+This article describes application registration, application objects, and service principals in Azure Active Directory (Azure AD): what they're, how they're used, and how they're related to each other. A multi-tenant example scenario is also presented to illustrate the relationship between an application's application object and corresponding service principal objects.

+To delegate identity and access management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's a [single tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), or [multi-tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), and can optionally set a [redirect URI](reply-url.md). For step-by-step instructions on registering an app, see the [app registration quickstart](quickstart-register-app.md).

+When you've completed the app registration, you've a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

+If you register an application in the portal, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step.

+An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered (known as the application's "home" tenant). An application object is used as a template or blueprint to create one or more service principal objects. A service principal is created in every tenant where the application is used. Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).

+The application object describes three aspects of an application:

+- How the service can issue tokens in order to access the application

+- The resources that the application might need to access

+- The actions that the application can take

+You can use the **App registrations** page in the [Azure portal][azure-portal] to list and manage the application objects in your home tenant.

+The Microsoft Graph [Application entity][ms-graph-app-entity] defines the schema for an application object's properties.

+- **Application** - The type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

+ When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. When you register an application using the Azure portal, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools.

+- **Managed identity** - This type of service principal is used to represent a [managed identity](../managed-identities-azure-resources/overview.md). Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but can't be updated or modified directly.

+- **Legacy** - This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but doesn't have an associated app registration. The service principal can only be used in the tenant where it was created.

+The Microsoft Graph [ServicePrincipal entity][ms-graph-sp-entity] defines the schema for a service principal object's properties.

+You can use the **Enterprise applications** page in the Azure portal to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.

+The application object is the _global_ representation of your application for use across all tenants, and the service principal is the _local_ representation for use in a specific tenant. The application object serves as the template from which common and default properties are _derived_ for use in creating corresponding service principal objects.

+- A one-to-one relationship with the software application, and

+- A one-to-many relationship with its corresponding service principal object(s)

+| Step | Description |

+| - | -- |

+| 1 | The process of creating the application and service principal objects in the application's home tenant. |

+| 3 | The consumer tenants of the HR application (Contoso and Fabrikam) each have their own service principal object. Each represents their use of an instance of the application at runtime, governed by the permissions consented by the respective administrator. |

+[ms-graph-app-entity]: /graph/api/resources/application

+[ms-graph-sp-entity]: /graph/api/resources/serviceprincipal

+[azure-portal]: https://portal.azure.com

+You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.

+### View requests with Microsoft Graph

+You can also retrieve requests for an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignmentRequests](/graph/api/entitlementmanagement-list-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access package requests from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve requests across all catalogs.

+A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. A user who has been delegated the [catalog creator](entitlement-management-delegate.md) role can create a catalog for resources that they own. Whoever creates the catalog becomes the first catalog owner. A catalog owner can add more users, groups of users, or application service principals as catalog owners.

+Entitlement management has the following roles that apply across all catalogs.

+Entitlement management has the following roles that are defined for each particular catalog. An administrator or a catalog owner can add users, groups of users, or service principals to these roles.

+| Entitlement management role | Role definition ID | Description |

+| | | -- |

+| Catalog owner | `ae79f266-94d4-4dab-b730-feca7e132178` | Edit and manage access packages and other resources in a catalog. Typically an IT administrator or resource owners, or a user who the catalog owner has chosen. |

+You can also manage access packages, catalogs, policies, requests and assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the [entitlement management API](/graph/tutorial-access-package-api). An application with those application permissions can also use many of those API functions, with the exception of managing resources in catalogs and access packages. An an applications which only needs to operate within specific catalogs, can be added to the **Catalog owner** or **Catalog reader** roles of a catalog to be authorized to update or read within that catalog.

+ * If your runbook is only performing queries or updates within a single catalog, then you do not need to assign it tenant-wide application permissions; instead you can assign the service principal to the catalog's **Catalog owner** or **Catalog reader** role.

+ * If your runbook is making changes to entitlement management, for example to create assignments across multiple catalogs, then use the **EntitlementManagement.ReadWrite.All** permission.

+ serverSPOID=$(az ad sp list --filter "displayName eq '$appName'" --query '[0].id' -o tsv | tr -d '[:space:]')

+ serverSPOID=$(az ad sp list --filter "appId eq '$appID'" --query '[0].id' -o tsv | tr -d '[:space:]')

+To disable autorotation, first disable the addon. Then, re-enable the addon without the `enable-secret-rotation` flag.

+ az network vnet subnet create --resource-group $groupName --vnet-name $vnetName --name vnet-integration-subnet --address-prefixes 10.0.0.0/24 --delegations Microsoft.Web/serverfarms --disable-private-endpoint-network-policies false

+ az network vnet subnet create --resource-group $groupName --vnet-name $vnetName --name private-endpoint-subnet --address-prefixes 10.0.1.0/24 --disable-private-endpoint-network-policies true

+ hosts: all

+ # vars:

+ # azure:

+ # service_principal_id: 'INSERT-SERVICE-PRINCIPAL-CLIENT-ID'

+ # service_principal_secret: 'INSERT-SERVICE-PRINCIPAL-SECRET'

+ # resource_group: 'INSERT-RESOURCE-GROUP'

+ # tenant_id: 'INSERT-TENANT-ID'

+ # subscription_id: 'INSERT-SUBSCRIPTION-ID'

+ # location: 'INSERT-LOCATION'

+ - name: Check if the Connected Machine Agent has already been downloaded on Linux servers

+ stat:

+ path: /usr/bin/azcmagent

+ get_attributes: False

+ get_checksum: False

+ register: azcmagent_lnx_downloaded

+ when: ansible_system == 'Linux'

+ - name: Download the Connected Machine Agent on Linux servers

+ become: yes

+ get_url:

+ url: https://aka.ms/azcmagent

+ dest: ~/install_linux_azcmagent.sh

+ mode: '700'

+ when: (ansible_system == 'Linux') and (azcmagent_lnx_downloaded.stat.exists == false)

+ - name: Install the Connected Machine Agent on Linux servers

+ become: yes

+ shell: bash ~/install_linux_azcmagent.sh

+ when: (ansible_system == 'Linux') and (not azcmagent_lnx_downloaded.stat.exists)

+ - name: Check if the Connected Machine Agent has already been downloaded on Windows servers

+ win_stat:

+ path: C:\Program Files\AzureConnectedMachineAgent

+ register: azcmagent_win_downloaded

+ when: ansible_os_family == 'Windows'

+ - name: Download the Connected Machine Agent on Windows servers

+ win_get_url:

+ url: https://aka.ms/AzureConnectedMachineAgent

+ dest: C:\AzureConnectedMachineAgent.msi

+ when: (ansible_os_family == 'Windows') and (not azcmagent_win_downloaded.stat.exists)

+ - name: Install the Connected Machine Agent on Windows servers

+ win_package:

+ path: C:\AzureConnectedMachineAgent.msi

+ when: (ansible_os_family == 'Windows') and (not azcmagent_win_downloaded.stat.exists)

+ - name: Check if the Connected Machine Agent has already been connected

+ become: true

+ command:

+ cmd: azcmagent check

+ register: azcmagent_lnx_connected

+ ignore_errors: yes

+ when: ansible_system == 'Linux'

+ failed_when: (azcmagent_lnx_connected.rc not in [ 0, 16 ])

+ changed_when: False

+ - name: Check if the Connected Machine Agent has already been connected on windows

+ win_command: azcmagent check

+ register: azcmagent_win_connected

+ when: ansible_os_family == 'Windows'

+ ignore_errors: yes

+ failed_when: (azcmagent_win_connected.rc not in [ 0, 16 ])

+ changed_when: False

+ - name: Connect the Connected Machine Agent on Linux servers to Azure Arc

+ become: yes

+ shell: azcmagent connect --service-principal-id "{{ azure.service_principal_id }}" --service-principal-secret "{{ azure.service_principal_secret }}" --resource-group "{{ azure.resource_group }}" --tenant-id "{{ azure.tenant_id }}" --location "{{ azure.location }}" --subscription-id "{{ azure.subscription_id }}"

+ when: (ansible_system == 'Linux') and (azcmagent_lnx_connected.rc is defined and azcmagent_lnx_connected.rc != 0)

+ - name: Connect the Connected Machine Agent on Windows servers to Azure

+ win_shell: '& $env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe connect --service-principal-id "{{ azure.service_principal_id }}" --service-principal-secret "{{ azure.service_principal_secret }}" --resource-group "{{ azure.resource_group }}" --tenant-id "{{ azure.tenant_id }}" --location "{{ azure.location }}" --subscription-id "{{ azure.subscription_id }}"'

+ when: (ansible_os_family == 'Windows') and (azcmagent_win_connected.rc is defined and azcmagent_win_connected.rc != 0)

+ 

+

+

+

+

+

+ * A `ready` event is added to the map, which fires when the map resources finish loading and the map is ready to be accessed.

+| AlmaLinux 8.* | X | X | |

+| Rocky Linux 8.* | X | X | |

+> [!NOTE]

+> itemCount has a minimum value of one; the record itself represents an entry.

+> [!NOTE]

+> valueCount has a minimum value of one; the record itself represents an entry.

+> If you're upgrading from 3.2.x:

+> - Starting from 3.3.0, `LoggingLevel` is not captured by default as part of Traces' custom dimension since that data is already captured in the `SeverityLevel` field. For details on how to re-enable this if needed, please see the [config options](./java-standalone-config.md#logginglevel)

+This feature is in preview, starting from 3.3.0.

+Starting from version 3.3.0, `LoggingLevel` is not captured by default as part of Traces' custom dimension since that data is aleady captured in the `SeverityLevel` field.

+Starting from version 3.3.0, you can capture request and response headers on your server (request) telemetry:

+Starting from version 3.3.0, you can change this behavior to capture them as success if you prefer:

+> Vertx HTTP Library instrumentation is available starting from version 3.3.0

+longer network or ingestion service outages, you can increase this limit starting from version 3.3.0:

+ connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE',

+ connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE',

+ connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE',

+ connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE',

+*Does sampling affect alerting accuracy?*

+* Yes. Alerts can only trigger upon sampled data. Aggressive filtering may result in alerts not firing as expected.

+> [!NOTE]

+> Sampling is not applied to Metrics, but Metrics can be derived from sampled data. In this way sampling may indirectly affect alerting accuracy.

+### Which package should I use?

+| .Net Core app scenario | Package |

+|||

+| Without HostedServices | AspNetCore |

+| With HostedServices | AspNetCore (not WorkerService) |

+| With HostedServices, monitoring only HostedServices | WorkerService (rare scenario) |

+### Can HostedServices inside a .NET Core app using the AspNetCore package have TelemetryClient injected to it?

+* Yes. The config will be shared with the rest of the web application.

+* [Track more dependencies not automatically tracked](./auto-collect-dependencies.md).

+[Resource-context RBAC](manage-access.md#access-mode)

+| [Azure Cosmos DB Insights](../cosmos-db/cosmosdb-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/cosmosDBInsights) | Provides a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience. |

+ | [Azure Cosmos DB](../cosmos-db/index.yml) | Microsoft.DocumentDB/databaseAccounts | [**Yes**](./essentials/metrics-supported.md#microsoftdocumentdbdatabaseaccounts) | [**Yes**](./essentials/resource-logs-categories.md#microsoftdocumentdbdatabaseaccounts) | [Azure Cosmos DB Insights](../cosmos-db/cosmosdb-insights-overview.md) | |

+* [Providing Disaster Recovery to CloudBees-Jenkins in AKS with Astra Control Service](https://techcommunity.microsoft.com/t5/azure-architecture-blog/providing-disaster-recovery-to-cloudbees-jenkins-in-aks-with/ba-p/3553412)

+ $deviceConnectionString = az iot hub device-identity connection-string show --device-id $EdgeDeviceId --hub-name $IoTHubName --resource-group $ResourceGroup --subscription $SubscriptionName

+## *Azure Video Indexer* insights -->

+>[!IMPORTANT]

+> To enable SNAT for your specified address ranges, you must [configure a gateway firewall rule](#gateway-firewall-used-to-filter-traffic-to-vms-at-t1-gateways) and SNAT for the specific address ranges you desire. If you don't want SNAT enabled for specific address ranges, you must create a [No-NAT rule](#no-nat-rule-for-specific-address-ranges) for the address ranges to exclude. For this functionality to work as expected, make the No-NAT rule a higher priority than the SNAT rule.

+1. Select **ADD NAT RULE**.

+1. Optionally, enter a source such as a subnet to SNAT or destination.

+1. Optionally, give the rule a higher priority number. This prioritization will move the rule further down the rule list to ensure more specific rules are matched first.

+## No NAT rule for specific address ranges

+A No NAT rule can be used to exclude certain matches from performing Network Address Translation. This policy can be used to allow private IP traffic to bypass the NAT rule.

+1. From your Azure VMware Solution private cloud, select **vCenter Credentials**.

+2. Locate your NSX-T URL and credentials.

+3. Log in to **VMWare NSX-T** and then select **3 NAT Rules**.

+1. Select the T1 Router and then select **ADD NAT RULE**.

+1. Select **SAVE**.

+You can provide security protection for your network traffic in and out of the public internet through your Gateway Firewall.

+1. From your Azure VMware Solution Private Cloud, select **VMware credentials**.

+ |**+ Add URL**|`https://www.microsoft.com/download/faq.aspx`|

+> When using SSML text, be sure to use the [supported SSML elements](speech-synthesis-markup.md?tabs=csharp#supported-ssml-elements) except the `audio`, `mstts:backgroundaudio`, and `lexicon` elements. The `audio`, `mstts:backgroundaudio`, and `lexicon` elements are not supported by Long Audio API. The `audio` and `lexicon` elements will be ignored without any error message. The `mstts:backgroundaudio` element will cause the systhesis task failure. If your synthesis task fails, download the audio result (.zip file) and check the error report with suffix name "err.txt" within the zip file for details.

+>

+> The `lexicon` element is not supported by the [Long Audio API](long-audio-api.md).

+> The 'audio' element is not supported by the [Long Audio API](long-audio-api.md).

+>

+> The `mstts:backgroundaudio` element is not supported by the [Long Audio API](long-audio-api.md).

+1. You can select this link to create an Azure Cognitive multi-service resource: [Create a Cognitive Services resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne).

+ - [Anomaly Detector](https://portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector)

+ - [Content Moderator](https://portal.azure.com/#create/Microsoft.CognitiveServicesContentModerator)

+ - [Metrics Advisor](https://portal.azure.com/#create/Microsoft.CognitiveServicesMetricsAdvisor)

+ - [Personalizer](https://portal.azure.com/#create/Microsoft.CognitiveServicesPersonalizer)

+ - [Immersive reader](https://portal.azure.com/#create/Microsoft.CognitiveServicesImmersiveReader)

+ - [Language Understanding (LUIS)](https://portal.azure.com/#create/Microsoft.CognitiveServicesLUISAllInOne)

+ - [Language service](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics)

+ - [Translator](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation)

+ - [QnA Maker](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker)

+1. You can select this link to create a Speech resource: [Speech Services](https://portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices)

+ - [Computer vision](https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision)

+ - [Custom vision service](https://portal.azure.com/#create/Microsoft.CognitiveServicesCustomVision)

+ - [Face](https://portal.azure.com/#create/Microsoft.CognitiveServicesFace)

+1. If you missed the previous steps or need to find your resource later, go to the [Azure services](https://portal.azure.com/#home) home page. From here you can view recent resources, select **My resources**, or use the search box to find your resource by name.

+|Count of trained models per project| 0 | 10 |

+|Count of trained models per project| 0 | 10 |

+ > [!IMPORTANT]

+ > Remember to remove the key from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../../key-vault/general/overview.md). See the Cognitive Services [security](../../cognitive-services-security.md) article for more information.

+> [!IMPORTANT]

+> Remember to remove the key from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../../key-vault/general/overview.md). See the Cognitive Services [security](../../cognitive-services-security.md) article for more information.

+| 4009 | Message is rejected by Microsoft Entitlement System| Most often it happens if fraudulent activity is detected. Please contact support for more details |

+You can develop and deploy application enclaves using [confidential VMs with Intel SGX enabled](virtual-machine-solutions-sgx.md).

+# Choosing container compute offerings for confidential computing

+Azure confidential computing offers multiple types of containers with varying tiers of confidentiality. You can use these containers to support data integrity and confidentiality, and code integrity.

