be calculated at the start of the deployment.{variableDependencyChainClause}{violatingPropertyNameClause}{accessiblePropertiesClause} |

+| BCP183 | The value of the module "params" property must be an object literal. |

+| BCP184 | File '{filePath}' exceeded maximum size of {maxSize} {unit}. |

+| BCP185 | Encoding mismatch. File was loaded with '{detectedEncoding}' encoding. |

+| BCP186 | Unable to parse literal JSON value. Please ensure that it is well-formed. |

+| BCP187 | The property "{property}" does not exist in the resource or type definition, although it might still be valid.{TypeInaccuracyClause} |

+| BCP188 | The referenced ARM template has errors. Please see [https://aka.ms/arm-template](https://aka.ms/arm-template) for information on how to diagnose and fix the template. |

+| BCP189 | (allowedSchemes.Contains(ArtifactReferenceSchemes.Local, StringComparer.Ordinal), allowedSchemes.Any(scheme => !string.Equals(scheme, ArtifactReferenceSchemes.Local, StringComparison.Ordinal))) switch { (false, false) => "Module references are not supported in this context.", (false, true) => $"The specified module reference scheme \"{badScheme}\" is not recognized. Specify a module reference using one of the following schemes: {FormatSchemes()}", (true, false) => $"The specified module reference scheme \"{badScheme}\" is not recognized. Specify a path to a local module file.", (true, true) => $"The specified module reference scheme \"{badScheme}\" is not recognized. Specify a path to a local module file or a module reference using one of the following schemes: {FormatSchemes()}"} |

+| BCP190 | The artifact with reference "{artifactRef}" has not been restored. |

+| BCP191 | Unable to restore the artifact with reference "{artifactRef}". |

+| BCP192 | Unable to restore the artifact with reference "{artifactRef}": {message} |

+| BCP193 | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} Specify a reference in the format of "{ArtifactReferenceSchemes.Oci}:&lt;artifact-uri>:&lt;tag>", or "{ArtifactReferenceSchemes.Oci}/&lt;module-alias>:&lt;module-name-or-path>:&lt;tag>". |

+| BCP194 | {BuildInvalidTemplateSpecReferenceClause(aliasName, badRef)} Specify a reference in the format of "{ArtifactReferenceSchemes.TemplateSpecs}:&lt;subscription-ID>/&lt;resource-group-name>/&lt;template-spec-name>:&lt;version>", or "{ArtifactReferenceSchemes.TemplateSpecs}/&lt;module-alias>:&lt;template-spec-name>:&lt;version>". |

+| BCP195 | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} The artifact path segment "{badSegment}" is not valid. Each artifact name path segment must be a lowercase alphanumeric string optionally separated by a ".", "_", or \"-\"." |

+| BCP196 | The module tag or digest is missing. |

+| BCP197 | The tag "{badTag}" exceeds the maximum length of {maxLength} characters. |

+| BCP198 | The tag "{badTag}" is not valid. Valid characters are alphanumeric, ".", "_", or "-" but the tag cannot begin with ".", "_", or "-". |

+| BCP199 | Module path "{badRepository}" exceeds the maximum length of {maxLength} characters. |

+| BCP200 | The registry "{badRegistry}" exceeds the maximum length of {maxLength} characters. |

+| BCP201 | Expected a provider specification string of with a valid format at this location. Valid formats are "br:&lt;providerRegistryHost>/&lt;providerRepositoryPath>@&lt;providerVersion>" or "br/&lt;providerAlias>:&lt;providerName>@&lt;providerVersion>". |

+| BCP202 | Expected a provider alias name at this location. |

+| BCP203 | Using provider statements requires enabling EXPERIMENTAL feature "Extensibility". |

+| BCP204 | Provider namespace "{identifier}" is not recognized. |

+| BCP205 | Provider namespace "{identifier}" does not support configuration. |

+| BCP206 | Provider namespace "{identifier}" requires configuration, but none was provided. |

+| BCP207 | Namespace "{identifier}" is declared multiple times. Remove the duplicates. |

+| BCP208 | The specified namespace "{badNamespace}" is not recognized. Specify a resource reference using one of the following namespaces: {ToQuotedString(allowedNamespaces)}. |

+| BCP209 | Failed to find resource type "{resourceType}" in namespace "{@namespace}". |

+| BCP210 | Resource type belonging to namespace "{childNamespace}" cannot have a parent resource type belonging to different namespace "{parentNamespace}". |

+| BCP211 | The module alias name "{aliasName}" is invalid. Valid characters are alphanumeric, "_", or "-". |

+| BCP212 | The Template Spec module alias name "{aliasName}" does not exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| BCP213 | The OCI artifact module alias name "{aliasName}" does not exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| BCP214 | The Template Spec module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is in valid. The "subscription" property cannot be null or undefined. |

+| BCP215 | The Template Spec module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is in valid. The "resourceGroup" property cannot be null or undefined. |

+| BCP216 | The OCI artifact module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "registry" property cannot be null or undefined. |

+| BCP217 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The subscription ID "{subscriptionId}" is not a GUID. |

+| BCP218 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The resource group name "{resourceGroupName}" exceeds the maximum length of {maximumLength} characters. |

+| BCP219 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The resource group name "{resourceGroupName}" is invalid. Valid characters are alphanumeric, unicode characters, ".", "_", "-", "(", or ")", but the resource group name cannot end with ".". |

+| BCP220 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec name "{templateSpecName}" exceeds the maximum length of {maximumLength} characters. |

+| BCP221 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec name "{templateSpecName}" is invalid. Valid characters are alphanumeric, ".", "_", "-", "(", or ")", but the Template Spec name cannot end with ".". |

+| BCP222 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec version "{templateSpecVersion}" exceeds the maximum length of {maximumLength} characters. |

+| BCP223 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec version "{templateSpecVersion}" is invalid. Valid characters are alphanumeric, ".", "_", "-", "(", or ")", but the Template Spec name cannot end with ".". |

+| BCP224 | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} The digest "{badDigest}" is not valid. The valid format is a string "sha256:" followed by exactly 64 lowercase hexadecimal digits. |

+| BCP225 | The discriminator property "{propertyName}" value cannot be determined at compilation time. Type checking for this object is disabled. |

+| BCP226 | Expected at least one diagnostic code at this location. Valid format is "#disable-next-line diagnosticCode1 diagnosticCode2 ...". |

+| BCP227 | The type "{resourceType}" cannot be used as a parameter or output type. Extensibility types are currently not supported as parameters or outputs. |

+| BCP229 | The parameter "{parameterName}" cannot be used as a resource scope or parent. Resources passed as parameters cannot be used as a scope or parent of a resource. |

+| BCP300 | Expected a type literal at this location. Please specify a concrete value or a reference to a literal type. |

+| BCP301 | The type name "{reservedName}" is reserved and may not be attached to a user-defined type. |

+| BCP302 | The name "{name}" is not a valid type. Please specify one of the following types: {ToQuotedString(validTypes)}. |

+| BCP303 | String interpolation is unsupported for specifying the provider. |

+| BCP304 | Invalid provider specifier string. Specify a valid provider of format "&lt;providerName>@&lt;providerVersion>". |

+| BCP305 | Expected the "with" keyword, "as" keyword, or a new line character at this location. |

+| BCP306 | The name "{name}" refers to a namespace, not to a type. |

+| BCP307 | The expression cannot be evaluated, because the identifier properties of the referenced existing resource including {ToQuotedString(runtimePropertyNames.OrderBy(x => x))} cannot be calculated at the start of the deployment. In this situation, {accessiblePropertyNamesClause}{accessibleFunctionNamesClause}. |

+| BCP308 | The decorator "{decoratorName}" may not be used on statements whose declared type is a reference to a user-defined type. |

+| BCP309 | Values of type "{flattenInputType.Name}" cannot be flattened because "{incompatibleType.Name}" is not an array type. |

+| BCP311 | The provided index value of "{indexSought}" is not valid for type "{typeName}". Indexes for this type must be between 0 and {tupleLength - 1}. |

+| BCP315 | An object type may have at most one additional properties declaration. |

+| BCP316 | The "{LanguageConstants.ParameterSealedPropertyName}" decorator may not be used on object types with an explicit additional properties type declaration. |

+| BCP317 | Expected an identifier, a string, or an asterisk at this location. |

+| BCP318 | The value of type "{possiblyNullType}" may be null at the start of the deployment, which would cause this access expression (and the overall deployment with it) to fail. If you do not know whether the value will be null and the template would handle a null value for the overall expression, use a `.?` (safe dereference) operator to short-circuit the access expression if the base expression's value is null: {accessExpression.AsSafeAccess().ToString()}. If you know the value will not be null, use a non-null assertion operator to inform the compiler that the value will not be null: {SyntaxFactory.AsNonNullable(expression).ToString()}. |

+| BCP319 | The type at "{errorSource}" could not be resolved by the ARM JSON template engine. Original error message: "{message}" |

+| BCP320 | The properties of module output resources cannot be accessed directly. To use the properties of this resource, pass it as a resource-typed parameter to another module and access the parameter's properties therein. |

+| BCP321 | Expected a value of type "{expectedType}" but the provided value is of type "{actualType}". If you know the value will not be null, use a non-null assertion operator to inform the compiler that the value will not be null: {SyntaxFactory.AsNonNullable(expression).ToString()}. |

+| BCP322 | The `.?` (safe dereference) operator may not be used on instance function invocations. |

+| BCP323 | The `[?]` (safe dereference) operator may not be used on resource or module collections. |

+| BCP325 | Expected a type identifier at this location. |

+| BCP326 | Nullable-typed parameters may not be assigned default values. They have an implicit default of 'null' that cannot be overridden. |

+| <a id='BCP327' />[BCP327](./diagnostics/bcp327.md) | The provided value (which will always be greater than or equal to &lt;value>) is too large to assign to a target for which the maximum allowable value is &lt;max-value>. |

+| <a id='BCP328' />[BCP328](./diagnostics/bcp328.md) | The provided value (which will always be less than or equal to &lt;value>) is too small to assign to a target for which the minimum allowable value is &lt;max-value>. |

+| BCP329 | The provided value can be as small as {sourceMin} and may be too small to assign to a target with a configured minimum of {targetMin}. |

+| BCP330 | The provided value can be as large as {sourceMax} and may be too large to assign to a target with a configured maximum of {targetMax}. |

+| BCP331 | A type's "{minDecoratorName}" must be less than or equal to its "{maxDecoratorName}", but a minimum of {minValue} and a maximum of {maxValue} were specified. |

+| <a id='BCP332' />[BCP332](./diagnostics/bcp332.md) | The provided value (whose length will always be greater than or equal to &lt;string-length>) is too long to assign to a target for which the maximum allowable length is &lt;max-length>. |

+| <a id='BCP333' />[BCP333](./diagnostics/bcp333.md) | The provided value (whose length will always be less than or equal to &lt;string-length>) is too short to assign to a target for which the minimum allowable length is &lt;min-length>. |

+| BCP334 | The provided value can have a length as small as {sourceMinLength} and may be too short to assign to a target with a configured minimum length of {targetMinLength}. |

+| BCP335 | The provided value can have a length as large as {sourceMaxLength} and may be too long to assign to a target with a configured maximum length of {targetMaxLength}. |

+| BCP337 | This declaration type is not valid for a Bicep Parameters file. Specify a "{LanguageConstants.UsingKeyword}", "{LanguageConstants.ParameterKeyword}" or "{LanguageConstants.VariableKeyword}" declaration. |

+| BCP338 | Failed to evaluate parameter "{parameterName}": {message} |

+| BCP339 | The provided array index value of "{indexSought}" is not valid. Array index should be greater than or equal to 0. |

+| BCP340 | Unable to parse literal YAML value. Please ensure that it is well-formed. |

+| BCP341 | This expression is being used inside a function declaration, which requires a value that can be calculated at the start of the deployment. {variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP342 | User-defined types are not supported in user-defined function parameters or outputs. |

+| BCP344 | Expected an assert identifier at this location. |

+| BCP345 | A test declaration can only reference a Bicep File |

+| BCP0346 | Expected a test identifier at this location. |

+| BCP0347 | Expected a test path string at this location. |

+| BCP348 | Using a test declaration statement requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.TestFramework)}". |

+| BCP349 | Using an assert declaration requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.Assertions)}". |

+| BCP350 | Value of type "{valueType}" cannot be assigned to an assert. Asserts can take values of type 'bool' only. |

+| BCP351 | Function "{functionName}" is not valid at this location. It can only be used when directly assigning to a parameter. |

+| BCP352 | Failed to evaluate variable "{name}": {message} |

+| BCP353 | The {itemTypePluralName} {ToQuotedString(itemNames)} differ only in casing. The ARM deployments engine is not case sensitive and will not be able to distinguish between them. |

+| BCP354 | Expected left brace ('{') or asterisk ('*') character at this location. |

+| BCP355 | Expected the name of an exported symbol at this location. |

+| BCP356 | Expected a valid namespace identifier at this location. |

+| BCP358 | This declaration is missing a template file path reference. |

+| BCP360 | The '{symbolName}' symbol was not found in (or was not exported by) the imported template. |

+| BCP361 | The "@export()" decorator must target a top-level statement. |

+| BCP362 | This symbol is imported multiple times under the names {string.Join(", ", importedAs.Select(identifier => $"'{identifier}'"))}. |

+| BCP363 | The "{LanguageConstants.TypeDiscriminatorDecoratorName}" decorator can only be applied to object-only union types with unique member types. |

+| BCP364 | The property "{discriminatorPropertyName}" must be a required string literal on all union member types. |

+| BCP365 | The value "{discriminatorPropertyValue}" for discriminator property "{discriminatorPropertyName}" is duplicated across multiple union member types. The value must be unique across all union member types. |

+| BCP366 | The discriminator property name must be "{acceptablePropertyName}" on all union member types. |

+| BCP367 | The "{featureName}" feature is temporarily disabled. |

+| BCP368 | The value of the "{targetName}" parameter cannot be known until the template deployment has started because it uses a reference to a secret value in Azure Key Vault. Expressions that refer to the "{targetName}" parameter may be used in {LanguageConstants.LanguageFileExtension} files but not in {LanguageConstants.ParamsFileExtension} files. |

+| BCP369 | The value of the "{targetName}" parameter cannot be known until the template deployment has started because it uses the default value defined in the template. Expressions that refer to the "{targetName}" parameter may be used in {LanguageConstants.LanguageFileExtension} files but not in {LanguageConstants.ParamsFileExtension} files. |

+| BCP372 | The "@export()" decorator may not be applied to variables that refer to parameters, modules, or resource, either directly or indirectly. The target of this decorator contains direct or transitive references to the following unexportable symbols: {ToQuotedString(nonExportableSymbols)}. |

+| BCP373 | Unable to import the symbol named "{name}": {message} |

+| BCP374 | The imported model cannot be loaded with a wildcard because it contains the following duplicated exports: {ToQuotedString(ambiguousExportNames)}. |

+| BCP375 | An import list item that identifies its target with a quoted string must include an 'as &lt;alias>' clause. |

+| BCP376 | The "{name}" symbol cannot be imported because imports of kind {exportMetadataKind} are not supported in files of kind {sourceFileKind}. |

+| BCP377 | The provider alias name "{aliasName}" is invalid. Valid characters are alphanumeric, "_", or "-". |

+| BCP378 | The OCI artifact provider alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "registry" property cannot be null or undefined. |

+| BCP379 | The OCI artifact provider alias name "{aliasName}" does not exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| BCP380 | Artifacts of type: "{artifactType}" are not supported. |

+| BCP381 | Declaring provider namespaces with the "import" keyword has been deprecated. Please use the "provider" keyword instead. |

+| BCP383 | The "{typeName}" type is not parameterizable. |

+| BCP384 | The "{typeName}" type requires {requiredArgumentCount} argument(s). |

+| BCP385 | Using resource-derived types requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ResourceDerivedTypes)}". |

+| BCP386 | The decorator "{decoratorName}" may not be used on statements whose declared type is a reference to a resource-derived type. |

+| BCP387 | Indexing into a type requires an integer greater than or equal to 0. |

+| BCP388 | Cannot access elements of type "{wrongType}" by index. A tuple type is required. |

+| BCP389 | The type "{wrongType}" does not declare an additional properties type. |

+| BCP390 | The array item type access operator ('[*]') can only be used with typed arrays. |

+| BCP391 | Type member access is only supported on a reference to a named type. |

+| BCP392 | "The supplied resource type identifier "{resourceTypeIdentifier}" was not recognized as a valid resource type name." |

+| BCP393 | "The type pointer segment "{unrecognizedSegment}" was not recognized. Supported pointer segments are: "properties", "items", "prefixItems", and "additionalProperties"." |

+| BCP394 | Resource-derived type expressions must derefence a property within the resource body. Using the entire resource body type is not permitted. |

+| BCP395 | Declaring provider namespaces using the '&lt;providerName>@&lt;version>' expression has been deprecated. Please use an identifier instead. |

+| BCP396 | The referenced provider types artifact has been published with malformed content. |

+| BCP397 | "Provider {name} is incorrectly configured in the {BuildBicepConfigurationClause(configFileUri)}. It is referenced in the "{RootConfiguration.ImplicitProvidersConfigurationKey}" section, but is missing corresponding configuration in the "{RootConfiguration.ProvidersConfigurationKey}" section." |

+| BCP398 | "Provider {name} is incorrectly configured in the {BuildBicepConfigurationClause(configFileUri)}. It is configured as built-in in the "{RootConfiguration.ProvidersConfigurationKey}" section, but no built-in provider exists." |

+| BCP399 | Fetching az types from the registry requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.DynamicTypeLoading)}". |

+| BCP400 | Fetching types from the registry requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ProviderRegistry)}". |

+## Next steps

+To learn about Bicep, see [Bicep overview](./overview.md).

+To deploy a template that moves an existing Azure subscription to a new management group, see [Move subscriptions in ARM template](../../governance/management-groups/manage.md#move-a-subscription-in-an-arm-template)

+ Title: BCP033

+description: Error/warning - Expected a value of type <data-type> but the provided value is of type <data-type>.

+# Bicep error/warning code - BCP033

+This error/warning occurs when you assign a value of a mismatched data type.

+## Error/warning description

+`Expected a value of type <data-type> but the provided value is of type <data-type>.`

+## Solution

+Use the expected data type.

+## Examples

+The following example raises the error because the expected data type is a string. The actual provided value is an integer:

+```bicep

+var myValue = 5

+output myString string = myValue

+```

+You can fix the error by providing a string value:

+```bicep

+var myValue = '5'

+output myString string = myValue

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP035

+description: Error/warning - The specified <data-type> declaration is missing the following required properties <property-name>.

+# Bicep error/warning code - BCP035

+This error/warning occurs when your resource definition is missing a required property.

+## Error/warning description

+`The specified <date-type> declaration is missing the following required properties: <property-name>.`

+## Solution

+Add the missing property to the resource definition.

+## Examples

+The following example raises the warning for **virtualNetworkGateway1** and **virtualNetworkGateway2**:

+```bicep

+var networkConnectionName = 'testConnection'

+var location = 'eastus'

+var vnetGwAId = 'gatewayA'

+var vnetGwBId = 'gatewayB'

+resource networkConnection 'Microsoft.Network/connections@2023-11-01' = {

+ name: networkConnectionName

+ location: location

+ properties: {

+ virtualNetworkGateway1: {

+ id: vnetGwAId

+ }

+ virtualNetworkGateway2: {

+ id: vnetGwBId

+ }

+ connectionType: 'Vnet2Vnet'

+ }

+}

+```

+The warning is:

+```warning

+The specified "object" declaration is missing the following required properties: "properties". If this is an inaccuracy in the documentation, please report it to the Bicep Team.

+```

+You can verify the missing properties from the [template reference](/azure/templates). If you see the warning from Visual Studio Code, hover the cursor over the resource symbolic name and select **View document** to open the template reference.

+You can fix the issue by adding the missing properties:

+```bicep

+var networkConnectionName = 'testConnection'

+var location = 'eastus'

+var vnetGwAId = 'gatewayA'

+var vnetGwBId = 'gatewayB'

+resource networkConnection 'Microsoft.Network/connections@2023-11-01' = {

+ name: networkConnectionName

+ location: location

+ properties: {

+ virtualNetworkGateway1: {

+ id: vnetGwAId

+ properties:{}

+ }

+ virtualNetworkGateway2: {

+ id: vnetGwBId

+ properties:{}

+ }

+ connectionType: 'Vnet2Vnet'

+ }

+}

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP036

+description: Error/warning - The property <property-name> expected a value of type <data-type> but the provided value is of type <data-type>.

+# Bicep error/warning code - BCP036

+This error/warning occurs when you assign a value to a property whose expected data type isn't compatible with the type of the assigned value.

+## Error/warning description

+`The property <property-name> expected a value of type <data-type> but the provided value is of type <data-type>.`

+## Solution

+Assign a value with the correct data type.

+## Examples

+The following example raises the error because `sku` is defined as a string, not an integer:

+```bicep

+type storageAccountConfigType = {

+ name: string

+ sku: string

+}

+param foo storageAccountConfigType = {

+ name: 'myStorage'

+ sku: 2

+}

+```

+You can fix the issue by assigning a string value to `sku`:

+```bicep

+type storageAccountConfigType = {

+ name: string

+ sku: string

+}

+param foo storageAccountConfigType = {

+ name: 'myStorage'

+ sku: 'Standard_LRS'

+}

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP037

+description: Warning - The property <property-name> is not allowed on objects of type <type-definition>.

+# Bicep warning code - BCP037

+This warning occurs when you specify a property that isn't defined in a resource type.

+## Warning description

+`The property <property-name> is not allowed on objects of type <type-defintion>.`

+## Solution

+Remove the undefined property.

+## Examples

+The following example raises the warning because `bar` isn't defined in `storageAccountType`:

+```bicep

+type storageAccountConfigType = {

+ name: string

+ sku: string

+}

+param foo storageAccountConfigType = {

+ name: 'myStorage'

+ sku: 'Standard_LRS'

+ bar: 'myBar'

+}

+```

+You can fix the issue by removing the property:

+```bicep

+type storageAccountConfigType = {

+ name: string

+ sku: string

+}

+param foo storageAccountConfigType = {

+ name: 'myStorage'

+ sku: 'Standard_LRS'

+}

+```

+The following example raises the error because `obj` is a sealed type and doesn't define a `baz` property.

+```bicep

+@sealed()

+type obj = {

+ foo: string

+ bar: string

+}

+param p obj = {

+ foo: 'foo'

+ bar: 'bar'

+ baz: 'baz'

+}

+```

+You can fix the issue by removing the property:

+```bicep

+@sealed()

+type obj = {

+ foo: string

+ bar: string

+}

+param p obj = {

+ foo: 'foo'

+ bar: 'bar'

+}

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP040

+description: Error/warning - String interpolation is not supported for keys on objects of type <type-definition>.

+# Bicep error/warning code - BCP040

+This error/warning occurs when the Bicep compiler can't determine the exact value of an interpolated string key.

+## Error/warning description

+`String interpolation is not supported for keys on objects of type <type-definition>.`

+## Solution

+Remove string interpolation.

+## Examples

+The following example raises the warning because string interpolation is used for specifying the key `sku1`:

+```bicep

+var name = 'sku'

+type storageAccountConfigType = {

+ name: string

+ sku1: string

+}

+param foo storageAccountConfigType = {

+ name: 'myStorage'

+ '${name}1': 'Standard_LRS'

+}

+```

+You can fix the issue by adding the missing properties:

+```bicep

+var name = 'sku'

+type storageAccountConfigType = {

+ name: string

+ sku1: string

+}

+param foo storageAccountConfigType = {

+ name: 'myStorage'

+ sku1: 'Standard_LRS'

+}

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP053

+description: Error/warning - The type <resource-type> does not contain property <property-name>. Available properties include <property-names>.

+# Bicep error/warning code - BCP053

+This error/warning occurs when you reference a property that isn't defined in the resource type or [user-defined data type](../user-defined-data-types.md).

+## Error/warning description

+`The type <resource-type> does not contain property <property-name>. Available properties include <property-names>.`

+## Solution

+Reference the correct property name

+## Examples

+The following example raises the error because `Microsoft.Storage/storageAccounts` doesn't contain a property called `bar`.

+```bicep

+param location string

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ name: 'myStorage'

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+}

+output foo string = storage.bar

+```

+You can fix the error by referencing a valid property, such as `name`:

+```bicep

+param location string

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ name: 'myStorage'

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+}

+output foo string = storage.name

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP072

+description: Error - This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values.

+# Bicep error code - BCP072

+This error occurs when you reference a variable in parameter default values.

+## Error description

+`This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values.`

+## Solution

+Reference another parameter instead.

+## Examples

+The following example raises the error because the parameter default value references a variable:

+```bicep

+param foo string = bar

+var bar = 'HelloWorld!'

+```

+You can fix the error by referencing another parameter:

+```bicep

+param foo string = bar

+param bar string = 'HelloWorld!'

+output outValue string = foo

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP073

+description: Warning - The property <property-name> is read-only. Expressions cannot be assigned to read-only properties.

+# Bicep warning code - BCP073

+This warning occurs when you assign a value to a read-only property.

+## Warning description

+`The property <property-name> is read-only. Expressions cannot be assigned to read-only properties.`

+## Solution

+Remove the property assignment from the file.

+## Examples

+The following example raises the warning because `sku` can only be set on the `storageAccounts` level. It's read-only for services that are under a storage account like `blobServices` and `fileServices`.

+```bicep

+param location string

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ name: 'mystore'

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+}

+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-04-01' = {

+ parent: storage

+ name: 'default'

+ sku: {}

+}

+```

+You can fix the issue by removing the `sku` property assignment:

+```bicep

+param location string

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ name: 'mystore'

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+}

+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-04-01' = {

+ parent: storage

+ name: 'default'

+}

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP327

+description: Error/warning - The provided value (which will always be greater than or equal to <value>) is too large to assign to a target for which the maximum allowable value is <max-value>.

+# Bicep error/warning code - BCP327

+This error/warning occurs when you assign a value that is greater than the allowable value.

+## Error/warning description

+`The provided value (which will always be greater than or equal to <value>) is too large to assign to a target for which the maximum allowable value is <max-value>.`

+## Solution

+Assign a value that falls within the permitted range.

+## Examples

+The following example raises the error because `13` is greater than maximum allowable value:

+```bicep

+@minValue(1)

+@maxValue(12)

+param month int = 13

+```

+You can fix the error by assigning a value within the permitted range:

+```bicep

+@minValue(1)

+@maxValue(12)

+param month int = 12

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP328

+description: Error/warning - The provided value (which will always be less than or equal to <value>) is too small to assign to a target for which the minimum allowable value is <min-value>.

+# Bicep error/warning code - BCP328

+This error/warning occurs when you assign a value that is less than the allowable value.

+## Error/warning description

+`The provided value (which will always be less than or equal to <value>) is too small to assign to a target for which the minimum allowable value is <min-value>.`

+## Solution

+Assign a value that falls within the permitted range.

+## Examples

+The following example raises the error because `0` is less than minimum allowable value:

+```bicep

+@minValue(1)

+@maxValue(12)

+param month int = 0

+```

+You can fix the error by assigning a value within the permitted range:

+```bicep

+@minValue(1)

+@maxValue(12)

+param month int = 1

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP332

+description: Error/warning - The provided value (whose length will always be greater than or equal to <length>) is too long to assign to a target for which the maximum allowable length is <max-length>.

+# Bicep error/warning code - BCP332

+This error/warning occurs when a string or array exceeding the allowable length is assigned.

+## Error/warning description

+`The provided value (whose length will always be greater than or equal to <length>) is too long to assign to a target for which the maximum allowable length is <max-length>.`

+## Solution

+Assign a string whose length is within the allowable range.

+## Examples

+The following example raises the error because the value `longerThan10` exceeds the allowable length:

+```bicep

+@minLength(3)

+@maxLength(10)

+param storageAccountName string = 'longerThan10'

+```

+You can fix the error by assigning a string whose length is within the allowable range.

+```bicep

+@minLength(3)

+@maxLength(10)

+param storageAccountName string = 'myStorage'

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ Title: BCP333

+description: Error/warning - The provided value (whose length will always be less than or equal to <length>) is too short to assign to a target for which the minimum allowable length is <min-length>.

+# Bicep error/warning code - BCP333

+This error/warning occurs when an assigned string or array is shorter than the allowable length.

+## Error/warning description

+`The provided value (whose length will always be less than or equal to <length>) is too short to assign to a target for which the minimum allowable length is <min-length>.`

+## Solution

+Assign a string whose length is within the allowable range.

+## Examples

+The following example raises the error because the value `st` is shorter than the allowable length:

+```bicep

+@minLength(3)

+@maxLength(10)

+param storageAccountName string = 'st'

+```

+You can fix the error by assigning a string whose length is within the allowable range.

+```bicep

+@minLength(3)

+@maxLength(10)

+param storageAccountName string = 'myStorage'

+```

+## Next steps

+For more information about Bicep error and warning codes, see [Bicep warnings and errors](../bicep-core-diagnostics.md).

+ * To move an Azure subscription to a new management group, see [Move subscriptions](../../governance/management-groups/manage.md#move-management-groups-and-subscriptions).

+To deploy a template that moves an existing Azure subscription to a new management group, see [Move subscriptions in ARM template](../../governance/management-groups/manage.md#move-a-subscription-in-an-arm-template)

+ Title: Back up SQL Server from the Azure VM blade using Azure Backup

+description: In this article, learn how to back up SQL Server databases from the Azure VM blade via the Azure portal.

+# Back up a SQL Server from the Azure SQL Server VM blade

+This article describes how to use Azure Backup to back up a SQL Server (running in Azure VM) from the SQL VM resource via the Azure portal.

+SQL Server databases are critical workloads that require a low recovery-point objective (RPO) and long-term retention. You can back up SQL Server databases running on Azure virtual machines (VMs) by using [Azure Backup](backup-overview.md).

+>[!Note]

+>Learn more about the [SQL backup supported configurations and scenarios](sql-support-matrix.md).

+## Prerequisites

+Before you back up a SQL Server database, see the [backup criteria](backup-sql-server-database-azure-vms.md#prerequisites).

+## Configure backup for SQLServer database

+You can now configure Azure backup for your SQL server running in Azure VM, directly from the SQL VM resource blade.

+To configure backup from the SQL VM blade, follow these steps:

+1. In the [Azure portal](https://portal.azure.com/), go to the *SQL VM resource*.

+ >[!Note]

+ >SQL Server resource is different from the Virtual Machine resource.

+1. Go to **Settings** > **Backups**.

+ If the backup isnΓÇÖt configured for the VM, the following backup options appear:

+ - **Azure Backup**

+ - **Automated Backup**

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/select-backups.png" alt-text="Screenshot shows how to select the Backups option on a SQL VM." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/select-backups.png":::

+1. On the **Azure Backup** blade, select **Enable** to start configuring the backup for the SQL Server using Azure Backup.

+1. To start the backup operation, select an existing Recovery Services vault or [create a new vault](backup-sql-server-database-azure-vms.md#create-a-recovery-services-vault).

+1. Select **Discover** to start discovering databases in the VM.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/start-database-discovery.png" alt-text="Screenshot shows how to start discovering the SQL database." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/start-database-discovery.png":::

+ This operation will take some time to run when performed for the first time.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/database-discovery-in-progress.png" alt-text="Screenshot shows the database discovery operation in progress." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/database-discovery-in-progress.png":::

+ Azure Backup discovers all SQL Server databases on the VM. During discovery, the following operations run in the background:

+ 1. Azure Backup registers the VM with the vault for workload backup. All databases on the registered VM can only be backed up to this vault.

+ 1. Azure Backup installs the AzureBackupWindowsWorkload extension on the VM. No agent is installed on the SQL database.

+ 1. Azure Backup creates the service account NT Service\AzureWLBackupPluginSvc on the VM.

+ 1. All backup and restore operations use the service account.

+ 1. NT Service\AzureWLBackupPluginSvc needs SQL sysadmin permissions. All SQL Server VMs created in Azure Marketplace come with the SqlIaaSExtension installed.

+ The AzureBackupWindowsWorkload extension uses the SQLIaaSExtension to automatically get the necessary permissions.

+1. Once the operation is completed, select **Configure backup**.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/start-database-backup-configuration.png" alt-text="Screenshot shows how to start the database backup configuration." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/start-database-backup-configuration.png":::

+1. Define a backup policy using one of the following options:

+ 1. Select the default policy as *HourlyLogBackup*.

+ 1. Select an existing backup policy previously created for SQL.

+ 1. [Create a new policy](tutorial-sql-backup.md#create-a-backup-policy) based on your RPO and retention range.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/select-backup-policy.png" alt-text="Screenshot shows how to select a backup policy for the database." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/select-backup-policy.png":::

+1. Select **Add** to view all the registered availability groups and standalone SQL Server instances.

+1. On **Select items to backup**, expand the list of all the *unprotected databases* in that instance or the *Always On availability group*.

+1. Select the *databases* to protect and select **OK**.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/confirm-database-selection.png" alt-text="Screenshot shows how to confirm the selection of database for backup." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/confirm-database-selection.png":::

+1. To optimize backup loads, Azure Backup allows/permits a maximum number of 50 databases in one backup job.

+ 1. To protect more than 50 databases, configure multiple backups.

+ 1. To enable the entire instance or the Always On availability group, in the AUTOPROTECT drop-down list, select ON, and then select OK.

+1. Select **Enable Backup** to submit the Configure Protection operation and track the configuration progress in the Notifications area of the portal.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/enable-database-backup.png" alt-text="Screenshot shows how to enable the database backup operation." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/enable-database-backup.png":::

+1. To get an overview of your configured backups and a summary of backup jobs, go to **Settings** > **Backups** in the SQL VM resource.

+ :::image type="content" source="./media/backup-sql-server-database-from-azure-vm-blade/backup-jobs-summary.png" alt-text="Screenshot shows how to view the backup jobs summary." lightbox="./media/backup-sql-server-database-from-azure-vm-blade/backup-jobs-summary.png":::

+## Next steps

+- [Restore SQL Server databases on Azure VM](restore-sql-database-azure-vm.md)

+- [Manage and monitor backed up SQL Server databases](manage-monitor-sql-database-backup.md)

+- [Troubleshoot backups on a SQL Server database](backup-sql-server-azure-troubleshoot.md)

+- [FAQ - Backing up SQL Server databases on Azure VMs - Azure Backup | Microsoft Learn](/azure/backup/faq-backup-sql-server)

+This article describes how to enable the older TLS protocols (TLS 1.0 and 1.1). It also covers the application of legacy cipher suites to support the additional protocols on the Windows Server 2019 cloud service web and worker roles.

+We understand that while we're taking steps to deprecate TLS 1.0 and TLS 1.1, our customers may need to support the older protocols and cipher suites in the meantime. While we don't recommend re-enabling these legacy values, we're providing guidance to help customers. We encourage customers to evaluate the risk of regression before implementing the changes outlined in this article.

+In support of our commitment to use best-in-class encryption, Microsoft announced plans to start migration away from TLS 1.0 and 1.1 in June of 2017. Microsoft announced our intent to disable Transport Layer Security (TLS) 1.0 and 1.1 by default in supported versions of Microsoft Edge and Internet Explorer 11 in the first half of 2020. Similar announcements from Apple, Google, and Mozilla indicate the direction in which the industry is headed.

+The Windows Server 2019 cloud server image is configured with TLS 1.0 and TLS 1.1 disabled at the registry level. This means applications deployed to this version of Windows AND using the Windows stack for TLS negotiation won't allow TLS 1.0 and TLS 1.1 communication.

+Use the following code as an example to create a script that enables the older protocols and cipher suites. For the purposes of this documentation, this script is named: **TLSsettings.ps1**. Store this script on your local desktop for easy access in later steps.

+Create a CMD file named **RunTLSSettings.cmd** using the following script. Store this script on your local desktop for easy access in later steps.

+Here's an example that shows both the worker role and web role.

+Now that you completed the previous steps, publish the update to your existing Cloud Service.

+[Azure Automation](https://azure.microsoft.com/services/automation/) is an Azure service for simplifying cloud management through process automation. When you use Azure Automation, you can automate long-running, manual, error-prone, and frequently repeated tasks to increase reliability, efficiency, and time to value for your organization.

+Azure Automation provides a highly reliable and highly available workflow execution engine that scales to meet your needs as your organization grows. In Azure Automation, processes can be kicked off manually, by non-Microsoft systems, or at scheduled intervals so that tasks happen exactly when needed.

+Lower operational overhead and free up IT / DevOps staff to focus on work that adds business value by running your cloud management tasks automatically with Azure Automation.

+Azure cloud services can be managed in Azure Automation by using the PowerShell cmdlets that are available in the [Azure PowerShell tools](/powershell/). Azure Automation has these cloud service PowerShell cmdlets available out of the box, so that you can perform all of your cloud service management tasks within the service. You can also pair these cmdlets in Azure Automation with the cmdlets for other Azure services, to automate complex tasks across Azure services and non-Microsoft systems.

+Now that you covered the basics of Azure Automation and how it can be used to manage Azure cloud services, follow these links to learn more about Azure Automation.

+When you deploy instances to a Cloud Service or add new web or worker role instances, Microsoft Azure allocates compute resources. You may occasionally receive errors when performing these operations even before you reach the Azure subscription limits. This article explains the causes of some of the common allocation failures and suggests possible remediation. The information can also be useful when you plan the deployment of your services.

+The servers in Azure datacenters are partitioned into clusters. A new cloud service allocation request is attempted in multiple clusters. When the first instance is deployed to a cloud service(in either staging or production), that cloud service gets pinned to a cluster. Any further deployments for the cloud service happen in the same cluster. In this article, we refer to this state as "pinned to a cluster." The following diagram illustrates the case of a normal allocation, which is attempted in multiple clusters. The second diagram illustrates the case of an allocation pinned to Cluster 2 because that's where the existing Cloud Service CS_1 is hosted.

+When an allocation request is pinned to a cluster, there's a higher chance of failing to find free resources since the available resource pool is limited to a cluster. Furthermore, if your allocation request is pinned to a cluster but the cluster doesn't support the resource type you requested, your request fails even if the cluster has free resource. The next diagram illustrates the case where a pinned allocation fails because the only candidate cluster doesn't have free resources. Diagram 4 illustrates the case where a pinned allocation fails because the only candidate cluster doesn't support the requested virtual machine (VM) size, even though the cluster has free resources.

+See these further solutions for the exceptions:

+|FabricInternalServerError |Operation failed with error code 'InternalError' and errorMessage 'The server encountered an internal error. Please retry the request.'|[Troubleshoot FabricInternalServerError](cloud-services-troubleshoot-fabric-internal-server-error.md)|

+|ServiceAllocationFailure |Operation failed with error code 'InternalError' and errorMessage 'The server encountered an internal error. Please retry the request.'|[Troubleshoot ServiceAllocationFailure](cloud-services-troubleshoot-fabric-internal-server-error.md)|

+|LocationNotFoundForRoleSize |The operation '`{Operation ID}`' failed: 'The requested VM tier is currently not available in Region (`{Region ID}`) for this subscription. Please try another tier or deploy to a different location.'|[Troubleshoot LocationNotFoundForRoleSize](cloud-services-troubleshoot-location-not-found-for-role-size.md)|

+|ConstrainedAllocationFailed |Azure operation '`{Operation ID}`' failed with code Compute.ConstrainedAllocationFailed. Details: Allocation failed; unable to satisfy constraints in request. The requested new service deployment is bound to an Affinity Group, or it targets a Virtual Network, or there's an existing deployment under this hosted service. Any of these conditions constrains the new deployment to specific Azure resources. Please retry later or try reducing the VM size or number of role instances. Alternatively, if possible, remove the constraints or try deploying to a different region.|[Troubleshoot ConstrainedAllocationFailed](cloud-services-troubleshoot-constrained-allocation-failed.md)|

+|OverconstrainedAllocationRequest |The VM size (or combination of VM sizes) required by this deployment can't be provisioned due to deployment request constraints. If possible, try relaxing constraints such as virtual network bindings, deploying to a hosted service with no other deployment in it and to a different affinity group or with no affinity group, or try deploying to a different region.|[Troubleshoot OverconstrainedAllocationRequest](cloud-services-troubleshoot-overconstrained-allocation-request.md)|

+* Deploying to Staging Slot - If a cloud service has a deployment in either slot, then the entire cloud service is pinned to a specific cluster. This means that if a deployment already exists in the production slot, then a new staging deployment can only be allocated in the same cluster as the production slot. If the cluster is nearing capacity, the request may fail.

+* Scaling - Adding new instances to an existing cloud service must allocate in the same cluster. Small scaling requests can usually be allocated, but not always. If the cluster is nearing capacity, the request may fail.

+* Affinity Group - The fabric in any cluster in that region can allocate a new deployment to an empty cloud service, unless the cloud service is pinned to an affinity group. Deployments attempt to use the same affinity group on the same cluster. If the cluster is nearing capacity, the request may fail.

+* Affinity Group virtual network - Older Virtual Networks were tied to affinity groups instead of regions, and cloud services in these Virtual Networks would be pinned to the affinity group cluster. Attempted deployments to this type of virtual network occur on the pinned cluster. If the cluster is nearing capacity, the request may fail.

+2. Delete both production and staging slots - This solution preserves your existing Domain Name System (DNS) name but causes downtime to your application.

+ * Create a new deployment in the existing cloud service. This solution reattempts allocation on all clusters in the region. Ensure the cloud service isn't tied to an affinity group.

+3. Reserved IP - This solution preserves your existing IP address but causes downtime to your application.

+ * Follow #2, making sure to specify the new ReservedIP in the service's CSCFG.

+4. Remove affinity group for new deployments - Affinity Groups are no longer recommended. Follow steps for #1 to deploy a new cloud service. Ensure cloud service isn't in an affinity group.

+5. Convert to a Regional Virtual Network - See [How to migrate from Affinity Groups to a Regional Virtual Network (virtual network)](/previous-versions/azure/virtual-network/virtual-networks-migrate-to-regional-vnet).

+Certificates are used in Azure for cloud services ([service certificates](#what-are-service-certificates)) and for authenticating with the management API ([management certificates](#what-are-management-certificates)). This article gives a general overview of both certificate types, how to [create](#create) and deploy them to Azure.

+Certificates used in Azure are x.509 v3 certificates. They can self-sign, or another trusted certificate can sign them. A certificate is self-signed when its creator signs it. Self-signed certificates aren't trusted by default, but most browsers can ignore this problem. You should only use self-signed certificates when developing and testing your cloud services.

+Certificates used by Azure can contain a public key. Certificates have a thumbprint that provides a means to identify them in an unambiguous way. This thumbprint is used in the Azure [configuration file](cloud-services-configure-ssl-certificate-portal.md) to identify which certificate a cloud service should use.

+You can upload service certificates to Azure either using the Azure portal or by using the classic deployment model. Service certificates are associated with a specific cloud service. The service definition file assigns them to a deployment.

+Service certificates can be managed separately from your services, and different individuals may manage them. For example, a developer may upload a service package that refers to a certificate that an IT manager previously uploaded to Azure. An IT manager can manage and renew that certificate (changing the configuration of the service) without needing to upload a new service package. Updating without a new service package is possible because the logical name, store name, and location of the certificate is in the service definition file and while the certificate thumbprint is specified in the service configuration file. To update the certificate, it's only necessary to upload a new certificate and change the thumbprint value in the service configuration file.

+Management certificates allow you to authenticate with the classic deployment model. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services. These certificates aren't related to cloud services.

+There's a limit of 100 management certificates per subscription. There's also a limit of 100 management certificates for all subscriptions under a specific service administratorΓÇÖs user ID. If the user ID for the account administrator was already used to add 100 management certificates and there's a need for more certificates, you can add a coadministrator to add more certificates.

+Additionally, management certificates canΓÇÖt be used with Cloud Solution Provider (CSP) subscriptions as CSP subscriptions only support the Azure Resource Manager deployment model and management certificates use the classic deployment model. Reference [Azure Resource Manager vs classic deployment model](../azure-resource-manager/management/deployment-models.md) and [Understanding Authentication with the Azure SDK for .NET](/dotnet/azure/sdk/authentication) for more information on your options for CSP subscriptions.

+This utility is retired and is no longer documented here. For more information, see [this Microsoft Developer Network (MSDN) article](/windows/desktop/SecCrypto/makecert).

+There are many pages on the internet that cover how to create certificates with IIS, such as [When to Use an IIS Self Signed Certificate](https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html).

+[Quick steps: Create and use an SSH public-private key pair for Linux VMs in Azure](../virtual-machines/linux/mac-create-ssh-keys.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json) describes how to create certificates with SSH.

+description: Learn about what Azure Cloud Services is, specifically its design to support applications that are scalable, reliable, and inexpensive to operate.

+More control also means less ease of use. Unless you need the more control options, it's typically quicker and easier to get a web application up and running in the Web Apps feature of App Service compared to Azure Cloud Services.

+* **Web role**: Automatically deploys and hosts your app through Internet Information Services (IIS).

+* **Worker role**: Doesn't use IIS, and runs your app standalone.

+The PaaS nature of Azure Cloud Services has other implications, too. One of the most important implications is that you should write applications built on this technology to run correctly when any web or worker role instance fails. To achieve this goal, an Azure Cloud Services application shouldn't maintain state in the file system of its own VMs. Unlike VMs created with Virtual Machines, writes made to Azure Cloud Services VMs aren't persistent. There's nothing like a Virtual Machines data disk. Instead, an Azure Cloud Services application should explicitly write all state to Azure SQL Database, blobs, tables, or some other external storage. Building applications this way makes them easier to scale and more resistant to failure. Scalability and resiliency are both important goals of Azure Cloud Services.

+This task uses a production deployment. Information on using a staging deployment is provided at the end of this article.

+Read [How to create and deploy an Azure Cloud Service (classic)](cloud-services-how-to-create-deploy-portal.md) first if you haven't yet created a cloud service.

+To configure TLS for an application, you first need to get a TLS/SSL certificate signed by a Certificate Authority (CA), a trusted partner who issues certificates for this purpose. If you don't already have one, you need to obtain one from a company that sells TLS/SSL certificates.

+* The certificate's subject name must match the domain used to access the cloud service. You can't obtain a TLS/SSL certificate from a certificate authority (CA) for the cloudapp.net domain. You must acquire a custom domain name to use when accessing your service. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used to access your application. For example, if your custom domain name is **contoso.com** you would request a certificate from your CA for ***.contoso.com** or **www\.contoso.com**.

+For test purposes, you can [create](cloud-services-certs-create.md) and use a self-signed certificate. A self-signed certificate isn't authenticated through a CA and can use the cloudapp.net domain as the website URL. For example, the following task uses a self-signed certificate in which the common name (CN) used in the certificate is **sslexample.cloudapp.net**.

+ The **Certificates** section defines the name of our certificate, its location, and the name of the store where it's located.

+ All the required changes to the service definition file are complete, but you still need to add the certificate information to the service configuration file.

+4. In your service configuration file (CSCFG), ServiceConfiguration.Cloud.cscfg, add a **Certificates** value with that of your certificate. The following code sample provides details of the **Certificates** section, except for the thumbprint value.

+Now that you updated the service definition and service configuration files, package your deployment for uploading to Azure. If

+you're using **cspack**, don't use the

+**/generateConfigurationFile** flag, as that overwrites the

+certificate information you inserted.

+2. Select **Certificates**.

+3. Select **Upload** at the top of the certificates area.

+4. Provide the **File**, **Password**, then select **Upload** at the bottom of the data entry area.

+1. Select the **Site URL** to open up the web browser.

+We first set up a virtual network in Azure. We then add an Active Directory Domain Controller (hosted on an Azure Virtual Machine) to the virtual network. Next, we add existing cloud service roles to the precreated virtual network, then connect them to the Domain Controller.

+2. Your AD Domain Controller and Web/Worker Role instances need to be in the virtual network.

+Follow this step-by-step guide and if you run into any issues, leave us a comment at the end of the article.

+## Create a virtual network

+You can create a virtual network in Azure using the Azure portal or PowerShell. For this tutorial, PowerShell is used. To create a virtual network using the Azure portal, see [Create a virtual network](../virtual-network/quick-create-portal.md). The article covers creating a virtual network (Resource Manager), but you must create a virtual network (Classic) for cloud services. To do so, in the portal, select **Create a resource**, type *virtual network* in the **Search** box, and then press **Enter**. In the search results, under **Everything**, select **virtual network**. Under **Select a deployment model**, select **Classic**, then select **Create**. You can then follow the steps in the article.

+#Create virtual network

+Once you complete setting up the virtual network, you need to create an AD Domain Controller. For this tutorial, we set up an AD Domain Controller on an Azure Virtual Machine (VM).

+Create a virtual machine through PowerShell using the following commands:

+# Create a VM and add it to the virtual network

+To configure the Virtual Machine as an AD Domain Controller, you need to sign in to the VM and configure it.

+To sign in to the VM, you can get the remote desktop protocol (RDP) file through PowerShell, use the following commands:

+Once you sign into the VM, set up your Virtual Machine as an AD Domain Controller by following the step-by-step guide on [How to set up your customer AD Domain Controller](https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx).

+## Add your Cloud Service to the virtual network

+Next, you need to add your cloud service deployment to the new virtual network. To add your cloud service deployment, modify your cloud service cscfg by adding the relevant sections to your cscfg using Visual Studio or the editor of your choice.

+description: Learn how to expose your Azure application or data to the internet on a custom domain by configuring Domain Name System (DNS) settings. These examples use the Azure portal.

+When you create a Cloud Service, Azure assigns it to a subdomain of **cloudapp.net**. For example, if your Cloud Service is named `contoso`, your users are able to access your application on a URL like `http://contoso.cloudapp.net`. Azure also assigns a virtual IP address.

+CNAME (or alias records) and A records both allow you to associate a domain name with a specific server (or service in this case); however, they work differently. There are also some specific considerations when using A records with Azure Cloud services that you should consider before deciding which to use.

+A CNAME record maps a *specific* domain, such as **contoso.com** or **www\.contoso.com**, to a canonical domain name. In this case, the canonical domain name is the **[myapp].cloudapp.net** domain name of your Azure hosted application. Once created, the CNAME creates an alias for the **[myapp].cloudapp.net**. The CNAME entry resolves to the IP address of your **[myapp].cloudapp.net** service automatically, so if the IP address of the cloud service changes, you don't have to take any action.

+An *A* record maps a domain, such as **contoso.com** or **www\.contoso.com**, *or a wildcard domain* such as **\*.contoso.com**, to an IP address. With an Azure Cloud Service, the virtual IP of the service. So the main benefit of an A record over a CNAME record is that you can have one entry that uses a wildcard, such as \***.contoso.com**, which would handle requests for multiple subdomains such as **mail.contoso.com**, **login.contoso.com**, or **www\.contso.com**.

+ * Sign into the [Azure portal], select your cloud service, look at the **Overview** section and then find the **Site URL** entry.

+ Save the domain name used in the URL returned by either method, as you need it when creating a CNAME record.

+2. Sign into your DNS registrar's website and go to the page for managing DNS. Look for links or areas of the site labeled as **Domain Name**, **DNS**, or **Name Server Management**.

+3. Now find where you can select or enter CNAMEs. You may have to select the record type from a drop-down or go to an advanced settings page. You should look for the words **CNAME**, **Alias**, or **Subdomains**.

+> The preceding example only applies to traffic at the **www** subdomain. Since you cannot use wildcards with CNAME records, you must create one CNAME for each domain/subdomain. If you want to direct traffic from subdomains, such as *.contoso.com, to your cloudapp.net address, you can configure a **URL Redirect** or **URL Forward** entry in your DNS settings, or create an A record.

+ * Sign into the [Azure portal], select your cloud service, look at the **Overview** section and then find the **Public IP addresses** entry.

+ Save the IP address, as you need it when creating an A record.

+2. Sign into your DNS registrar's website and go to the page for managing DNS. Look for links or areas of the site labeled as **Domain Name**, **DNS**, or **Name Server Management**.

+3. Now find where you can select or enter A records. You may have to select the record type from a drop-down, or go to an advanced settings page.

+4. Select or enter the domain or subdomain that uses this A record. For example, select **www** if you want to create an alias for **www\.customdomain.com**. If you want to create a wildcard entry for all subdomains, enter `*****`. This entry covers all subdomains such as **mail.customdomain.com**, **login.customdomain.com**, and **www\.customdomain.com**.

+5. Enter the IP address of your cloud service in the provided field. This step associates the domain entry used in the A record with the IP address of your cloud service deployment.

+* [How to Map Content Delivery Network (CDN) Content to a Custom Domain](../cdn/cdn-map-content-to-custom-domain.md)

+You can collect diagnostic data like application logs, performance counters etc. from a Cloud Service using the Azure Diagnostics extension. This article describes how to enable the Azure Diagnostics extension for a Cloud Service using PowerShell. See [How to install and configure Azure PowerShell](/powershell/azure/) for the prerequisites needed for this article.

+If the diagnostics configuration file specifies a `StorageAccount` element with a storage account name, then the `New-AzureServiceDiagnosticsExtensionConfig` cmdlet automatically uses that storage account. For this configuration to work, the storage account needs to be in the same subscription as the Cloud Service being deployed.

+From Azure SDK 2.6 onward, the extension configuration files generated by the MSBuild publish target output includes the storage account name based on the diagnostics configuration string specified in the service configuration file (.cscfg). The following script shows you how to parse the Extension configuration files from the publish target output and configure diagnostics extension for each role when deploying the cloud service.

+Visual Studio Codespace uses a similar approach for automated deployments of Cloud Services with the diagnostics extension. See [Publish-AzureCloudDeployment.ps1](https://github.com/Microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureCloudPowerShellDeploymentV1/Publish-AzureCloudDeployment.ps1) for a complete example.

+If no `StorageAccount` was specified in the diagnostics configuration, then you need to pass in the *StorageAccountName* parameter to the cmdlet. If you specify the *StorageAccountName* parameter, then the cmdlet uses the storage account specified in the parameter and not the one specified in the diagnostics configuration file.

+If the diagnostics storage account is in a different subscription from the Cloud Service, then you need to explicitly pass in the *StorageAccountName* and *StorageAccountKey* parameters to the cmdlet. The *StorageAccountKey* parameter isn't needed when the diagnostics storage account is in the same subscription, as the cmdlet can automatically query and set the key value when enabling the diagnostics extension. However, if the diagnostics storage account is in a different subscription, then the cmdlet might not be able to get the key automatically and you need to explicitly specify the key through the *StorageAccountKey* parameter.

+* For more information on using Azure diagnostics and other techniques to troubleshoot problems, see [Enabling Diagnostics in Azure Cloud Services and Virtual Machines](cloud-services-dotnet-diagnostics.md).

+description: Learn what to do if an Azure service disruption that impacts Azure Cloud Services.

+# What to do if an Azure service disruption that impacts Azure Cloud Services (classic)

+At Microsoft, we work hard to make sure that our services are always available to you when you need them. Forces beyond our control sometimes affect us in ways that cause unplanned service disruptions.