+The diagram below will guide different offerings in this portfolio

+## Links to container compute offerings

+**Azure Container Instances with Confidential containers (AMD SEV_SNP)** are the first serverless offering that helps protect your container deployments with confidential computing through AMD SEV-SNP technology. Read more on the product [here](https://aka.ms/ccacipreview).

+<!-- You can deploy containers with confidential application enclaves. This method of container deployments has the strongest security and compute isolation, with a lower Trusted Computing Base (TCB). Confidential containers based on Intel Software Guard Extensions (SGX) that run in the hardware-based Trusted Execution Environment (TEE) are available. These containers support lifting and shifting your existing container apps. Another option is to allow building custom apps with enclave awareness. -->

+<!--  -->

+# SGX enclaves

+Intel SGX technology allows customers to create enclaves that protect data, and keep data encrypted while the CPU processes the data.

+Azure confidential computing offers [DCsv2-series](../virtual-machines/dcv2-series.md) and [DCsv3/DCdsv3-series](../virtual-machines/dcv3-series.md) virtual machines (VMs). These VMs have support for [Intel® Software Guard Extensions (SGX)](https://intel.com/sgx).

+Each enclave has an encrypted page cache (EPC) with a set size. The EPC determines the amount of memory that an enclave can hold. [DCsv2-series](../virtual-machines/dcv2-series.md) VMs hold up to 168 MiB. [DCsv3/DCdsv3-series](../virtual-machines/dcv3-series.md) VMs hold up to 256 GB for more memory-intensive workloads.

+- [Develop an enclave-aware application](application-development.md)

+- [Deploy a Intel SGX VM](quick-create-portal.md)

+ Title: Confidential containers with Intex SGX enclaves on Azure

+description: Learn about unmodified container support with confidential containers on Intel SGX through OSS and partner solutions

+# Confidential containers on Azure Kubernetes Service(AKS) with Intel SGX enclaves

+[Confidential containers](confidential-containers.md) help you run existing unmodified container applications of most **common programming languages** runtimes (Python, Node, Java etc.) in the Intel SGX based Trusted Execution Environment(TEE).

+This packaging model typically does not need any source-code modifications or recompilation and is the fastest method to run in Intel SGX enclaves. Typical deployment process for running your standard docker containers requires an Open-Source SGX Wrapper or Azure Partner Solution.

+In this packaging and execution model each container application is loaded in the trusted boundary (enclave) and with a hardware-based isolation enforced by Intel SGX CPU. Each container running in an enclave receives its own memory encryption key delivered from the Intel SGX CPU.

+This model works well for off the shelf container applications available in the market or custom apps currently running on general purpose nodes

+To run an existing Docker container, applications on confidential computing nodes require an Intel Software Guard Extensions (SGX) wrapper software to help the container execution within the bounds of special CPU instruction set.

+SGX creates a direct execution to the CPU to remove the guest operating system (OS), host OS, or hypervisor from the trust boundary. This step reduces the overall surface attack areas and vulnerabilities while achieving process level isolation within a single node.

+The overall process for running unmodified containers involves changes to how your container is packaged today as detailed below.

+The SGX wrapper software needed to help run standard containers are offered by Azure software partners or Open Source Software (OSS)solutions.

+## Partner enablers

+Developers can choose software providers based on their features, integration with Azure services and tooling support.

+> [!IMPORTANT]

+> Azure software partners often involve licensing fees on top of your Azure infrastructure. Please verify all partner software terms independently.

+### Fortanix

+[Fortanix](https://www.fortanix.com/) has portal and Command Line Interface (CLI) experiences to convert their containerized applications to SGX-capable confidential containers. You don't need to modify or recompile the application. Fortanix provides the flexibility to run and manage a broad set of applications. You can use existing applications, new enclave-native applications, and pre-packaged applications. Start with Fortanix's [Enclave Manager](https://em.fortanix.com/) UI or [REST APIs](https://www.fortanix.com/api/). Create confidential containers using the Fortanix's [quickstart guide for AKS](https://hubs.li/Q017JnNt0).

+

+### SCONE (Scontain)

+[SCONE](https://scontain.com/) (Scontain) security policies generate certificates, keys, and secrets. Only services with attestation for an application see these credentials. Application services automatically do attestation for each other through TLS. You don't need to modify the applications or TLS. For more explanation, see SCONE's [Flask application demo](https://sconedocs.github.io/flask_demo/).

+SCONE can convert most existing binaries into applications that run inside enclaves. SCONE also protects interpreted languages like Python by encrypting both data files and Python code files. You can use SCONE security policies to protect encrypted files against unauthorized access, modifications, and rollbacks. For more information, see SCONE's documentation on [how to use SCONE with an existing Python application](https://sconedocs.github.io/sconify_image/).

+

+You can deploy SCONE on Azure confidential computing nodes with AKS following this [SCONE sample AKS application deployment](https://sconedocs.github.io/aks/).

+### Anjuna

+[Anjuna](https://www.anjuna.io/) provides SGX platform software to run unmodified containers on AKS. For more information, see Anjuna's [documentation about functionality and sample applications](https://www.anjuna.io/microsoft-azure-confidential-computing-aks-lp).

+Get started with a sample Redis Cache and Python Custom Application [here](https://www.anjuna.io/microsoft-azure-confidential-computing-aks-lp)

+

+## OSS enablers

+> [!NOTE]

+> Azure confidential computing and Microsoft aren't directly affiliated with these projects and solutions.

+### Gramine

+[Gramine](https://grapheneproject.io/) is a lightweight guest OS, designed to run a single Linux application with minimal host requirements. Gramine can run applications in an isolated environment. There's tooling support for converting existing Docker container to SGX ready containers.

+For more information, see the Gramine's [sample application and deployment on AKS](https://github.com/gramineproject/contrib/tree/master/Examples/aks-attestation)

+### Occlum

+[Occlum](https://occlum.io/) is a memory-safe, multi-process library OS (LibOS) for Intel SGX. The OS enables legacy applications to run on SGX with little to no modifications to source code. Occlum transparently protects the confidentiality of user workloads while allowing an easy "lift and shift" to existing Docker applications.

+For more information, see Occlum's [deployment instructions and sample apps on AKS](https://github.com/occlum/occlum/blob/master/docs/azure_aks_deployment_guide.md).

+### Marblerun

+[Marblerun](https://marblerun.sh/) is an orchestration framework for confidential containers. You can run and scale confidential services on SGX-enabled Kubernetes. Marblerun takes care of boilerplate tasks like verifying the services in your cluster, managing secrets for them, and establishing enclave-to-enclave mTLS connections between them. Marblerun also ensures that your cluster of confidential containers adheres to a manifest defined in simple JSON. You can verify the manifest with external clients through remote attestation.

+This framework extends the confidentiality, integrity, and verifiability properties of a single enclave to a Kubernetes cluster.

+Marblerun supports confidential containers created with Graphene, Occlum, and EGo, with [examples for each SDK](https://docs.edgeless.systems/marblerun/#/examples?id=examples). The framework runs on Kubernetes alongside your existing cloud-native tooling. There's a CLI and helm charts. Marblerun also supports confidential computing nodes on AKS. Follow Marblerun's [guide to deploy Marblerun on AKS](https://docs.edgeless.systems/marblerun/#/deployment/cloud?id=cloud-deployment).

+## Confidential Containers reference architectures

+- [Confidential data messaging for healthcare reference architecture and sample with Intel SGX confidential containers](https://github.com/Azure-Samples/confidential-container-samples/blob/main/confidential-healthcare-scone-confinf-onnx/README.md).

+- [Confidential big-data processing with Apache Spark on AKS with Intel SGX confidential containers](/azure/architecture/example-scenario/confidential/data-analytics-containers-spark-kubernetes-azure-sql).

+## Get in touch

+Do you have questions about your implementation? Do you want to become an enabler for confidential containers? Send an email to <acconaks@microsoft.com>.

+## Next steps

+- [Deploy AKS cluster with Intel SGX Confidential VM Nodes](./confidential-enclave-nodes-aks-get-started.md)

+- [Microsoft Azure Attestation](../attestation/overview.md)

+- [Intel SGX Confidential Virtual Machines](virtual-machine-solutions-sgx.md)

+- [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md)

+description: Learn about unmodified lift and shift container support to confidential containers.

+Confidential containers provide a set of features and capabilities to further secure your standard container workloads to achieve higher data security by running them in a Trusted Execution Environment (TEE). Azure offers a portfolio of capabilities through different confidential container options as discussed below.

+## Benefits

+Confidential containers on Azure run within an enclave-based TEE or VM based TEE environments. Both deployment models help achieve high-isolation and memory encryption through hardware-based assurances. Confidential computing can enhance your deployment security posture in Azure cloud by protecting your memory space through encryption.

+Below are the qualities of confidential containers:

+- Allows running existing standard container images with no code changes (lift-and-shift) within a TEE

+- Allows establishing a hardware root of trust through remote guest attestation

+- Provides strong assurances of data confidentiality, code integrity and data integrity in a cloud environment

+- Helps isolate your containers from other container groups/pods, as well as VM node OS kernel

+## VM Isolated Confidential containers on Azure Container Instances (ACI) - Private Preview

+Confidential Containers on ACI platform leverages VM-based trusted execution environments (TEEs) based on AMDΓÇÖs SEV-SNP technology. The TEE provides memory encryption and integrity of the utility VMΓÇÖs address space as well as hardware-level isolation from other container groups, the host operating system, and the hypervisor. The Root-of-Trust (RoT), which is responsible for managing the TEE, provides support for remote attestation, including issuing an attestation report which may be used by a relying party to verify that the utility VM has been created and configured on a genuine AMD SEV-SNP CPU. Read more on the product [here](https://aka.ms/ccacipreview)

+## Confidential containers in an Intel SGX enclave through OSS or partner software

+Azure Kubernetes Service (AKS) supports adding [Intel SGX confidential computing VM nodes](confidential-computing-enclaves.md) as agent pools in a cluster. These nodes allow you to run sensitive workloads within a hardware-based TEE. TEEs allow user-level code from containers to allocate private regions of memory to execute the code with CPU directly. These private memory regions that execute directly with CPU are called enclaves. Enclaves help protect data confidentiality, data integrity and code integrity from other processes running on the same nodes, as well as Azure operator. The Intel SGX execution model also removes the intermediate layers of Guest OS, Host OS and Hypervisor thus reducing the attack surface area. The *hardware based per container isolated execution* model in a node allows applications to directly execute with the CPU, while keeping the special block of memory encrypted per container. Confidential computing nodes with confidential containers are a great addition to your zero-trust, security planning and defense-in-depth container strategy. Learn more on this capability [here](confidential-containers-enclaves.md)

+## Questions?

+If you have questions about container offerings, please reach out to <acconaks@microsoft.com>.

+ Title: Confidential computing application enclave nodes on Azure Kubernetes Service (AKS)

+description: Intel SGX based confidential computing VM nodes with application enclave support

+# Application enclave support with Intel SGX based confidential computing nodes on Azure Kubernetes Service

+[Azure confidential computing](overview.md) allows you to protect your sensitive data while it's in use. Intel SGX based enclaves allows running application packaged as a container within AKS. Containers run within a Trusted Execution Environment(TEE) brings isolation from other containers, the node kernel in a hardware protected, integrity protected attestable environment.

+## Intel SGX confidential computing nodes feature

+- Hardware based, process level container isolation through Intel SGX trusted execution environment (TEE)

+- Encrypted Page Cache (EPC) memory-based pod scheduling through "Confcon" AKS addon

+- Intel SGX DCAP driver pre-installed and kernel dependency installed

+### Confidential containers through partners and OSS

+[Confidential containers](confidential-containers.md) help you run existing unmodified container applications of most **common programming languages** runtimes (Python, Node, Java etc.) confidentially. This packaging model does not need any source-code modifications or recompilation and is the fastest method to run in an Intel SGX enclaves achieved by packaging your standard docker containers with Open-Source Projects or Azure Partner Solutions. In this packaging and execution model all parts of the container application are loaded in the trusted boundary (enclave). This model works well for off the shelf container applications available in the market or custom apps currently running on general purpose nodes. Learn more on the prep and deployment process [here](confidential-containers-enclaves.md)

+## Frequently asked questions (FAQ)

+Find answers to some of the common questions about Azure Kubernetes Service (AKS) node pool support for Intel SGX based confidential computing nodes [here](confidential-nodes-aks-faq.yml)

+An enclave is a protected memory region that provides confidentiality for data and code execution. It's an instance of a Trusted Execution Environment (TEE) which is secured by hardware. Confidential computing VM's support on AKS uses [Intel Software Guard Extensions (SGX)](https://software.intel.com/sgx) to create isolated enclave environments in the nodes between each container application.

+[Open Enclave SDK](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs) is a hardware-agnostic open-source library for developing C, C++ applications that use Hardware-based Trusted Execution Environments. The current implementation provides support for Intel SGX and preview support for [OP-TEE OS on Arm TrustZone](https://optee.readthedocs.io/en/latest/general/https://docsupdatetracker.net/about.html).

+Azure offers application enclaves via [confidential virtual machines with Intel Software Guard Extensions (SGX) enabled](quick-create-portal.md). After deploying an Intel SGX virtual machine, you'll need specialized tools to make your application "enclave aware". This way, you can build applications that have both trusted and untrusted portions of code.

+- [Attesting application enclaves](attestation.md)

+# Confidential Computing on Azure

+ Azure already offers many tools to safeguard [**data at rest**](../security/fundamentals/encryption-atrest.md) through models such as client-side encryption and server-side encryption. Additionally, Azure offers mechanisms to encrypt [**data in transit**](../security/fundamentals/data-encryption-best-practices.md#protect-data-in-transit) through secure protocols like TLS and HTTPS. This page introduces a third leg of data encryption - the encryption of **data in use**.

+

+> [!VIDEO https://www.youtube.com/embed/rT6zMOoLEqI]

+Azure confidential computing makes it easier to trust the cloud provider, by reducing the need for trust across various aspects of the compute cloud infrastructure. Azure confidential computing minimizes trust for the host OS kernel, the hypervisor, the VM admin, and the host admin.

+Azure confidential computing can help you:

+- **Prevent unauthorized access**: Run sensitive data in the cloud. Trust that Azure provides the best data protection possible, with little to no change from what gets done today.

+- **Meet regulatory compliance**: Migrate to the cloud and keep full control of data to satisfy government regulations for protecting personal information and secure organizational IP.

+- **Ensure secure and untrusted collaboration**: Tackle industry-wide work-scale problems by combing data across organizations, even competitors, to unlock broad data analytics and deeper insights.

+- **Isolate processing**: Offer a new wave of products that remove liability on private data with blind processing. User data can't even be retrieved by the service provider.

+## Azure offerings

+Verifying that applications are running confidentially form the very foundation of confidential computing. This verification is multi-pronged and relies on the following suite of Azure offerings:

+- [Microsoft Azure Attestation](../attestation/overview.md), a remote attestation service for validating the trustworthiness of multiple Trusted Execution Environments (TEEs) and verifying integrity of the binaries running inside the TEEs.

+- [Azure Key Vault Managed HSM](../key-vault/managed-hsm/index.yml), a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated Hardware Security Modules (HSM).

+- [Trusted Launch](../virtual-machines/trusted-launch.md) is available across all Generation 2 VMs bringing hardened security features ΓÇô secure boot, virtual trusted platform module, and boot integrity monitoring ΓÇô that protect against boot kits, rootkits, and kernel-level malware.

+- [Azure Confidential Ledger](../confidential-ledger/overview.md). ACL is a tamper-proof register for storing sensitive data for record keeping and auditing or for data transparency in multi-party scenarios. It offers Write-Once-Read-Many guarantees, which make data non-erasable and non-modifiable. The service is built on Microsoft Research's [Confidential Consortium Framework](https://www.microsoft.com/research/project/confidential-consortium-framework/).

+- [Always Encrypted with secure enclaves in Azure SQL](/sql/relational-databases/security/encryption/always-encrypted-enclaves). The confidentiality of sensitive data is protected from malware and high-privileged unauthorized users by running SQL queries directly inside a TEE.

+Technologies like [Intel Software Guard Extensions](https://www.intel.com.au/content/www/au/en/architecture-and-technology/software-guard-extensions-enhanced-data-protection.html) (Intel SGX), or [AMD Secure Encrypted Virtualization](https://www.amd.com/en/processors/amd-secure-encrypted-virtualization) (SEV-SNP) are recent CPU improvements supporting confidential computing implementations. These technologies are designed as virtualization extensions and provide feature sets including memory encryption and integrity, CPU-state confidentiality and integrity, and attestation, for building the confidential computing threat model. Azure Computational Computing leverages these technologies in the following computation resources:

+- [Confidential VMs with Intel SGX application enclaves](confidential-computing-enclaves.md). Azure offers the [DCsv2](../virtual-machines/dcv2-series.md), [DCsv3, and DCdsv3](../virtual-machines/dcv3-series.md) series built on Intel SGX technology for hardware-based enclave creation. You can build secure enclave-based applications to run in a series of VMs to protect your application data and code in use.

+- [App-enclave aware containers](enclave-aware-containers.md) running on Azure Kubernetes Service (AKS). Confidential computing nodes on AKS use Intel SGX to create isolated enclave environments in the nodes between each container application.

+- Confidential VMs based on [AMD SEV-SNP technology](https://azure.microsoft.com/blog/azure-and-amd-enable-lift-and-shift-confidential-computing/) enable lift-and-shift of existing workloads and protect data from the cloud operator with VM-level confidentiality.

+- [Learn common confidential computing scenarios](use-cases-scenarios.md)

+Confidential computing is an industry term defined by the [Confidential Computing Consortium](https://confidentialcomputing.io/) (CCC) - a foundation dedicated to defining and accelerating the adoption of confidential computing. The CCC defines confidential computing as: The protection of data in use by performing computations in a hardware-based Trusted Execution Environment (TEE).

+A TEE is an environment that enforces execution of only authorized code. Any data in the TEE can't be read or tampered with by any code outside that environment. The confidential computing threat model aims at removing or reducing the ability for a cloud provider operator and other actors in the tenant's domain to access code and data while being executed.

+<!-- Confidential computing allows you to isolate your sensitive data while it's being processed. Many industries use confidential computing to protect their data by using confidential computing to:

+- Run machine learning processes on sensitive information

+- Perform algorithms on encrypted data sets from multiple sources

+- Secure financial data

+- Protect patient information -->

+When used with data encryption at rest and in transit, confidential computing eliminates the single largest barrier of encryption - encryption while in use - by protecting sensitive or highly regulated data sets and application workloads in a secure public cloud platform. Confidential computing extends beyond generic data protection. TEEs are also being used to protect proprietary business logic, analytics functions, machine learning algorithms, or entire applications.

+## Lessen the need for trust

+- **App software vendors**: Trust software by deploying on-premises, using open-source, or by building in-house application software.

+- **Hardware vendors**: Trust hardware by using on-premises hardware or in-house hardware.

+- **Infrastructure providers**: Trust cloud providers or manage your own on-premises data centers.

+## Reducing the attack surface

+The trusted computing base (TCB) refers to all of a system's hardware, firmware, and software components that provide a secure environment. The components inside the TCB are considered "critical". If one component inside the TCB is compromised, the entire system's security may be jeopardized. A lower TCB means higher security. There's less risk of exposure to various vulnerabilities, malware, attacks, and malicious people.

+### Next steps

+[Microsoft's offerings](https://aka.ms/azurecc) for confidential computing extend from Infrastructure as a Service (IaaS) to Platform as a Service (PaaS) and as well as developer tools to support your journey to data and code confidentiality in the cloud.

+Learn more about confidential computing on Azure

+> [Overview of Azure Confidential Computing](overview-azure-products.md)

+Business transactions and project collaboration require sharing information amongst multiple parties. Often, the data being shared is confidential. The data may be personal information, financial records, medical records, private citizen data, etc. Public and private organizations require their data be protected from unauthorized access. Sometimes these organizations even want to protect data from computing infrastructure operators or engineers, security architects, business consultants, and data scientists.

+In Government and public agencies, Azure confidential computing is a solution to raise the degree of trust towards the ability to protect data sovereignty in the public cloud. Moreover, thanks to the increasingly adoption of confidential computing capabilities into PaaS services in Azure, a higher degree of trust can be achieved with a reduced impact to the innovation ability provided by public cloud services. This combination of protecting data sovereignity with a reduced impact to the innovation ability makes Azure confidential computing a very effective response to the needs of sovereignty and digital transformation of Government services.

+Enormous investment and revolutionary innovation in confidential computing has enabled the removal of the cloud service provider from the trust chain to an unprecedented degree. Azure confidential computing delivers the highest level of sovereignty available in the market today. This allows customer and governments to meet their sovereignty needs today and still leverage innovation tomorrow.

+ dnsNameLabelReusePolicy: string

+ Title: Deploy an Azure Container Instances (ACI) container group with DNS name reuse policy

+description: Set the DNS name reuse policy for your container groups to avoid subdomain takeover when you release your DNS names.

+# Deploy an Azure Container Instances (ACI) container group with DNS name reuse policy (preview)

+DNS name reuse is convenient for DevOps within any modern company. The idea of redeploying an application by reusing the DNS name fulfills an on-demand philosophy that secures cloud development. Therefore, it's important to note that DNS names that are available to anyone become a problem when one customer releases a name only to have that same name taken by another customer. This is called subdomain takeover. A customer releases a resource using a particular name, and another customer creates a new resource with that same DNS name. If there were any records pointing to the old resource, they now also point to the new resource.

+In order to avoid this, ACI will now allow customers to reuse DNS names while preventing DNS names from being reused by different customers. ACI secures DNS names by randomly generating a hash value to associate with the DNS name, making it difficult for another customer to accidentally create an ACI with the same name and get linked to the past customer's ACI information.

+> [!IMPORTANT]

+> DNS name reuse policy support is only available on ACI API version `10-01-2021` or later.

+## Prerequisites

+* An **active Azure subscription**. If you don't have an active Azure subscription, create a [free account](https://azure.microsoft.com/free) before you begin.

+* A **resource group** to manage all the resources you use in this how-to guide. We use the example resource group name **ACIResourceGroup** throughout this article.

+ ```azurecli-interactive

+ az group create --name ACIResourceGroup --location westus

+## Understand the DNS name reuse policy

+You now have the choice when creating an ACI to choose what level of reuse you want your DNS name label to have.

+| Policy name | Policy definition |

+| - | - |

+| unsecure | Hash will be generated based on only the DNS name. Avoiding subdomain takeover is not guaranteed if another customer uses the same DNS name. |

+| tenantReuse | **Default** Hash will be generated based on the DNS name and the tenant ID. Object's domain name label can be reused within the same tenant. |

+| subscriptionReuse | Hash will be generated based on the DNS name and the tenant ID and subscription ID. Object's domain name label can be reused within the same subscription. |

+| resourceGroupReuse | Hash will be generated based on the DNS name and the tenant ID, subscription ID, and resource group name. Object's domain name label can be reused within the same resource group. |

+| noReuse | Hash will not be generated. Object's domain label can't be reused within resource group, subscription, or tenant. |

+## Create a container instance

+> [!IMPORTANT]

+> Setting the DNS name reuse policy is not currently supported through the Azure CLI .

+The process for deploying your container instance remains same. If you want the full process of how to deploy a container instance, see the quickstart featuring your preferred deployment method. For example, the [ARM template quickstart](container-instances-quickstart-template.md).

+For [Azure portal](https://portal.azure.com) users, you can set the DNS name reuse policy on the **Networking** tab during the container instance creation process using the **DNS name label scope reuse** field.

+

+For ARM template users, see the [Resource Manager reference](/azure/templates/microsoft.containerinstance/containergroups.md) to see how the dnsNameLabelReusePolicy field fits into the existing schema.

+For YAML template users, see the [YAML reference](container-instances-reference-yaml.md) to see how the dnsNameLabelReusePolicy field fits into the existing schema.

+## Next steps

+See the Azure Quickstart Template [Create an Azure container group with VNet](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet), to deploy a container group within a virtual network.

+* [Explore Azure Monitor for Azure Cosmos DB](cosmosdb-insights-overview.md?toc=/azure/cosmos-db/toc.json&bc=/azure/cosmos-db/breadcrumb/toc.json)

+> For more information about measuring the current data usage of your Azure Cosmos DB account, see [Explore Azure Monitor Cosmos DB insights](cosmosdb-insights-overview.md#view-utilization-and-performance-metrics-for-azure-cosmos-db). Continous 7-day tier does not incur charges for backup of the data.

+ Title: Monitor Azure Cosmos DB with Azure Monitor Cosmos DB insights| Microsoft Docs

+description: This article describes the Cosmos DB insights feature of Azure Monitor that provides Cosmos DB owners with a quick understanding of performance and utilization issues with their Cosmos DB accounts.

+# Explore Azure Monitor Cosmos DB insights

+Cosmos DB insights provides a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience. This article will help you understand the benefits of this new monitoring experience, and how you can modify and adapt the experience to fit the unique needs of your organization.

+## Introduction

+Before diving into the experience, you should understand how it presents and visualizes information.

+It delivers:

+* **At scale perspective** of your Azure Cosmos DB resources across all your subscriptions in a single location, with the ability to selectively scope to only those subscriptions and resources you are interested in evaluating.

+* **Drill down analysis** of a particular Azure Cosmos DB resource to help diagnose issues or perform detailed analysis by category - utilization, failures, capacity, and operations. Selecting any one of those options provides an in-depth view of the relevant Azure Cosmos DB metrics.

+* **Customizable** - This experience is built on top of Azure Monitor workbook templates allowing you to change what metrics are displayed, modify or set thresholds that align with your limits, and then save into a custom workbook. Charts in the workbooks can then be pinned to Azure dashboards.

+This feature does not require you to enable or configure anything, these Azure Cosmos DB metrics are collected by default.

+>[!NOTE]

+>There is no charge to access this feature and you will only be charged for the Azure Monitor essential features you configure or enable, as described on the [Azure Monitor pricing details](https://azure.microsoft.com/pricing/details/monitor/) page.

+## View utilization and performance metrics for Azure Cosmos DB

+To view the utilization and performance of your storage accounts across all of your subscriptions, perform the following steps.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Search for **Monitor** and select **Monitor**.

+ 

+3. Select **Cosmos DB**.

+ 

+### Overview

+On **Overview**, the table displays interactive Azure Cosmos DB metrics. You can filter the results based on the options you select from the following drop-down lists:

+* **Subscriptions** - only subscriptions that have an Azure Cosmos DB resource are listed.

+* **Cosmos DB** - You can select all, a subset, or single Azure Cosmos DB resource.

+* **Time Range** - by default, displays the last 4 hours of information based on the corresponding selections made.

+The counter tile under the drop-down lists rolls-up the total number of Azure Cosmos DB resources are in the selected subscriptions. There is conditional color-coding or heatmaps for columns in the workbook that report transaction metrics. The deepest color has the highest value and a lighter color is based on the lowest values.

+Selecting a drop-down arrow next to one of the Azure Cosmos DB resources will reveal a breakdown of the performance metrics at the individual database container level:

+

+Selecting the Azure Cosmos DB resource name highlighted in blue will take you to the default **Overview** for the associated Azure Cosmos DB account.

+### Failures

+Select **Failures** at the top of the page and the **Failures** portion of the workbook template opens. It shows you total requests with the distribution of responses that make up those requests:

+

+| Code | Description |

+|--|:--|

+| `200 OK` | One of the following REST operations were successful: </br>- GET on a resource. </br> - PUT on a resource. </br> - POST on a resource. </br> - POST on a stored procedure resource to execute the stored procedure.|

+| `201 Created` | A POST operation to create a resource is successful. |

+| `404 Not Found` | The operation is attempting to act on a resource that no longer exists. For example, the resource may have already been deleted. |

+For a full list of status codes, consult the [Azure Cosmos DB HTTP status code article](/rest/api/cosmos-db/http-status-codes-for-cosmosdb).

+### Capacity

+Select **Capacity** at the top of the page and the **Capacity** portion of the workbook template opens. It shows you how many documents you have, your document growth over time, data usage, and the total amount of available storage that you have left. This can be used to help identify potential storage and data utilization issues.

+

+As with the overview workbook, selecting the drop-down next to an Azure Cosmos DB resource in the **Subscription** column will reveal a breakdown by the individual containers that make up the database.

+### Operations

+Select **Operations** at the top of the page and the **Operations** portion of the workbook template opens. It gives you the ability to see your requests broken down by the type of requests made.

+So in the example below you see that `eastus-billingint` is predominantly receiving read requests, but with a small number of upsert and create requests. Whereas `westeurope-billingint` is read-only from a request perspective, at least over the past four hours that the workbook is currently scoped to via its time range parameter.

+

+## View from an Azure Cosmos DB resource

+1. Search for or select any of your existing Azure Cosmos DB accounts.

+2. Once you've navigated to your Azure Cosmos DB account, in the Monitoring section select **Insights (preview)** or **Workbooks** to perform further analysis on throughput, requests, storage, availability, latency, system, and account management.

+### Time range

+By default, the **Time Range** field displays data from the **Last 24 hours**. You can modify the time range to display data anywhere from the last 5 minutes to the last seven days. The time range selector also includes a **Custom** mode that allows you to type in the start/end dates to view a custom time frame based on available data for the selected account.

+### Insights overview

+The **Overview** tab provides the most common metrics for the selected Azure Cosmos DB account including:

+* Total Requests

+* Failed Requests (429s)

+* Normalized RU Consumption (max)

+* Data & Index Usage

+* Cosmos DB Account Metrics by Collection

+**Total Requests:** This graph provides a view of the total requests for the account broken down by status code. The units at the bottom of the graph are a sum of the total requests for the period.

+**Failed Requests (429s)**: This graph provides a view of failed requests with a status code of 429. The units at the bottom of the graph are a sum of the total failed requests for the period.

+**Normalized RU Consumption (max)**: This graph provides the max percentage between 0-100% of Normalized RU Consumption units for the specified period.

+## Pin, export, and expand

+You can pin any one of the metric sections to an [Azure Dashboard](../azure-portal/azure-portal-dashboards.md) by selecting the pushpin icon at the top right of the section.

+

+To export your data into the Excel format, select the down arrow icon to the left of the pushpin icon.

+

+To expand or collapse all drop-down views in the workbook, select the expand icon to the left of the export icon:

+

+## Customize Cosmos DB insights

+Since this experience is built on top of Azure Monitor workbook templates, you have the ability to **Customize** > **Edit** and **Save** a copy of your modified version into a custom workbook.

+

+Workbooks are saved within a resource group, either in the **My Reports** section that's private to you or in the **Shared Reports** section that's accessible to everyone with access to the resource group. After you save the custom workbook, you need to go to the workbook gallery to launch it.

+

+## Troubleshooting

+For troubleshooting guidance, refer to the dedicated workbook-based insights [troubleshooting article](../azure-monitor/insights/troubleshoot-workbooks.md).

+## Next steps

+* Configure [metric alerts](../azure-monitor/alerts/alerts-metric.md) and [service health notifications](../service-health/alerts-activity-log-service-notifications-portal.md) to set up automated alerting to aid in detecting issues.

+* Learn the scenarios workbooks are designed to support, how to author new and customize existing reports, and more by reviewing [Create interactive reports with Azure Monitor workbooks](../azure-monitor/visualize/workbooks-overview.md).

+If you have an existing application using standard (manual) provisioned throughput, you can use [Azure Monitor metrics](cosmosdb-insights-overview.md) to determine if your traffic pattern is suitable for autoscale.

+ Title: Get started with Azure Cosmos DB MongoDB API and .NET

+description: Get started developing a .NET application that works with Azure Cosmos DB MongoDB API. This article helps you learn how to set up a project and configure access to an Azure Cosmos DB MongoDB API database.

+ms.devlang: dotnet

+# Get started with Azure Cosmos DB MongoDB API and .NET Core

+This article shows you how to connect to Azure Cosmos DB MongoDB API using .NET Core and the relevant NuGet packages. Once connected, you can perform operations on databases, collections, and documents.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples) are available on GitHub as a .NET Core project.

+[MongoDB API reference documentation](https://docs.mongodb.com/drivers/csharp) | [MongoDB Package (NuGet)](https://www.nuget.org/packages/MongoDB.Driver)

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+* [.NET 6.0](https://dotnet.microsoft.com/en-us/download)

+* [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)

+* [Azure Cosmos DB MongoDB API resource](quickstart-dotnet.md#create-an-azure-cosmos-db-account)

+## Create a new .NET Core app

+1. Create a new .NET Core application in an empty folder using your preferred terminal. For this scenario you'll use a console application. Use the [``dotnet new``](/dotnet/core/tools/dotnet-new) command to create and name the console app.

+ ```console

+ dotnet new console -o app

+ ```

+2. Add the [MongoDB](https://www.nuget.org/packages/MongoDB.Driver) NuGet package to the console project. Use the [``dotnet add package``](/dotnet/core/tools/dotnet-add-package) command specifying the name of the NuGet package.