+This article covers a true disaster recovery scenario, when a whole region experiences an outage due to major natural disaster or widespread service interruption. These scenarios are rare occurrences, but you must prepare for the possibility that there's an outage of an entire region. If an entire region experiences a service disruption, the locally redundant copies of your data would temporarily be unavailable. If you enabled geo-replication, three extra copies of your Azure Storage blobs and tables are stored in a different region. If a complete regional outage or a disaster in which the primary region isn't recoverable occurs, Azure remaps all of the Domain Name System (DNS) entries to the geo-replicated region.

+For the fastest response to the loss of a region, it's important that you configure Traffic Manager's [endpoint monitoring](../traffic-manager/traffic-manager-monitoring.md).

+In this case, no action on your part is required, but your service is unavailable until the region is restored. You can see the current service status on the [Azure Service Health Dashboard](https://azure.microsoft.com/status/).

+Tracing is a way for you to monitor the execution of your application while it's running. You can use the [System.Diagnostics.Trace](/dotnet/api/system.diagnostics.trace), [System.Diagnostics.Debug](/dotnet/api/system.diagnostics.debug), and [System.Diagnostics.TraceSource](/dotnet/api/system.diagnostics.tracesource) classes to record information about errors and application execution in logs, text files, or other devices for later analysis. For more information about tracing, see [Tracing and Instrumenting Applications](/dotnet/framework/debug-trace-profile/tracing-and-instrumenting-applications).

+Implement tracing in your Cloud Services application by adding the [DiagnosticMonitorTraceListener](/previous-versions/azure/reference/ee758610(v=azure.100)) to the application configuration and making calls to System.Diagnostics.Trace or System.Diagnostics.Debug in your application code. Use the configuration file *app.config* for worker roles and the *web.config* for web roles. When you create a new hosted service using a Visual Studio template, Azure Diagnostics is automatically added to the project, and the DiagnosticMonitorTraceListener is added to the appropriate configuration file for the roles that you add.

+By placing [Trace Switches](/dotnet/framework/debug-trace-profile/trace-switches) in your code, you can control whether tracing occurs and how extensive it is. Tracing lets you monitor the status of your application in a production environment. Monitoring application status is especially important in a business application that uses multiple components running on multiple computers. For more information, see [How to: Configure Trace Switches](/dotnet/framework/debug-trace-profile/how-to-create-initialize-and-configure-trace-switches).

+Trace, Debug, and TraceSource require you set up "listeners" to collect and record the messages that are sent. Listeners collect, store, and route tracing messages. They direct the tracing output to an appropriate target, such as a log, window, or text file. Azure Diagnostics uses the [DiagnosticMonitorTraceListener](/previous-versions/azure/reference/ee758610(v=azure.100)) class.

+Before you complete the following procedure, you must initialize the Azure diagnostic monitor. To initialize the Azure diagnostic monitor, see [Enabling Diagnostics in Microsoft Azure](cloud-services-dotnet-diagnostics.md).

+> [!NOTE]

+> If you use the templates that are provided by Visual Studio, the configuration of the listener is added automatically for you.

+2. Add the following code to the file. Change the Version attribute to use the version number of the assembly you're referencing. The assembly version doesn't necessarily change with each Azure SDK release unless there are updates to it.

+ > Make sure you have a project reference to the Microsoft.WindowsAzure.Diagnostics assembly. Update the version number in the preceding xml to match the version of the referenced Microsoft.WindowsAzure.Diagnostics assembly.

+2. Add the following using directive if it isn't present:

+3. Add Trace statements where you want to capture information about the state of your application. You can use various methods to format the output of the Trace statement. For more information, see [How to: Add Trace Statements to Application Code](/dotnet/framework/debug-trace-profile/how-to-add-trace-statements-to-application-code).

+This walkthrough describes how to implement an Azure worker role that emits telemetry data using the .NET EventSource class. Azure Diagnostics is used to collect the telemetry data and store it in an Azure storage account. When you create a worker role, Visual Studio automatically enables Diagnostics 1.0 as part of the solution in Azure Software Development Kits (SDKs) for .NET 2.4 and earlier. The following instructions describe the process for creating the worker role, disabling Diagnostics 1.0 from the solution, and deploying Diagnostics 1.2 or 1.3 to your worker role.

+This article assumes you have an Azure subscription and are using Visual Studio with the Azure SDK. If you don't have an Azure subscription, you can sign up for the [Free Trial][Free Trial]. Make sure to [Install and configure Azure PowerShell version 0.8.7 or later][Install and configure Azure PowerShell version 0.8.7 or later].

+2. Create an **Azure Cloud Service** project from the **Cloud** template that targets .NET Framework 4.5. Name the project "WadExample" and select Ok.

+3. Select **Worker Role** and select Ok. The project is created.

+5. In the **Configuration** tab, uncheck **Enable Diagnostics** to disable Diagnostics 1.0 (Azure SDK 2.4 and earlier).

+Replace the contents of WorkerRole.cs with the following code. The class SampleEventSourceWriter, inherited from the [EventSource Class][EventSource Class], implements four logging methods: **SendEnums**, **MessageMethod**, **SetOther**, and **HighFreq**. The first parameter to the **WriteEvent** method defines the ID for the respective event. The Run method implements an infinite loop that calls each of the logging methods implemented in the **SampleEventSourceWriter** class every 10 seconds.

+6. Modify any other **Settings** as appropriate and select **Publish**.

+7. After the deployment completes, verify in the Azure portal that your cloud service is in a **Running** state.

+2. Add an XML file to your **WorkerRole1** project by right-clicking on the **WorkerRole1** project and select **Add** -> **New Item…** -> **Visual C# items** -> **Data** -> **XML File**. Name the file `WadExample.xml`.

+3. Associate the WadConfig.xsd with the configuration file. Make sure the WadExample.xml editor window is the active window. Press **F4** to open the **Properties** window. Select the **Schemas** property in the **Properties** window. Select the **…** in the **Schemas** property. Select the **Add…** button and navigate to the location where you saved the .xsd file and select the file WadConfig.xsd. Select **OK**.

+In the Visual Studio **Server Explorer**, navigate to the wadexample storage account. After the cloud service has been running about five (5) minutes, you should see the tables **WADEnumsTable**, **WADHighFreqTable**, **WADMessageTable**, **WADPerformanceCountersTable**, and **WADSetOtherTable**. Double-click one of the tables to view the collected telemetry.

+[See a list of related Azure virtual-machine diagnostic articles](../azure-monitor/agents/diagnostics-extension-overview.md) to change the data you collect, troubleshoot problems, or learn more about diagnostics in general.

+description: Learn how to create a multi-tier app using ASP.NET Model-View-Controller (MVC) and Azure. The app runs in a cloud service, with web role and worker role. It uses Entity Framework, SQL Database, and Azure Storage queues and blobs.

+This tutorial shows you how to create a multi-tier .NET application with an ASP.NET Model-View-Controller (MVC) front-end and deploy it to an [Azure cloud service](cloud-services-choose-me.md). The application uses [Azure SQL Database](/previous-versions/azure/ee336279(v=azure.100)), the [Azure Blob service](https://www.asp.net/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/unstructured-blob-storage), and the [Azure Queue service](https://www.asp.net/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/queue-centric-work-pattern). You can [download the Visual Studio project](https://code.msdn.microsoft.com/Simple-Azure-Cloud-Service-e01df2e4) from the Microsoft Developer Network (MSDN) Code Gallery.

+## Learning goals

+The tutorial assumes that you understand [basic concepts about Azure cloud services](cloud-services-choose-me.md) such as *web role* and *worker role* terminology. It also assumes that you know how to work with [ASP.NET MVC](https://www.asp.net/mvc/tutorials/mvc-5/introduction/getting-started) or [Web Forms](https://www.asp.net/web-forms/tutorials/aspnet-45/getting-started-with-aspnet-45-web-forms/introduction-and-overview) projects in Visual Studio. The sample application uses MVC, but most of the tutorial also applies to Web Forms.

+You can run the app locally without an Azure subscription, but you need one to deploy the application to the cloud. If you don't have an account, you can [activate your MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/?WT.mc_id=A55E3C668) or [sign up for a free trial](https://azure.microsoft.com/pricing/free-trial/?WT.mc_id=A55E3C668).

+The app stores ads in an SQL database, using Entity Framework Code First to create the tables and access the data. For each ad, the database stores two URLs, one for the full-size image and one for the thumbnail.

+4. To build the solution, press CTRL+SHIFT+B.

+ By default, Visual Studio automatically restores the NuGet package content, which wasn't included in the *.zip* file. If the packages don't restore, install them manually by going to the **Manage NuGet Packages for Solution** dialog box and clicking the **Restore** button at the top right.

+7. To run the application, press CTRL+F5.

+8. Select **Create an Ad**.

+9. Enter some test data and select a *.jpg* image to upload, and then select **Create**.

+ The app goes to the Index page, but it doesn't show a thumbnail for the new ad because that processing has yet to happen.

+11. Select **Details** for your ad to see the full-size image.

+In the following section, you configure the solution to use Azure cloud resources for queues, blobs, and the application database when it runs in the cloud. If you wanted to continue to run locally but use cloud storage and database resources, you could do that. It's just a matter of setting connection strings, which you see how to do.

+You do the following steps to run the application in the cloud:

+An Azure cloud service is the environment the application runs in.

+2. Select **Create a resource > Compute > Cloud Service**.

+3. In the Domain Name System (DNS) name input box, enter a URL prefix for the cloud service.

+ This URL has to be unique. You get an error message if the prefix you choose is already in use.

+4. Specify a new Resource group for the service. Select **Create new** and then type a name in the Resource group input box, such as CS_contososadsRG.

+ This field specifies which datacenter your cloud service is hosted in. For a production application, you'd choose the region closest to your customers. For this tutorial, choose the region closest to you.

+5. Select **Create**.

+When the app runs in the cloud, it uses a cloud-based database.

+1. In the [Azure portal](https://portal.azure.com), select **Create a resource > Databases > SQL Database**.

+3. In the **Resource group**, choose **Use existing** and select the resource group used for the cloud service.

+4. In the following image, select **Server - Configure required settings** and **Create a new server**.

+ If you selected **Create a new server**, you aren't entering an existing name and password here. You're entering a new name and password that you're defining now to use later when you access the database. If you selected a server that you created previously, the portal prompts you for the password to the administrative user account you already created.

+ When the cloud service and database are in different datacenters (different regions), latency increases and you incur charges for bandwidth outside the data center. Bandwidth within a data center is free.

+9. Select **Select** for the new server.

+10. Choose **Create**.

+In a real-world application, you would typically create separate accounts for application data versus logging data, and separate accounts for test data versus production data. For this tutorial, you use just one account.

+1. In the [Azure portal](https://portal.azure.com), select **Create a resource > Storage > Storage account - blob, file, table, queue**.

+ This prefix plus the text you see under the box is the unique URL to your storage account. If the prefix you enter is already in use by someone else, choose a different prefix.

+5. In the **Resource group**, select **Use existing** and select the resource group used for the cloud service.

+ When the cloud service and storage account are in different datacenters (different regions), latency increases and you incur charges for bandwidth outside the data center. Bandwidth within a data center is free.

+ Azure affinity groups provide a mechanism to minimize the distance between resources in a data center, which can reduce latency. This tutorial doesn't use affinity groups. For more information, see [How to Create an Affinity Group in Azure](/previous-versions/azure/reference/gg715317(v=azure.100)).

+7. Choose **Create**.

+You use a [Web.config transform](https://www.asp.net/mvc/tutorials/deployment/visual-studio-web-deployment/web-config-transformations) for the web role and a cloud service environment setting for the worker role.

+2. In the [Azure portal](https://portal.azure.com), choose **SQL Databases** in the left pane, select the database you created for this tutorial, and then select **Show connection strings**.

+7. In **Solution Explorer**, under **Roles** in the cloud service project, right-click **ContosoAdsWorker** and then select **Properties**.

+8. Choose the **Settings** tab.

+Azure storage account connection strings for both the web role project and the worker role project are stored in environment settings in the cloud service project. For each project, there's a separate set of settings to be used when the application runs locally and when it runs in the cloud. You update the cloud environment settings for both web and worker role projects.

+1. In **Solution Explorer**, right-click **ContosoAdsWeb** under **Roles** in the **ContosoAdsCloudService** project, and then select **Properties**.

+2. Choose the **Settings** tab. In the **Service Configuration** drop-down box, choose **Cloud**.

+3. Select the **StorageConnectionString** entry, and you see an ellipsis (**...**) button at the right end of the line. Choose the ellipsis button to open the **Create Storage Account Connection String** dialog box.

+4. In the **Create Storage Connection String** dialog box, select **Your subscription**, choose the storage account that you created earlier, and then select **OK**. The explorer prompts you for your Azure account credentials if you still need to sign in.

+The role environment settings that you configured using the Visual Studio UI are stored in the following files in the ContosoAdsCloudService project:

+The `<Instances>` setting specifies the number of virtual machines that Azure runs the worker role code on. The [Next steps](#next-steps) section includes links to more information about scaling out a cloud service,

+2. In the **Sign in** step of the **Publish Azure Application** wizard, select **Next**.

+3. In the **Settings** step of the wizard, select **Next**.

+4. In the **Summary** step, select **Publish**.

+5. Choose the right arrow icon to expand the deployment details.

+6. When the deployment status is complete, select the **Web app URL** to start the application.

+If you still need to download [the completed application](https://code.msdn.microsoft.com/Simple-Azure-Cloud-Service-e01df2e4), do that now. Copy the files from the downloaded project into the new project.

+3. Name the project and solution ContosoAdsCloudService, and then select **OK**.

+5. When you see the **New ASP.NET Project** dialog box for the web role, choose the MVC template, and then select **Change Authentication**.

+6. In the **Change Authentication** dialog box, choose **No Authentication**, and then select **OK**.

+7. In the **New ASP.NET Project** dialog, select **OK**.

+9. In the **Add New Project** dialog box, choose **Windows** under **Visual C#** in the left pane, and then select the **Class Library** template.

+10. Name the project *ContosoAdsCommon*, and then select **OK**.

+3. Look for the *WindowsAzure.Storage* package, and if it's in the list, select it and select the web and worker projects to update it in, and then select **Update**.

+ The storage client library is updated more frequently than Visual Studio project templates, so you may find that the version in a newly created project needs to be updated.

+1. In the ContosoAdsWeb project, set a reference to the ContosoAdsCommon project. Right-click the ContosoAdsWeb project, and then select **References** - **Add References**. In the **Reference Manager** dialog box, select **Solution ΓÇô Projects** in the left pane, select **ContosoAdsCommon**, and then select **OK**.

+ ContosoAdsCommon contains the Entity Framework data model and context class, which uses both the front-end and back-end.

+3. In the ContosoAdsCloudService project, right-click ContosoAdsWeb under **Roles**, and then select **Properties**.

+4. In the **ContosoAdsWeb [Role]** properties window, select the **Settings** tab, and then select **Add Setting**.

+8. While still in the **ContosoAdsWorker [Role]** properties window, add another connection string:

+In this section, you copy code files from the downloaded solution into the new solution. The following sections show and explain key parts of this code.

+To add files to a project or a folder, right-click the project or folder and select **Add** - **Existing Item**. Select the files you want and then select **Add**. If asked whether you want to replace existing files, select **Yes**.

+You can now build and run the application as instructed earlier in the tutorial, and the app uses local database and storage emulator resources.

+The following sections explain the code related to working with the Azure environment, blobs, and queues. This tutorial doesn't explain how to create MVC controllers and views using scaffolding, how to write Entity Framework code that works with SQL Server databases, or the basics of asynchronous programming in ASP.NET 4.5. For information about these topics, see the following resources:

+The ContosoAdsContext class specifies that the Ad class is used in a DbSet collection, which Entity Framework stores in an SQL database.

+The class has two constructors. The first of them is used by the web project, and specifies the name of a connection string that is stored in the Web.config file. The second constructor enables you to pass in the actual connection string used by the worker role project, since it doesn't have a Web.config file. You saw earlier where this connection string was stored. Later, you see how the code retrieves the connection string when it instantiates the DbContext class.

+Code that is called from the `Application_Start` method creates an *images* blob container and an *images* queue if they don't already exist. This code ensures that whenever you use a new storage account or use the storage emulator on a new computer, the code automatically creates the required blob container and queue.

+The `OnStart` method gets the database connection string from the *.cscfg* file and passes it to the Entity Framework DbContext class. The SQLClient provider is used by default, so the provider doesn't have to be specified.

+After each iteration of the loop, if no queue message was found, the program sleeps for a second. This sleep prevents the worker role from incurring excessive CPU time and storage transaction costs. The Microsoft Customer Advisory Team tells a story about a developer who forgot to include this sleep function, deployed to production, and left for vacation. When they got back, their oversight cost more than the vacation.

+Sometimes the content of a queue message causes an error in processing. This kind of message is called a *poison message*. If you merely logged an error and restarted the loop, you could endlessly try to process that message. Therefore, the catch block includes an if statement that checks to see how many times the app tried to process the current message. If the count is higher than five times, the message is deleted from the queue.

+The `RoleEnvironment` object is provided by Azure when you run an application in Azure or when you run locally using the Azure Compute Emulator. If you get this error when you're running locally, make sure that you set the ContosoAdsCloudService project as the startup project. This setting makes the project run using the Azure Compute Emulator.

+One of the things the application uses the Azure RoleEnvironment for is to get the connection string values that are stored in the *.cscfg* files, so another cause of this exception is a missing connection string. Make sure that you created the StorageConnectionString setting for both Cloud and Local configurations in the ContosoAdsWeb project, and that you created both connection strings for both configurations in the ContosoAdsWorker project. If you do a **Find All** search for StorageConnectionString in the entire solution, you should see it nine times in six files.

+### Can't override to port xxx. New port below minimum allowed value 8080 for protocol http

+Try changing the port number used by the web project. Right-click the ContosoAdsWeb project, and then select **Properties**. Choose the **Web** tab, and then change the port number in the **Project Url** setting.

+By default new cloud service projects use the Azure Compute Emulator express to simulate the Azure environment. The Azure Compute Emulator is a lightweight version of the full compute emulator, and under some conditions the full emulator works when the express version doesn't.

+To change the project to use the full emulator, right-click the ContosoAdsCloudService project, and then select **Properties**. In the **Properties** window, select the **Web** tab, and then select the **Use Full Emulator** radio button.

+The Contoso Ads application is intentionally made simple for a getting-started tutorial. For example, it doesn't implement [dependency injection](https://www.asp.net/mvc/tutorials/hands-on-labs/aspnet-mvc-4-dependency-injection) or the [repository and unit of work patterns](https://www.asp.net/mvc/tutorials/getting-started-with-ef-using-mvc/advanced-entity-framework-scenarios-for-an-mvc-web-application#repo). It doesn't [use an interface for logging](https://www.asp.net/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/monitoring-and-telemetry#log), it doesn't use [EF Code First Migrations](https://www.asp.net/mvc/tutorials/getting-started-with-ef-using-mvc/migrations-and-deployment-with-the-entity-framework-in-an-asp-net-mvc-application) to manage data model changes or [EF Connection Resiliency](https://www.asp.net/mvc/tutorials/getting-started-with-ef-using-mvc/connection-resiliency-and-command-interception-with-the-entity-framework-in-an-asp-net-mvc-application) to manage transient network errors, and so forth.

+When files are added in this way to the role content folder, they automatically add to your cloud service package. The files are then deployed to a consistent location on the virtual machine. Repeat this process for each web and worker role in your cloud service so that all roles have a copy of the installer.

+ The script checks whether the specified version of the .NET Framework is present on your machine by querying the registry. If the .NET Framework version isn't installed, then the .NET Framework web installer is opened. To help troubleshoot any issues, the script logs all activity to the file startuptasklog-(current date and time).txt that is stored in **InstallLogs** local storage.

+3. Add the install.cmd file to each role by using **Add** > **Existing Item** in **Solution Explorer** as described earlier in this article.

+When you deploy your cloud service, the startup tasks install the .NET Framework (if necessary). Your cloud service roles are in the *busy* state while the framework is being installed. If the framework installation requires a restart, the service roles might also restart.

+## Next steps

+Cloud service roles communicate through internal and external connections. External connections are called **input endpoints** while internal connections are called **internal endpoints**. This article describes how to modify the [service definition](cloud-services-model-and-package.md#csdef) to create endpoints.

+The input endpoint is used when you want to expose a port to the outside. You specify the protocol type and the port of the endpoint, which then applies for both the external and internal ports for the endpoint. If you want, you can specify a different internal port for the endpoint with the [localPort](/previous-versions/azure/reference/gg557552(v=azure.100)#inputendpoint) attribute.

+Instance input endpoints are similar to input endpoints but allow you to map specific public-facing ports for each individual role instance by using port forwarding on the load balancer. You can specify a single public-facing port, or a range of ports.

+Internal endpoints are available for instance-to-instance communication. The port is optional and if omitted, a dynamic port is assigned to the endpoint. A port range can be used. There's a limit of five internal endpoints per role.

+There's one minor difference with endpoints when working with both worker and web roles. The web role must have at minimum a single input endpoint using the **HTTP** protocol.

+The Azure Managed Library provides methods for role instances to communicate at runtime. From code running within a role instance, you can retrieve information about the existence of other role instances and their endpoints. You can also obtain information about the current role instance.

+When you connect to a role instance programmatically through the .NET SDK, it's relatively easy to access the endpoint information. For example, after you connect to a specific role environment, you can get the port of a specific endpoint with this code:

+The **Instances** property returns a collection of **RoleInstance** objects. This collection always contains the current instance. If the role doesn't define an internal endpoint, the collection includes the current instance but no other instances. The number of role instances in the collection is always one in the case where no internal endpoint is defined for the role. If the role defines an internal endpoint, its instances are discoverable at runtime, and the number of instances in the collection corresponds to the number of instances specified for the role in the service configuration file.

+To determine the port number for an internal endpoint on a role instance, you can use the [`InstanceEndpoints`](/previous-versions/azure/reference/ee741917(v=azure.100)) property to return a Dictionary object that contains endpoint names and their corresponding IP addresses and ports. The [`IPEndpoint`](/previous-versions/azure/reference/ee741919(v=azure.100)) property returns the IP address and port for a specified endpoint. The `PublicIPEndpoint` property returns the port for a load balanced endpoint. The IP address portion of the `PublicIPEndpoint` property isn't used.

+Here's an example that iterates role instances.

+Here's an example of a worker role that gets the endpoint exposed through the service definition and starts listening for connections.

+An XML schema reference for the elements used can be found [here](/previous-versions/azure/reference/gg557551(v=azure.100)).

+description: Information about when the Azure Guest OS Family 2, 3, and 4 retirement happened and how to determine if their retirement affects you.

+This retirement affects your cloud services if the `osFamily` column in the script output contains a `2`, `3`, `4`, or is empty. If empty, the default `osFamily` attribute points to `osFamily` `5`.

+If this retirement affects you, we recommend you migrate your Cloud Service or [Cloud Services Extended Support](../cloud-services-extended-support/overview.md) roles to one of the supported Guest OS Families:

+description: Provides information about when the Azure Guest OS Family 1 retirement happened and how to determine if its retirement affects you.

+**Sept 2, 2014** The Azure Guest operating system (Guest OS) Family 1.x, which is based on the Windows Server 2008 operating system, was officially retired. All attempts to deploy new services or upgrade existing services using Family 1 fail with an error message informing you that the Guest OS Family 1 is retired.

+**November 3, 2014** Extended support for Guest OS Family 1 ended. Guest OS Family 1 is retired. This retirement affects all services still on Family 1. We may stop those services at any time. There's no guarantee your services continue to run unless you manually upgrade them yourself.

+If you have other questions, visit the [Microsoft Question & Answer page for Cloud Services](/answers/topics/azure-cloud-services.html) or [contact Azure support](https://azure.microsoft.com/support/options/).

+This retirement affects your cloud services if any one of the following applies:

+2. You don't have a value for osFamily explicitly specified in the ServiceConfiguration.cscfg file for your Cloud Service. Currently, the system uses the default value of "1" in this case.

+The OS Family 1 retirement affects your cloud services if the osFamily column in the script output is empty or contains a "1".

+## Recommendations

+## Extended Support for Guest OS Family 1 ended November 3, 2014

+description: This article lists the Microsoft Security Response Center updates applied to different Azure Guest OS. See if an update applies to your Guest OS.

+The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to your Guest OS. Updates always carry forward for the particular [family][family-explain] they were introduced in.