+ ```console

+ dotnet add package MongoDB.Driver

+ ```

+3. To run the app, use a terminal to navigate to the application directory and run the application.

+ ```console

+ dotnet run

+ ```

+## Connect to Azure Cosmos DB MongoDB API with the MongoDB native driver

+To connect to Azure Cosmos DB with the MongoDB native driver, create an instance of the [``MongoClient``](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/T_MongoDB_Driver_MongoClient.htm) class. This class is the starting point to perform all operations against MongoDb databases. The most common constructor for **MongoClient** accepts a connection string, which you can retrieve using the following steps:

+## Get resource name

+### [Azure CLI](#tab/azure-cli)

+### [PowerShell](#tab/azure-powershell)

+### [Portal](#tab/azure-portal)

+Skip this step and use the information for the portal in the next step.

+## Retrieve your connection string

+### [Azure CLI](#tab/azure-cli)

+### [PowerShell](#tab/azure-powershell)

+### [Portal](#tab/azure-portal)

+> [!TIP]

+> For this guide, we recommend using the resource group name ``msdocs-cosmos``.

+## Configure environment variables

+## Create MongoClient with connection string

+Define a new instance of the ``MongoClient`` class using the constructor and the connection string variable you set previously.

+## Use the MongoDB client classes with Cosmos DB for MongoDB API

+Each type of resource is represented by one or more associated C# classes. Here's a list of the most common classes:

+| Class | Description |

+|||

+|[``MongoClient``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoClient.htm)|This class provides a client-side logical representation for the MongoDB API layer on Cosmos DB. The client object is used to configure and execute requests against the service.|

+|[``MongoDatabase``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoDatabase.htm)|This class is a reference to a database that may, or may not, exist in the service yet. The database is validated or created server-side when you attempt to perform an operation against it.|

+|[``Collection``](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoCollection.htm)|This class is a reference to a collection that also may not exist in the service yet. The collection is validated server-side when you attempt to work with it.|

+The following guides show you how to use each of these classes to build your application and manage data.

+**Guide**:

+* [Manage databases](how-to-dotnet-manage-databases.md)

+* [Manage collections](how-to-dotnet-manage-collections.md)

+* [Manage documents](how-to-dotnet-manage-documents.md)

+* [Use queries to find documents](how-to-dotnet-manage-queries.md)

+## See also

+- [Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos)

+- [API reference](https://docs.mongodb.com/drivers/csharp)

+## Next steps

+Now that you've connected to a MongoDB API account, use the next guide to create and manage databases.

+> [!div class="nextstepaction"]

+> [Create a database in Azure Cosmos DB MongoDB API using .NET](how-to-dotnet-manage-databases.md)

+ Title: Create a collection in Azure Cosmos DB MongoDB API using .NET

+description: Learn how to work with a collection in your Azure Cosmos DB MongoDB API database using the .NET SDK.

+ms.devlang: dotnet

+# Manage a collection in Azure Cosmos DB MongoDB API using .NET

+Manage your MongoDB collection stored in Cosmos DB with the native MongoDB client driver.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples) are available on GitHub as a .NET project.

+[MongoDB API reference documentation](https://docs.mongodb.com/drivers/csharp) | [MongoDB Package (NuGet)](https://www.nuget.org/packages/MongoDB.Driver)

+## Name a collection

+In Azure Cosmos DB, a collection is analogous to a table in a relational database. When you create a collection, the collection name forms a segment of the URI used to access the collection resource and any child docs.

+Here are some quick rules when naming a collection:

+* Keep collection names between 3 and 63 characters long

+* Collection names can only contain lowercase letters, numbers, or the dash (-) character.

+* Container names must start with a lowercase letter or number.

+## Get collection instance

+Use an instance of the **Collection** class to access the collection on the server.

+* [MongoClient.Database.Collection](https://mongodb.github.io/node-mongodb-native/4.7/classes/Collection.html)

+The following code snippets assume you've already created your [client connection](how-to-dotnet-get-started.md#create-mongoclient-with-connection-string).

+## Create a collection

+To create a collection, insert a document into the collection.

+* [MongoClient.Database.Collection](https://mongodb.github.io/node-mongodb-native/4.5/classes/Db.html#collection)

+* [MongoClient.Database.Collection.InsertOne](https://mongodb.github.io/node-mongodb-native/4.7/classes/Collection.html#insertOne)

+* [MongoClient.Database.Collection.InsertMany](https://mongodb.github.io/node-mongodb-native/4.7/classes/Collection.html#insertMany)

+## Drop a collection

+* [MongoClient.Db.dropCollection](https://mongodb.github.io/node-mongodb-native/4.7/classes/Db.html#dropCollection)

+Drop the collection from the database to remove it permanently. However, the next insert or update operation that accesses the collection will create a new collection with that name.

+## Get collection indexes

+An index is used by the MongoDB query engine to improve performance to database queries.

+* [MongoClient.Database.Collection.indexes](https://mongodb.github.io/node-mongodb-native/4.7/classes/Collection.html#indexes)

+## See also

+- [Get started with Azure Cosmos DB MongoDB API and .NET](how-to-dotnet-get-started.md)

+- [Create a database](how-to-dotnet-manage-databases.md)

+ Title: Manage a MongoDB database using .NET

+description: Learn how to manage your Cosmos DB resource when it provides the MongoDB API with a .NET SDK.

+ms.devlang: dotnet

+# Manage a MongoDB database using .NET

+Your MongoDB server in Azure Cosmos DB is available from the [MongoDB](https://www.nuget.org/packages/MongoDB.Driver) NuGet package.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples) are available on GitHub as a .NET project.

+[MongoDB API reference documentation](https://docs.mongodb.com/drivers/csharp) | [MongoDB Package (NuGet)](https://www.nuget.org/packages/MongoDB.Driver)

+## Name a database

+In Azure Cosmos DB, a database is analogous to a namespace. When you create a database, the database name forms a segment of the URI used to access the database resource and any child resources.

+Here are some quick rules when naming a database:

+* Keep database names between 3 and 63 characters long

+* Database names can only contain lowercase letters, numbers, or the dash (-) character.

+* Database names must start with a lowercase letter or number.

+Once created, the URI for a database is in this format:

+``https://<cosmos-account-name>.documents.azure.com/dbs/<database-name>``

+## Create a database instance

+You can use the `MongoClient` to get an instance of a database, or create one if it doesn't exist already. The `MongoDatabase` class provides access to collections and their documents.

+* [MongoClient](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoClient.htm)

+* [MongoClient.Database](https://mongodb.github.io/mongo-csharp-driver/2.16/apidocs/html/T_MongoDB_Driver_MongoDatabase.htm)

+The following code snippet creates a new database by inserting a document into a collection. Remember, the database will not be created until it is needed for this type of operation.

+## Get an existing database

+You can also retrieve an existing database by name using the `GetDatabase` method to access its collections and documents.

+* [MongoClient.GetDatabase](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_MongoClient_GetDatabase.htm)

+## Get a list of all databases

+You can retrieve a list of all the databases on the server using the `MongoClient`.

+* [MongoClient.Database.ListDatabaseNames](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_MongoClient_ListDatabaseNames_3.htm)

+This technique can then be used to check if a database already exists.

+## Drop a database

+A database is removed from the server using the `DropDatabase` method on the DB class.

+* [MongoClient.DropDatabase](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_MongoClient_DropDatabase_1.htm)

+## See also

+- [Get started with Azure Cosmos DB MongoDB API and .NET](how-to-dotnet-get-started.md)

+- Work with a collection](how-to-dotnet-manage-collections.md)

+ Title: Create a document in Azure Cosmos DB MongoDB API using .NET

+description: Learn how to work with a document in your Azure Cosmos DB MongoDB API database using the .NET SDK.

+ms.devlang: dotnet

+# Manage a document in Azure Cosmos DB MongoDB API using .NET

+Manage your MongoDB documents with the ability to insert, update, and delete documents.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples) are available on GitHub as a .NET project.

+[MongoDB API reference documentation](https://docs.mongodb.com/drivers/node) | [MongoDB Package (NuGet)](https://www.nuget.org/packages/MongoDB.Driver)

+## Insert a document

+Insert one or many documents, defined with a JSON schema, into your collection.

+* [MongoClient.Database.Collection.InsertOne](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_InsertOne_1.htm)

+* [MongoClient.Database.Collection.InsertMany](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_InsertMany_1.htm)

+## Update a document

+To update a document, specify the query filter used to find the document along with a set of properties of the document that should be updated.

+* [MongoClient.Database.Collection.UpdateOne](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_UpdateOne_1.htm)

+* [MongoClient.Database.Collection.UpdateMany](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_UpdateMany_1.htm)

+## Bulk updates to a collection

+You can perform several different types of operations at once with the **bulkWrite** operation. Learn more about how to [optimize bulk writes for Cosmos DB](optimize-write-performance.md#tune-for-the-optimal-batch-size-and-thread-count).

+The following bulk operations are available:

+* [MongoClient.Database.Collection.BulkWrite](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_BulkWrite_1.htm)

+ * insertOne

+ * updateOne

+ * updateMany

+ * deleteOne

+ * deleteMany

+## Delete a document

+To delete documents, use a query to define how the documents are found.

+* [MongoClient.Database.Collection.DeleteOne](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_DeleteOne_1.htm)

+* [MongoClient.Database.Collection.DeleteMany](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollection_1_DeleteMany_1.htm)

+## See also

+- [Get started with Azure Cosmos DB MongoDB API and JavaScript](how-to-javascript-get-started.md)

+- [Create a database](how-to-javascript-manage-databases.md)

+ Title: Query documents in Azure Cosmos DB MongoDB API using .NET

+description: Learn how to query documents in your Azure Cosmos DB MongoDB API database using the .NET SDK.

+ms.devlang: dotnet

+# Query documents in Azure Cosmos DB MongoDB API using .NET

+Use queries to find documents in a collection.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-mongodb-api-dotnet-samples) are available on GitHub as a .NET project.

+[MongoDB API reference documentation](https://docs.mongodb.com/drivers/node) | [MongoDB Package (NuGet)](https://www.nuget.org/packages/MongoDB.Driver)

+## Query for documents

+To find documents, use a query filter on the collection to define how the documents are found.

+* [MongoClient.Database.Collection.Find](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/M_MongoDB_Driver_IMongoCollectionExtensions_Find__1_3.htme)

+* [FilterDefinition](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/T_MongoDB_Driver_FilterDefinition_1.htm)

+* [FilterDefinitionBuilder](https://mongodb.github.io/mongo-csharp-driver/2.17/apidocs/html/T_MongoDB_Driver_FilterDefinitionBuilder_1.htm)

+## See also

+- [Get started with Azure Cosmos DB MongoDB API and .NET](how-to-dotnet-get-started.md)

+- [Create a database](how-to-dotnet-manage-databases.md)

+- [Create a database](how-to-javascript-manage-databases.md)

+The sample code demonstrated in this article creates a database named ``adventureworks`` with a collection named ``products``. The ``products`` collection is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

+Cosmos DB insights is a feature based on the [workbooks feature of Azure Monitor](../azure-monitor/visualize/workbooks-overview.md) and uses the same monitoring data collected for Azure Cosmos DB described in the sections below. Use Azure Monitor for a view of the overall performance, failures, capacity, and operational health of all your Azure Cosmos DB resources in a unified interactive experience, and use the other features of Azure Monitor for detailed analysis and alerting. To learn more, see the [Explore Cosmos DB insights](cosmosdb-insights-overview.md) article.

+Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new console``](/dotnet/core/tools/dotnet-new) to create a new console app.

+> [Get started with Azure Cosmos DB Table API and .NET](./how-to-dotnet-get-started.md)

+1. Sign in to the ΓÇ»[Azure portal](https://portal.azure.com).

+1. Search for  **Cost Management + Billing** and then select  **Billing scopes**.

+1. Select your billing scope, and then in the left menu underΓÇ» **Settings**, select ΓÇ»**Properties**.

+1. SelectΓÇ» **Update PO number**.

+1. Enter a PO number and then select ΓÇ»**Update**.

+Or you can update the PO number from Invoice blade for the upcoming invoice:

+1. Sign in to the ΓÇ»[Azure portal](https://portal.azure.com).

+1. Search for  **Cost Management + Billing** and then select  **Billing scopes**.

+1. Select your billing scope, then in the left menu under ΓÇ»**Billing**, select ΓÇ»**Invoices**.

+1. SelectΓÇ» **Update PO number**.

+1. Enter a PO number and then select ΓÇ»**Update**.

+- **Enterprise Agreement**: A billing account for an Enterprise Agreement (EA) is created when your organization signs an [Enterprise Agreement](https://azure.microsoft.com/pricing/enterprise-agreement/) to use Azure. An EA enrollment can contain an unlimited number of EA accounts. However, an EA account has a subscription limit of 5000. If you need more subscriptions than the limit, create more EA accounts. Generally speaking, a subscription is a billing container. We recommend that you avoid creating multiple subscriptions to implement access boundaries. To separate resources with an access boundary, consider using a resource group. For more information about resource groups, see [Manage Azure resource groups by using the Azure portal](../../azure-resource-manager/management/manage-resource-groups-portal.md).

+- **Microsoft Customer Agreement**: A billing account for a Microsoft Customer Agreement is created when your organization works with a Microsoft representative to sign a Microsoft Customer Agreement. Some customers in select regions, who sign up through the Azure website for an [account with pay-as-you-go rates](https://azure.microsoft.com/offers/ms-azr-0003p/) or an [Azure Free Account](https://azure.microsoft.com/offers/ms-azr-0044p/) may have a billing account for a Microsoft Customer Agreement as well. You can have a maximum of 20 subscriptions in a Microsoft Customer Agreement for an individual. A Microsoft Customer Agreement for an enterprise can have up to 5000 subscriptions under it.

+- **Message**: ADLS Gen2 storage staging properties should be specified. Either one of key or tenant/spnId/spn Credential/spnCredentialType or miServiceUri/miServiceToken is required.

+## Error code: DF-Executor-OutOfMemorySparkError

+- **Message**: The data may be too large to fit in the memory.

+- **Cause**: The size of the data far exceeds the limit of the node memory.

+- **Recommendation**: Increase the core count and switch to the memory optimized compute type.

+## Error code: DF-SQLDW-InternalErrorUsingMSI

+- **Message**: An internal error occurred while authenticating against Managed Service Identity in Azure Synapse Analytics instance. Please restart the Azure Synapse Analytics instance or contact Azure Synapse Analytics Dedicated SQL Pool support if this problem persists.

+- **Cause**: An internal error occurred in Azure Synapse Analytics.

+- **Recommendation**: Restart the Azure Synapse Analytics instance or contact Azure Synapse Analytics Dedicated SQL Pool support if this problem persists.

+## Error code: DF-Executor-IncorrectLinkedServiceConfiguration

+- **Message**: Possible causes are,

+ - The linked service is incorrectly configured as type 'Azure Blob Storage' instead of 'Azure DataLake Storage Gen2' and it has 'Hierarchical namespace' enabled. Please create a new linked service of type 'Azure DataLake Storage Gen2' for the storage account in question.

+ - Certain scenarios with any combinations of 'Clear the folder', non-default 'File name option', 'Key' partitioning may fail with a Blob linked service on a 'Hierarchical namespace' enabled storage account. You can disable these dataflow settings (if enabled) and try again in case you do not want to create a new Gen2 linked service.

+- **Cause**: Delete operation on the Azure Data Lake Storage Gen2 account failed since its linked service is incorrectly configured as Azure Blob Storage.

+- **Recommendation**: Create a new Azure Data Lake Storage Gen2 linked service for the storage account. If that's not feasible, some known scenarios like **Clear the folder**, non-default **File name option**, **Key** partitioning in any combinations may fail with an Azure Blob Storage linked service on a hierarchical namespace enabled storage account. You can disable these data flow settings if you enabled them and try again.

+## Error code: DF-Delta-InvalidProtocolVersion

+- **Message**: Unsupported Delta table protocol version, Refer https://docs.delta.io/latest/versioning.html#-table-version for versioning information.

+- **Cause**: Data flows don't support this version of the Delta table protocol.

+- **Recommendation**: Use a lower version of the Delta table protocol.

+2. Connect the computer to PORT 1 on your device. If connecting the computer to the device directly (without a switch), use an Ethernet crossover cable or a USB Ethernet adapter.

+ The backplane of the device may look slightly different depending on the exact model you have received. Use the illustrations in [Cable your device](azure-stack-edge-gpu-deploy-install.md#cable-the-device) to identify Port 1 on your device.

+ The backplane of the device may look slightly different depending on the exact model you have received. Use the illustrations in [Cable your device](azure-stack-edge-gpu-deploy-install.md#cable-the-device) to identify Port 1 on your device.

+ - Device with two Peripheral Component Interconnect (PCI) slots and one GPU

+

+ 

+ - Device with three PCI slots and one GPU

+ 

+

+ - Device with three PCI slots and two GPUs

+ 

+### Do I need to buy a separate anti-malware solution to protect my machines?

+No. With MDE integration in Defender for Servers, you'll also get malware protection on your machines.

+- On Windows Server 2012 R2 with MDE unified solution integration enabled, Defender for Servers will deploy [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) in *active mode*.

+- On newer Windows Server operating systems, Microsoft Defender Antivirus is part of the operating system and will be enabled in *active mode*.

+- On Linux, Defender for Servers will deploy MDE including the anti-malware component, and set the component in *passive mode*.

+- [Defender for Container's VA adds support for the detection of language specific packages (Preview)](#defender-for-containers-va-adds-support-for-the-detection-of-language-specific-packages-preview)

+### Defender for Container's VA adds support for the detection of language specific packages (Preview)

+Defender for Container's vulnerability assessment (VA) is able to detect vulnerabilities in OS packages deployed via the OS package manager. We have now extended VA's abilities to detect vulnerabilities included in language specific packages.

+This feature is in `preview` and is only available for Linux images.

+To see all of the included language specific packages that have been added, check out Defender for Container's full list of [features and their availability](supported-machines-endpoint-solutions-clouds-containers.md#registries-and-images).

+| Vulnerability Assessment ^{[2](#footnote2)} | Registry scan - OS packages | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Vulnerability Assessment ^{[3](#footnote3)} | Registry scan - language specific packages | ACR, Private ACR | Preview | - | Agentless | Defender for Containers | Commercial clouds |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+^{<a name="footnote2"></a>2} VA can detect vulnerabilities for these [OS packages](#registries-and-images).

+^{<a name="footnote3"></a>3} VA can detect vulnerabilities for these [language specific packages](#registries-and-images).

+## Additional information

+### Registries and images

+| Aspect | Details |

+|--|--|

+| Registries and images | **Supported**<br> ΓÇó [ACR registries protected with Azure Private Link](../container-registry/container-registry-private-link.md) (Private registries requires access to Trusted Services) <br> ΓÇó Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.<br><br>**Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images<br> ΓÇó "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS<br> ΓÇó Images with [Open Container Initiative (OCI) Image Format Specification](https://github.com/opencontainers/image-spec/blob/master/spec.md) |

+| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.15 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6,6,7,8 <br> ΓÇó Amazon Linux 1,2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11,12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35|

+| Language specific packages (Preview) <br><br> (**Only supported for Linux images**) | **Supported** <br> ΓÇó Python <br> ΓÇó Node.js <br> ΓÇó .NET <br> ΓÇó JAVA <br> ΓÇó Go |

+### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2}To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for you should onboard to [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Additional information

+### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2}To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for you should onboard to [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### Additional information

+### Kubernetes distributions and configurations

+| Aspect | Details |

+|--|--|

+| Kubernetes distributions and configurations | **Supported**<br> ΓÇó Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters<br>ΓÇó [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) with [Kubernetes RBAC](../aks/concepts-identity.md#kubernetes-rbac) <br> ΓÇó [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/)<br> ΓÇó [Google Kubernetes Engine (GKE) Standard](https://cloud.google.com/kubernetes-engine/) <br><br> **Supported via Arc enabled Kubernetes** ^{[1](#footnote1)} ^{[2](#footnote2)}<br>ΓÇó [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/overview)<br> ΓÇó [Kubernetes](https://kubernetes.io/docs/home/)<br> ΓÇó [AKS Engine](https://github.com/Azure/aks-engine)<br> ΓÇó [Azure Red Hat OpenShift](https://azure.microsoft.com/services/openshift/)<br> ΓÇó [Red Hat OpenShift](https://www.openshift.com/learn/topics/kubernetes/) (version 4.6 or newer)<br> ΓÇó [VMware Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid)<br> ΓÇó [Rancher Kubernetes Engine](https://rancher.com/docs/rke/latest/en/)<br> |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+^{<a name="footnote2"></a>2}To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for you should onboard to [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+> [!NOTE]

+> For additional requirements for Kuberenetes workload protection, see [existing limitations](../governance/policy/concepts/policy-for-kubernetes.md#limitations).

+| Vulnerability Assessment ^{[2](#footnote2)} | Registry scan - OS packages | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers |

+| Vulnerability Assessment ^{[3](#footnote3)} | Registry scan - language specific packages | ACR, Private ACR | Preview | - | Agentless | Defender for Containers |

+| Vulnerability Assessment | View vulnerabilities for running images | Arc enabled K8s clusters | Preview | - | Defender extension | Defender for Containers |

+^{<a name="footnote1"></a>1} Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+^{<a name="footnote2"></a>2} VA can detect vulnerabilities for these [OS packages](#registries-and-images-1).

+^{<a name="footnote3"></a>3} VA can detect vulnerabilities for these [language specific packages](#registries-and-images-1).

+| OS Packages | **Supported** <br> ΓÇó Alpine Linux 3.12-3.15 <br> ΓÇó Red Hat Enterprise Linux 6, 7, 8 <br> ΓÇó CentOS 6, 7 <br> ΓÇó Oracle Linux 6,6,7,8 <br> ΓÇó Amazon Linux 1,2 <br> ΓÇó openSUSE Leap 42, 15 <br> ΓÇó SUSE Enterprise Linux 11,12, 15 <br> ΓÇó Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye <br> ΓÇó Ubuntu 10.10-22.04 <br> ΓÇó FreeBSD 11.1-13.1 <br> ΓÇó Fedora 32, 33, 34, 35 |

+| Language specific packages (Preview) <br><br> (**Only supported for Linux images**) | **Supported** <br> ΓÇó Python <br> ΓÇó Node.js <br> ΓÇó .NET <br> ΓÇó JAVA <br> ΓÇó Go |

+^{<a name="footnote1"></a>1} Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

+Defender for IoT security agents collects data, and system events from your local device, and sends the data to the Azure cloud for processing.

+If you've configured and connected a Log Analytics workspace, you'll see these events in Log Analytics. For more information, see [Tutorial: Investigate security alerts](tutorial-investigate-security-alerts.md).

+The Defender for IoT micro agent collects many types of device events including new processes, and all new connection events. Both the new process, and new connection events may occur frequently on a device. This capability is important for comprehensive security, however, the number of messages the security agents send may quickly meet, or exceed your IoT Hub quota, and cost limits. These messages, and events contain highly valuable security information that is crucial to protecting your device.

+- **UTMP and SYSLOG**. UTMP catches SSH interactive events, telnet events, and terminal logins, as well as all failed login events from SSH, telnet, and terminal. If SYSLOG is enabled on the device, the Login collector also collects SSH sign-in events via the SYSLOG file named **auth.log**.

+| **Login_UsePAM** | Boolean: <br>- **True**: Only the PAM Login collector is used <br>- **False**: The UTMP Login collector is used, with SYSLOG if SYSLOG is enabled |

+## System information (trigger based collector)

+The baseline collector performs periodic CIS checks, and *failed*, *pass*, and *skip* check results are sent to the Defender for IoT cloud service. Defender for IoT aggregates the results and provides recommendations based on any failures.

+| **Check result** | Can be `Fail`, `Pass`, `Skip`, or `Error`. For example, `Error` in a situation where the check canΓÇÖt run. |

+> [!NOTE]

+> The SBoM collector currently only collects the first 500 packages ingested.

+## Basic OS baseline security recommendation investigation

+## Advanced OS baseline security recommendation investigation

+This section describes how to better understand the OS baseline test results, and querying events in Azure Log Analytics.

+**Prerequisites**:

+The advanced OS baseline security recommendation investigation is only supported by using Azure Log Analytics and you must connect Defender for IoT to a Log Analytics workspace before continuing.

+For more information, see [Configure Microsoft Defender for IoT agent-based solution](tutorial-configure-agent-based-solution.md).

+**To query your IoT security events in Log Analytics for alerts**:

+1. In your Log Analytics workspace, go to **Logs** > **AzureSecurityOfThings** > **SecurityAlert**.

+1. In the query editor on the right, enter a KQL query to display the alerts you want to see.

+1. Select **Run** to display the alerts that match your query.

+For example:

+> [!NOTE]

+> In addition to alerts, you can also use this same procedure to query for recommendations or raw event data.

+>

+- Defender for IoT device agents handle event aggregation, to help avoid high network throughput.

+- The micro agent has flexible deployment options. The micro agent includes source code, so you can incorporate it into firmware, or customize it to include only what you need. It's also available as a binary package, or integrated directly into other Azure IoT solutions. The micro agent is available for standard IoT operating systems, such as Linux and Azure RTOS.

+For more information, see [Upgrade the Microsoft Defender for IoT micro agent](upgrade-micro-agent.md).

+## July 2022

+**Version 4.2.4**

+- **Proxy connection updates**: Now you can connect your micro-agent to an IoT Hub via a proxy. For more information, see [Connect via a proxy](tutorial-standalone-agent-binary-installation.md#connect-via-a-proxy).

+- **Support for TPM-backed certificates**: Now you can use OpenSSL certificates backed by TPM. For more information, see [Authenticate using a certificate](tutorial-standalone-agent-binary-installation.md#authenticate-using-a-certificate).

+- **AMQP support**: Now you can add AMQP support after installing your micro-agent. For more information, see [Add AMQP protocol support](tutorial-standalone-agent-binary-installation.md#add-amqp-protocol-support).

+- **Baseline collector updates**: The baseline collector now sends *pass* and *skip* checks to the cloud in addition to *failed* results. For more information, see [Micro agent event collection](concept-event-aggregation.md#baseline-trigger-based).

+- **Login collector via UTMP**: The login collector now supports UTMP to catch SSH interactive events, telnet events, and terminal logins, including failed login events. For more information, see [Login collector (event-based collector)](concept-event-aggregation.md#login-collector-event-based-collector).

+- **SBoM collector known issue**: The SBoM collector currently only collects the first 500 packages ingested. For more information, see [SBoM (trigger based)](concept-event-aggregation.md#sbom-trigger-based) collection.

+- **Login Collector**: Now supporting login collector using: SYSLOG collecting SSH login events and PAM collecting SSH, telnet and local login events using the pluggable authentication modules stack. For more information, see [Login collector (event-based collector)](concept-event-aggregation.md#login-collector-event-based-collector).

+- **[System information collector](concept-event-aggregation.md#system-information-trigger-based-collector)** - The system information collector gathers information related to the deviceΓÇÖs operating system and hardware details.

+- [Onboard to Defender for IoT](quickstart-onboard-iot-hub.md)

+- [Upgrade the Microsoft Defender for IoT micro agent](upgrade-micro-agent.md)

+> - Create a Log Analytics workspace

+## Create a Log Analytics workspace

+Defender for IoT allows you to store security alerts, recommendations, and raw security data, in your Log Analytics workspace. Log Analytics ingestion in IoT Hub is set to **off** by default in the Defender for IoT solution. It is possible, to attach Defender for IoT to a Log Analytics workspace, and to store the security data there as well.

+1. Under the **Workspace configuration**, switch the Log Analytics toggle to **On**.

+1. Verify that the **Access to raw security data** option is selected.

+Defender for IoT will now monitor your newly added resource groups, and surfaces relevant security recommendations and alerts as part of your IoT solution.

+## Connect via a proxy

+This procedure describes how you can connect the Defender for IoT micro-agent to the IoT Hub via a proxy.

+**To configure connections via a proxy**:

+1. On your micro-agent machine, create a `/etc/defender_iot_micro_agent/conf.json` file with the following content:

+ ```json

+ {

+ "IothubModule_ProxyConfig": "<proxy_ipv4>,<port>,<username>,<password>",

+ "IothubModule_TransportProtocol": "MQTT_WebSocket_Protocol"

+ }

+ ```

+ User and password fields are optional. If you don't need them, use the following syntax instead:

+ ```json

+ {

+ "IothubModule_ProxyConfig": "<proxy_ipv4>,<port>",

+ "IothubModule_TransportProtocol": "MQTT_WebSocket_Protocol"

+ }

+1. Delete any cached file at **/var/lib/defender_iot_micro_agent/cache.json**.

+1. Restart the micro-agent. Run:

+ ```bash

+ sudo systemctl restart defender-iot-micro-agent.service

+ ```

+## Add AMQP protocol support

+This procedure describes additional steps required to support the AMQP protocol.

+**To add AMQP protocol support**:

+1. On your micro-agent machine, open the `/etc/defender_iot_micro_agent/conf.json` file and add the following content:

+ ```json

+ {

+ "IothubModule_TransportProtocol": "AMQP_Protocol"

+ }

+ ```

+1. Delete any cached file at **/var/lib/defender_iot_micro_agent/cache.json**.

+1. Restart the micro-agent. Run

+ ```bash

+ sudo systemctl restart defender-iot-micro-agent.service

+ ```

+ Title: Availability zones and disaster recovery | Microsoft Docs

+description: Describes how Azure Event Grid supports availability zones and disaster recovery.

+# Availability zones and disaster recovery

+Azure availability zones are designed to help you achieve resiliency and reliability for your business-critical workloads. Event Grid supports automatic geo-disaster recovery of event subscription configuration data (metadata) for topics, system topics, domains, and partner topics. This article gives you more details about Event Grid's support for availability zones and disaster recovery.

+## Availability zones

+Azure availability zones are designed to help you achieve resiliency and reliability for your business-critical workloads. Azure maintains multiple geographies. These discrete demarcations define disaster recovery and data residency boundaries across one or multiple Azure regions. Maintaining many regions ensures customers are supported across the world.

+Azure Event Grid event subscription configurations and events are automatically replicated across data centers in the availability zone, and replicated in the three availability zones (when available) in the region specified to provide automatic in-region recovery of your data in case of a failure in the region. See [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones) to learn more about the supported regions with availability zones.

+Azure availability zones are connected by a high-performance network with a round-trip latency of less than 2ms. They help your data stay synchronized and accessible when things go wrong. Each zone is composed of one or more datacenters equipped with independent power, cooling, and networking infrastructure. Availability zones are designed so that if one zone is affected, regional services, capacity, and high availability are supported by the remaining two zones.

+With availability zones, you can design and operate applications and databases that automatically transition between zones without interruption. Azure availability zones are highly available, fault tolerant, and more scalable than traditional single or multiple datacenter infrastructures.

+If a region supports availability zones, the event data is replicated across availability zones though.

+## Disaster recovery

+Event Grid supports automatic geo-disaster recovery of event subscription configuration data (metadata) for topics, system topics, domains, and partner topics. Event Grid automatically syncs your event-related infrastructure to a paired region. If an entire Azure region goes down, the events will begin to flow to the geo-paired region with no intervention from you.

+> [!NOTE]

+> Event data is not replicated to the paired region, only the metadata is replicated.

+Microsoft offers options to recover from a failure, you can opt to enable recovery to a paired region where available or disable recovery to a paired region to manage your own recovery. See [Azure cross-region replication pairings for all geographies](../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) to learn more about the supported paired regions. The failover is nearly instantaneous once initiated. To learn more about how to implement your own failover strategy, see [Build your own disaster recovery plan for Azure Event Grid topics and domains](custom-disaster-recovery.md) .

+Microsoft-initiated failover is exercised by Microsoft in rare situations to fail over all the Event Grid resources from an affected region to the corresponding geo-paired region. This process is a default option and requires no intervention from the user. Microsoft reserves the right to make a determination of when this option will be exercised. This mechanism doesn't involve a user consent before the user's traffic is failed over.

+If you have decided not to replicate any data to a paired region, you'll need to invest in some practices to build your own disaster recovery scenario and recover from a severe loss of application functionality using more than 2 regions. See [Build your own disaster recovery plan for Azure Event Grid topics and domains](custom-disaster-recovery.md) for more details. See [Build your own client-side disaster recovery for Azure Event Grid topics](custom-disaster-recovery-client-side.md) in case you want to implement client-side disaster recovery for Azure Event Grid topics.

+## RTO and RPO

+Disaster recovery is measured with two metrics:

+- Recovery Point Objective (RPO): the minutes or hours of data that may be lost.

+- Recovery Time Objective (RTO): the minutes or hours the service may be down.