+| N/A | [4284826] |June nonsecurity rollup |2.76 |June 12, 2018 |

+| N/A | [4284855] |June nonsecurity rollup |3.63 |June 12, 2018 |

+| N/A | [4284815] |June nonsecurity rollup |4.56 |June 12, 2018 |

+| N/A | [4103718] |May nonsecurity rollup |2.75 |May 8, 2018 |

+| N/A | [4103730] |May nonsecurity rollup |3.62 |May 8, 2018 |

+| N/A | [4103725] |May nonsecurity rollup |4.55 |May 8, 2018 |

+| N/A | [4040980], [4040977] |Sept ΓÇÖ17 .NET nonsecurity rollup |2.75 |November 14, 2017 |

+| N/A | [4095874] |May .NET 3.5 nonsecurity release |2.75 |May 8, 2018 |

+| N/A | [4096495] |May .NET 4.x nonsecurity release |2.75 |May 8, 2018 |

+| N/A | [4040975] |Sept ΓÇÖ17 .NET nonsecurity rollup |3.62 |November 14, 2017 |

+| N/A | [4095872] |May .NET 3.5 nonsecurity release |3.62 |May 8, 2018 |

+| N/A | [4096494] |May .NET 4.x nonsecurity release |3.62 |May 8, 2018 |

+| N/A | [4096416] |May .NET 4.5x nonsecurity release |3.62 |May 8, 2018 |

+| N/A | [4040974], [4040972] |Sept ΓÇÖ17 .NET nonsecurity rollup |4.55 |November 14, 2017 |

+| N/A | [4043763] |Oct ΓÇÖ17 .NET nonsecurity rollup |4.55 |September 12, 2017 |

+| N/A | [4095876] |May .NET 4.x nonsecurity release |4.55 |May 8, 2018 |

+| N/A | [4096417] |May .NET 4.5x nonsecurity release |4.55 |May 8, 2018 |

+| N/A | [4093118] |April nonsecurity rollup |2.73 |April 10, 2018 |

+| N/A | [4093123] |April nonsecurity rollup |3.61 |April 10, 2018 |

+| N/A | [4093114] |April nonsecurity rollup |4.74 |April 10, 2018 |

+| N/A | [4088875] |March nonsecurity rollup |2.73 |March 13, 2018 |

+| N/A | [4099950] |March nonsecurity rollup prerequisite|2.73 |March 13, 2018 |

+| N/A | [4088877] |March nonsecurity rollup |3.60 |March 13, 2018 |

+| N/A | [4088876] |March nonsecurity rollup |4.53 |March 13, 2018 |

+| N/A | [4074598] |February nonsecurity rollup |2.72 |February 13, 2018 |

+| N/A | [4074593] |February nonsecurity rollup |3.59 |February 13, 2018 |

+| N/A | [4074594] |February nonsecurity rollup |4.52 |February 13, 2018 |

+| N/A | [4056894] |January nonsecurity rollup |2.71 |January 4, 2018 |

+| N/A | [4056896] |January nonsecurity rollup |3.58 |January 4, 2018 |

+| N/A | [4056895] |January nonsecurity rollup |4.51 |January 4, 2018 |

+| N/A | [4054518] |December nonsecurity rollup |2.70 |December 12, 2017 |

+| N/A | [4054520] |December nonsecurity rollup |3.57 |December 12, 2017 |

+| N/A | [4054519] |December nonsecurity rollup |4.50 |December 12, 2017 |

+| N/A | [4048957] |November nonsecurity rollup |2.69 |November 14, 2017 |

+| N/A | [4048959] |November nonsecurity rollup |3.56 |November 14, 2017 |

+| N/A | [4048958] |November nonsecurity rollup |4.49 |November 14, 2017 |

+| N/A | [4041681] |October nonsecurity rollup |2.68 |October 10, 2017 |

+| N/A | [4041690] |October nonsecurity rollup |3.55 |October 10, 2017 |

+| N/A | [4041693] |October nonsecurity rollup |4.48 |October 10, 2017 |

+| N/A | [4038777] |September nonsecurity rollup |2.67 |September 12, 2017 |

+| N/A | [4038799] |September nonsecurity rollup |3.54 |September 12, 2017 |

+| N/A | [4038792] |September nonsecurity rollup |4.47 |September 12, 2017 |

+| N/A | [4040980] |September .NET nonsecurity rollup |2.67 |September 12, 2017 |

+| N/A | [4040979] |September .NET nonsecurity rollup |3.54 |September 12, 2017 |

+| N/A | [4040981] |September .NET nonsecurity rollup |4.47 |September 12, 2017 |

+| N/A | [4034664] |August nonsecurity rollup |2.66 |August 8, 2017 |

+| N/A | [4034665] |August nonsecurity rollup |5.11 |August 8, 2017 |

+| N/A | [4034681] |August nonsecurity rollup |4.46 |August 8, 2017 |

+| Rel 17-07 | [4025341] |July nonsecurity rollup |2.65 |July 11, 2017 |

+| Rel 17-07 | [4025331] |July nonsecurity rollup |3.52 |July 11, 2017 |

+| Rel 17-07 | [4025336] |July nonsecurity rollup |4.45 |July 11, 2017 |

+| N/A | [4022719] |June nonsecurity rollup |2.64 |June 13, 2017 |

+| N/A | [4022724] |June nonsecurity rollup |3.51 |June 13, 2017 |

+| N/A | [4022726] |June nonsecurity rollup |4.44 |June 13, 2017 |

+| N/A | [4019264] |May nonsecurity rollup |2.63 |June 13, 2017 |

+| N/A | [4014545] |May .NET nonsecurity rollup |2.63 |April 11, 2017 |

+| N/A | [4014508] |May .NET nonsecurity rollup |2.63 |May 9, 2017 |

+| N/A | [4014511] |May .NET nonsecurity rollup |2.63 |May 9, 2017 |

+| N/A | [4014514] |May .NET nonsecurity rollup |2.63 |May 9, 2017 |

+| N/A | [4019216] |May nonsecurity rollup |3.50 |May 9, 2017 |

+| N/A | 4014503 |May .NET nonsecurity rollup |3.50 |May 9, 2017 |

+| N/A | [4014506] |May .NET nonsecurity rollup |3.50 |May 9, 2017 |

+| N/A | [4014509] |May .NET nonsecurity rollup |3.50 |May 9, 2017 |

+| N/A | [4014513] |May .NET nonsecurity rollup |3.50 |May 9, 2017 |

+| N/A | [4019215] |May nonsecurity rollup |4.43 |May 9, 2017 |

+| N/A | [4014505] |May .NET nonsecurity rollup |4.43 |May 9, 2017 |

+| N/A | [4014507] |May .NET nonsecurity rollup |4.43 |May 9, 2017 |

+| N/A | [4014510] |May .NET nonsecurity rollup |4.43 |May 9, 2017 |

+| N/A | [4014512] |May .NET nonsecurity rollup |4.43 |May 9, 2017 |

+| N/A | [4014565] |April .NET nonsecurity rollup |2.62 | April 11, 2017 |

+| N/A | [4014559] |April .NET nonsecurity rollup |2.62 | April 11, 2017 |

+| N/A | [4014563] |April .NET nonsecurity rollup |3.49 | April 11, 2017 |

+| N/A | [4014557] |April .NET nonsecurity rollup |3.49 | April 11, 2017 |

+| N/A | [4014545] |April .NET nonsecurity rollup |3.49 | April 11, 2017 |

+| N/A | [4014548] |April .NET nonsecurity rollup |3.49 | April 11, 2017 |

+| N/A | [4015551] |April nonsecurity rollup |3.49 | April 11, 2017 |

+| N/A | [4014555] |April .NET nonsecurity rollup |4.42 | April 11, 2017 |

+| N/A | [4014567] |April .NET nonsecurity rollup |4.42 | April 11, 2017 |

+| N/A | [4015550] |April nonsecurity rollup |4.42 | April 11, 2017 |

+| N/A |[2922223] |You can't change system time if RealTimeIsUniversal registry entry is enabled in Windows |2.52 |June 14, 2016 |

+| N/A |[2896881] |Long sign in time when you use the AddPrinterConnection VBScript command to map printers for users during sign in process in Windows |4.15, 3.22, 2.34 |Jan 13 2015 |

+description: Provides information about what Microsoft supports regarding the Azure Guest OS used by Cloud Services.

+The information on this page relates to the Azure Guest operating system ([Guest OS](cloud-services-guestos-update-matrix.md)) for Cloud Services worker and web roles (PaaS). It doesn't apply to Virtual Machines (IaaS).

+Microsoft has a published [support policy for the Guest OS](https://support.microsoft.com/gp/azure-cloud-lifecycle-faq). This page describes how the policy is implemented.

+The policy is:

+* Microsoft supports **at least the latest two families of the Guest OS**. When a family is retired, customers have 12 months from the official retirement date to update to a newer supported Guest OS family.

+* Microsoft supports **at least the latest two versions of the supported Guest OS families**.

+* Microsoft supports **at least the latest two versions of the Azure SDK**. When a version of the SDK is retired, customers have 12 months from the official retirement date to update to a newer version.

+At times, more than two families or releases may be supported. Official Guest OS support information appears on the [Azure Guest OS Releases and SDK Compatibility Matrix](cloud-services-guestos-update-matrix.md).

+New Guest OS **versions** are introduced about every month to incorporate the latest Microsoft Security Response Center (MSRC) updates. Because of the regular monthly updates, a Guest OS version is normally disabled around 60 days after its release. This activity keeps at least two Guest OS versions for each family available for use.

+Once the retirement is announced, customers have a 12 month "transition" period before the older family is officially removed from service. This transition time may be extended at the discretion of Microsoft. Microsoft posts updates on the [Azure Guest OS Releases and SDK Compatibility Matrix](cloud-services-guestos-update-matrix.md).

+A gradual retirement process begins six (6) months into the transition period. During this time:

+* Microsoft notifies customers of the retirement.

+* The newer version of the Azure SDK doesn't support the retired Guest OS family.

+* New deployments and redeployments of Cloud Services are prohibited on the retired family

+Microsoft continues to introduce new Guest OS version incorporating the latest MSRC updates until the last day of the transition period, known as the "expiration date." On the expiration date, cloud services still running are unsupported under the Azure Service Level Agreement (SLA). Microsoft has the discretion to force upgrade, delete or stop those services after that date.

+If customers set their Guest OS to automatically update, they never have to worry about dealing with Guest OS versions. They're always using the latest Guest OS version.

+At 60 days into the lifespan, a version is "*disabled*." "Disabled" means that the version is removed from the portal. The version can no longer be set from the CSCFG configuration file. Existing deployments are left running, but new deployments and code and configuration updates to existing deployments are prohibited.

+Sometime after the Guest OS version becomes "disabled," it "expires," and any installations still running that expired version are exposed to security and vulnerability issues. Generally, expiration is done in batches, so the period from disablement to expiration can vary.

+Customers who configure their services to update the Guest OS manually, should ensure that their services are running on a supported Guest OS. If a service is configured to update the Guest OS automatically, the underlying platform ensures compliance and upgrades to the latest Guest OS.

+These periods may be made longer at Microsoft's discretion to ease customer transitions. Microsoft communicates any changes on the [Azure Guest OS Releases and SDK Compatibility Matrix](cloud-services-guestos-update-matrix.md).

+* **Family retirement** <br>Microsoft uses blog posts and portal notification. Microsoft informs customers who are still using a retired Guest OS family through direct communication (email, portal messages, phone call) to assigned service administrators. Microsoft posts all changes to the [Azure Guest OS Releases and SDK Compatibility Matrix](cloud-services-guestos-update-matrix.md).

+* **Version Retirement** <br>Microsoft posts all changes and the dates they occur to the [Azure Guest OS Releases and SDK Compatibility Matrix](cloud-services-guestos-update-matrix.md), including release, disabled, and expiration. Services admins receive emails if they have deployments running on a disabled Guest OS version or family. The timing of these emails can vary. Generally they are at least a month before disablement, though this timing isn't an official SLA.

+* Start planning your migration to a newer family early.

+* Set up temporary test deployments to test your Cloud Service running on the new family.

+* Set your Guest OS version to **Automatic** (osVersion=* in the [.cscfg](cloud-services-model-and-package.md#cscfg) file) so the migration to new Guest OS versions occurs automatically.

+If your web application architecture depends on underlying features of the operating system, use platform supported capabilities such as [startup tasks](cloud-services-startup-tasks.md) or other extensibility mechanisms. Alternatively, you can also use [Azure Virtual Machines](https://azure.microsoft.com/documentation/scenarios/virtual-machines/) (IaaS ΓÇô Infrastructure as a Service), where you're responsible for maintaining the underlying operating system.

+Provides you with up-to-date information about the latest Azure Guest OS releases for Cloud Services. This information helps you plan your upgrade path before a Guest OS is disabled. If you configure your roles to use *automatic* Guest OS updates as described in [Azure Guest OS Update Settings][Azure Guest OS Update Settings], it isn't vital that you read this page.

+The June Guest OS released.

+The May Guest OS released.

+The April Guest OS released.

+The March Guest OS released.

+The February Guest OS released.

+The January Guest OS released.

+The December Guest OS released.

+The November Guest OS released.

+The October Guest OS released.

+The September Guest OS released.

+The August Guest OS released.

+The July Guest OS released.

+The June Guest OS released.

+The May Guest OS released.

+The April Guest OS released.

+The March Guest OS released.

+The February Guest OS released.

+The January Guest OS released.

+The December Guest OS released.

+The November Guest OS released.

+The October Guest OS released.

+The September Guest OS released.

+The August Guest OS released.

+The July Guest OS released.

+The June Guest OS released.

+The May Guest OS released.

+The April Guest OS released.

+The March Guest OS released.

+The February Guest OS released.

+The January Guest OS released.

+The December Guest OS released.

+The November Guest OS released.

+The October Guest OS released.

+The September Guest OS released.

+The August Guest OS released.

+The July Guest OS released.

+The June Guest OS released.

+The May Guest OS released.

+The April Guest OS released.

+The March Guest OS released.

+The February Guest OS released.

+The January Guest OS released.

+The December Guest OS released.

+The November Guest OS released.

+The October Guest OS released.

+The September Guest OS released.

+The August Guest OS released.

+The July Guest OS released.

+The June Guest OS released.

+The May Guest OS released.

+The April Guest OS released.

+The March Guest OS released.

+The February Guest OS released.

+The January Guest OS released.

+The December Guest OS released.

+The November Guest OS released.

+The October Guest OS released.

+The September Guest OS released.

+The August Guest OS released.

+The July Guest OS released.

+The June Guest OS released.

+The May Guest OS released.

+The April Guest OS released.

+The March Guest OS released.

+The February Guest OS released.

+The January Guest OS released.

+Family 6 Guest OS (Windows Server 2019) released.

+The December Guest OS released.

+The November Guest OS released.

+The October Guest OS released.

+The September Guest OS released.

+|~~WA-GUEST-OS-4.99_202201-02~~| February 11, 2022 | March 19, 2022 |

+|~~WA-GUEST-OS-4.97_202112-01~~| January 10, 2022 | March 2, 2022 |

+There are three dates that are important to Guest OS releases: **release** date, **disabled** date, and **expiration** date. A Guest OS is considered available when it is in the Portal and can be selected as the target Guest OS. When a Guest OS reaches the **disabled** date, Microsoft removes it from Azure. However, any Cloud Service targeting that Guest OS still operate as normal.

+The window between the **disabled** date and the **expiration** date provides you with a buffer to easily transition from one Guest OS to one newer. If you're using *automatic* as your Guest OS, you're always on the latest version and you don't have to worry about it expiring.

+When the **expiration** date passes, any Cloud Service still using that Guest OS stops, deletes, or force upgrades. You can read more about the retirement policy [here][retirepolicy].

+ A rerelease of a Guest OS version. A rerelease occurs if Microsoft finds issues during testing; requiring changes. The latest release always supersedes any previous releases, public or not. The Azure portal only allows users to pick the latest release for a given version. Deployments running on a previous release aren't force upgraded depending on the severity of the bug.

+In the following example, 2 is the family, 12 is the version, and "rel2" is the release.

+The configuration string for a Guest OS has this same information embedded in it, along with a date showing which MSRC patches were considered for that release. In this example, MSRC patches produced for Windows Server 2008 R2 up to and including August 2012 were considered for inclusion. Only patches specifically applying to that version of Windows Server are included. For example, if an MSRC patch applies to Microsoft Office, it isn't included because that product isn't part of the Windows Server base image.

+This page includes information on upcoming Guest OS Releases. Some customers want to know when a release occurs because cloud service roles set to automatically update reboot on releases. Guest OS releases typically occur 2-3 weeks after the MSRC update release that occurs on the second Tuesday of every month. New releases include all the relevant MSRC patches for each Guest OS family.

+Microsoft Azure is constantly releasing updates. The Guest OS is only one such update in the pipeline. Many factors affect a release, and they're too numerous to list here. In addition, Azure runs on literally hundreds of thousands of machines. This means that it's impossible to give an exact date and time to expect your role or roles to reboot. We're working on a plan to limit or time reboots.

+When a new release of the Guest OS is published, it can take time to fully propagate across Azure. As services are updated to the new Guest OS, they reboot, honoring update domains. Services set to use "Automatic" updates get a release first. After the update, youΓÇÖll see the new Guest OS version listed for your service in the Azure portal. Rereleases may occur during this period. Some versions may be deployed over longer periods of time and automatic upgrade reboots may not occur for many weeks after the official release date. Once a Guest OS is available, you can then explicitly choose that version from the portal or in your configuration file.

+For a great deal of valuable information on restarts and pointers to more information on Guest and Host OS updates, see the Microsoft Developer Network (MSDN) blog post titled [Role Instance Restarts Due to OS Upgrades][restarts].

+For more information about manually updating your Guest OS, see the [Guest OS retirement policy][retirepolicy].

+The **Settings** or **All settings** links open up **Settings** where you can change the **Properties**, change the **Configuration**, manage the **Certificates**, set up **Alert rules**, and manage the **Users** who have access to this cloud service.

+By default, Azure periodically updates your guest OS to the latest supported image within the OS family that you specified in your service configuration (.cscfg), such as Windows Server 2016.

+You can add alerts to your cloud service. Select **Settings** > **Alert Rules** > **Add alert**.

+Instead of using **Settings** > **Alert Rules**, you can select on one of the metric tiles in the **Monitoring** section of the cloud service.

+1. Select on the **Settings** icon or the **All settings** link to open up **Settings**.

+2. Select on the **Configuration** item.

+3. Select on the **Download** button.

+5. Select the .cscfg file and select **OK**.

+You can learn more about these components and how to create a package [here](cloud-services-model-and-package.md).

+* If you want to configure verbose monitoring for your cloud service, enable Azure Diagnostics for the cloud service. *Minimal monitoring* (the default monitoring level) uses performance counters gathered from the host operating systems for role instances (virtual machines). *Verbose monitoring* gathers more metrics based on performance data within the role instances to enable closer analysis of issues that occur during application processing. To find out how to enable Azure Diagnostics, see [Enabling diagnostics in Azure](cloud-services-dotnet-diagnostics.md).

+* If you need to install the Azure SDK, choose **Install Azure SDK** to open the [Azure Downloads page](https://azure.microsoft.com/downloads/), and then download the SDK for the language in which you prefer to develop your code. You have an opportunity to do the installation later.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Choose **Create a resource > Compute**, and then scroll down to and select **Cloud Service**.

+6. Select **Package**, which opens the **Upload a package** pane. Fill in the required fields. If any of your roles contain a single instance, ensure **Deploy even if one or more roles contain a single instance** is selected.

+8. Select **OK**, which closes the **Upload a package** pane.

+9. If you don't have any certificates to add, choose **Create**.

+2. Select **Attach certificate**, and then choose **OK** on the **Add certificates** pane.

+3. Select **Create** on the **Cloud Service** pane. When the deployment reaches the **Ready** status, proceed to the next steps.

+1. Select the cloud service instance.

+2. Under **Essentials**, select the **Site URL** to open your cloud service in a web browser.

+For more information about how to scale your cloud service, see [Configure autoscaling for a cloud service in the portal](cloud-services-how-to-scale-portal.md).

+6. Select the **Start deployment** check box to apply the update after the upload of the package finishes.

+> [!NOTE]

+> Guest OS updates and service healing operations also can cause deployment swaps to fail. For more information, see [Troubleshoot cloud service deployment problems](cloud-services-troubleshoot-deployment-problems.md).

+As described in the previous section, a deployment swap is typically fast because it's just a configuration change in the Azure load balancer. In some cases, it can take 10 or more seconds and result in transient connection failures. To limit the impact to your customers, consider implementing [client retry logic](/azure/architecture/best-practices/transient-faults).

+To save compute costs, you can delete the staging deployment after you verify that your production deployment is working as expected. Even if you stop your deployed role instances, Azure bills you for compute costs.

+You can monitor key performance metrics for any cloud service. Every cloud service role collects minimal data: CPU usage, network usage, and disk utilization. If the cloud service has the `Microsoft.Azure.Diagnostics` extension applied to a role, that role can collect more points of data. This article provides an introduction to Azure Diagnostics for Cloud Services.

+With basic monitoring, performance counter data from role instances is sampled and collected at 3-minute intervals. This basic monitoring data isn't stored in your storage account and has no additional cost associated with it.

+With advanced monitoring, more metrics are sampled and collected at intervals of 5 minutes, 1 hour, and 12 hours. The aggregated data is stored in a storage account, in tables, and is purged after 10 days. The storage account used is configured per role; you can use different storage accounts for different roles. You use a connection string in the [.csdef](cloud-services-model-and-package.md#servicedefinitioncsdef) and [.cscfg](cloud-services-model-and-package.md#serviceconfigurationcscfg) files for configuration.

+Basic monitoring doesn't require a storage account.

+Advanced monitoring involves using the **Azure Diagnostics** extension (and optionally the Application Insights SDK) on the role you want to monitor. The diagnostics extension uses a config file (per role) named **diagnostics.wadcfgx** to configure the diagnostics metrics monitored. The Azure Diagnostic extension collects and stores data in an Azure Storage account. These settings are configured in the **.wadcfgx**, [.csdef](cloud-services-model-and-package.md#servicedefinitioncsdef), and [.cscfg](cloud-services-model-and-package.md#serviceconfigurationcscfg) files. This means that there's an extra cost associated with advanced monitoring.

+* Internet Information Services (IIS) logs

+* Manifest based Event Tracing for Windows (ETW)

+In the **ServiceDefinition.csdef** file, add a new setting named `Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString` for each role that uses advanced diagnostics. Visual Studio adds this value to the file when you create a new project. In case it's missing, you can add it now.

+This snippet defines a new setting that must be added to every **ServiceConfiguration.cscfg** file.

+When you publish the Cloud Service from Visual Studio, you have the option to send the diagnostic data to Application Insights. You can create the Application Insights Azure resource at that time or send the data to an existing Azure resource. Application Insights can monitor your cloud service for availability, performance, failures, and usage. Custom charts can be added to Application Insights so that you can see the data that matters the most. Role instance data can be collected by using the Application Insights SDK in your cloud service project. For more information on how to integrate Application Insights, see [Application Insights with Cloud Services](../azure-monitor/app/azure-web-apps-net-core.md).

+While you can use Application Insights to display the performance counters (and the other settings) you specified through the Microsoft Azure Diagnostics extension, you only get a richer experience by integrating the Application Insights SDK into your worker and web roles.

+You can set conditions for a cloud service worker role to trigger scale in or out operations. The conditions for the role can be based on the CPU, disk, or network load of the role. You can also set a condition based on a message queue or the metric of some other Azure resource associated with your subscription.

+* Core usage affects scaling.

+ Larger role instances use more cores. You can scale an application only within the limit of cores for your subscription. For example, say your subscription has a limit of 20 cores. If you run an application with two medium-sized cloud services (a total of four cores), you can only scale up other cloud service deployments in your subscription by the remaining 16 cores. For more information about sizes, see [Cloud Service Sizes](cloud-services-sizes-specs.md).

+* To enable high availability of your application, you should ensure it deploys with two or more role instances. For more information, see [Service Level Agreements](https://azure.microsoft.com/support/legal/sla/).

+ **IMPORTANT**: Make sure to select the cloud service role, not the role instance that is below the role.

+After you configure the profile and rules, select the **Save** icon at the top.

+After you configure the profile, select the **OK** button at the bottom of the profile blade.

+After you configure the rule, select the **OK** button at the bottom of the rule blade.

+After you configure the scale settings, select the **Save** icon at the top.

+description: Learn how to use PowerShell to scale a web role or worker role in or out in Azure cloud services (classic).

+## Sign in to Azure

+Before you can perform any operations on your subscription through PowerShell, you must sign in:

+The cmdlet blocks momentarily while the new instances are provisioned and started. During this time, if you open a new PowerShell window and call **Get-AzureRole** as shown earlier, you see the new target instance count. If you inspect the role status in the portal, you should see the new instance starting up:

+Once the new instances start, the cmdlet returns successfully:

+It isn't possible to configure autoscale for cloud services from PowerShell. To do that, see [How to auto scale a cloud service](cloud-services-how-to-scale-portal.md).

+A cloud service is created from three components, the service definition *(.csdef)*, the service config *(.cscfg)*, and a service package *(.cspkg)*. Both the **ServiceDefinition.csdef** and **ServiceConfig.cscfg** files are XML-based and describe the structure of the cloud service and its configuration; collectively called the model. The **ServicePackage.cspkg** is a zip file that is generated from the **ServiceDefinition.csdef** and among other things, contains all the required binary-based dependencies. Azure creates a cloud service from both the **ServicePackage.cspkg** and the **ServiceConfig.cscfg**.

+Once the cloud service is running in Azure, you can reconfigure it through the **ServiceConfig.cscfg** file, but you can't alter the definition.

+* I'm using Visual Studio and I want to...

+You can refer to the [Service Definition Schema](/previous-versions/azure/reference/ee758711(v=azure.100)) for a better understanding of the XML schema used here, however, here's a quick explanation of some of the elements:

+The service configuration file isn't packaged with the application. The configuration uploads to Azure as a separate file and used to configure the cloud service. You can upload a new service configuration file without redeploying your cloud service. The configuration values for the cloud service can be changed while the cloud service is running. The following example shows the configuration settings that can be defined for the Web and Worker roles:

+You can refer to the [Service Configuration Schema](/previous-versions/azure/reference/ee758710(v=azure.100)) for better understanding the XML schema used here, however, here's a quick explanation of the elements:

+Configures the number of running instances for the role. To prevent your cloud service from potentially becoming unavailable during upgrades, we recommend you deploy more than one instance of your web-facing roles. By deploying more than one instance, you adhere to the guidelines in the [Azure Compute Service Level Agreement (SLA)](https://azure.microsoft.com/support/legal/sla/), which guarantees 99.95% external connectivity for Internet-facing roles when two or more role instances are deployed for a service.

+The following sample shows the configuration for a web role with a website and web application. The website is configured as the default entry location on port 80. The web applications are configured to receive requests from an alternate host header that is called ΓÇ£mail.mysite.cloudapp.netΓÇ¥.

+You can update the configuration of your cloud service while it runs in Azure, without taking the service offline. To change configuration information, you can either upload a new configuration file, or edit the configuration file in place and apply it to your running service. The following changes can be made to the configuration of a service:

+ Topology changes don't affect running instances, except where an instance is being removed. All remaining instances generally don't need to be recycled; however, you can choose to recycle role instances in response to a topology change.

+ You can only update a certificate when a role instance is offline. If a certificate is added, deleted, or changed while a role instance is online, Azure gracefully takes the instance offline to update the certificate. Azure brings it back online after the change is complete.

+| \[OutputFileName\] |The name for the generated package file. Typically, this variable is set to the name of the application. If no file name is specified, the application package is created as \[ApplicationName\].cspkg. |

+I'm using Visual Studio and I want to...

+The following screenshot shows the completed application:

+The following steps create the cloud service project that hosts the Socket.IO application.

+ You see the following response:

+For this project, we use the chat example from the [Socket.IO

+ The highlighted items in the previous screenshot are the files copied from the **examples\\chat** directory

+3. In the **C:\\node\\chatapp\\WorkerRole1** directory, delete the **server.js** file, and then rename the **app.js** file to **server.js**. This step removes the default **server.js** file created previously by the **Add-AzureNodeWorkerRole** cmdlet and replaces it with the application file from the chat example.

+2. Find the **Module dependencies** section at the beginning of server.js and change the line containing **sio = require('..//..//lib//socket.io')** to **sio = require('socket.io')** as follows:

+ following line by replacing **3000** with **process.env.port** as follows:

+1. In **Azure PowerShell**, change directories to the **C:\\node\\chatapp\\WorkerRole1** directory and use the following command to install the modules required by this application:

+ This command installs the modules listed in the package.json file. After

+ following screenshot:

+ relative path, Socket.IO wasn't referenced in the package.json

+ This step allows you to post messages as a specific nickname. To test

+ multi-user functionality, open more browser windows using the

+In this tutorial, you learned how to create a basic chat application hosted in an Azure Cloud Service. To learn how to host this application in an Azure Website, see [Build a Node.js Chat Application with Socket.IO on an Azure Web Site][chatwebsite].

+description: Learn how to create a Node.js web application and deploy it to an Azure cloud service.

+This tutorial shows how to create a Node.js application running in an Azure Cloud Service. Cloud Services are the building blocks of scalable cloud applications in Azure. They allow the separation and independent management and scale-out of front-end and back-end components of your application. Cloud Services provide a robust dedicated virtual machine for hosting each role reliably.

+> Looking to build a website? If your scenario involves just a simple website front-end, consider [using a lightweight web app]. You can easily upgrade to a Cloud Service as your web app grows and your requirements change.

+By following this tutorial, you build a web application hosted inside a web role. You use the compute emulator to test your application locally, then deploy it using PowerShell command-line tools.

+The application is a "hello world" application:

+3. Enter the following PowerShell cmdlet to create the project:

+The Node.js app is defined in the file **server.js**, located in the directory for the web role (**WebRole1** by default). Here's the code:

+ This command uses your browser to navigate to the publish settings download page. You may be prompted to sign in with a Microsoft Account. If so, use the account associated with your Azure subscription.

+* **-ServiceName** specifies the name for the deployment. This value must be a unique name; otherwise, the publish process fails. The **Get-Date** command tacks on a date/time string that should make the name unique.

+* **-Location** specifies the datacenter that hosts the application. To see a list of available datacenters, use the **Get-AzureLocation** cmdlet.

+* **-Launch** opens a browser window and navigates to the hosted service after the deployment completes.

+After publishing succeeds, you see a response similar to the screenshot:

+Once the deployment completes, a browser window opens and navigates to the cloud service.

+2. Creates a new **storage account** if one doesn't exist. The Azure storage account is used to store the application package during deployment. You can safely delete the storage account after deployment is done.

+3. Creates a new **cloud service** if one doesn't already exist. A **cloud service** is the container in which your application is hosted when it deploys to Azure. For more information, see [Overview of Creating a Hosted Service for Azure].

+After deploying your application, you may want to disable it so you can avoid extra costs. Azure bills web role instances per hour of server time consumed. Server time is consumed once your application is deployed, even if the instances aren't running and are in the stopped state.

+ Stopping the service may take several minutes. When the service is stopped, you receive a message indicating that it stopped.

+ Deleting the service may take several minutes. After you delete the service, you receive a message indicating that the service was deleted.

+description: Use this tutorial to create a new application using the Express module, which provides a Model-View-Control (MVC) framework for creating Node.js web applications.

+Developers often use non-Microsoft modules to provide more

+functionality when developing a Node.js application. In this tutorial,

+you create a new application using the [Express](https://github.com/expressjs/express) module, which provides a Model-View-Control framework for creating Node.js web applications.

+The following screenshot shows the completed application:

+ > By default, **Add-AzureNodeWebRole** uses an older version of Node.js. The preceding **Set-AzureServiceProjectRole** line instructs Azure to use v0.10.21 of Node. Note the parameters are case-sensitive. You can verify the correct version of Node.js has been selected by checking the **engines** property in **WebRole1\package.json**.

+ The following screenshot shows the output of the npm command. Your output should look similar.

+ To continue, enter **y** or **yes** when prompted to overwrite your earlier application. Express generates the app.js file and a folder structure for building your application.

+3. To install the other dependencies defined in the package.json file,

+4. Use the following command to copy the **bin/www** file to **server.js**. This step allows the cloud service to find the entry point for this application.

+ Once you make this modification, the line should appear as follows:

+Azure."

+4. To see your changes, refresh your browser.

+Once the deployment operation completes, your browser opens and displays the web page.

+Various tools and techniques are available for testing the performance of cloud services.

+You can also use diagnostics to track numerous performance

+This article covers the CPU Sampling method of profiling, which can be done locally in the emulator. CPU sampling is a method of profiling that isn't intrusive. At a designated sampling interval, the profiler takes a snapshot of the call stack. The data is collected over a period of time, and shown in a report. This method of profiling tends to indicate where in a computationally intensive application most of the CPU work is being done, giving you the opportunity to focus on the "hot path" where your application is spending the most time.

+## Configure Visual Studio for profiling

+First, there are a few Visual Studio configuration options that might be helpful when profiling. To make sense of the profiling reports, you need symbols (.pdb files) for your application and also symbols for system libraries. Make sure you reference the available symbol servers; to do so, on the **Tools** menu in Visual Studio, choose **Options**, then choose **Debugging**, then **Symbols**. Make sure that Microsoft Symbol Servers is listed under **Symbol file (.pdb) locations**. You can also reference https://referencesource.microsoft.com/symbols, which might have more symbol files.

+You can use these instructions with an existing project or with a new project. If you create a new project to try the following techniques, choose a C# **Azure Cloud Service** project, and select a **Web Role** and a **Worker Role**.

+Build and run your cloud service locally without debugging (Ctrl+F5), with the solution configuration set to **Release**. This setting ensures that all files and folders are created for running the application locally and that all the emulators are started. To verify that your worker role is running, start the Compute Emulator UI from the taskbar.

+## Attach to a process

+To attach the profiler to a process, go to the **Analyze** menu, select **Profiler**, and choose **Attach/Detach**.

+If your project folder is on a network drive, the profiler asks you to provide another location to save the profiling reports.

+sign-in the Compute Emulator UI to know what process to connect to.

+Once you attach, perform the steps in your application's UI (if needed) to reproduce the scenario.

+## View performance reports

+If you see String.wstrcpy in the Hot Path, select on Just My Code to change the view to show user code only. If you see String.Concat, try pressing the **Show All Code** button.

+If you added the string concatenation code in this article, you should see a warning in the Task List for it. You may also see a warning that there's an excessive amount of garbage collection, which is due to the number of strings created and disposed.

+## Make changes and compare performance

+You can also compare the performance before and after a code change. To replace the string concatenation operation with the use of StringBuilder, stop the running process and edit the code:

+Congratulations! You got started with the profiler.

+* Make sure you profile a Release build and start without debugging.

+* If the Attach/Detach option isn't enabled on the Profiler menu, run the Performance Wizard.

+* If you used any of the profiling commands from the

+ command line, especially the global settings, make sure you call VSPerfClrEnv /globaloff and shut down VsPerfMon.exe.

+* When sampling, you see the message "PRF0025: No data was collected," check the CPU activity of the process. Applications that aren't doing any computational work might not produce any sampling data. It's also possible that the process exited before any sampling was done. Check to see that the Run method for a role that you profile doesn't terminate.

+Instrumenting Azure binaries in the emulator isn't supported in the Visual Studio profiler, but if you want to test memory allocation, you can choose that option when profiling. You can also choose concurrency profiling, which helps you determine whether threads are wasting time competing for locks, or tier interaction profiling, which helps you track down performance problems when interacting between tiers of an application, most frequently between the data tier and a worker role. You can view the database queries that your app generates and use the profiling data to improve your use of the database. For information about tier interaction profiling, see the blog post [Walkthrough: Using the Tier Interaction Profiler in Visual Studio Team System 2010][3].

+This guide shows you how to create PHP web or worker roles in a Windows development environment, choose a specific version of PHP from the "built-in" versions available, change the PHP configuration, enable extensions, and finally, deploy to Azure. It also describes how to configure a web or worker role to use a PHP runtime (with custom configuration and extensions) that you provide.

+Azure provides three compute models for running applications: Azure App Service, Azure Virtual Machines, and Azure Cloud Services. All three models support PHP. Cloud Services, which includes web and worker roles, provides *platform as a service (PaaS)*. Within a cloud service, a web role provides a dedicated Internet Information Services (IIS) web server to host front-end web applications. A worker role can run asynchronous, long-running, or perpetual tasks independent of user interaction or input.

+The [Azure SDK for PHP](https://github.com/Azure/azure-sdk-for-php) consists of several components. This article uses two of them: Azure PowerShell and the Azure emulators. These two components can be installed via the Microsoft Web Platform Installer. For more information, see [How to install and configure Azure PowerShell](/powershell/azure/).

+The first step in creating a PHP web or worker role is to create an Azure Service project. An Azure Service project serves as a logical container for web and worker roles, and it contains the project's [service definition (.csdef)] and [service configuration (.cscfg)] files.

+This command creates a new directory (`myProject`) to which you can add web and worker roles.

+In some cases, instead of selecting a built-in PHP runtime and configuring it as previously described, you may want to provide your own PHP runtime. For example, you can use the same PHP runtime in a web or worker role that you use in your development environment. This process makes it easier to ensure that the application behavior stays the same in your production environment.

+1. Create an Azure Service project and add a PHP web role as described previously in this article.

+3. (OPTIONAL) If your PHP runtime uses the [Microsoft Drivers for PHP for SQL Server][sqlsrv drivers], you need to configure your web role to install [SQL Server Native Client 2012][sql native client] when it provisions. To do so, add the [sqlncli.msi x64 installer] to the `bin` folder in your web role's root directory. The startup script described in the next step will silently run the installer when the role is provisioned. If your PHP runtime doesn't use the Microsoft Drivers for PHP for SQL Server, you can remove the following line from the script shown in the next step:

+4. Define a startup task that configures [Internet Information Services (IIS)][iis.net] to use your PHP runtime to handle requests for `.php` pages. To do so, open the `setup_web.cmd` file (in the `bin` file of your web role's root directory) in a text editor and replace its contents with the following script:

+5. Add your application files to your web role's root directory, which becomes the web server's root directory.

+6. Publish your application as described in the [Publish your application section](#publish-your-application).

+> The `download.ps1` script (in the `bin` folder of the web role's root directory) can be deleted after you follow the preceding steps for using your own PHP runtime.

+1. Create an Azure Service project and add a PHP worker role as described previously in this article.

+3. (OPTIONAL) If your PHP runtime uses [Microsoft Drivers for PHP for SQL Server][sqlsrv drivers], you need to configure your worker role to install [SQL Server Native Client 2012][sql native client] when it provisions. To do so, add the [sqlncli.msi x64 installer] to the worker role's root directory. The startup script described in the next step will silently run the installer when the role is provisioned. If your PHP runtime doesn't use the Microsoft Drivers for PHP for SQL Server, you can remove the following line from the script shown in the next step:

+4. Define a startup task that adds your `php.exe` executable to the worker role's PATH environment variable when the role is provisioned. To do so, open the `setup_worker.cmd` file (in the worker role's root directory) in a text editor and replace its contents with the following script:

+6. Publish your application as described in the [Publish your application section](#publish-your-application).

+The Azure emulators provide a local environment in which you can test your Azure application before you deploy it to the cloud. There are some differences between the emulators and the Azure environment. To understand these differences better, see [Use the Azure Storage Emulator for development and testing](../storage/common/storage-use-emulator.md).

+You must have PHP installed locally to use the compute emulator. The compute emulator uses your local PHP installation to run your application.

+The following sample output is similar to what you should see:

+You can see your application running in the emulator by opening a web browser and browsing to the local address shown in the output (`http://127.0.0.1:81` in the example output shown earlier).

+This article explains how to quickly create a Cloud Services container using Azure PowerShell cmdlets. Use the following steps:

+* To manage the cloud service deployment, refer to the [Get-AzureService](/powershell/module/servicemanagement/azure/Get-AzureService), [Remove-AzureService](/powershell/module/servicemanagement/azure/Remove-AzureService), and [Set-AzureService](/powershell/module/servicemanagement/azure/set-azureservice) commands. For more information, see [How to configure cloud services](cloud-services-how-to-configure-portal.md).

+ Title: Use the classic deployment model (Python) - feature guide

+The Azure classic deployment model provides programmatic access to much of the service management functionality available through the [Azure portal]. You can use the Azure SDK for Python to manage your cloud services and storage accounts.

+To use the classic deployment model, you need to [create an Azure account](https://azure.microsoft.com/pricing/free-trial/).

+The Azure SDK for Python wraps the [classic deployment model][svc-mgmt-rest-api], which is a REST API. All API operations are performed over Transport Layer Security (TLS) and mutually authenticated by using X.509 v3 certificates. The management service can be accessed from within a service running in Azure. It also can be accessed directly over the Internet from any application that can send an HTTPS request and receive an HTTPS response.

+# Linux virtual machine (VM) configuration, you can use WindowsConfigurationSet

+To capture a virtual machine (VM) image, you first call the **capture\_vm\_image** method.

+Now that you learned the basics of service management, you can access the [Complete API reference documentation for the Azure Python SDK](https://azure-sdk-for-python.readthedocs.org/) and perform complex tasks easily to manage your Python application.

+* [Azure SDK Tools for Visual Studio (VS) 2013][Azure SDK Tools for VS 2013] or

+Azure provides three compute models for running applications: [Web Apps feature in Azure App Service][execution model-web sites], [Azure Virtual Machines][execution model-vms], and [Azure Cloud Services][execution model-cloud services]. All three models support Python. Cloud Services, which include web and worker roles, provide *Platform as a Service (PaaS)*. Within a cloud service, a web role provides a dedicated Internet Information Services (IIS) web server to host front end web applications. A worker role can run asynchronous, long-running, or perpetual tasks independent of user interaction or input.

+You can add web or worker roles to an existing cloud service at any time. You can choose to add existing projects in your solution, or create new ones.

+Your cloud service can contain roles implemented in different languages. For example, you can have a Python web role implemented using Django, with Python, or with C# worker roles. You can easily communicate between your roles using Service Bus queues or storage queues.

+The main problem with the setup scripts is that they don't install Python. First, define two [startup tasks](cloud-services-startup-tasks.md) in the [ServiceDefinition.csdef](cloud-services-model-and-package.md#servicedefinitioncsdef) file. The first task (**PrepPython.ps1**) downloads and installs the Python runtime. The second task (**PipInstaller.ps1**) runs pip to install any dependencies you may have.

+The **bin\LaunchWorker.ps1** was originally created to do a lot of prep work, but it doesn't really work. Replace the contents in that file with the following script.

+The Visual Studio templates probably created a **ps.cmd** file in the **./bin** folder. This shell script calls out the preceding PowerShell wrapper scripts and provides logging based on the name of the PowerShell wrapper called. If this file wasn't created, the following script would be in it:

+Although PTVS supports launching in the emulator, debugging (for example, breakpoints) doesn't work.

+To debug your web and worker roles, you can set the role project as the startup project and debug that instead. You can also set multiple startup projects. Right-click the solution and then select **Set StartUp Projects**.

+When you finish configuring settings, choose **Publish**.

+Some progress appears in the output window, then you see the Microsoft Azure Activity Log window.

+ConnectCallResult response = await client.ConnectCallAsync(serverCallLocator, callbackUri);

+ConnectCallResult response = await client.ConnectCallAsync(roomCallLocator, callbackUri);

+### Dapr location

+## Call a container app by name

+You can call a container app by doing by sending a request to `http://<CONTAINER_APP_NAME>` from another app in the environment.

+- Don't explicitly deny the Azure DNS address `168.63.129.16` in the outgoing NSG rules, or your Container Apps environment won't be able to function.

+> [!NOTE]

+> You must enroll in the [Azure Cosmos DB NoSQL Vector Index preview feature](nosql/vector-search.md#enroll-in-the-vector-search-preview-feature) to specify a vector indexing policy.>

+>[!IMPORTANT]

+> The vector path added to the "excludedPaths" section of the indexing policy to ensure optimized performance for insertion. Not adding the vector path to "excludedPaths" will result in higher RU charge and latency for vector insertions.

+ Collection<Embedding> collection = new Collection<Embedding>(embeddings);

+ ContainerProperties properties = new ContainerProperties(id: "vector-container", partitionKeyPath: "/id")

+ {

+ VectorEmbeddingPolicy = new(collection),

+ IndexingPolicy = new IndexingPolicy()

+ {

+ VectorIndexes = new()

+ {

+ new VectorIndexPath()

+ {

+ Path = "/vector",

+ Type = VectorIndexType.QuantizedFlat,

+ }

+ }

+ },

+ };

+ properties.IndexingPolicy.IncludedPaths.Add(new IncludedPath { Path = "/*" });

+ properties.IndexingPolicy.ExcludedPaths.Add(new ExcludedPath { Path = "/vector/*" });

+>[!IMPORTANT]

+> The vector path added to the "excludedPaths" section of the indexing policy to ensure optimized performance for insertion. Not adding the vector path to "excludedPaths" will result in higher RU charge and latency for vector insertions.

+ExcludedPath excludedPath1 = new ExcludedPath("/coverImageVector/*");

+ExcludedPath excludedPath2 = new ExcludedPath("/contentVector/*");

+indexingPolicy.setExcludedPaths(ImmutableList.of(excludedPath1, excludedPath2));

+IncludedPath includedPath1 = new IncludedPath("/*");

+indexingPolicy.setIncludedPaths(Collections.singletonList(includedPath1));

+>[!IMPORTANT]

+> The vector path added to the "excludedPaths" section of the indexing policy to ensure optimized performance for insertion. Not adding the vector path to "excludedPaths" will result in higher RU charge and latency for vector insertions.

+> A vector indexing policy must be on the same path defined in the container's vector policy. [Learn more about container vector policies](vector-search.md#container-vector-policies).)

+ },

+ {

+ "path": "/vector/*"

+>[!IMPORTANT]

+> The vector path added to the "excludedPaths" section of the indexing policy to ensure optimized performance for insertion. Not adding the vector path to "excludedPaths" will result in higher RU charge and latency for vector insertions.

+ ]

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "path": "/\"_etag\"/?",

+ "path": "/coverImageVector/*",

+ "path": "/contentVector/*"

+

+>[!IMPORTANT]

+> The vector path added to the "excludedPaths" section of the indexing policy to ensure optimized performance for insertion. Not adding the vector path to "excludedPaths" will result in higher RU charge and latency for vector insertions.

+- [Python - Notebook tutorial](https://github.com/microsoft/AzureDataRetrievalAugmentedGenerationSamples)

+- [C# - Build Your Own Copilot Complete Solution Accelerator with AKS and Semantic Kernel](https://aka.ms/cdbcopilot)

+- [C# - Build Your Own Copilot Sample App and Hands-on-Lab](https://github.com/AzureCosmosDB/cosmosdb-nosql-copilot)

+- [Python - Movie Chatbot](https://github.com/AzureCosmosDB/Fabric-Conf-2024-Build-AI-Apps/tree/main/AzureCosmosDBforNoSQL)

+### Azure Cosmos DB for MongoDB

+- [Build Your Own Copilot for Azure Cosmos DB for MongoDB in C# with Semantic Kernel](https://github.com/AzureCosmosDB/cosmosdb-mongo-copilot)

+- [Python Notebook - Vector database integration through LangChain tutorial](https://python.langchain.com/docs/integrations/vectorstores/azure_cosmos_db)

+- [Python Notebook - LLM Caching integration through LangChain tutorial](https://python.langchain.com/docs/integrations/llms/llm_caching#azure-cosmos-db-semantic-cache)

+- [Python Notebook - Movie Chatbot](https://github.com/AzureCosmosDB/Fabric-Conf-2024-Build-AI-Apps/tree/main/AzureCosmosDBforMongoDB)

+* To change the management group for a subscription, see [Move subscriptions](../../governance/management-groups/manage.md#move-management-groups-and-subscriptions).

+* To change the management group for a subscription, see [Move subscriptions](../../governance/management-groups/manage.md#move-management-groups-and-subscriptions).

+* To change the management group for a subscription, see [Move subscriptions](../../governance/management-groups/manage.md#move-management-groups-and-subscriptions).

+If you need to access data stores that have been configured to use only the strongest cryptography/most secure network protocol (TLS 1.2), including your Azure Blob Storage for staging, you must enable only TLS 1.2 and disable older SSL/TLS versions at the same time on your self-hosted IR. To do so, you can download and run the *main.cmd* script from https://github.com/Azure/Azure-DataFactory/tree/main/SamplesV2/SQLServerIntegrationServices/publicpreview/CustomSetupScript/UserScenarios/TLS%201.2.

+| [Security recommendations to fix infrastructure as code misconfigurations](iac-vulnerabilities.md) |  |  | [Microsoft Security DevOps extension](azure-devops-extension.yml) |

+| [Security recommendations to fix code vulnerabilities](defender-for-devops-introduction.md#manage-your-devops-environments-in-defender-for-cloud)|  |

+| [Security recommendations to fix infrastructure as code misconfigurations](iac-vulnerabilities.md) |  |

+- End user ID

+ - main

+ # Windows and Linux agents are supported

+ # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)

+ - name: Run Microsoft Security DevOps

+ # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)

+ # - name: Upload alerts to Security tab

+ # uses: github/codeql-action/upload-sarif@v3

+ # with:

+ # sarif_file: ${{ steps.msdo.outputs.sarifFile }}

+ # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)

+ # - name: Upload alerts file as a workflow artifact

+ # uses: actions/upload-artifact@v3

+ # with:

+ # name: alerts

+ # path: ${{ steps.msdo.outputs.sarifFile }}

+ > [!NOTE]

+ > **For additional tool configuration options and instructions, see [the Microsoft Security DevOps wiki](https://github.com/microsoft/security-devops-action/wiki)**

+ :::image type="content" source="media/msdo-github-action/start-commit.png" alt-text="Screenshot showing you where to select start commit.":::

+

+1. Select **Commit new file**. Note that the process can take up to one minute to complete.

+ :::image type="content" source="media/msdo-github-action/commit-new.png" alt-text="Screenshot showing you how to commit a new file.":::

+ :::image type="content" source="media/msdo-github-action/verify-actions.png" alt-text="Screenshot showing you where to navigate to, to see that your new action is running." lightbox="media/msdo-github-action/verify-actions.png":::

+1. Sign in to Azure.

+1. Navigate to Defender for Cloud > DevOps Security.

+1. From the DevOps security blade, you should begin seeing the same MSDO security results developers see in their CI logs within minutes for the associated repository. Customers with GitHub Advanced Security will see the findings ingested from these tools as well.

+## Next steps

+1. To view the results of the scan, go to **Defender for Cloud** > **DevOps security** (No GHAS pre-requisite) or **Security** > **Code scanning alerts** natively in GitHub (Requires GHAS license).

+The IaC scanning tools that are included with Microsoft Security DevOps are [Template Analyzer](https://github.com/Azure/template-analyzer) ([PSRule](https://aka.ms/ps-rule-azure) is included in Template Analyzer), [Checkov](https://www.checkov.io/) and [Terrascan](https://github.com/tenable/terrascan).

+Chekov runs rules on ARM templates and templates for CloudFormation, Docker, Helm, Kubernetes, Kustomize, and Terraform. For more information, see the [Checkov rules](https://www.checkov.io/5.Policy%20Index/all.html).

+- [Checkov](https://www.checkov.io/)

+## Connect your GitHub environment

+To connect your GitHub environment to Microsoft Defender for Cloud:

+1. Select the organizations to install the Defender for Cloud GitHub application. It's recommended to grant access to **all repositories** to ensure Defender for Cloud can secure your entire GitHub environment.

+ This step grants Defender for Cloud access to organizations that you wish to onboard.

+

+1. All organizations with the Defender for Cloud GitHub application installed will be onboarded to Defender for Cloud. To change the behavior going forward, select one of the following:

+ - Select **all existing organizations** to automatically discover all repositories in GitHub organizations where the DevOps security GitHub application is installed.

+

+ - Select **all existing and future organizations** to automatically discover all repositories in GitHub organizations where the DevOps security GitHub application is installed and future organizations where the DevOps security GitHub application is installed.

+ > [!NOTE]

+ > Organizations can be removed from your connector after the connector creation is complete. See the [editing your DevOps connector](edit-devops-connector.md) page for more information.

+

+### [(Preview) Azure DevOps projects should have creation of classic pipelines disabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/9f4a17ee-7a02-4978-b968-8c36b74ac8e3)

+**Description**: Disabling the creation of classic build and release pipelines prevents a security concern that stems from YAML and classic pipelines sharing the same resources, for example the same service connections. Potential attackers can leverage classic pipelines to create processes that evade typical defense mechanisms set up around modern YAML pipelines.

+**Severity**: High

+### [(Preview) GitHub organizations should block Copilot suggestions that match public code](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/98e858ed-6e88-4698-b538-f51b31ad57f6)

+**Description**: Enabling GitHub Copilot's filter to block code suggestions matching public code on GitHub enhances security and legal compliance. It prevents the unintentional incorporation of public or open-source code, reducing the risk of legal issues and ensuring adherence to licensing terms. Additionally, it helps avoid introducing potential vulnerabilities from public code into the organization's projects, thereby maintaining higher code quality and security. When the filter is enabled, GitHub Copilot checks code suggestions with their surrounding code of about 150 characters against public code on GitHub. If there is a match or near match, the suggestion will not be shown.

+**Severity**: High

+### [(Preview) GitHub organizations should enforce multifactor authentication for outside collaborators](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/a9621d26-9d8c-4cd6-8ad0-84501eb88f17)

+**Description**: Enforcing multifactor authentication for outside collaborators in a GitHub organization is a security measure that requires collaborators to use an additional form of identification besides their password to access the organization's repositories and resources. This enhances security by protecting against unauthorized access, even if a password is compromised, and helps ensure compliance with industry standards. It involves informing collaborators about the requirement and providing support for the transition, ultimately reducing the risk of data breaches.

+**Severity**: High

+### [(Preview) GitHub repositories should require minimum two-reviewer approval for code pushes](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/20be7df7-9ebb-4fb4-95a9-3ae19b78b80a)

+**Description**: To prevent unintended or malicious changes from being directly committed, it's important to implement protection policies for the default branch in GitHub repositories. We recommend requiring at least two code reviewers to approve pull requests before the code is merged with the default branch. By requiring approval from a minimum number of two reviewers, you can reduce the risk of unauthorized modifications, which could lead to system instability or security vulnerabilities.

+**Severity**: High

+- [Review security recommendations](review-security-recommendations.md)

+Network planning should include an estimate of the number of IP addresses you'll need, and their distribution across VNETs. Additional free IP addresses are necessary for the Azure Network connection health check. You need 1 additional IP address per dev box, and two IP addresses for the health check and Dev Box infrastructure.

+This section covers some common connection and network issues.

+### Updating dev box definition image issues

+When you update the image used in a dev box definition, you must ensure that you have sufficient IP addresses available in your virtual network. Additional free IP addresses are necessary for the Azure Network connection health check. If the health check fails the dev box definition will not update. You need 1 additional IP address per dev box, and two IP addresses for the health check and Dev Box infrastructure.

+For more information about updating dev box definition images, see [Update a dev box definition](how-to-manage-dev-box-definitions.md#update-a-dev-box-definition).

+When you update the image used in a dev box definition, you must ensure that you have sufficient IP addresses available in your virtual network. Additional free IP addresses are necessary for the Azure Network connection health check. If the health check fails the dev box definition will not update. You need 1 additional IP address per dev box, and two IP addresses for the health check and Dev Box infrastructure.

+ Title: Monitoring data reference for Azure Event Hubs

+description: This article contains important reference material you need when you monitor Azure Event Hubs by using Azure Monitor.

+# Azure Event Hubs monitoring data reference

+See [Monitor Azure Event Hubs](monitor-event-hubs.md) for details on the data you can collect for Event Hubs and how to use it.

+Azure Event Hubs creates monitoring data using [Azure Monitor](../azure-monitor/overview.md), which is a full stack monitoring service in Azure. Azure Monitor provides a complete set of features to monitor your Azure resources. It can also monitor resources in other clouds and on-premises.

+Azure Event Hubs collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data).

+### Supported metrics for Microsoft.EventHub/clusters

+The following table lists the metrics available for the Microsoft.EventHub/clusters resource type.

+### Supported metrics for Microsoft.EventHub/Namespaces

+The following table lists the metrics available for the Microsoft.EventHub/Namespaces resource type.

+The following tables list all the automatically collected platform metrics collected for Azure Event Hubs. The resource provider for these metrics is `Microsoft.EventHub/clusters` or `Microsoft.EventHub/namespaces`.

+*Request metrics* count the number of data and management operations requests. This table provides more information about values from the preceding tables.

+| Metric name | Description |

+|:--|:|

+| Incoming Requests | The number of requests made to the Event Hubs service over a specified period. This metric includes all the data and management plane operations. |

+| Successful Requests | The number of successful requests made to the Event Hubs service over a specified period. |

+| Throttled Requests | The number of requests that were throttled because the usage was exceeded. |

+This table provides more information for message metrics from the preceding tables.

+| Metric name | Description |

+|:|:|

+| Incoming Messages | The number of events or messages sent to Event Hubs over a specified period. |

+| Outgoing Messages | The number of events or messages received from Event Hubs over a specified period. |

+| Captured Messages | The number of captured messages. |

+| Incoming Bytes | Incoming bytes for an event hub over a specified period. |

+| Outgoing Bytes | Outgoing bytes for an event hub over a specified period. |

+| Size | Size of an event hub in bytes. |

+> - These values are point-in-time values. Incoming messages that are consumed immediately after that point-in-time might not be reflected in these metrics.

+> - The Incoming Requests metric includes all the data and management plane operations. The Incoming Messages metric gives you the total number of events that are sent to the event hub. For example, if you send a batch of 100 events to an event hub, it counts as 1 incoming request and 100 incoming messages.

+This table provides more information for capture metrics from the preceding tables.

+| Metric name | Description |

+|:|:|

+| Captured Messages | The number of captured messages. |

+| Captured Bytes | Captured bytes for an event hub. |

+| Capture Backlog | Capture backlog for an event hub. |

+This table provides more information for connection metrics from the preceding tables.