+Event GridΓÇÖs automatic failover has different RPOs and RTOs for your metadata (topics, domains, event subscriptions.) and data (events). If you need different specification from the following ones, you can still implement your own [client-side fail over using the topic health apis](custom-disaster-recovery.md).

+### Recovery point objective (RPO)

+- **Metadata RPO**: zero minutes. Anytime a resource is created in Event Grid, it's instantly replicated across regions. When a failover occurs, no metadata is lost.

+- **Data RPO**: If your system is healthy and caught up on existing traffic at the time of regional failover, the RPO for events is about 5 minutes.

+### Recovery time objective (RTO)

+- **Metadata RTO**: Though generally it happens much more quickly, within 60 minutes, Event Grid will begin to accept create/update/delete calls for topics and subscriptions.

+- **Data RTO**: Like metadata, it generally happens much more quickly, however within 60 minutes, Event Grid will begin accepting new traffic after a regional failover.

+> [!IMPORTANT]

+> - There is no service level agreement (SLA) for server-side disaster recovery. If the paired region has no extra capacity to take on the additional traffic, Event Grid cannot initiate failover. Service level objectives are best-effort only.

+> - The cost for metadata GeoDR on Event Grid is: $0.

+> - Geo-disaster recovery isn't supported for partner topics.

+## Metrics

+Event Grid also provides [diagnostic logs schemas](diagnostic-logs.md) and [metrics](metrics.md) that helps you to identify a problem when there is a failure when publishing or delivering events. See the [troubleshoot](troubleshoot-issues.md) article in case you need with solving an issue in Azure Event Grid.

+## More information

+You may find more information availability zone resiliency and disaster recovery in Azure Event Grid in our [FAQ](/azure/event-grid/event-grid-faq).

+## Next steps

+- If you want to implement your own disaster recovery plan for Azure Event Grid topics and domains, see [Build your own disaster recovery for custom topics in Event Grid](custom-disaster-recovery.md).

+## Azure Event Grid status in a region

+You can view status of Event Grid in a particular region using the [Azure status dashboard](https://status.azure.com/en-us/status).

+Azure Firewall is the first cloud firewall service to attain the ICSA Labs Corporate Firewall Certification.

+- For the Azure Firewall certification report, see the [ICSA Labs Certification Testing and Audit Report](https://www.icsalabs.com/sites/default/files/FINAL_Microsoft-Azure_Firewall_Report_210721.pdf).

+- For the Intrusion Prevention Systems (IPS) report, see [Network Intrusion Prevention Systems Certification Testing Report](https://www.icsalabs.com/sites/default/files/FINAL_Microsoft_NIPS_Cert_Testing_Report_20220715.pdf).

+For more information, see the [ICSA Labs Firewall Certification Program](https://www.icsalabs.com/technology-program/firewalls) page.

+Policy analytics starts monitoring the flows in the DNAT, Network, and Application rule analysis only after you enable the feature. It can't analyze rules hit before the feature is enabled.

+#### Firewall with no Diagnostics settings configured

+#### Firewall with Diagnostics settings already configured

+1. Ensure that the Firewall attached to the policy is logging to **Resource Specific** tables, and that the following three tables are also selected:

+|Rule name | IP Address | VNet or Subnet IP Address | TCP | 1688 | IP address | 20.118.99.224, 40.83.235.53 (azkms.core.windows.net)|

+|[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](../../../azure-signalr/howto-private-endpoints.md). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |

+|[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](../../../azure-signalr/howto-private-endpoints.md). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |

+|[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](../../../azure-signalr/howto-private-endpoints.md). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |

+|[Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) |

+|[Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) |

+|[Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) |

+|[Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) |

+|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

+|[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](../../../azure-signalr/howto-private-endpoints.md). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |

+|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

+|[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](../../../azure-signalr/howto-private-endpoints.md). |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |

+|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+### Spark 3.1 is now generally available

+## June 2022

+#### **Bug fixes**

+|Bug fixes |Related information |

+|Export Job not being queued for execution. |Fixes issue with export job not being queued due to duplicate job definition caused due to reference to container URL. For more information, see [#2648](https://github.com/microsoft/fhir-server/pull/2648). |

+|Queries not providing consistent result count after appended with the _sort operator. |Fixes the issue with the help of distinct operator to resolve inconsistency and record duplication in response. For more information, see [#2680](https://github.com/microsoft/fhir-server/pull/2680). |

+## May 2022

+### FHIR service

+description: How to open a help request for Azure HPC Cache technical support

+Support requests are also used to make quota requests. Follow the instructions in [Request an HPC Cache quota increase](increase-quota.md).

+After you choose either **New support request** from your cache or **Create a support request** from the main Help + support page, a form appears.

+

+1. On the support request form, select **Technical** as the **Issue type**.

+1. Select your subscription from the list.

+1. Select the service type **HPC Cache**. If you can't find the Azure HPC Cache service, click the **All services** button and search for HPC.

+1. Fill in the **Resource** name (if applicable), write a **Summary** of the problem, and select the most appropriate **Problem type**.

+After you select a **Problem type**, the form might display tips or system information that can help you troubleshoot that issue.

+If you can't resolve the issue with the suggested solution, fill out the rest of the fields with your information and preferences. Submit the ticket when you are ready.

+After you submit the request, you will receive a confirmation email with a ticket number. A support staff member will contact you about the request.

+ Title: Request a quota increase for Azure HPC Cache

+description: How to request a quota increase for Azure HPC Cache by opening a support request ticket

+# Request an HPC Cache quota increase

+If you want to host more HPC Caches than your subscription currently allows, use the support request form in the Azure portal to request a quota increase.

+You also can use the [quotas page](https://ms.portal.azure.com/#view/Microsoft_Azure_Capacity/QuotaMenuBlade/~/overview) in the Azure portal to check your current quotas and request increases.

+## Quota information

+The default quota for Azure HPC Cache is four caches per subscription. If you want to create more than six caches in the same subscription, support approval is needed.

+Each HPC Cache uses multiple virtual machines, network resources, storage containers, and other Azure services, so it's unlikely that the number of caches per subscription will be the limiting factor in how many you can have. Quotas for those other services are handled separately from HPC Cache quotas, so you must open different tickets to increase those quotas.

+## Request a quota increase

+Navigate to your cache instance, then click the **New support request** link that appears at the bottom of the sidebar.

+To open a ticket when you do not have an active cache, use the main Help + support page from the Azure portal. Open the portal menu from the control at the top left of the screen, then scroll to the bottom and click **Help + support**.

+Choose **Create a support request**.

+Select your subscription from the list.

+If you can't find the Azure HPC Cache service, click the **All services** button and search for HPC.

+* For **Issue type**, select **Service and subscription limits (quotas)**.

+ 

+* Select the **Subscription** for the quota increase.

+* Select the **Quota type** "HPC Cache".

+ 

+ Click **Next** to go to the **Additional details** page.

+* In **Request details**, click the link that says **Enter details**. An additional form opens to the right.

+ 

+* For **Quota type** select **HPC Cache count**.

+* Select the **Region** where your cache is located.

+ The form shows your HPC Cache limit and current usage in this region.

+* Type the limit you're requesting in the **New limit** field. Click **Save and continue**.

+ Fill in the additional details required and create the request.

+After you submit the request, you will receive a confirmation email with a ticket number. A support staff member will contact you about the request.

+Support requests are also used to [request technical support](hpc-cache-support-ticket.md).

+Every user must have a user account before they can sign in and access an application. IoT Central currently supports Microsoft user accounts, Azure Active Directory accounts, and Azure Active Directory service principals. IoT Central doesn't currently support Azure Active Directory groups. To learn more, see [Microsoft account help](https://support.microsoft.com/products/microsoft-account?category=manage-account) and [Quickstart: Add new users to Azure Active Directory](../../active-directory/fundamentals/add-users-azure-active-directory.md).

+ :::image type="content" source="media/howto-manage-users-roles/manage-users-pnp.png" alt-text="Screenshot of manage users page in IoT Central.":::

+1. To add a user on the **Users** page, choose **+ Assign user**. To add a service principal on the **Users** page, choose **+ Assign service principal**. Start typing the name of the service principal to auto-populate the form.

+ > [!NOTE]

+ > A service principal must belong to the same Azure Active Directory tenant as the Azure subscription associated with the IoT Central application.

+Users in the **Org Administrator** role can invite users to the application, create suborganizations within their organization hierarchy, and manage the devices within their organization.

+ Title: How to Configure Azure IoT Edge for Linux on Windows to work on a DMZ | Microsoft Docs

+description: How to configure the Azure IoT Edge for Linux (EFLOW) VM to support multiple network interface cards (NICs) and connect to multiple networks.

+# How to configure Azure IoT Edge for Linux on Windows Industrial IoT & DMZ configuration

+This article describes how to configure the Azure IoT Edge for Linux (EFLOW) VM to support multiple network interface cards (NICs) and connect to multiple networks. By enabling multiple NIC support, applications running on the EFLOW VM can communicate with devices connected to the offline network, and at the same time, use IoT Edge to send data to the cloud.

+## Prerequisites

+- A Windows device with EFLOW already set up. For more information on EFLOW installation and configuration, see [Create and provision an IoT Edge for Linux on Windows device using symmetric keys](./how-to-provision-single-device-linux-on-windows-symmetric.md).

+- A virtual switch different from the default one used during EFLOW installation. For more information on creating a virtual switch, see [Create a virtual switch for Azure IoT Edge for Linux on Windows](./how-to-create-virtual-switch.md).

+## Industrial scenario

+Industrial IoT is transcurring the era of IT and OT convergence. However, making traditional OT assets more intelligent with IT technologies also means a larger exposure to cyberattacks. This is one of the main reasons why multiple environments are designed using demilitarized zones or also known as DMZs.

+Imagine a workflow scenario where you have a networking configuration divided into two different networks or zones. In the first zone, you may have a secure network defined as the offline network. The offline network has no internet connectivity and is limited to internal access. In the second zone, you may have a demilitarized zone (DMZ), in which you may have a couple of devices that have limited internet connectivity. When moving the workflow to run on the EFLOW VM, you may have problems accessing the different networks since the EFLOW VM by default has only one NIC attached.

+Suppose you have an environment with some devices like PLCs or OPC UA compatible devices connected to the offline network, and you want to upload all the device's information to Azure using the OPC Publisher module running on the EFLOW VM.

+Since the EFLOW host device and the PLC or OPC UA devices are physically connected to the offline network, you can use the [Azure IoT Edge for Linux on Windows virtual multiple NIC configurations](./how-to-configure-multiple-nics.md) to connect the EFLOW VM to the offline network. By using an *external virtual switch*, you can connect the EFLOW VM to the offline network and directly communicate with other offline devices.

+For the other network, the EFLOW host device is physically connected to the DMZ (online network) with internet and Azure connectivity. Using an *internal or external switch*, you can connect the EFLOW VM to Azure IoT Hub using IoT Edge modules and upload the information sent by the offline devices through the offline NIC.

+

+### Scenario summary

+Secure network:

+- No internet connectivity, access restricted.

+- PLCs or UPC UA compatible devices connected.

+- EFLOW VM connected using an External virtual switch.

+DMZ:

+- Internet connectivity - Azure connection allowed.

+- EFLOW VM connected to Azure IoT Hub, using either an Internal/External virtual switch.

+- OPC Publisher running as a module inside the EFLOW VM used to publish data to Azure.

+## Configure VM network virtual switches

+The following steps are specific for the networking described in the example scenario. Ensure that the virtual switches used and the configurations used align with your networking environment.

+> [!NOTE]

+> The steps in this article assume that the EFLOW VM was deployed with an *external virtual switch* connected to the *secure network (offline)*. You can change the following steps to your specific network configuration you want to achieve. For more information about EFLOW multiple NIcs support, see [Azure IoT Edge for Linux on Windows virtual multiple NIC configurations](./how-to-configure-multiple-nics.md).

+To finish the provisioning of the EFLOW VM and communicate with Azure, you need to assign another NIC that is connected to the DMZ network (online).

+For this scenario, you'll assign an *external virtual switch* connected to the DMZ network. For more information, review [Create a virtual switch for Hyper-V virtual machines](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-switch-for-hyper-v-virtual-machines).

+To create an external virtual switch, follow these steps:

+1. Open Hyper-V Manager.

+2. In **Actions**, select **Virtual Switch Manager**.

+3. In **Virtual Switches**, select **New Virtual network switch**.

+4. Choose type **External** then select **Create Virtual Switch**.

+5. Enter a name that represents the secure network. For example, *OnlineOPCUA*.

+6. Under **Connection Type**, select **External Network** then choose the *network adapter* connected to your DMZ network.

+7. Select **Apply**.

+Once the external virtual switch is created, you need to attach it to the EFLOW VM using the following steps. For more information about attaching multiple NICs, see [EFLOW Multiple NICs](https://github.com/Azure/iotedge-eflow/wiki/Multiple-NICs).

+For the custom new *external virtual switch* you created, use the following PowerShell commands to attach it your EFLOW VM and set a static IP:

+1. `Add-EflowNetwork -vswitchName "OnlineOPCUA" -vswitchType "External"`

+ 

+2. `Add-EflowVmEndpoint -vswitchName "OnlineOPCUA" -vEndpointName "OnlineEndpoint" -ip4Address 192.168.0.103 -ip4PrefixLength 24 -ip4GatewayAddress 192.168.0.1`

+ 

+Once complete, you'll have the *OnlineOPCUA* switch assigned to the EFLOW VM. To check the multiple NIC attachment, use the following steps:

+1. Open an elevated PowerShell session by starting with **Run as Administrator**.

+1. Connect to the EFLOW virtual machine.

+ ```powershell

+ Connect-EflowVm

+ ```

+1. List all the network interfaces assigned to the EFLOW virtual machine.

+ ```bash

+ ifconfig

+ ```

+1. Review the IP configuration and verify you see the *eth0* interface (connected to the secure network) and the *eth1* interface (connected to the DMZ network).

+ 

+## Configure VM network routing

+When using the EFLOW multiple NICs feature, you may want to set up the different route priorities. By default, EFLOW creates one *default* route per *ehtX* interface assigned to the VM. EFLOW assigns the default route a random priority. If all interfaces are connected to the internet, random priorities may not be a problem. However, if one of the NICs is connected to an *offline* network, you may want to prioritize the *online* NIC over the *offline* NIC to get the EFLOW VM connected to the internet.

+EFLOW uses the [route](https://man7.org/linux/man-pages/man8/route.8.html) service to manage the network routing alternatives. In order to check the available EFLOW VM routes, use the following steps:

+1. Open an elevated PowerShell session by starting with **Run as Administrator**.

+1. Connect to the EFLOW virtual machine.

+

+ ```powershell

+ Connect-EflowVm

+ ```

+1. List all the network routes configured in the EFLOW virtual machine.

+

+ ```bash

+ sudo route

+ ```

+ 

+ >[!TIP]

+ >The previous image shows the route command output with the two NIC's assigned (*eth0* and *eth1*). The virtual machine creates two different *default* destinations rules with different metrics. A lower metric value has a higher priority. This routing table will vary depending on the networking scenario configured in the previous steps.

+### Static routes fix

+Every time EFLOW VM starts, the networking services recreates all routes, and any previously assigned priority could change. To work around this issue, you can assign the desired priority for each route every time the EFLOW VM starts. You can create a service that executes every time the VM starts and use the `route` command to set the desired route priorities.

+First, create a bash script that executes the necessary commands to set the routes. For example, following the networking scenario mentioned earlier, the EFLOW VM has two NICs (offline and online networks). NIC *eth0* is connected using the gateway IP xxx.xxx.xxx.xxx. NIC *eth1* is connected using the gateway IP yyy.yyy.yyy.yyy.

+The following script resets the *default* routes for both *eth0* and *eth1 then adds the routes with the desired **\<number\>** metric. Remember that *a lower metric value has higher priority*.

+```bash

+#!/bin/sh

+# Wait 30s for the interfaces to be up

+sleep 30

+# Delete previous eth0 route and create a new one with desired metric

+sudo ip route del default via xxx.xxx.xxx.xxx dev eth0

+sudo route add -net default gw xxx.xxx.xxx.xxx netmask 0.0.0.0 dev eth0 metric <number>

+# Delete previous eth1 route and create a new one with desired metric

+sudo ip route del default via yyy.yyy.yyy.yyy dev eth1

+sudo route add -net default gw yyy.yyy.yyy.yyy netmask 0.0.0.0 dev eth1 metric <number>

+```

+You can use the previous script to create your own custom script specific to your networking scenario. Once script is defined, save it, and assign execute permission. For example, if the script name is *route-setup.sh*, you can assign execute permission using the command `sudo chmod +x route-setup.sh`. You can test if the script works correctly by executing it manually using the command `sudo sh ./route-setup.sh` and then checking the routing table using the `sudo route` command.

+

+The final step is to create a Linux service that runs on startup, and executes the bash script to set the routes. You'll have to create a *systemd* unit file to load the service. The following is an example of that file.

+

+```systemd

+[Unit]

+after=network

+[Service]

+Type=simple

+ExecStart=/bin/bash /home/iotedge-user/route-setup.sh

+[Install]

+WantedBy=default.target

+```

+ To check the service works, reboot the EFLOW VM (`Stop-EflowVm` & `Start-EflowVm`) then `Connect-EflowVm` to connect to the VM. List the routes using `sudo route` and verify they're correct. You should be able to see the new *default* rules with the assigned metric.

+## Next steps

+Follow the steps in [How to configure networking for Azure IoT Edge for Linux on Windows](./how-to-configure-iot-edge-for-linux-on-windows-networking.md) to verify your networking configurations were applied correctly.

+ az iot hub device-identity connection-string show --hub-name YourIoTHubName --device-id MyAndroidThingsDevice --output table

+ az iot hub device-identity connection-string show --hub-name {YourIoTHubName} --device-id {YourDeviceID} --output table

+Key Vault provides support for Azure Active Directory Conditional Access policies. By using Conditional Access policies, you can apply the right access controls to Key Vault when needed to keep your organization secure and stay out of your user's way when not needed.

+## July 28, 2022

+[Data Science VM ΓÇô Ubuntu 20.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-2004?tab=Overview)

+Version `22.07.19`

+Main changes:

+- Updated `Azure Cli` to version `2.38.0`

+- Updated `Nodejs` to version `v16.16.0`

+- Updated `Scala` to version `2.12.15`

+- Updated `Spark` to version `3.2.2`

+- `MMLSpark` notebook features `v0.10.0`

+- 4 additional R libraries: [janitor](https://cran.r-project.org/web/packages/janitor/https://docsupdatetracker.net/index.html), [skimr](https://cran.r-project.org/web/packages/skimr/https://docsupdatetracker.net/index.html#:~:text=CRAN%20-%20Package%20skimr%20skimr:%20Compact%20and%20Flexible%2cby%20the%20user%20as%20can%20the%20default%20formatting.), [palmerpenguins](https://cran.r-project.org/web/packages/palmerpenguins/https://docsupdatetracker.net/index.html) and [doParallel](https://cran.r-project.org/web/packages/doParallel/https://docsupdatetracker.net/index.html)

+- Added new AzureML Environment `azureml_310_sdkv2`

+[Data Science Virtual Machine - Windows 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=Overview)

+Version `22.07.18`

+Main Changes:

+- General OS level updates

+- `Cudatoolkit` and `CUDNN` upgraded to `13.1` and `2.8.1` respectively.

+- Fix `Python 3.8` - AzureML notebook run, pinned `matplotlib` to `3.2.1` and `cycler` to `0.11.0` packages in `Azureml_py38` environment.

+- Update `Rscript` env path to support latest R studio version `4.1.3`.

+- Updated R environment - added libraries: `Cluster`, `Devtools Factoextra`, `GlueHere`, `Ottr`, `Paletteer`, `Patchwork`, `Plotly`, `Rmd2jupyter`, `Scales`, `Statip`, `Summarytools`, `Tidyverse`, `Tidymodels` and `Testthat`

+- Further `Log4j` vulnerability mitigation - although not used, we moved all `log4j` to version `v2`, we have removed old `log4j jars1.0` and moved `log4j` version 2.0 jars.

+- `Azure CLI` to version `2.33.1`

+- Fixed `jupyterhub` access issue using public ip address

+ - `azureml_py38_PT_TF`: additional `azureml_py38` environment, preinstalled with latest `TensorFlow` and `PyTorch`

+ - `py38_default`: default system environment based on `Python 3.8`

+With the __new v2 API__, most operations use ARM. So enabling a private endpoint on your workspace doesn't provide the same level of network isolation. Operations that use ARM communicate over public networks, and include any metadata (such as your resource IDs) or parameters used by the operation. For example, the [create or update job](/rest/api/azureml/2022-05-01/jobs/create-or-update) api sends metadata, and [parameters](./reference-yaml-job-command.md).

+To create or overwrite a named compute resource, you'll use a PUT request. In the following, in addition to the now-familiar replacements of `YOUR-SUBSCRIPTION-ID`, `YOUR-RESOURCE-GROUP`, `YOUR-WORKSPACE-NAME`, and `YOUR-ACCESS-TOKEN`, replace `YOUR-COMPUTE-NAME`, and values for `location`, `vmSize`, `vmPriority`, `scaleSettings`, `adminUserName`, and `adminUserPassword`. As specified in the reference at [Machine Learning Compute - Create Or Update SDK Reference](/rest/api/azureml/2022-05-01/workspaces/create-or-update), the following command creates a dedicated, single-node Standard_D1 (a basic CPU compute resource) that will scale down after 30 minutes:

+| --resource-group | Choose a resource group for your Managed Grafana instance. | *my-resource-group* |

+# Support matrix for migration of physical servers, AWS VMs, and GCP VMs

+This article summarizes support settings and limitations for migrating physical servers, AWS VMs, and GCP VMs to Azure with [Azure Migrate: Server Migration](migrate-services-overview.md#azure-migrate-server-migration-tool) . If you're looking for information about assessing physical servers for migration to Azure, review the [assessment support matrix](migrate-support-matrix-physical.md).

+The table summarizes support for physical servers, AWS VMs, and GCP VMs that you want to migrate using agent-based migration.

+If you set up the replication appliance manually, then make sure that it complies with the requirements summarized in the table. When you set up the Azure Migrate replication appliance as an VMware VM using the OVA template provided in the Azure Migrate hub, the appliance is set up with Windows Server 2016, and complies with the support requirements.

+## June 2022 round-trip latency figures

+The monthly Percentile P50 round trip times between Azure regions for the past 30 days (ending on June 30, 2022) are shown below. The following measurements are powered by [ThousandEyes](https://thousandeyes.com).

+```azurecli

+az aro delete --name $CLUSTER_NAME

+ --resource-group $RESOURCE_GROUP

+ [--no-wait]

+ [--yes]

+- [Azure Event Hubs client library for Python code samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/eventhub/azure-eventhub/samples/async_samples)

+If the Private Link service is no longer in use, you can delete it. However, before you delete the service, ensure that there are no private endpoint connections associated with it. You can reject all connections and delete the service.

+Many businesses today have large data estates that move massive amounts of data between applications, storage systems, analytics systems, and across departments within their organization. During these movements, and over time, data can be accidentally duplicated or become fragmented, and become stale or out of date. Hence, accuracy becomes a concern when using this data to drive insights into your business.

+To protect the quality of data within an organization, master data management (MDM) arose as a discipline that creates a source of truth for enterprise data so that an organization can check and validate their key assets. These key assets, or master data assets, are critical records that provide context for a business. For example, master data might include information on specific products, employees, customers, financial structures, suppliers, or locations. Master data management ensures data quality across an entire organization by maintaining an authoritative consolidated de-duplicated set of the master data records, and ensuring data remains consistent across your organization's complete data estate.

+As an example, it can be difficult for a company to have a clear, single view of their customers. Customer data may differ between systems, there may be duplicated records due to incorrect entry, or shipping and customer service systems may vary due to name, address, or other attributes. Master data management consolidates all this differing information about the customer it into a single, standard format that can be used to check data across an organizations entire data estate. Not only does this improve quality of data by eliminating mismatched data across departments, but it ensures that data analyzed for business intelligence (BI) and other applications is trustworthy and up to date, reduces data load by removing duplicate records across the organization, and streamlines communications between business systems.

+## Microsoft Purview & Profisee Integrated MDM - Better Together!

+Microsoft Purview classifies data by using [RegEx](https://wikipedia.org/wiki/Regular_expression), [Bloom Filter](https://wikipedia.org/wiki/Bloom_filter) and Machine Learning models. The following lists describe the format, pattern, and keywords for the Microsoft Purview defined system classifications. Each classification name is prefixed by *MICROSOFT*.

+## Machine Learning model based classifications

+Person Name machine learning model has been trained using global datasets of names in English language.

+> Microsoft Purview classifies full names stored in the same column as well as first/last names in separate columns.

+> Role-based access control for data plane operations, such as creating or querying an index, is currently in public preview and available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). This functionality is only available in public cloud regions and may impact the latency of your operations while the functionality is in preview. For more information on preview limitations, see [RBAC preview limitations](search-security-rbac.md#preview-limitations).

+Search applications that are built on Azure Cognitive Search can now use the [Microsoft identity platform](../active-directory/develop/v2-overview.md) for authenticated and authorized access. On Azure, the identity provider is Azure Active Directory (Azure AD). A key [benefit of using Azure AD](../active-directory/develop/active-directory-how-to-integrate.md#benefits-of-integration) is that your credentials and API keys no longer need to be stored in your code. Azure AD authenticates the security principal (a user, group, or service) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Cognitive Search.

+This article shows you how to configure your client for Azure AD:

+As a first step, sign up for the preview and enable role-based access control (RBAC) on your [search service](search-create-service-portal.md).

+RBAC for data plane operations is in preview. In this step, add the preview feature to your Azure subscription.

+> Once you add the preview to your subscription, all search services in the subscription are permanently enrolled in the preview. If you don't want RBAC on a given service, you can disable RBAC for data plane operations as shown in a later step.

+1. Choose whether to allow both key-based and role-based access control, or only role-based access control.

+In this step, create a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) for your client application.

+ :::image type="content" source="media/search-howto-aad/create-managed-identity.png" alt-text="Screenshot of the Create Managed Identity wizard." border="true" :::

+It's a best practice to grant minimum permissions. If your application only needs to handle queries, you should assign the [Search Index Data Reader (preview)](../role based-access-control/built-in-roles.md#search-index-data-reader) role. Alternatively, if it needs both read and write access on a search index, you should use the [Search Index Data Contributor (preview)](../role-based-access-control/built-in-roles.md#search-index-data-contributor) role.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ > The Owner, Contributor, Reader, and Search Service Contributor roles don't give you access to the data within a search index, so you can't query a search index or index data using those roles. For data access to a search index, you need either the Search Index Data Contributor or Search Index Data Reader role.

+You can assign multiple roles, such as Search Service Contributor and Search Index Data Contributor, if your application needs comprehensive access to the search services, objects, and content.

+Once you have a managed identity and a role assignment on the search service, you're ready to add code to your application to authenticate the security principal and acquire an OAuth 2.0 token.

+> [!NOTE]

+> To learn more about the OAuth 2.0 code grant flow used by Azure AD, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md).

+The Azure.Identity documentation has more details about `DefaultAzureCredential` and using [Azure AD authentication with the Azure SDK for .NET](/dotnet/api/overview/azure/identity-readme). `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.

+Per-user access over search results (sometimes referred to as row-level security or document-level security) isn't supported. As a workaround, [create security filters](search-security-trimming-for-azure-search.md) that trim results by user identity, removing documents for which the requestor shouldn't have access.

+| [Reader](../role-based-access-control/built-in-roles.md#reader) | (Generally available) Limited access to partial service information. In the portal, the Reader role can access information in the service Overview page, in the Essentials section and under the Monitoring tab. All other tabs and pages are off limits. </br></br>This role has access to service information: service name, resource group, service status, location, subscription name and ID, tags, URL, pricing tier, replicas, partitions, and search units. This role also has access to service metrics: search latency, percentage of throttled requests, average queries per second. </br></br>This role doesn't allow access to API keys, role assignments, content (indexes or synonym maps), or content metrics (storage consumed, number of objects). |

+| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | (Generally available) This role is identical to the Contributor role and applies to control plane operations. </br></br>(Preview) When you enable the RBAC preview for the data plane, this role also provides full access to all data plane actions on indexes, synonym maps, indexers, data sources, and skillsets as defined by [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch). This role does not give you access to query search indexes or index documents. This role is for search service administrators who need to manage the search service and its objects, but without the ability to view or access object data. </br></br>Like Contributor, members of this role can't make or manage role assignments or change authorization options. To use the preview capabilities of this role, your service must have the preview feature enabled, as described in this article. |

+If you're using Postman or another web testing tool, see the Tip below for help on setting up the request.

+1. [Assign roles](#step-3-assign-roles) on the service and verify they're working correctly against the data plane.

+ + Members of Search Index Data Reader can use Search Explorer to query the index. You can use any API version to check for access. You should be able to issue queries and view results, but you shouldn't be able to view the index definition.

+Configuration is required to register an application with Azure Active Directory, and to obtain and pass authorization tokens:

+More details about using [Azure AD authentication with the Azure SDK for .NET](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity) are available in the SDK's GitHub repo.

+API keys can't be deleted, but they can be disabled on your service. If you're using the Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader preview roles and Azure AD authentication, you can disable API keys, causing the search service to refuse all data-related requests that pass an API key in the header for content-related requests.

+You can't combine steps one and two. In step one, "disableLocalAuth" must be false to meet the requirements for setting "AuthOptions", whereas step two changes that value to true.

+To re-enable key authentication, rerun the last request, setting "disableLocalAuth" to false. The search service will resume acceptance of API keys on the request automatically (assuming they're specified).

+> If your search service has a managed identity assigned to it, the specific search service will show up as a cloud app that can be included or excluded as part of the Conditional Access policy. Conditional Access policies can't be enforced on a specific search service. Instead make sure you select the general **Azure Cognitive Search** cloud app.

+(OWASP)](https://www.owasp.org/) ΓÇô OWASP is an online

+- Windows Server 2022 is now supported as of the 9.0 CU2 release.

+- Mirantis Container runtime support on Windows for Service Fabric containers

+- The Microsoft Web Platform Installer (WebPI) used for installing Service Fabric SDK and Tools was retired on July 1, 2022.

+| July 14, 2022 | [Azure Service Fabric 9.0 Second Refresh Release](https://techcommunity.microsoft.com/t5/azure-service-fabric-blog/microsoft-azure-service-fabric-9-0-second-refresh-release/ba-p/3575842) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_90CU2.md)|

+| July 14, 2022 | [Azure Service Fabric 8.2 Fourth Refresh Release](https://techcommunity.microsoft.com/t5/azure-service-fabric-blog/microsoft-azure-service-fabric-8-2-fourth-refresh-release/ba-p/3575845) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_82CU4.md)|

+- Linux: Mirantis Container Runtime + Ubuntu

+- Windows: Mirantis Container Runtime + Windows Server 2019/2022

+WebPI may already be installed on your computer. Search for it by using the Windows key. If it's not present, you can [download it here](https://www.microsoft.com/web/downloads/platform.aspx).WebPI can be used to download Service Fabric SDK releases prior to July 2022 until December 31st, 2022 after which the WebPI feed and installer will be pulled from the Microsoft download center.

+For latest Runtime and SDK you can dowload from below.

+9.0CU2 RunTime - https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.9.0.1048.9590.exe

+9.0CU2 SDK - https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.6.0.1048.msi

+8.2CU4 RunTime - https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.8.2.1659.9590.exe

+8.2CU4 SDK - https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.5.2.1659.msi

+> [!NOTE]

+> The package search pattern should only return exactly one package. If the build task produces multiple JAR packages such as *sources.jar* and *javadoc.jar*, you need to refine the search pattern so that it only matches the application binary artifact.

+| 2.7.x | 2021.0.3+ aka Jubilee|

+| 2.6.x | 2021.0.0+ aka Jubilee|

+| 2.7.x | 2021.0.3+ aka Jubilee |

+| 2.6.x | 2021.0.0+ aka Jubilee |

+| 2.5.x | 2020.3+ aka Ilford+ |

+### Dependencies for Spring Boot version 2.4/2.5/2.6/2.7

+For Spring Boot version 2.6/2.7, add the following dependencies to the application POM file.

+ <version>2.7.2</version>

+ <version>2021.0.3</version>

+* <a id="ad-file-mount-cname"></a>

+**Can I use the canonical name (CNAME) to mount an Azure file share while using identity-based authentication (AD DS or Azure AD DS)?**

+ No, this scenario isn't supported.

+- AD DS identities used for Azure Files on-premises AD DS authentication must be synced to Azure AD or use a default share-level permission. Password hash synchronization is optional.