+| Metric name | Description |

+|:|:|

+| Active Connections | The number of active connections on a namespace and on an entity (event hub) in the namespace. Value for this metric is a point-in-time value. Connections that were active immediately after that point-in-time might not be reflected in the metric. |

+| Connections Opened | The number of open connections. |

+| Connections Closed | The number of closed connections. |

+This table provides more information for error metrics from the preceding tables.

+| Metric name | Description |

+|:|:|

+| Server Errors | The number of requests not processed because of an error in the Event Hubs service over a specified period. |

+| User Errors | The number of requests not processed because of user errors over a specified period. |

+| Quota Exceeded Errors | The number of errors caused by exceeding quotas over a specified period. |

+The following two types of errors are classified as *user errors*:

+> [!NOTE]

+> Logic Apps creates epoch receivers. Receivers can be moved from one node to another depending on the service load. During those moves, `ReceiverDisconnection` exceptions might occur. They are counted as user errors on the Event Hubs service side. Logic Apps can collect failures from Event Hubs clients so that you can view them in user logs.

+| Dimension name | Description |

+|:-|:|

+| EntityName | Name of the event hub. With the 'Incoming Requests' metric, the Entity Name dimension has a value of `-NamespaceOnlyMetric-` in addition to all your event hubs. It represents the requests that were made at the namespace level. Examples include a request to list all event hubs in the namespace or requests to entities that failed authentication or authorization. |

+| OperationResult | Either indicates `success` or the appropriate error state, such as `serverbusy`, `clienterror` or `quotaexceeded`. |

+Adding dimensions to your metrics is optional. If you don't add dimensions, metrics are specified at the namespace level.

+> When you enable metrics in a diagnostic setting, dimension information isn't currently included as part of the information sent to a storage account, event hub, or log analytics.

+### Supported resource logs for Microsoft.EventHub/Namespaces

+### Event Hubs Microsoft.EventHub/namespaces

+- [AzureActivity](/azure/azure-monitor/reference/tables/azureactivity#columns)

+- [AzureMetrics](/azure/azure-monitor/reference/tables/azuremetrics#columns)

+- [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics#columns)

+- [AZMSApplicationMetricLogs](/azure/azure-monitor/reference/tables/azmsapplicationmetriclogs#columns)

+- [AZMSOperationalLogs](/azure/azure-monitor/reference/tables/azmsoperationallogs#columns)

+- [AZMSRunTimeAuditLogs](/azure/azure-monitor/reference/tables/azmsruntimeauditlogs#columns)

+- [AZMSDiagnosticErrorLogs](/azure/azure-monitor/reference/tables/azmsdiagnosticerrorlogs#columns)

+- [AZMSVnetConnectionEvents](/azure/azure-monitor/reference/tables/azmsvnetconnectionevents#columns)

+- [AZMSArchiveLogs](/azure/azure-monitor/reference/tables/azmsarchivelogs#columns)

+- [AZMSAutoscaleLogs](/azure/azure-monitor/reference/tables/azmsautoscalelogs#columns)

+- [AZMSKafkaCoordinatorLogs](/azure/azure-monitor/reference/tables/azmskafkacoordinatorlogs#columns)

+- [AZMSKafkaUserErrorLogs](/azure/azure-monitor/reference/tables/azmskafkausererrorlogs#columns)

+- [AZMSCustomerManagedKeyUserLogs](/azure/azure-monitor/reference/tables/azmscustomermanagedkeyuserlogs#columns)

+### Event Hubs resource logs

+Azure Event Hubs now has the capability to dispatch logs to either of two destination tables: Azure Diagnostic or [Resource specific tables](~/articles/azure-monitor/essentials/resource-logs.md) in Log Analytics. You could use the toggle available on Azure portal to choose destination tables.

+Azure Event Hubs uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#event-hubs).

+You can view our sample queries to get started with different log categories.

+> [!IMPORTANT]

+> Dimensions aren't exported to a Log Analytics workspace.

+### Runtime audit logs

+Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.

+> [!NOTE]

+|:- |:-|:--|:--|

+| `TimeGenerated [UTC]`|Time of executed operation (in UTC) | No | Yes |

+| `AuthType` | Type of authentication (Microsoft Entra ID or SAS Policy). | Yes | Yes |

+| `AuthKey` | Microsoft Entra ID application ID or SAS policy name that's used to authenticate to a resource. | Yes | Yes |

+| `Category` | Log category | Yes | No |

+| `Provider`|Name of Service emitting the logs, such as EventHubs | No | Yes |

+AzureDiagnostics:

+### Application metrics logs

+Application metrics logs capture the aggregated information on certain metrics related to data plane operations. The captured information includes the following runtime metrics.

+> [!NOTE]

+> Application metrics logs are available only in **premium** and **dedicated** tiers.

+|:-|:- |

+### Diagnostic Error Logs

+Diagnostic error logs capture error messages for any client side, throttling, and Quota exceeded errors. They provide detailed diagnostics for error identification.

+Diagnostic Error Logs include elements listed in following table:

+|:|:|:|:|

+- [Microsoft.EventHub resource provider operations](/azure/role-based-access-control/permissions/integration#microsofteventhub)

+## Related content

+- See [Monitor Azure Event Hubs](monitor-event-hubs.md) for a description of monitoring Event Hubs.

+- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

+ Title: Monitor Azure Event Hubs

+Azure Monitor documentation describes the following concepts:

+The following sections describe the specific data gathered for Azure Event Hubs. These sections also provide examples for configuring data collection and analyzing this data with Azure tools.

+For more information about the resource types for Event Hubs, see [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md).

+- Azure Storage

+ If you use Azure Storage to store the diagnostic logging information, the information is stored in containers named *insights-logs-operationlogs* and *insights-metrics-pt1m*. Sample URL for an operation log: `https://<Azure Storage account>.blob.core.windows.net/insights-logs-operationallogs/resourceId=/SUBSCRIPTIONS/<Azure subscription ID>/RESOURCEGROUPS/<Resource group name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Namespace name>/y=<YEAR>/m=<MONTH-NUMBER>/d=<DAY-NUMBER>/h=<HOUR>/m=<MINUTE>/PT1H.json`. The URL for a metric log is similar.

+- Azure Event Hubs

+ If you use Azure Event Hubs to store the diagnostic logging information, the information is stored in Event Hubs instances named *insights-logs-operationlogs* and *insights-metrics-pt1m*. You can also select an existing event hub except for the event hub for which you're configuring diagnostic settings.

+- Log Analytics

+ If you use Log Analytics to store the diagnostic logging information, the information is stored in tables named *AzureDiagnostics / AzureMetrics* or resource specific tables.

+> Enabling these settings requires additional Azure

+Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Event Hubs are listed in [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md#resource-logs).

+> [!NOTE]

+> Azure Monitor doesn't include dimensions in the exported metrics data that's sent to a destination like Azure Storage, Azure Event Hubs, and Log Analytics.

+For a list of available metrics for Event Hubs, see [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md#metrics).

+### Analyze metrics

+For the available resource log categories, their associated Log Analytics tables, and the log schemas for Event Hubs, see [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md#resource-logs).

+### Analyze logs

+Using Azure Monitor Log Analytics requires you to create a diagnostic configuration and enable **Send information to Log Analytics**. For more information, see the [Metrics](#azure-monitor-platform-metrics) section. Data in Azure Monitor Logs is stored in tables, with each table having its own set of unique properties. Azure Event Hubs has the capability to dispatch logs to either of two destination tables: Azure Diagnostic or Resource specific tables in Log Analytics. For a detailed reference of the logs and metrics, see [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md).

+### Use runtime logs

+Azure Event Hubs allows you to monitor and audit data plane interactions of your client applications using runtime audit logs and application metrics logs.

+Using *Runtime audit logs* you can capture aggregated diagnostic information for all data plane access operations such as publishing or consuming events. *Application metrics logs* capture the aggregated data on certain runtime metrics (such as consumer lag and active connections) related to client applications are connected to Event Hubs.

+> [!NOTE]

+> Runtime audit logs are available only in **premium** and **dedicated** tiers.

+### Enable runtime logs

+You can enable either runtime audit or application metrics logging by selecting *Diagnostic settings* from the *Monitoring* section on the Event Hubs namespace page in Azure portal. Select **Add diagnostic setting** as shown in the following image.

+Then you can enable log categories *RuntimeAuditLogs* or *ApplicationMetricsLogs* as needed.

+Once runtime logs are enabled, Event Hubs start collecting and storing them according to the diagnostic setting configuration.

+### Publish and consume sample data

+To collect sample runtime audit logs in your Event Hubs namespace, you can publish and consume sample data using client applications that are based on the [Event Hubs SDK](../event-hubs/event-hubs-dotnet-standard-getstarted-send.md). That SDK uses Advanced Message Queuing Protocol (AMQP). Or you can use any [Apache Kafka client application](../event-hubs/event-hubs-quickstart-kafka-enabled-event-hubs.md).

+Application metrics include the following runtime metrics.

+Therefore you can use application metrics to monitor runtime metrics such as consumer lag or active connection from a given client application. Fields associated with runtime audit logs are defined in [application metrics logs reference](../event-hubs/monitor-event-hubs-reference.md#runtime-audit-logs).

+### Sample Kusto queries

+Following are sample queries that you can use to help you monitor your Azure Event Hubs resources:

+### [AzureDiagnostics](#tab/AzureDiagnostics)

+- Get errors from the past seven days.

+ ```Kusto

+ AzureDiagnostics

+ | where TimeGenerated > ago(7d)

+ | where ResourceProvider =="MICROSOFT.EVENTHUB"

+ | where Category == "OperationalLogs"

+ | summarize count() by "EventName"

+- Get runtime audit logs generated in the last one hour.

+ ```Kusto

+ AzureDiagnostics

+ | where TimeGenerated > ago(1h)

+ | where ResourceProvider =="MICROSOFT.EVENTHUB"

+ | where Category == "RuntimeAuditLogs"

+ ```

+- Get access attempts to a key vault that resulted in "key not found" error.

+ ```Kusto

+ AzureDiagnostics

+ | where ResourceProvider == "MICROSOFT.EVENTHUB"

+ | where Category == "Error" and OperationName == "wrapkey"

+ | project Message

+ ```

+- Get operations performed with a key vault to disable or restore the key.

+ ```Kusto

+ AzureDiagnostics

+ | where ResourceProvider == "MICROSOFT.EVENTHUB"

+ | where Category == "info" and OperationName == "disable" or OperationName == "restore"

+ | project Message

+ ```

+- Get capture failures and their duration in seconds.

+ ```kusto

+ AzureDiagnostics

+ | where ResourceProvider == "MICROSOFT.EVENTHUB"

+ | where Category == "ArchiveLogs"

+ | summarize count() by "failures", "durationInSeconds"

+ ```

+### [Resource Specific Table](#tab/Resourcespecifictable)

+- Get Operational Logs for event hub resource for last seven days.

+ ```Kusto

+ AZMSOperationalLogs

+ | where Timegenerated > ago(7d)

+ | where Provider == "EVENTHUB"

+ | where resourceId == "<Resource Id>" // Replace your resource Id

+ ```

+- Get capture logs for event hub for last seven days.

+ ```Kusto

+ AZMSArchiveLogs

+ | where EventhubName == "<Event Hub Name>" //Enter event hub entity name

+ | where TimeGenerated > ago(7d)

+ ```

+You can analyze the collected runtime audit logs using the following sample query.

+Up on the execution of the query you should be able to obtain corresponding audit logs in the following format.

+By analyzing these logs, you should be able to audit how each client application interacts with Event Hubs. Each field associated with runtime audit logs is defined in [runtime audit logs reference](../event-hubs/monitor-event-hubs-reference.md#runtime-audit-logs).

+### Analyze application metrics

+You can analyze the collected application metrics logs using the following sample query.

+### Event Hubs alert rules

+The following table lists some suggested alert rules for Event Hubs. These alerts are just examples. You can set alerts for any metric, log entry, or activity log entry listed in the [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md).

+| Alert type | Condition | Description |

+|:|:|:|

+| Metric | CPU | When CPU utilization exceeds a set value. |

+| Metric | Available Memory | When Available Memory drops below a set value. |

+| Metric | Capture Backlog | When Capture Backlog is above a certain value. |

+## Related content

+- See [Azure Event Hubs monitoring data reference](monitor-event-hubs-reference.md) for a reference of the metrics, logs, and other important values created for Event Hubs.

+- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for general details on monitoring Azure resources.

+ 1. For **SAS key name**, select the SAS policy that can be used as a security context for this application group. You can select **Add SAS Policy** to add a new policy and then associate with the application group.

+Azure Event Hubs supports [Application Metric Logs](monitor-event-hubs-reference.md#application-metrics-logs) functionality to observe usual throughput within your system and accordingly decide on the threshold value for application group. You can follow these steps to decide on a threshold value:

+1. Turn on [diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md) in Event Hubs with **Application Metric logs** as selected category and choose **Log Analytics** as destination.

+Due to restrictions at protocol level, throttled request logs are not generated for consumer operations within event hub ( `OutgoingMessages` or `OutgoingBytes`). When requests are throttled at consumer side, you would observe sluggish egress throughput.

+[Setup monitoring](monitor-expressroute-reference.md#supported-metrics-for-microsoftnetworkexpressroutegateways) using Azure Monitor for ExpressRoute Gateway availability, performance, and scalability. When you deploy an ExpressRoute gateway, Azure manages the compute and functions of your gateway. There are multiple [gateway metrics](expressroute-monitoring-metrics-alerts.md#expressroute-virtual-network-gateway-metrics) available to you to better understand the performance of your gateway.

+These scenarios are Generally Available for limited scenarios with connections associated to 10 Gbps and 100 Gbps ExpressRoute Direct circuits. To enable, follow the below guidance:

+ Title: Monitoring data reference for Azure ExpressRoute

+description: This article contains important reference material you need when you monitor Azure ExpressRoute by using Azure Monitor.

+# Azure ExpressRoute monitoring data reference

+See [Monitor Azure ExpressRoute](monitor-expressroute.md) for details on the data you can collect for ExpressRoute and how to use it.

+>[!NOTE]

+> Using *GlobalGlobalReachBitsInPerSecond* and *GlobalGlobalReachBitsOutPerSecond* are only visible if at least one Global Reach connection is established.

+>

+### Supported metrics for Microsoft.Network/expressRouteCircuits

+The following table lists the metrics available for the Microsoft.Network/expressRouteCircuits resource type.

+### Supported metrics for Microsoft.Network/expressRouteCircuits/peerings

+The following table lists the metrics available for the Microsoft.Network/expressRouteCircuits/peerings resource type.

+### Supported metrics for microsoft.network/expressroutegateways

+The following table lists the metrics available for the microsoft.network/expressroutegateways resource type.

+### Supported metrics for Microsoft.Network/expressRoutePorts

+The following table lists the metrics available for the Microsoft.Network/expressRoutePorts resource type.

+### Metrics information

+Follow links in these lists for more information about metrics from the preceding tables.

+ExpressRoute circuits metrics:

+- [ARP Availability](#arp)

+- [BGP Availability](#bgp)

+- [BitsInPerSecond](#circuitbandwidth)

+- [BitsOutPerSecond](#circuitbandwidth)

+- DroppedInBitsPerSecond

+- DroppedOutBitsPerSecond

+- GlobalReachBitsInPerSecond

+- GlobalReachBitsOutPerSecond

+- [FastPathRoutesCount](#fastpath-routes-count-at-circuit-level)

+> [!NOTE]

+ExpressRoute gateways metrics:

+- [Bits received per second](#gwbits)

+- [CPU utilization](#cpu)

+- [Packets per second](#packets)

+- [Count of routes advertised to peer](#advertisedroutes)

+- [Count of routes learned from peer](#learnedroutes)

+- [Frequency of routes changed](#frequency)

+- [Number of VMs in virtual network](#vm)

+- [Active flows](#activeflows)

+- [Max flows created per second](#maxflows)

+ExpressRoute gateway connections metrics:

+- [BitsInPerSecond](#connectionbandwidth)

+- [BitsOutPerSecond](#connectionbandwidth)

+ExpressRoute Direct metrics:

+- [BitsInPerSecond](#directin)

+- [BitsOutPerSecond](#directout)

+- DroppedInBitsPerSecond

+- DroppedOutBitsPerSecond

+- [AdminState](#admin)

+- [LineProtocol](#line)

+- [RxLightLevel](#rxlight)

+- [TxLightLevel](#txlight)

+- [FastPathRoutesCount](#fastpath-routes-count-at-port-level)

+ExpressRoute Traffic Collector metrics:

+- [CPU utilization](#cpu-utilizationsplit-by-instance-1)

+- [Memory Utilization](#memory-utilizationsplit-by-instance)

+- [Count of flow records processed](#count-of-flow-records-processedsplit-by-instances-or-expressroute-circuit)

+### Circuits metrics

+#### <a name = "arp"></a>ARP Availability - Split by Peering

+Aggregation type: *Avg*

+You can view near to real-time availability of [ARP](./expressroute-troubleshooting-arp-resource-manager.md) (Layer-2 connectivity) across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Private Peering ARP session status is up across both peers, but down for Microsoft peering for both peers. The default aggregation (Average) was utilized across both peers.

+#### <a name = "bgp"></a>BGP Availability - Split by Peer

+Aggregation type: *Avg*

+You can view near to real-time availability of BGP (Layer-3 connectivity) across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Primary BGP session status is up for private peering and the Second BGP session status is down for private peering.

+>[!NOTE]

+>During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your [maintenance alerts turned on and configured](./maintenance-alerts.md).

+>

+#### <a name = "circuitbandwidth"></a>Bits In and Out - Metrics across all peerings

+Aggregation type: *Avg*

+You can view metrics across all peerings on a given ExpressRoute circuit.

+#### Bits In and Out - Metrics per peering

+Aggregation type: *Avg*

+You can view metrics for private, public, and Microsoft peering in bits/second.

+#### FastPath routes count (at circuit level)

+Aggregation type: *Max*

+This metric shows the number of FastPath routes configured on a circuit. Set an alert for when the number of FastPath routes on a circuit goes beyond the threshold limit. For more information, see [ExpressRoute FastPath limits](about-fastpath.md#ip-address-limits).

+### Virtual network gateway metrics

+Aggregation type: *Avg*

+When you deploy an ExpressRoute gateway, Azure manages the compute and functions of your gateway. There are six gateway metrics available to you to better understand the performance of your gateway:

+- Bits received per second

+- CPU Utilization

+- Packets per seconds

+- Count of routes advertised to peers

+- Count of routes learned from peers

+- Frequency of routes changed

+- Number of VMs in the virtual network

+- Active flows

+- Max flows created per second

+We highly recommended you set alerts for each of these metrics so that you're aware of when your gateway could be seeing performance issues.

+#### <a name = "gwbits"></a>Bits received per second - Split by instance

+Aggregation type: *Avg*

+This metric captures inbound bandwidth utilization on the ExpressRoute virtual network gateway instances. Set an alert for how frequent the bandwidth utilization exceeds a certain threshold. If you need more bandwidth, increase the size of the ExpressRoute virtual network gateway.

+#### <a name = "cpu"></a>CPU Utilization - Split by instance

+Aggregation type: *Avg*

+You can view the CPU utilization of each gateway instance. The CPU utilization might spike briefly during routine host maintenance but prolong high CPU utilization could indicate your gateway is reaching a performance bottleneck. Increasing the size of the ExpressRoute gateway might resolve this issue. Set an alert for how frequent the CPU utilization exceeds a certain threshold.

+#### <a name = "packets"></a>Packets Per Second - Split by instance

+Aggregation type: *Avg*

+This metric captures the number of inbound packets traversing the ExpressRoute gateway. You should expect to see a consistent stream of data here if your gateway is receiving traffic from your on-premises network. Set an alert for when the number of packets per second drops below a threshold indicating that your gateway is no longer receiving traffic.

+#### <a name = "advertisedroutes"></a>Count of Routes Advertised to Peer - Split by instance

+Aggregation type: *Max*

+This metric shows the number of routes the ExpressRoute gateway is advertising to the circuit. The address spaces might include virtual networks that are connected using virtual network peering and uses remote ExpressRoute gateway. You should expect the number of routes to remain consistent unless there are frequent changes to the virtual network address spaces. Set an alert for when the number of advertised routes drop below the threshold for the number of virtual network address spaces you're aware of.

+#### <a name = "learnedroutes"></a>Count of routes learned from peer - Split by instance

+Aggregation type: *Max*

+This metric shows the number of routes the ExpressRoute gateway is learning from peers connected to the ExpressRoute circuit. These routes can be either from another virtual network connected to the same circuit or learned from on-premises. Set an alert for when the number of learned routes drop below a certain threshold. This metric can indicate either the gateway is seeing a performance problem or remote peers are no longer advertising routes to the ExpressRoute circuit.

+#### <a name = "frequency"></a>Frequency of routes change - Split by instance

+Aggregation type: *Sum*

+This metric shows the frequency of routes being learned from or advertised to remote peers. You should first investigate your on-premises devices to understand why the network is changing so frequently. A high frequency in routes change could indicate a performance problem on the ExpressRoute gateway where scaling the gateway SKU up might resolve the problem. Set an alert for a frequency threshold to be aware of when your ExpressRoute gateway is seeing abnormal route changes.

+#### <a name = "vm"></a>Number of VMs in the virtual network

+Aggregation type: *Max*

+This metric shows the number of virtual machines that are using the ExpressRoute gateway. The number of virtual machines might include VMs from peered virtual networks that use the same ExpressRoute gateway. Set an alert for this metric if the number of VMs goes above a certain threshold that could affect the gateway performance.

+>[!NOTE]

+> To maintain reliability of the service, Microsoft often performs platform or OS maintenance on the gateway service. During this time, this metric may fluctuate and report inaccurately.

+>

+#### <a name = "activeflows"></a>Active flows

+Aggregation type: *Avg*

+Split by: Gateway Instance

+This metric displays a count of the total number of active flows on the ExpressRoute Gateway. Only inbound traffic from on-premises is captured for active flows. Through split at instance level, you can see active flow count per gateway instance. For more information, see [understand network flow limits](../virtual-network/virtual-machine-network-throughput.md#network-flow-limits).

+#### <a name = "maxflows"></a>Max flows created per second

+Aggregation type: *Max*

+Split by: Gateway Instance and Direction (Inbound/Outbound)

+This metric displays the maximum number of flows created per second on the ExpressRoute Gateway. Through split at instance level and direction, you can see max flow creation rate per gateway instance and inbound/outbound direction respectively. For more information, see [understand network flow limits](../virtual-network/virtual-machine-network-throughput.md#network-flow-limits).

+### <a name = "connectionbandwidth"></a>Gateway connections in bits/seconds

+Aggregation type: *Avg*

+This metric shows the bits per second for ingress and egress to Azure through the ExpressRoute gateway. You can split this metric further to see specific connections to the ExpressRoute circuit.

+### ExpressRoute Direct metrics

+#### <a name = "directin"></a>Bits In Per Second - Split by link

+Aggregation type: *Avg*

+You can view the bits in per second across both links of the ExpressRoute Direct port pair. Monitor this dashboard to compare inbound bandwidth for both links.

+#### <a name = "directout"></a>Bits Out Per Second - Split by link

+Aggregation type: *Avg*

+You can also view the bits out per second across both links of the ExpressRoute Direct port pair. Monitor this dashboard to compare outbound bandwidth for both links.

+#### <a name = "admin"></a>Admin State - Split by link

+Aggregation type: *Avg*

+You can view the Admin state for each link of the ExpressRoute Direct port pair. The Admin state represents if the physical port is on or off. This state is required to pass traffic across the ExpressRoute Direct connection.

+#### <a name = "line"></a>Line Protocol - Split by link

+Aggregation type: *Avg*

+You can view the line protocol across each link of the ExpressRoute Direct port pair. The Line Protocol indicates if the physical link is up and running over ExpressRoute Direct. Monitor this dashboard and set alerts to know when the physical connection goes down.

+#### <a name = "rxlight"></a>Rx Light Level - Split by link

+Aggregation type: *Avg*

+You can view the Rx light level (the light level that the ExpressRoute Direct port is **receiving**) for each port. Healthy Rx light levels generally fall within a range of -10 dBm to 0 dBm. Set alerts to be notified if the Rx light level falls outside of the healthy range.

+>[!NOTE]

+> ExpressRoute Direct connectivity is hosted across different device platforms. Some ExpressRoute Direct connections will support a split view for Rx light levels by lane. However, this is not supported on all deployments.

+>

+#### <a name = "txlight"></a>Tx Light Level - Split by link

+Aggregation type: *Avg*

+You can view the Tx light level (the light level that the ExpressRoute Direct port is **transmitting**) for each port. Healthy Tx light levels generally fall within a range of -10 dBm to 0 dBm. Set alerts to be notified if the Tx light level falls outside of the healthy range.

+>[!NOTE]

+> ExpressRoute Direct connectivity is hosted across different device platforms. Some ExpressRoute Direct connections will support a split view for Tx light levels by lane. However, this is not supported on all deployments.

+#### FastPath routes count (at port level)

+Aggregation type: *Max*

+This metric shows the number of FastPath routes configured on an ExpressRoute Direct port.

+*Guidance:* Set an alert for when the number of FastPath routes on the port goes beyond the threshold limit. For more information, see [ExpressRoute FastPath limits](about-fastpath.md#ip-address-limits).

+### ExpressRoute Traffic Collector metrics

+#### CPU Utilization - Split by instance

+Aggregation type:ΓÇ»*Avg* (of percentage of total utilized CPU)

+*Granularity: 5 min*

+You can view the CPU utilization of each ExpressRoute Traffic Collector instance. The CPU utilization might spike briefly during routine host maintenance, but prolonged high CPU utilization could indicate your ExpressRoute Traffic Collector is reaching a performance bottleneck.

+**Guidance:** Set an alert for when avg CPU utilization exceeds a certain threshold.

+#### Memory Utilization - Split by instance

+Aggregation type:ΓÇ»*Avg* (of percentage of total utilized Memory)

+*Granularity: 5 min*

+You can view the memory utilization of each ExpressRoute Traffic Collector instance. Memory utilization might spike briefly during routine host maintenance, but prolonged high memory utilization could indicate your Azure Traffic Collector is reaching a performance bottleneck.

+**Guidance:** Set an alert for when avg memory utilization exceeds a certain threshold.

+#### Count of flow records processed - Split by instances or ExpressRoute circuit

+Aggregation type: *Count*

+*Granularity: 5 min*

+You can view the count of number of flow records processed by ExpressRoute Traffic Collector, aggregated across ExpressRoute Circuits. Customer can split the metrics across each ExpressRoute Traffic Collector instance or ExpressRoute circuit when multiple circuits are associated to the ExpressRoute Traffic Collector. Monitoring this metric helps you understand if you need to deploy more ExpressRoute Traffic Collector instances or migrate ExpressRoute circuit association from one ExpressRoute Traffic Collector deployment to another.

+**Guidance:** Splitting by circuits is recommended when multiple ExpressRoute circuits are associated with an ExpressRoute Traffic Collector deployment. This metric helps determine the flow count of each ExpressRoute circuit and ExpressRoute Traffic Collector utilization by each ExpressRoute circuit.

+Dimension for ExpressRoute circuit:

+|:|:|

+| PeeringType | The type of peering configured. The supported values are Microsoft and Private peering. |

+| Peering | The supported values are Primary and Secondary. |

+| DeviceRole | |

+| PeeredCircuitSkey | The remote ExpressRoute circuit service key connected using Global Reach. |

+Dimension for ExpressRoute gateway:

+|:-- |:-- |

+| BgpPeerAddress | |

+| ConnectionName | |

+| direction | |

+| roleInstance | The gateway instance. Each ExpressRoute gateway is composed of multiple instances. The supported values are `GatewayTenantWork_IN_X`, where X is a minimum of 0 and a maximum of the number of gateway instances -1. |

+Dimension for Express Direct:

+|:|:|

+| Lane | |

+| Link | The physical link. Each ExpressRoute Direct port pair is composed of two physical links for redundancy, and the supported values are link1 and link2. |

+### Supported resource logs for Microsoft.Network/expressRouteCircuits

+### ExpressRoute Microsoft.Network/expressRouteCircuits

+- [AzureActivity](/azure/azure-monitor/reference/tables/AzureActivity#columns)

+- [AzureMetrics](/azure/azure-monitor/reference/tables/AzureMetrics#columns)

+- [AzureDiagnostics](/azure/azure-monitor/reference/tables/AzureDiagnostics#columns)

+- [Microsoft.Network resource provider operations](/azure/role-based-access-control/resource-provider-operations#microsoftnetwork)

+The following table lists the operations related to ExpressRoute that might be created in the Activity log.

+| All Administrative operations | All administrative operations including create, update, and delete of an ExpressRoute circuit. |

+For more information on the schema of Activity Log entries, see [Activity Log schema](../azure-monitor/essentials/activity-log-schema.md).

+When you review any metrics through Log Analytics, the output contains the following columns:

+| Column | Type | Description |

+|:-|:--|:|

+| TimeGrain | string | PT1M (metric values are pushed every minute) |

+| Count | real | Usually equal to 2 (each MSEE pushes a single metric value every minute) |

+| Minimum | real | The minimum of the two metric values pushed by the two MSEEs |

+| Maximum | real | The maximum of the two metric values pushed by the two MSEEs |

+| Average | real | Equal to (Minimum + Maximum)/2 |

+| Total | real | Sum of the two metric values from both MSEEs (the main value to focus on for the metric queried) |

+## Related content

+- See [Monitor Azure ExpressRoute](monitor-expressroute.md) for a description of monitoring ExpressRoute.

+- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

+ Title: Monitor Azure ExpressRoute

+description: Start here to learn how to monitor Azure ExpressRoute by using Azure Monitor. This article includes links to other resources.

+# Monitor Azure ExpressRoute

+For more information about the resource types for ExpressRoute, see [Azure ExpressRoute monitoring data reference](monitor-expressroute-reference.md).

+For a list of available metrics for ExpressRoute, see [Azure ExpressRoute monitoring data reference](monitor-expressroute-reference.md#metrics).

+> [!NOTE]

+> Using **Classic Metrics** is not recommended.

+>

+You can analyze metrics for *Azure ExpressRoute* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Analyze metrics with Azure Monitor metrics explorer](../azure-monitor/essentials/analyze-metrics.md) for details on using this tool.

+- To view **ExpressRoute** metrics, filter by Resource Type *ExpressRoute circuits*.

+- To view **Global Reach** metrics, filter by Resource Type *ExpressRoute circuits* and select an ExpressRoute circuit resource that has Global Reach enabled.

+- To view **ExpressRoute Direct** metrics, filter Resource Type by *ExpressRoute Ports*.

+### ExpressRoute metrics

+To view **Metrics**, go to the *Azure Monitor* page and select *Metrics*. To view **ExpressRoute** metrics, filter by Resource Type *ExpressRoute circuits*. To view **Global Reach** metrics, filter by Resource Type *ExpressRoute circuits* and select an ExpressRoute circuit resource that has Global Reach enabled. To view **ExpressRoute Direct** metrics, filter Resource Type by *ExpressRoute Ports*.

+After a metric is selected, the default aggregation is applied. Optionally, you can apply splitting, which shows the metric with different dimensions.

+> [!IMPORTANT]

+> When viewing ExpressRoute metrics in the Azure portal, select a time granularity of **5 minutes or greater** for best possible results.

+>

+> :::image type="content" source="./media/expressroute-monitoring-metrics-alerts/metric-granularity.png" alt-text="Screenshot of time granularity options.":::

+For the ExpressRoute metrics, see [Azure ExpressRoute monitoring data reference](monitor-expressroute-reference.md).

+### Aggregation Types

+Metrics explorer supports sum, maximum, minimum, average and count as [aggregation types](../azure-monitor/essentials/metrics-charts.md#aggregation). You should use the recommended Aggregation type when reviewing the insights for each ExpressRoute metric.

+- Sum: The sum of all values captured during the aggregation interval.

+- Count: The number of measurements captured during the aggregation interval.

+- Average: The average of the metric values captured during the aggregation interval.

+- Min: The smallest value captured during the aggregation interval.

+- Max: The largest value captured during the aggregation interval.

+For the available resource log categories, their associated Log Analytics tables, and the log schemas for ExpressRoute, see [Azure ExpressRoute monitoring data reference](monitor-expressroute-reference.md#resource-logs).

+### More metrics in Log Analytics

+You can also view ExpressRoute metrics by going to your ExpressRoute circuit resource and selecting the *Logs* tab. For any metrics you query, the output contains the following columns.

+| Column | Type | Description |

+|:-|:--|:|

+| TimeGrain | string | PT1M (metric values are pushed every minute) |

+| Count | real | Usually is 2 (each MSEE pushes a single metric value every minute) |

+| Minimum | real | The minimum of the two metric values pushed by the two MSEEs |

+| Maximum | real | The maximum of the two metric values pushed by the two MSEEs |

+| Average | real | Equal to (Minimum + Maximum)/2 |

+| Total | real | Sum of the two metric values from both MSEEs (the main value to focus on for the metric queried) |

+<a name="collection-and-routing"></a>

+All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema). The schema for ExpressRoute resource logs is found in the [Azure ExpressRoute Data Reference](monitor-expressroute-reference.md#schemas).

+|:|:|

+These queries work with the [new language](../azure-monitor/logs/log-query-overview.md).

+- Query for Border Gateway Protocol (BGP) route table learned over the last 12 hours.

+ ```kusto

+ AzureDiagnostics

+ | where TimeGenerated > ago(12h)

+ | where ResourceType == "EXPRESSROUTECIRCUITS"

+ | project TimeGenerated, ResourceType , network_s, path_s, OperationName

+ ```

+- Query for BGP informational messages by level, resource type, and network.

+ ```kusto

+ AzureDiagnostics

+ | where Level == "Informational"

+ | where ResourceType == "EXPRESSROUTECIRCUITS"

+ | project TimeGenerated, ResourceId , Level, ResourceType , network_s, path_s

+ ```

+- Query for Traffic graph BitInPerSeconds in the last one hour.

+ ```kusto

+ AzureMetrics

+ | where MetricName == "BitsInPerSecond"

+ | summarize by Average, bin(TimeGenerated, 1h), Resource

+ | render timechart

+ ```

+- Query for Traffic graph BitOutPerSeconds in the last one hour.

+ ```kusto

+ AzureMetrics

+ | where MetricName == "BitsOutPerSecond"

+ | summarize by Average, bin(TimeGenerated, 1h), Resource

+ | render timechart

+ ```

+- Query for graph of ArpAvailability in 5-minute intervals.

+ ```kusto

+ AzureMetrics

+ | where MetricName == "ArpAvailability"

+ | summarize by Average, bin(TimeGenerated, 5m), Resource

+ | render timechart

+ ```

+- Query for graph of BGP availability in 5-minute intervals.

+ ```kusto

+ AzureMetrics

+ | where MetricName == "BGPAvailability"

+ | summarize by Average, bin(TimeGenerated, 5m), Resource

+ | render timechart

+ ```

+> [!NOTE]

+> During maintenance between the Microsoft edge and core network, BGP availability appears down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your [maintenance alerts turned on and configured](./maintenance-alerts.md).

+### ExpressRoute alert rules

+The following table lists some suggested alert rules for ExpressRoute. These alerts are just examples. You can set alerts for any metric, log entry, or activity log entry listed in the [Azure ExpressRoute monitoring data reference](monitor-expressroute-reference.md).

+1. Select **+ Create** > **Alert rule** and select the ExpressRoute gateway connection resource. Select **Next: Condition >** to configure the signal.

+### Alerts based on each peering

+After you select a metric, certain metric allow you to set up dimensions based on peering or a specific peer (virtual networks).

+### Configure alerts for activity logs on circuits

+When selecting signals to be alerted on, you can select **Activity Log** signal type.

+## Related content

+- See [Azure ExpressRoute monitoring data reference](monitor-expressroute-reference.md) for a reference of the metrics, logs, and other important values created for ExpressRoute.

+- See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for general details on monitoring Azure resources.

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ "context"

+ "fmt"

+ "os"

+ mg "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2020-05-01/managementgroups"

+ "github.com/Azure/go-autorest/autorest/azure/auth"

+ // Get variables from command line arguments

+ var mgName = os.Args[1]

+ // Create and authorize a client

+ mgClient := mg.NewClient()

+ authorizer, err := auth.NewAuthorizerFromCLI()

+ if err == nil {

+ mgClient.Authorizer = authorizer

+ } else {

+ fmt.Printf(err.Error())

+ }

+ // Create the request

+ Request := mg.CreateManagementGroupRequest{

+ Name: &mgName,

+ }

+ // Run the query and get the results

+ var results, queryErr = mgClient.CreateOrUpdate(context.Background(), mgName, Request, "no-cache")

+ if queryErr == nil {

+ fmt.Printf("Results: " + fmt.Sprint(results) + "\n")

+ } else {

+ fmt.Printf(queryErr.Error())

+ }

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ [hierarchy protection](./how-to/protect-resource-hierarchy.md#setting-require-authorization)

+ [default management group](./how-to/protect-resource-hierarchy.md#setting-define-the-default-management-group)

+ Title: Protect your resource hierarchy - Azure Governance

+description: Learn how to help protect your resource hierarchy by using hierarchy settings that include defining the default management group.

+# Protect your resource hierarchy

+Your resources, resource groups, subscriptions, management groups, and tenant compose

+your resource hierarchy. Settings at the root management group, such as Azure custom roles or

+policy assignments, can affect every resource in your resource hierarchy. It's important to

+protect the resource hierarchy from changes that could negatively affect all resources.

+Management groups have hierarchy settings that enable the tenant administrator to control these

+Configuring hierarchy settings requires the following resource provider operations on

+These operations represent Azure role-based access control (Azure RBAC) permissions.

+They only allow a user to read and update the hierarchy settings. They don't

+provide any other access to the management group hierarchy or to resources in the hierarchy.

+Both of

+these operations are available in the Azure built-in role Hierarchy Settings Administrator.

+## Setting: Define the default management group

+By default, a new subscription that you add in a tenant becomes a member of the root management

+group. If you assign policy assignments, Azure RBAC, and other governance

+constructs to the root management group, they immediately affect these new

+management group, even though that's the desired place to assign them. In other cases, an organization wants a more

+restrictive set of controls for new subscriptions but doesn't want to assign them to all

+By allowing the default management group for new subscriptions to be defined, you can apply organization-wide

+governance constructs at the root management group. You can define a separate management group

+with policy assignments or Azure role assignments that are more suited to a new subscription.

+### Define the default management group in the portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Use the search bar to search for and select **Management groups**.

+ If the **Change default management group** button is unavailable, the cause is one of these conditions:

+ - The management group that you're viewing isn't the root management group.

+ - Your security principal doesn't have the necessary permissions to alter the hierarchy settings.

+1. Select a management group from your hierarchy, and then choose the **Select** button.

+### Define the default management group by using the REST API

+To define the default management group by using the REST API, you must call the

+[Hierarchy Settings](/rest/api/managementgroups/hierarchysettings) endpoint. Use

+group. Replace `{defaultGroupID}` with the ID of the management group that will become the default management

+group.

+- REST API URI:

+- Request body:

+`defaultManagementGroup` to a value of

+## Setting: Require authorization

+Any user, by default, can create new management groups in a tenant. Admins of a tenant might want

+to provide these permissions only to specific users, to maintain consistency and conformity in the

+management group hierarchy. To create child management groups, a user requires the

+`Microsoft.Management/managementGroups/write` operation on the root management group.

+### Require authorization in the portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Use the search bar to search for and select **Management groups**.

+1. Turn on the **Require permissions for creating new management groups** toggle.

+ If the **Require permissions for creating new management groups** toggle is unavailable, the cause is one of these conditions:

+ - The management group that you're viewing isn't the root management group.

+ - Your security principal doesn't have the necessary permissions to alter the hierarchy settings.

+### Require authorization by using the REST API

+To require authorization by using the REST API, call the

+[Hierarchy Settings](/rest/api/managementgroups/hierarchysettings) endpoint. Use

+the following REST API URI and body format. This value is a Boolean, so provide either `true` or

+`false` for the value. A value of `true` enables this method of protecting your management group

+hierarchy.

+- REST API URI:

+- Request body:

+To turn off the setting, use the same endpoint and set

+`requireAuthorizationForGroupCreation` to a value of `false`.

+## Azure PowerShell sample

+Azure PowerShell doesn't have an `Az` command to define the default management group or to require

+authorization. As a workaround, you can use the REST API with the following Azure PowerShell sample:

+## Related content

+- [Change, delete, or manage your management groups](../manage.md)

+If your organization has many subscriptions, you might need a way to efficiently manage access,

+above subscriptions. You organize subscriptions into containers called *management groups* and apply

+subscription you have. To learn more about management groups, see

+> Azure Resource Manager user tokens and management group cache last for 30 minutes before they're

+> forced to refresh. Any action like moving a management group or subscription might

+> take up to 30 minutes to appear. To see the updates sooner, you need to update your token by

+For the Azure PowerShell actions in this article, keep in mind that `AzManagementGroup`-related cmdlets mention that `-GroupId` is an alias of the `-GroupName` parameter.

+You can use either of them to provide the management group ID as a string value.

+You can change the name of the management group by using the Azure portal, Azure PowerShell, or the Azure CLI.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the management group that you want to rename.

+1. Select the **Rename Group** option at the top of the pane.

+ :::image type="content" source="./media/detail_action_small.png" alt-text="Screenshot of the action bar and the Rename Group button on the management group page." border="false":::

+1. On the **Rename Group** pane, enter the new name that you want to display.

+ :::image type="content" source="./media/rename_context.png" alt-text="Screenshot of the options to rename a management group." border="false":::

+### Change the name in Azure PowerShell

+To update the display name, use `Update-AzManagementGroup` in Azure PowerShell. For example, to change a management

+group's display name from **Contoso IT** to **Contoso Group**, run the following command:

+### Change the name in the Azure CLI

+For the Azure CLI, use the `update` command:

+To delete a management group, you must meet the following requirements:

+- There are no child management groups or subscriptions under the management group. To move a

+ [Move management groups and subscriptions](#move-management-groups-and-subscriptions) later in this article.

+- You need write permissions on the management group (Owner, Contributor, or Management Group

+ Contributor). To see what permissions you have, select the management group and then select

+ [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md).

+### Delete a management group in the portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the management group that you want to delete.

+1. Select **Delete**.

+ :::image type="content" source="./media/delete.png" alt-text="Screenshot of the management group page with the Delete button." border="false":::

+ > If the **Delete** button is unavailable, hovering over the button shows you the reason.

+1. A dialog opens and asks you to confirm that you want to delete the management group.

+ :::image type="content" source="./media/delete_confirm.png" alt-text="Screenshot of the confirmation dialog for deleting a management group." border="false":::

+### Delete a management group in Azure PowerShell

+To delete a management group, use the `Remove-AzManagementGroup` command in Azure PowerShell:

+### Delete a management group in the Azure CLI

+With the Azure CLI, use the command `az account management-group delete`:

+You can view any management group if you have a direct or inherited Azure role on it.

+### View management groups in the portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. The page for management group hierarchy appears. On this page, you can explore all the

+ management groups and subscriptions that you have access to. Selecting the group name takes you to a

+ :::image type="content" source="./media/main.png" alt-text="Screenshot of the management groups page that shows child management groups and subscriptions." border="false":::

+### View management groups in Azure PowerShell

+You use the `Get-AzManagementGroup` command to retrieve all groups. For the full list of

+`GET` PowerShell commands for management groups, see the

+[Az.Resources](/powershell/module/az.resources/Get-AzManagementGroup) modules.

+For a single management group's information, use the `-GroupId` parameter:

+To return a specific management group and all the levels of the hierarchy under it, use the `-Expand`

+and `-Recurse` parameters:

+### View management groups in the Azure CLI

+You use the `list` command to retrieve all groups:

+For a single management group's information, use the `show` command:

+To return a specific management group and all the levels of the hierarchy under it, use the `-Expand`

+and `-Recurse` parameters:

+## Move management groups and subscriptions

+and subscriptions can become children of another management group. A subscription that moves to a

+management group inherits all user access and policies from the parent management group.

+You can move subscriptions between management groups. A subscription can have only one parent management group.

+When you move a management group or subscription to be a child of another management group, three

+- Child subscription or management group

+ - `Microsoft.management/managementgroups/subscriptions/write` (only for subscriptions)

+There's an exception: if the target or the existing parent management group is the root management group,

+the permission requirements don't apply. Because the root management group is the default landing

+targets are limited. You can move the subscription only to another management group where you have

+Contributor because you would lose ownership of the subscription. If you're directly assigned to the

+Owner role for the subscription, you can move it to any management group where you have the Contributor role.

+**IAM**. To learn more about Azure roles, see

+[What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md).

+### Add an existing subscription to a management group in the portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the management group that you want to be the parent.

+ :::image type="content" source="./media/add_context_sub.png" alt-text="Screenshot of the box for selecting an existing subscription to add to a management group." border="false":::

+1. Select **Save**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the management group that's the current parent.

+1. Select the ellipsis (`...`) at the end of the row for the subscription in the list that you want to move.

+ :::image type="content" source="./media/move_small.png" alt-text="Screenshot of the menu that includes the move option for a subscription." border="false":::

+1. On **Move** pane, select the value for **New parent management group ID**.

+ :::image type="content" source="./media/move_small_context.png" alt-text="Screenshot of the pane for moving a subscription to a different management group." border="false":::

+### Move a subscription in Azure PowerShell

+To move a subscription in PowerShell, you use the `New-AzManagementGroupSubscription` command:

+To remove the link between the subscription and the management group, use the

+`Remove-AzManagementGroupSubscription` command:

+### Move a subscription in the Azure CLI

+To move a subscription in the Azure CLI, you use the `add` command:

+To remove the subscription from the management group, use the `subscription remove` command:

+### Move a subscription in an ARM template

+template and deploy it at the [tenant level](../../azure-resource-manager/templates/deploy-to-tenant.md):

+Or, use the following Bicep file:

+### Move a management group in the portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the management group that you want to be the parent.

+1. On the **Add management group** pane, choose whether you want to use a new or existing management group:

+ - Selecting **Create new** creates a new management group.

+ - Selecting **Use existing** presents you with a dropdown list of all the management groups that you

+ :::image type="content" source="./media/add_context_MG.png" alt-text="Screenshot of the pane for adding a management group." border="false":::

+### Move a management group in Azure PowerShell

+To move a management group under a different

+group, use the `Update-AzManagementGroup` command in Azure PowerShell:

+### Move a management group in the Azure CLI

+To move a management group in the Azure CLI, use the `update` command:

+## Audit management groups by using activity logs

+Management groups are supported in [Azure Monitor activity logs](../../azure-monitor/essentials/platform-logs-overview.md). You can query all

+example, you can see all role assignments or policy assignment changes made to a particular

+When you want to query on management groups outside the Azure portal, the target scope for

+management groups looks like `"/providers/Microsoft.Management/managementGroups/{yourMgID}"`.

+## Reference management groups from other resource providers

+When you're referencing management groups from another resource provider's actions, use the following path as

+the scope. This path applies when you're using Azure PowerShell, the Azure CLI, and REST APIs.

+An example of using this path is when you're assigning a new role to a management group in

+Azure PowerShell:

+You use the same scope path to retrieve a policy definition for a management group:

+## Related content

+- [Review management groups in the Azure PowerShell Az.Resources module](/powershell/module/az.resources#resources)

+- [Review management groups in the REST API](/rest/api/managementgroups/managementgroups)

+- [Review management groups in the Azure CLI](/cli/azure/account/management-group)

+description: Learn about management groups, how their permissions work, and how to use them.

+If your organization has many Azure subscriptions, you might need a way to efficiently manage access,

+above subscriptions. When you organize subscriptions into management groups, the governance conditions that you apply

+However, all subscriptions within a single management group must trust the same Microsoft Entra tenant.

+For example, you can apply a policy to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all nested management groups, subscriptions, and resources to allow VM creation only in authorized regions.

+creating a hierarchy for governance by using management groups.

+ Diagram of a root management group that holds both management groups and subscriptions. Some child management groups hold management groups, some hold subscriptions, and some hold both. One of the examples in the sample hierarchy is four levels of management groups, with all subscriptions at the child level.

+You can create a hierarchy that applies a policy, for example, that limits VM locations to the West US region in the management group called _Corp_. This policy will inherit all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions. The resource or subscription

+owner can't alter this security policy, to allow for improved governance.

+> Management groups aren't currently supported in cost management features for Microsoft Customer Agreement (MCA) subscriptions.

+subscriptions. By moving multiple subscriptions under a management group, you can create one

+[Azure role assignment](../../role-based-access-control/overview.md) on the management group. The role

+users to have access to everything they need, instead of scripting Azure role-based access control (RBAC) over different

+- A single directory can support 10,000 management groups.

+

+ This limit doesn't include the root level or the subscription level.

+- Each management group and subscription can support only one parent.

+- All subscriptions and management groups are within a single hierarchy in each directory. For more information, see

+ [Important facts about the root management group](#important-facts-about-the-root-management-group) later in this article.

+Each directory has a single top-level management group called the _root_ management group. The

+fold up to it.

+The root management group allows for the application of global policies and Azure role assignments

+at the directory level. Initially, the [Microsoft Entra Global Administrator needs to elevate

+Administrator role of this root group. After elevating access, the administrator can

+- By default, the root management group's display name is **Tenant root group**, and it operates itself as a management group. The ID is the same value as the Microsoft Entra tenant ID.

+- To change the display name, your account must have the Owner or Contributor role on the

+ root management group. For more information, see

+ [Change the name of a management group](manage.md#change-the-name-of-a-management-group).

+ - New subscriptions automatically default to the root management group when they're created.

+ - No one has default access to the root management group. Microsoft Entra Global Administrators are

+ the only users who can elevate themselves to gain access. After they have access to the root

+ management group, they can assign any Azure role to other users to manage the group.

+> Any assignment of user access or policy on the root management group applies to all

+> resources within the directory. Because of this access level, all customers should evaluate the need to have

+> items defined on this scope. User access and policy assignments should be "must have" only at this

+When any user starts using management groups, an initial setup process happens. The

+first step is creation of the root management group in the directory. All

+existing subscriptions that exist in the directory then become children of the root management group.

+access and policies that other customers within the directory can't bypass.

+Anything assigned on the

+root applies to the entire hierarchy. That is, it applies to all management groups, subscriptions,

+resource groups, and resources within that Microsoft Entra tenant.

+[Azure RBAC](../../role-based-access-control/overview.md) for all

+resource access and role definitions. Child resources that

+exist in the hierarchy inherit these permissions. Any Azure role can be assigned to a management group that will inherit down

+the hierarchy to the resources.

+For example, you can assign the Azure role VM Contributor to a

+| Azure role name | Create | Rename | Move\*\* | Delete | Assign access | Assign policy | Read |

+|Management Group Contributor\* | X | X | X | X | | | X |

+|Management Group Reader\* | | | | | | | X |

+\*: These roles allow users to perform the specified actions only on the management group scope.

+\*\*: Role assignments on the root management group aren't required to move a subscription or a

+For details on moving items within the hierarchy, see [Manage your resources with management groups](manage.md).

+will inherit down the hierarchy like any built-in role.

+For information about the limitations with custom roles and management groups, see [Limitations](#limitations) later in this article.

+change with the inclusion of management groups. Use the full path to define the management group:

+because both are custom-defined fields in creating a management group.

+Role definitions are assignable scopes anywhere within the management group hierarchy. A role

+definition can be on a parent management group, whereas the actual role assignment exists on

+the child subscription. Because there's a relationship between the two items, you'll receive an error

+if you try to separate the assignment from its definition.

+For example, consider the following example of a small section of a hierarchy.

+ The diagram focuses on the root management group with child landing zones and sandbox management groups. The management group for landing zones has two child management groups named Corp and Online, whereas the sandbox management group has two child subscriptions.

+Assume that a custom role is defined on the sandbox management group. That custom role is then

+assigned on the two sandbox subscriptions.

+If you try to move one of those subscriptions to be a child of the Corp management group, you'll break the path from subscription role assignment to the role definition for the sandbox management group. In this scenario, you'll receive an error that says the move isn't allowed because it will

+To fix this scenario, you have these options:

+ management group.

+- Change the assignable scope within the role definition. In this example, you can update the

+ assignable scopes from the sandbox management group to the root management group so that both branches of the hierarchy can reach the definition.

+- Create another custom role that's defined in the other branch. This new role also requires you to change the role

+ on the subscription.

+There are limitations to using custom roles on management groups:

+- You can define only one management group in the assignable scopes of a new role. This limitation

+ disconnected. This kind of situation happens when a subscription or management group with a role

+ definition's assignable scope. If there's a typo or an incorrect management group ID, the

+To move a management group or subscription to be a child of another management group, you need:

+- Management group write permissions and role assignment write permissions on the child subscription or

+ - Built-in role example: Owner

+ - Built-in role example: Owner, Contributor, Management Group Contributor

+ - Built-in role example: Owner, Contributor, Management Group Contributor

+There's an exception: if the target or the existing parent management group is the root management group,

+the permission requirements don't apply. Because the root management group is the default landing

+If the Owner role on the subscription is inherited from the current management group, your move

+targets are limited. You can move the subscription only to another management group where you have

+the Owner role. You can't move the subscription to a management group where you're only a

+Contributor because you would lose ownership of the subscription. If you're directly assigned to the

+Owner role for the subscription, you can move it to any management group where you have the Contributor role.

+> Azure Resource Manager caches details of the management group hierarchy for up to 30 minutes.

+> As a result, the Azure portal might not immediately show that you moved a management group.

+## Auditing management groups by using activity logs

+Management groups are supported in [Azure Monitor activity logs](../../azure-monitor/essentials/platform-logs-overview.md). You can query all

+When you want to query on management groups outside the Azure portal, the target scope for

+management groups looks like `"/providers/Microsoft.Management/managementGroups/{management-group-id}"`.

+> By using the Azure Resource Manager REST API, you can enable diagnostic settings on a management group to send related Azure Monitor activity log entries to a Log Analytics workspace, Azure Storage, or Azure Event Hubs. For more information, see [Management group diagnostic settings: Create or update](/rest/api/monitor/management-group-diagnostic-settings/create-or-update).

+## Related content

+- [Change, delete, or manage your management groups](./manage.md)

+- [Protect your resource hierarchy](./how-to/protect-resource-hierarchy.md)

+#### 1.7.0

+Introducing expansion, a shift left feature that lets you know up front whether your workload resources (Deployments, ReplicaSets, Jobs, etc.) will produce admissible pods. Expansion shouldn't change the behavior of your policies; rather, it just shifts Gatekeeper's evaluation of pod-scoped policies to occur at workload admission time rather than pod admission time. However, to perform this evaluation it must generate and evaluate a what-if pod that is based on the pod spec defined in the workload, which may have incomplete metadata. For instance, the what-if pod will not contain the proper owner references. Because of this small risk of policy behavior changing, we're introducing expansion as disabled by default. To enable expansion for a given policy definition, set `.policyRule.then.details.source` to `All`. Built-ins will be updated soon to enable parameterization of this field. If you test your policy definition and find that the what-if pod being generated for evaluation purposes is incomplete, you can also use a mutation with source `Generated` to mutate the what-if pods. For more information on this option, view the [Gatekeeper documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/expansion#mutating-example).

+Security improvements.

+- Released July 2024

+- Kubernetes 1.27+

+- Gatekeeper 3.16.3

+#### 1.6.1

+Security improvements.

+- Released May 2024

+- Gatekeeper 3.14.2

+#### 1.5.0

+Security improvements.

+- Released May 2024

+- Kubernetes 1.27+

+- Gatekeeper 3.16.3

+> With the `management.task` running every 10 minutes, there will be pressure on the SQL server DTU.

+ --location westus2

+ --location westus2 \

+az config set extension.use_dynamic_install=yes_without_prompt

+ --location westus2

+ --image win2022datacenter \

+# Quickstart: Create an internal load balancer to load balance virtual machines using Azure PowerShell

+Get started with Azure Load Balancer creating an internal load balancer and two virtual machines with Azure PowerShell. Also, you deploy other resources including Azure Bastion, NAT Gateway, a virtual network, and the required subnets.

+$rg = @{

+ Name = 'CreateINTLBQS-rg'

+ Location = 'westus2'

+}

+New-AzResourceGroup @rg

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+$sg = @{

+ ResourceGroupName = $rg.name

+$nsg = Get-AzNetworkSecurityGroup @sg

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+$sg = @{

+ ResourceGroupName = $rg.name

+$nsg = Get-AzNetworkSecurityGroup @sg

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+Remove-AzResourceGroup -Name $rg.name

+Get started with Azure Load Balancer by using Azure PowerShell to create a public load balancer and two virtual machines. Also, you deploy other resources including Azure Bastion, NAT Gateway, a virtual network, and the required subnets.

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+ Location = 'westus2'

+ ResourceGroupName = $rg.name

+Remove-AzResourceGroup -Name $rg.name

+In this section, you create a cross-region load balancer, public IP address, and load balancing rule.

+In this section, you add two regional standard load balancers to the backend pool of the cross-region load balancer.

+In this section, you place the resource IDs of two regional load balancers frontends into variables, and then use the variables to add the frontends to the backend address pool of the cross-region load balancer.

+In this section, you test the cross-region load balancer. You connect to the public IP address in a web browser. You stop the virtual machines in one of the regional load balancer backend pools and observe the failover.

+In this section, you create the resources needed for the cross-region load balancer.

+In this section, you add two regional standard load balancers to the backend pool of the cross-region load balancer.

+In this section, you test the cross-region load balancer. You connect to the public IP address in a web browser. You stop the virtual machines in one of the regional load balancer backend pools and observe the failover.

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) and access to the Azure portal.

+> During this preview key rotation and data labeling capabilities are not supported. Server-side encryption is currently not supported in reference to an Azure Key Vault for storing your encryption key that has public network access disabled.

+ Title: How to deploy Meta Llama 3.1 models with Azure Machine Learning studio

+description: Learn how to deploy Meta Llama 3.1 models with Azure Machine Learning studio.

+# How to deploy Meta Llama 3.1 models with Azure Machine Learning studio

+In this article, you learn about the Meta Llama models family (LLMs). You also learn how to use Azure Machine Learning studio to deploy models from this set either to serverless APIs with pay-as you go billing or to managed compute.

+> Read more about the announcement of Meta Llama 3.1 405B Instruct and other Llama 3.1 models available now on Azure AI Model Catalog: [Microsoft Tech Community Blog](https://aka.ms/meta-llama-3.1-release-on-azure) and from [Meta Announcement Blog](https://aka.ms/meta-llama-3.1-release-announcement).

+Now available on Azure Machine Learning studio Models-as-a-Service:

+- `Meta-Llama-3.1-405B-Instruct`

+- `Meta-Llama-3.1-70B-Instruct`

+- `Meta-Llama-3.1-8B-Instruct`

+The Meta Llama 3.1 family of multilingual large language models (LLMs) is a collection of pretrained and instruction tuned generative models in 8B, 70B and 405B sizes (text in/text out). All models support long context length (128k) and are optimized for inference with support for grouped query attention (GQA). The Llama 3.1 instruction tuned text only models (8B, 70B, 405B) are optimized for multilingual dialogue use cases and outperform many of the available open source chat models on common industry benchmarks.

+See the following GitHub samples to explore integrations with [LangChain](https://aka.ms/meta-llama-3.1-405B-instruct-langchain), [LiteLLM](https://aka.ms/meta-llama-3.1-405B-instruct-litellm), [OpenAI](https://aka.ms/meta-llama-3.1-405B-instruct-openai) and the [Azure API](https://aka.ms/meta-llama-3.1-405B-instruct-webrequests).

+## Deploy Meta Llama 3.1 405B Instruct as a serverless API

+Meta Llama 3.1 models - like `Meta Llama 3.1 405B Instruct` - can be deployed as a serverless API with pay-as-you-go, providing a way to consume them as an API without hosting them on your subscription while keeping the enterprise security and compliance organizations need. This deployment option doesn't require quota from your subscription. Meta Llama 3.1 models are deployed as a serverless API with pay-as-you-go billing through Microsoft Azure Marketplace, and they might add more terms of use and pricing.

+The following models are available in Azure Marketplace for Llama 3.1 and Llama 3 when deployed as a service with pay-as-you-go:

+# [Meta Llama 3.1](#tab/llama-three)

+* [Meta-Llama-3.1-405B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-405B-base)

+* [Meta-Llama-3.1-70B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-8B-refresh)

+* [Meta Llama-3.1-8B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-70B-refresh)

+* [Meta-Llama-3-70B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-70b-chat)

+* [Meta-Llama-3-8B-Instruct (preview)](https://aka.ms/aistudio/landing/meta-llama-3-8b-chat)

+- An Azure Machine Learning workspace and a compute instance. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for Meta Llama 3.1 and Llama 3 is only available with hubs created in these regions:

+1. Select the workspace in which you want to deploy your models. To use the pay-as-you-go model deployment offering, your workspace must belong to one of the available regions listed in the prerequisites of this article.

+1. Choose `Meta-Llama-3.1-405B-Instruct` to deploy from the [model catalog](https://ml.azure.com/model/catalog).

+1. On the **Details** page for `Meta-Llama-3.1-405B-Instruct`, select **Deploy** and then select **Serverless API with Azure AI Content Safety**.

+1. If this is your first time deploying the model in the workspace, you have to subscribe your workspace for the particular offering (for example, `Meta-Llama-3.1-405B-Instruct`) from Azure Marketplace. This step requires that your account has the Azure subscription permissions and resource group permissions listed in the prerequisites. Each workspace has its own subscription to the particular Azure Marketplace offering, which allows you to control and monitor spending. Select **Subscribe and Deploy**.

+To learn about billing for Meta Llama models deployed as a serverless API, see [Cost and quota considerations for Meta Llama models deployed as a serverless API](#cost-and-quota-considerations-for-meta-llama-31-models-deployed-as-a-serverless-api).

+1. Find and select the `Meta-Llama-3.1-405B-Instruct` deployment you created.

+ - For chat models, such as `Meta-Llama-3.1-405B-Instruct`, use the [`/chat/completions`](#chat-api) API.

+ For more information on using the APIs, see the [reference](#reference-for-meta-llama-31-models-deployed-a-serverless-api) section.

+ For more information on using the APIs, see the [reference](#reference-for-meta-llama-31-models-deployed-a-serverless-api) section.

+### Reference for Meta Llama 3.1 models deployed a serverless API

+Apart from deploying with the pay-as-you-go managed service, you can also deploy Meta Llama 3.1 models to managed compute in Azure Machine Learning studio. When deployed to managed compute, you can select all the details about the infrastructure running the model, including the virtual machines to use and the number of instances to handle the load you're expecting. Models deployed to managed compute consume quota from your subscription. The following models from the 3.1 release wave are available on managed compute:

+- `Meta-Llama-3.1-8B-Instruct` (FT supported)

+- `Meta-Llama-3.1-70B-Instruct` (FT supported)

+- `Meta-Llama-3.1-8B` (FT supported)

+- `Meta-Llama-3.1-70B` (FT supported)

+- `Llama Guard 3 8B`

+- `Prompt Guard`

+Follow these steps to deploy a model such as `Meta-Llama-3.1-70B-Instruct` to a managed compute in [Azure Machine Learning studio](https://ml.azure.com).

+ Alternatively, you can initiate deployment by going to your workspace and selecting **Endpoints** > **Managed Comput** > **Create**.

+Follow these steps to deploy a model such as `Llama-2-7b-chat` to a managed compute in [Azure Machine Learning studio](https://ml.azure.com).

+ Alternatively, you can initiate deployment by going to your workspace and selecting **Endpoints** > **managed compute** > **Create**.

+For reference about how to invoke Meta Llama 3 models deployed to managed compute, see the model's card in Azure Machine Learning studio [model catalog](concept-model-catalog.md). Each model's card has an overview page that includes a description of the model, samples for code-based inferencing, fine-tuning, and model evaluation.

+| CLI using CURL and Python web requests | [webrequests.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-webrequests)|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-openai)|

+| LangChain | [langchain.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-langchain)|

+| LiteLLM SDK | [litellm.ipynb](https://aka.ms/meta-llama-3.1-405B-instruct-litellm) |

+### Cost and quota considerations for Meta Llama 3.1 models deployed as a serverless API

+Meta Llama 3.1 models deployed as a serverless API are offered by Meta through Azure Marketplace and integrated with Azure Machine Learning studio for use. You can find Azure Marketplace pricing when deploying or fine-tuning models.

+Quota is managed per deployment. Each deployment has a rate limit of 400,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits aren't sufficient for your scenarios.

+### Cost and quota considerations for Meta Llama 3.1 models deployed managed compute

+For deployment and inferencing of Meta Llama 3.1 models with managed compute, you consume virtual machine (VM) core quota that is assigned to your subscription on a per-region basis. When you sign up for Azure AI Studio, you receive a default VM quota for several VM families available in the region. You can continue to create deployments until you reach your quota limit. Once you reach this limit, you can request a quota increase.

+ az ml workspace show --name <my workspace name> \

+ --resource-group <my resource group> \

+ --subscription <my subscription id> \

+ --query container_registry

+az ml workspace create -n <workspace name> \

+az ml compute show --name <cluster name> -n <workspace> -g <resource group>

+ az ml workspace show -n <workspace name> -g <resource group> --query identityPrincipalId

+ az ml connection create --file <yml file> --resource-group <resource group> --name <workspace>

+|[StepSequence](/python/api/azureml-pipeline-core/azureml.pipeline.core.stepsequence)|[Data dependency](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components/basics/3b_pipeline_with_data)|

+> Managed online endpoint only supports managed virtual network. If your workspace is in custom vnet, you need to try other deployment options, such as deploy to [Kubernetes online endpoint using CLI/SDK](./how-to-deploy-to-code.md), or [deploy to other platforms such as Docker](https://microsoft.github.io/promptflow/how-to-guides/deploy-a-flow/https://docsupdatetracker.net/index.html).

+> Managed online endpoint only supports managed virtual network. If your workspace is in custom vnet, you can deploy to Kubernetes online endpoint, or [deploy to other platforms such as Docker](https://microsoft.github.io/promptflow/how-to-guides/deploy-a-flow/https://docsupdatetracker.net/index.html).

+If you're interested in learning more about how you can use Planners in Semantic Kernel, we recommend that you read the following article:

+* [Learn more about planners](/semantic-kernel/ai-orchestration/planners/evaluate-and-deploy-planners/)

+| **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)]

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)]

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)]

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)]

+SHA256 | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)]

+ Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)]

+

+ | **Download** | **Hash value** |

+ | | |

+ | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](includes/security-hash-value.md)] |

+

+ [!INCLUDE [public-cloud-vmware.md](../includes/public-cloud-vmware.md)]

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](../includes/security-hash-value.md)]

+ [!INCLUDE [public-cloud-vmware.md](../includes/public-cloud-vmware.md)]

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | [!INCLUDE [security-hash-value.md](../includes/security-hash-value.md)]

+ | Traffic analytics processing interval | Select the processing interval that you prefer, available options are: **Every 1 hour** and **Every 10 mins**. The default processing interval is every one hour. For more information, see [Traffic analytics](traffic-analytics.md). |

+We're pleased to announce the launch of OpenShift 4.14 for Azure Red Hat OpenShift. This release enables [OpenShift Container Platform 4.14](https://docs.openshift.com/container-platform/4.14/welcome/https://docsupdatetracker.net/index.html). You can check the end of support date on the [support lifecycle page](/azure/openshift/support-lifecycle) for previous versions.

+1. First, engage with your Microsoft account manager and get your business cases approved by Azure Payment HSM Product Manager. See [Getting started with Azure Payment HSM](getting-started.md). Ask your Microsoft account manager and Cloud Service Architect (CSA) to fill out the [Payment HSM: initial contact form](https://forms.office.com/r/yxREMbybct).

+1. The Azure Payment HSM comes with payShield Manager license so you can remotely manage the HSM; you must have Thales smart cards and card readers for payShield Manager before onboarding Azure payment HSM. The minimum requirement is one compatible USB Smartcard reader with at least 5 payShield Manager Smartcards. Contact your Thales sales representative for the purchase or using existing compatible smart cards and readers. For more information, see the [Payment HSM support: Prerequisites](support-guide.md#prerequisites).

+1. Fill out the [Payment HSM: Thales support account request form](https://forms.office.com/r/tDNPwLCsqB) to provide your contact information to the Microsoft account team and the Azure Payment HSM Product Manager, so they can set up your Thales support account. After your Thales Customer ID is created, so you can submit payShield 10K support issues and download documentation, software, and firmware from Thales portal. The customer team can use the Thales Customer ID to create individual account access to Thales support portal.

+1. You must next engage with the Microsoft CSAs to plan your deployment, and to understand the networking requirements and constraints/workarounds before onboarding the service. For details, see:

+1. Contact Microsoft support to get your subscription approved and receive feature registration, to access the Azure payment HSM service. See [Register the Azure Payment HSM resource providers](register-payment-hsm-resource-providers.md?tabs=azure-cli). There is no charge at this step.

+1. To create payment HSMs, follow the [Tutorials](create-payment-hsm.md) and [How-To Guides](register-payment-hsm-resource-providers.md). Customer billing starts when the HSM resource is created.

+1. Upgrade the payShield 10K firmware to their desired version.

+1. Review the support process and scope here for Microsoft support and Thales's support: [Azure Payment HSM Service support guide ](support-guide.md).

+1. Monitor your payShield 10K using standard SNMP V3 tools. payShield Monitor is another product available to provide continuous monitoring of HSMs. Contact Thales Sales rep for licensing information.

+| `authResourceId` | (Optional) A string that if set, indicates that this skill should use a managed identity on the connection to the function or app hosting the code. This property takes an application (client) ID or app's registration in Microsoft Entra ID, in any of these formats: `api://<appId>`, `<appId>/.default`, `api://<appId>/.default`. This value is used to scope the authentication token retrieved by the indexer, and is sent along with the custom Web skill API request to the function or app. Setting this property requires that your search service is [configured for managed identity](search-howto-managed-identities-data-sources.md) and your Azure function app is [configured for a Microsoft Entra sign in](../app-service/configure-authentication-provider-aad.md). To use this parameter, call the API with `api-version=2023-10-01-Preview`. |

+1. Configure Azure AI Search for role-based access:

+1. Assign roles:

+ 1. On Azure AI Search, add two role assignments for the Azure OpenAI managed identity:

+ - **Search Index Data Reader**

+ - **Search Service Contributor**

+ 1. On Azure OpenAI, assign yourself to a role. The code for this quickstart runs locally. Requests to Azure OpenAI originate from your system:

+ - **Cognitive Services OpenAI User**

+1. Run the following code to set query parameters. The query is a keyword search using semantic ranking. In a keyword search, the search engine returns up to 50 matches, but only the top 5 are provided to the model. If you can't enable semantic ranking on your search service, set the value to false.

+ async def get_sources(search_client: SearchClient, query: str, search_type: SearchType, use_semantic_reranker: bool = True, sources_to_include: int = 5) -> List[str]:

+ async def append_grounded_message(self, search_client: SearchClient, query: str, search_type: SearchType, use_semantic_reranker: bool = True, sources_to_include: int = 5):

+ sources = await get_sources(search_client, query, search_type, use_semantic_reranker, sources_to_include)

+ sources_to_include=sources_to_include)

+ Output is from Azure OpenAI, and it consists of recommendations for several hotels. Here's an example of what the output might look like:

+ ```

+ Based on your criteria, we recommend the following hotels:

+

+ - Contoso Ocean Motel: located right on the beach and has private balconies with ocean views. They also have indoor and outdoor pools. It's located on the boardwalk near shops and art entertainment.

+ - Northwind Plaza & Suites: offers ocean views, free Wi-Fi, full kitchen, and a free breakfast buffet. Although not directly on the beach, this hotel has great views and is near the aquarium. They also have a pool.

+

+ Several other hotels have views and water features, but do not offer beach access or views of the ocean.

+ ```

+ To experiment further, change the query and rerun the last step to better understand how the model works with your data.

+ You can also modify the prompt to change the tone or structure of the output.

+| `authResourceId` | (Optional) A string that if set, indicates that this vectorizer should use a managed identity on the connection to the function or app hosting the code. This property takes an application (client) ID or app's registration in Microsoft Entra ID, in any of these formats: `api://<appId>`, `<appId>/.default`, `api://<appId>/.default`. This value is used to scope the authentication token retrieved by the indexer, and is sent along with the custom Web API request to the function or app. Setting this property requires that your search service is [configured for managed identity](search-howto-managed-identities-data-sources.md) and your Azure function app is [configured for a Microsoft Entra sign in](../app-service/configure-authentication-provider-aad.md). |

+| [Entrust Root Certification Authority G2](https://web.entrust.com/root-certificates/entrust_g2_ca.cer) | 4a538c28<br>8cf427fd790c3ad166068de81e57efbb932272d4 |

+| [DigiCert Cloud Services CA-1](https://crt.sh/?d=B3F6B64A07BB9611F47174407841F564FB991F29) | 0f171a48c6f223809218cd2ed6ddc0e8<br>b3f6b64a07bb9611f47174407841f564fb991f29 |

+| [DigiCert TLS RSA SHA256 2020 CA1](https://crt.sh/?d=6938FD4D98BAB03FAADB97B34396831E3780AEA1) | 0a3508d55c292b017df8ad65c00ff7e4<br>6938fd4d98bab03faadb97b34396831e3780aea1 |

+| [Entrust Certification Authority - L1K](https://aia.entrust.net/l1k-chain256.cer) | 0ee94cc30000000051d37785<br>f21c12f46cdb6b2e16f09f9419cdff328437b2d7 |

+| [Entrust Certification Authority - L1M](https://aia.entrust.net/l1m-chain256.cer) | 61a1e7d20000000051d366a6<br>cc136695639065fab47074d28c55314c66077e90 |

+| [**Entrust Root Certification Authority G2**](https://web.entrust.com/root-certificates/entrust_g2_ca.cer) | 4a538c28<br>8cf427fd790c3ad166068de81e57efbb932272d4 |

+| Γöö [Entrust Certification Authority - L1K](https://aia.entrust.net/l1k-chain256.cer) | 0ee94cc30000000051d37785<br>f21c12f46cdb6b2e16f09f9419cdff328437b2d7 |

+| Γöö [Entrust Certification Authority - L1M](https://aia.entrust.net/l1m-chain256.cer) | 61a1e7d20000000051d366a6<br>cc136695639065fab47074d28c55314c66077e90 |

+- July 22, 2024: Added Entrust CAs from a parallel Microsoft 365 article to provide a comprehensive list.

+- June 27, 2024: Removed the following CAs, which were superseded by both versions of Microsoft Azure ECC TLS Issuing CAs 03, 04, 07, 08.

+ | Certificate Authority | Serial Number<br>Thumbprint |

+ |- |- |

+ | [Microsoft Azure ECC TLS Issuing CA 01](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2001.cer)|0x09dc42a5f574ff3a389ee06d5d4de440<br>92503D0D74A7D3708197B6EE13082D52117A6AB0|

+ |[Microsoft Azure ECC TLS Issuing CA 01](https://crt.sh/?d=2616305805)|0x330000001aa9564f44321c54b900000000001a<br>CDA57423EC5E7192901CA1BF6169DBE48E8D1268|

+ |[Microsoft Azure ECC TLS Issuing CA 02](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2002.cer)|0x0e8dbe5ea610e6cbb569c736f6d7004b<br>1E981CCDDC69102A45C6693EE84389C3CF2329F1|

+ |[Microsoft Azure ECC TLS Issuing CA 02](https://crt.sh/?d=2616326233)|0x330000001b498d6736ed5612c200000000001b<br>489FF5765030EB28342477693EB183A4DED4D2A6|

+ |[Microsoft Azure ECC TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2005.cer)|x0ce59c30fd7a83532e2d0146b332f965<br>C6363570AF8303CDF31C1D5AD81E19DBFE172531|

+ |[Microsoft Azure ECC TLS Issuing CA 05](https://crt.sh/?d=2616326161)| 0x330000001cc0d2a3cd78cf2c1000000000001c<br>4C15BC8D7AA5089A84F2AC4750F040D064040CD4|

+ |[Microsoft Azure ECC TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2006.cer)|0x066e79cd7624c63130c77abeb6a8bb94<br>7365ADAEDFEA4909C1BAADBAB68719AD0C381163|

+ |[Microsoft Azure ECC TLS Issuing CA 06](https://crt.sh/?d=2616326228)|0x330000001d0913c309da3f05a600000000001d<br>DFEB65E575D03D0CC59FD60066C6D39421E65483|

+ |[Microsoft Azure TLS Issuing CA 01](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.cer)| 0x0aafa6c5ca63c45141ea3be1f7c75317<br>2F2877C5D778C31E0F29C7E371DF5471BD673173|

+ |[Microsoft Azure TLS Issuing CA 01](https://crt.sh/?d=2616326024)| 0x1dbe9496f3db8b8de700000000001d<br>B9ED88EB05C15C79639493016200FDAB08137AF3|

+ |[Microsoft Azure TLS Issuing CA 02](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002.cer)| 0x0c6ae97cced599838690a00a9ea53214<br>E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA|

+ |[Microsoft Azure TLS Issuing CA 02](https://crt.sh/?d=2616326032)| 0x330000001ec6749f058517b4d000000000001e<br>C5FB956A0E7672E9857B402008E7CCAD031F9B08|

+ |[Microsoft Azure TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005.cer)| 0x0d7bede97d8209967a52631b8bdd18bd<br>6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5|

+ |[Microsoft Azure TLS Issuing CA 05](https://crt.sh/?d=2616326057)|0x330000001f9f1fa2043bc28db900000000001f<br>56F1CA470BB94E274B516A330494C792C419CF87|

+ |[Microsoft Azure TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006.cer)| 0x02e79171fb8021e93fe2d983834c50c0<br>30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0|

+ |[Microsoft Azure TLS Issuing CA 06](https://crt.sh/?d=2616330106)|0x3300000020a2f1491a37fbd31f000000000020<br>8F1FD57F27C828D7BE29743B4D02CD7E6E5F43E6|

+If an application fails due to a fatal error immediately after sending a message, and the restarted application instance erroneously believes that the prior message delivery didn't occur, a subsequent send causes the same message to appear in the system twice.

+For a business process in which multiple messages are sent in the course of handling some application context, the `MessageId` can be a composite of the application-level context identifier, such as a purchase order number, and the subject of the message, for example, **12345.2017/payment**.

+Apart from just enabling duplicate detection, you can also configure the size of the duplicate detection history time window during which message IDs are retained. This value defaults to 10 minutes for queues and topics, with a minimum value of 20 seconds to maximum value of 7 days.

+ Title: Monitoring data reference for Azure Service Bus

+description: This article contains important reference material you need when you monitor Azure Service Bus by using Azure Monitor.

+# Azure Service Bus monitoring data reference

+See [Monitor Azure Service Bus](monitor-service-bus.md) for details on the data you can collect for Service Bus and how to use it.

+### Supported metrics for Microsoft.ServiceBus/Namespaces

+The following table lists the metrics available for the Microsoft.ServiceBus/Namespaces resource type.

+The following sections provide more detailed descriptions for metrics presented in the previous section.

+### Request metrics

+*Request metrics* count the number of data and management operations requests.

+| Metric | Description |

+|:-|:|

+| Incoming Requests | The number of requests made to the Service Bus service over a specified period. |

+| Successful Requests | The number of successful requests made to the Service Bus service over a specified period. |

+| [Server Errors](service-bus-messaging-exceptions.md#exception-categories) | The number of requests not processed because of an error in the Service Bus service over a specified period. |

+| [User Errors](service-bus-messaging-exceptions.md#exception-categories) | The number of requests not processed because of user errors over a specified period. |

+| Throttled Requests | The number of requests that were throttled because the usage was exceeded.</p><p>MessagingErrorSubCode dimension has the following possible values: <br/><ul><li><b>CPU:</b> CPU throttling</li><li><b>Storage:</b>It indicates throttle because of pending checkpoint operations</li><li><b>Namespace:</b>Namespace operations throttling.</li><li><b>Unknown:</b> Other resource throttling.</li></p> |

+| Pending Checkpoint Operations Count | The number of pending checkpoint operations on the namespace. Service starts to throttle when the pending checkpoint count exceeds limit of (500,000 + (500,000 * messaging units)) operations. This metric applies only to namespaces using the **premium** tier. |

+| Server Send Latency | The time taken by the Service Bus service to complete the request. |

+The following two types of errors are classified as *user errors*:

+- Client-side errors (In HTTP that would be 400 errors).

+- Errors that occur while processing messages, such as [MessageLockLostException](/dotnet/api/azure.messaging.servicebus.servicebusfailurereason).

+The following metrics are *message metrics*.

+| Metric | Description |

+|:-|:|

+| Incoming Messages | The number of events or messages sent to Service Bus over a specified period. For basic and standard tiers, incoming autoforwarded messages are included in this metric. And, for the premium tier, they aren't included. |

+| Outgoing Messages | The number of events or messages received from Service Bus over a specified period. The outgoing autoforwarded messages aren't included in this metric. |

+| Messages | Count of messages in a queue/topic. This metric includes messages in all the different states like active, dead-lettered, scheduled, etc. |

+| Active Messages | Count of active messages in a queue/topic. Active messages are the messages in the queue or subscription that are in the active state and ready for delivery. The messages are available to be received. |

+| Dead-lettered messages | Count of dead-lettered messages in a queue/topic. |

+| Scheduled messages | Count of scheduled messages in a queue/topic. |

+| Completed Messages | The number of messages completed over a specified period. |

+| Abandoned Messages | The number of messages abandoned over a specified period. |

+| Size | Size of an entity (queue or topic) in bytes. |

+> Values for messages, active, dead-lettered, scheduled, completed, and abandoned messages are point-in-time values. Incoming messages that were consumed immediately after that point-in-time might not be reflected in these metrics.

+> When a client tries to get the info about a queue or topic, the Service Bus service returns some static information such as name, last updated time, created time, and requires session or not. Some dynamic information like message counts. If the request gets throttled, the service returns the static information and empty dynamic information. That's why message counts are shown as 0 when the namespace is being throttled. This behavior is by design.

+The following metrics are *connection metrics*.

+| Metric | Description |

+|:-|:|

+| Active Connections | The number of active connections on a namespace and on an entity in the namespace. Value for this metric is a point-in-time value. Connections that were active immediately after that point-in-time may not be reflected in the metric. |

+| Connections Opened | The number of connections opened. Value for this metric is an aggregation, and includes all connections that were opened in the aggregation time window. |

+| Connections Closed | The number of connections closed. Value for this metric is an aggregation, and includes all connections that were opened in the aggregation time window. |

+The following *resource metrics* are available only with the **premium** tier.