+- Does not support using CNAME to mount file shares.

+3. Get the device connection string using the [az iot hub device-identity connection-string show](/cli/azure/iot/hub/device-identity/connection-string#az-iot-hub-device-identity-connection-string-show) command. Copy the entire connection string and save it for when you create the Raspberry Pi simulator.

+ az iot hub device-identity connection-string show --hub-name "MyASAIoTHub" --device-id "MyASAIoTDevice" --output table

+4. Get the device connection string using the [az iot hub device-identity connection-string show](/cli/azure/iot/hub/device-identity/connection-string#az-iot-hub-device-identity-connection-string-show) command. Copy the entire connection string and save it for when you create the Raspberry Pi simulator.

+ az iot hub device-identity connection-string show --hub-name "MyASAIoTHub" --device-id "MyASAIoTDevice" --output table

+6. Next, choose the image that needs to be used to create the virtual machine. You can choose **Gallery** for new host pool deployments with **Storage blob** no longer available.

+ - After choosing **Gallery**, select a Windows image that meets your requirements from the drop-down menu:

+ - Windows 11 Enterprise multi-session (Gen2)

+ - Windows 11 Enterprise multi-session + Microsoft 365 Apps (Gen2)

+ - Windows 10 Enterprise multi-session, Version 21H2 (Gen2)

+ - Windows 10 Enterprise multi-session, Version 21H2 + Microsoft 365 Apps (Gen2)

+

+ - If you are adding a VM to a host pool that allows **Storage Blob**, you can use your own image build through Hyper-V or on an Azure VM. All you have to do is enter the location of the image in the storage blob as a URI.

+12. After that, select whether you want the virtual machines to be joined to **Active Directory** or **Azure Active Directory**.

+Now create a virtual machine scale set with [New-AzVmss](/powershell/module/az.compute/new-azvmss). The following example creates a scale set with an instance count of *2* running Windows Server 2019 Datacenter edition.

+## Sharing

+There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

+| Share with\: | Option |

+|-|-|

+| [Specific people, groups, or service principals](#rbac) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |

+| [Subscriptions or tenants](#shared-directly-to-a-tenant-or-subscription) | Direct shared gallery (preview) lets you share to everyone in a subscription or tenant. |

+| [Everyone](#community-gallery) | Community gallery (preview) lets you share your entire gallery publicly, to all Azure users. |

+### RBAC

+As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access to the resource version, they can use it to deploy a VM or a Virtual Machine Scale Set. Here is the sharing matrix that helps understand what the user gets access to:

+| Shared with User | Azure Compute Gallery | Image Definition | Image version |

+|-|-|--|-|

+| Azure Compute Gallery | Yes | Yes | Yes |

+| Image Definition | No | Yes | Yes |

+We recommend sharing at the Gallery level for the best experience. We do not recommend sharing individual image versions. For more information about Azure RBAC, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).

+For more information, see [Share using RBAC](./share-gallery.md).

+### Shared directly to a tenant or subscription

+Give specific subscriptions or tenants access to a direct shared Azure Compute Gallery. Sharing a gallery with tenants and subscriptions give them read-only access to your gallery. For more information, see [Share a gallery with subscriptions or tenants](./share-gallery-direct.md).

+> Azure Compute Gallery ΓÇô direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.

+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+>

+> You can't currently create a Flexible virtual machine scale set from an image shared to you by another tenant.

+#### Limitations

+During the preview:

+- You can only share to subscriptions that are also in the preview.

+- You can only share to 30 subscriptions and 5 tenants.

+- A direct shared gallery cannot contain encrypted image versions. Encrypted images cannot be created within a gallery that is directly shared.

+- Only the owner of a subscription, or a user or service principal assigned to the `Compute Gallery Sharing Admin` role at the subscription or gallery level will be able to enable group-based sharing.

+- You need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+### Community gallery

+To share a gallery with all Azure users, you can create a community gallery (preview). Community galleries can be used by anyone with an Azure subscription. Someone creating a VM can browse images shared with the community using the portal, REST, or the Azure CLI.

+Sharing images to the community is a new capability in [Azure Compute Gallery](./azure-compute-gallery.md). In the preview, you can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type `Microsoft.Compute/galleries` are still under your subscription, and private.

+For more information, see [Share images using a community gallery](./share-gallery-community.md).

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô community galleries is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery - community gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish a community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs from the community gallery is open to all Azure users.

+>

+> During the preview, the gallery must be created as a community gallery (for CLI, this means using the `--permissions community` parameter) you currently can't migrate a regular gallery to a community gallery.

+>

+> You can't currently create a Flexible virtual machine scale set from an image shared by another tenant.

+#### Why share to the community?

+#### How sharing with the community works

+You [create a gallery resource](create-gallery.md#create-a-community-gallery) under `Microsoft.Compute/Galleries` and choose `community` as a sharing option.

+#### Limitations for images shared to the community

+#### Community-shared images FAQ

+## Best practices

+- To prevent images from being accidentally deleted, use resource locks at the Gallery level. For more information, see [Protect your Azure resources with a lock](../azure-resource-manager/management/lock-resources.md).

+- Use ZRS wherever available for high availability. You can configure ZRS in the replication tab when you create the a version of the image or VM application.

+ For more information about which regions support ZRS, see [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones).

+- Keep a minimum of 3 replicas for production images. For every 20 VMs that you create concurrently, we recommend you keep one replica. For example, if you create 1000 VMΓÇÖs concurrently, you should keep 50 replicas (you can have a maximum of 50 replicas per region). To update the replica count, please go to the gallery -> Image Definition -> Image Version -> Update replication.

+- Maintain separate galleries for production and test images, donΓÇÖt put them in a single gallery.

+- When creating an image definition, keep the Publisher/Offer/SKU consistent with Marketplace images to easily identify OS versions. For example, if you are customizing a Windows server 2019 image from Marketplace and store it as a Compute gallery image, please use the same Publisher/Offer/SKU that is used in the Marketplace image in your compute gallery image.

+

+- Use `excludeFromLatest` when publishing images if you want to exclude a specific image version during VM or scale set creation.

+[Gallery Image Versions - Create Or Update](/rest/api/compute/gallery-image-versions/create-or-update#galleryimageversionpublishingprofile).

+ If you want to exclude a version in a specific region, use `regionalExcludeFromLatest` instead of the global `excludeFromLatest`. You can set both global and regional `excludeFromLatest` flag, but the regional flag will take precedence when both are specified.

+ ```

+ "publishingProfile": {

+ "targetRegions": [

+ {

+ "name": "brazilsouth",

+ "regionalReplicaCount": 1,

+ "regionalExcludeFromLatest": false,

+ "storageAccountType": "Standard_LRS"

+ },

+ {

+ "name": "canadacentral",

+ "regionalReplicaCount": 1,

+ "regionalExcludeFromLatest": true,

+ "storageAccountType": "Standard_LRS"

+ }

+ ],

+ "replicaCount": 1,

+ "excludeFromLatest": true,

+ "storageAccountType": "Standard_LRS"

+ }

+ ```

+- For disaster recovery scenarios, it is a best practice is to have at least two galleries, in different regions. You can still use image versions in other regions, but if the region your gallery is in goes down, you can't create new gallery resources or update existing ones.

+The gallery is a top-level resource that can be shared in multiple ways:

+| Share with\: | Option |

+|-|-|

+| [Specific people, groups, or service principals](#create-a-private-gallery) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |

+| [Subscriptions or tenants](#create-a-direct-shared-gallery) | Direct shared gallery (preview) lets you share to everyone in a subscription or tenant. |

+| [Everyone](#create-a-community-gallery) | Community gallery (preview) lets you share your entire gallery publicly, to all Azure users. |

+## Naming

+Allowed characters for gallery name are uppercase or lowercase letters, digits, dots, and periods. The gallery name can't contain dashes. Gallery names must be unique within your subscription.

+## Create a direct shared gallery

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+>

+> You can't currently create a Flexible virtual machine scale set from an image shared to you by another tenant.

+### [Portal](#tab/portaldirect)

+1. Sign in to the Azure portal at https://portal.azure.com.

+1. Type **Azure Compute Gallery** in the search box and select **Azure Compute Gallery** in the results.

+1. In the **Azure Compute Gallery** page, click **Add**.

+1. On the **Create Azure Compute Gallery** page, select the correct subscription.

+1. Complete all of the details on the page.

+1. At the bottom of the page, select **Next: Sharing method**.

+ :::image type="content" source="media/create-gallery/create-gallery.png" alt-text="Screenshot showing where to select to go on to sharing methods.":::

+1. On the **Sharing** tab, select **RBAC + share directly**.

+ :::image type="content" source="media/create-gallery/share-direct.png" alt-text="Screenshot showing the option to share using both role-based access control and share directly.":::

+1. When you are done, select **Review + create**.

+1. After validation passes, select **Create**.

+1. When the deployment is finished, select **Go to resource**.

+To start sharing the gallery with a subscription or tenant, see [Share a gallery with a subscription or tenant](./share-gallery-direct.md).

+### [CLI](#tab/clidirect)

+To create a gallery that can be shared to a subscription or tenant using a direct shared gallery, you need to create the gallery with the `--permissions` parameter set to `groups`.

+```azurecli-interactive

+az sig create \

+ --gallery-name myGallery \

+ --permissions groups \

+ --resource-group myResourceGroup

+```

+

+To start sharing the gallery with a subscription or tenant, use see [Share a gallery with a subscription or tenant](./share-gallery-direct.md).

+

+### [REST](#tab/restdirect)

+Create a gallery for subscription or tenant-level sharing using the Azure REST API.

+```rest

+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{gallery-name}?api-version=2020-09-30

+{

+ "properties": {

+ "sharingProfile": {

+ "permissions": "Groups"

+ }

+ },

+ "location": "{location}

+}

+```

+To start sharing the gallery with a subscription or tenant, use see [Share a gallery with a subscription or tenant](./share-gallery-direct.md).

+Reset sharing to clear everything in the `sharingProfile`.

+```rest

+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/share?api-version=2020-09-30

+{

+ "operationType" : "Reset",

+}

+```

+To start sharing the gallery with a subscription or tenant, use see [Share a gallery with a subscription or tenant](./share-gallery-direct.md).

+<a name=community></a>

+## Create a community gallery

+When creating an image to share with the community, you'll need to provide contact information. This information will be shown **publicly**, so be careful when providing:

+To start sharing the gallery to all Azure users, see [Share images using a community gallery](share-gallery-community.md).

+To start sharing the gallery to all Azure users, see [Share images using a community gallery](share-gallery-community.md).

+Making a community gallery available to all Azure users is a two-step process. First you create the gallery with community sharing enabled, when you're ready to make it public, you share the gallery.

+1. When you're done, select **Review + create**.

+To start sharing the gallery to all Azure users, see [Share images using a community gallery](share-gallery-community.md).

+The Azure CLI can be used to deploy the Log Analytics agent VM extension to an existing virtual machine. Replace the *myWorkspaceKey* value below with your workspace key and the *myWorkspaceId* value with your workspace ID. These values can be found in your Log Analytics workspace in the Azure portal under *Advanced Settings*. Replace the latestVersion value with a version from [Log Analytics Linux VM extension version](oms-linux.md#agent-and-vm-extension-version).

+ --settings '{"workspaceId":"myWorkspaceId","skipDockerProviderInstall": true}' \

+ --version latestVersion

+```

+## Azure PowerShell deployment

+The Azure Powershell cmdlets can be used to deploy the Log Analytics agent VM extension to an existing virtual machine. Replace the *myWorkspaceKey* value below with your workspace key and the *myWorkspaceId* value with your workspace ID. These values can be found in your Log Analytics workspace in the Azure portal under *Advanced Settings*. Replace the latestVersion value with a version from [Log Analytics Linux VM extension version](oms-linux.md#agent-and-vm-extension-version).

+```powershell

+Set-AzVMExtension \

+ -ResourceGroupName myResourceGroup \

+ -VMName myVM \

+ -ExtensionName OmsAgentForLinux \

+ -ExtensionType OmsAgentForLinux \

+ -Publisher Microsoft.EnterpriseCloud.Monitoring \

+ -TypeHandlerVersion latestVersion

+ -ProtectedSettingString '{"workspaceKey":"myWorkspaceKey"}' \

+ -SettingString '{"workspaceId":"myWorkspaceId","skipDockerProviderInstall": true}'

+Data about the state of extension deployments can be retrieved from the Azure portal, and by using the Azure CLI or Azure Powershell. To see the deployment state of extensions for a given VM, run the following command if you are using the Azure CLI.

+/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux/extension.log

+```

+To retrieve the OMS extension version installed on a VM, run the following command if you are using Azure CLI.

+```azurecli

+az vm extension show --resource-group myResourceGroup --vm-name myVM -instance-view

+To retrieve the OMS extension version installed on a VM, run the following command if you are using Azure PowerShell.

+```azurecli-interactive

+| Ubuntu by Canonical |Ubuntu Server and Pro. 18.x, 20.x 22.x<p>Information about extended support for Ubuntu 14.04 pro and 16.04 pro can be found here: [Ubuntu Extended Security Maintenance](https://www.ubuntu.com/esm). |In kernel |Package: In repo under "walinuxagent" <br/>Source code: [GitHub](https://github.com/Azure/WALinuxAgent) |

+ Title: Share Azure Compute Gallery resources with a community gallery

+description: Learn how to use a community gallery to share VM images stored in an Azure Compute Gallery.

+ms.devlang: azurecli

+# Share images using a community gallery (preview)

+To share a gallery with all Azure users, you can create a community gallery (preview). Community galleries can be used by anyone with an Azure subscription. Someone creating a VM can browse images shared with the community using the portal, REST, or the Azure CLI.

+Sharing images to the community is a new capability in [Azure Compute Gallery](./azure-compute-gallery.md#community). In the preview, you can make your image galleries public, and share them to all Azure customers. When a gallery is marked as a community gallery, all images under the gallery become available to all Azure customers as a new resource type under Microsoft.Compute/communityGalleries. All Azure customers can see the galleries and use them to create VMs. Your original resources of the type `Microsoft.Compute/galleries` are still under your subscription, and private.

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô community galleries is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery - community gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish a community gallery, you need to register for the preview at [https://aka.ms/communitygallery-preview](https://aka.ms/communitygallery-preview). Creating VMs from the community gallery is open to all Azure users.

+>

+> During the preview, the gallery must be created as a community gallery (for CLI, this means using the `--permissions community` parameter) you currently can't migrate a regular gallery to a community gallery.

+>

+> You can't currently create a Flexible virtual machine scale set from an image shared by another tenant.

+There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

+| Share with\: | Option |

+|-|-|

+| [Specific people, groups, or service principals](./share-gallery.md) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |

+| [Subscriptions or tenants](./share-gallery-direct.md) | Direct shared gallery lets you share to everyone in a subscription or tenant. |

+| Everyone (described in this article) | Community gallery lets you share your entire gallery publicly, to all Azure users. |

+## Limitations for images shared to the community

+There are some limitations for sharing your gallery to the community:

+- Encrypted images aren't supported.

+- For the preview, image resources need to be created in the same region as the gallery. For example, if you create a gallery in West US, the image definitions and image versions should be created in West US if you want to make them available during the public preview.

+- For the preview, you can't share [VM Applications](vm-applications.md) to the community.

+- The gallery must be created as a community gallery. For the preview, there is no way to migrate an existing gallery to be a community gallery.

+- To find images shared to the community from the Azure portal, you need to go through the VM create or scale set creation pages. You can't search the portal or Azure Marketplace for the images.

+> [!IMPORTANT]

+> Microsoft does not provide support for images you share to the community.

+## How sharing with the community works

+You [create a gallery resource](create-gallery.md#create-a-community-gallery) under `Microsoft.Compute/Galleries` and choose `community` as a sharing option.

+When you are ready, you flag your gallery as ready to be shared publicly. Only the owner of a subscription, or a user or service principal with the `Compute Gallery Sharing Admin` role at the subscription or gallery level, can enable a gallery to go public to the community. At this point, the Azure infrastructure creates proxy read-only regional resources, under `Microsoft.Compute/CommunityGalleries`, which are public.

+The end-users can only interact with the proxy resources, they never interact with your private resources. As the publisher of the private resource, you should consider the private resource as your handle to the public proxy resources. The `prefix` you provide when you create the gallery will be used, along with a unique GUID, to create the public facing name for your gallery.

+Azure users can see the latest image versions shared to the community in the portal, or query for them using the CLI. Only the latest version of an image is listed in the community gallery.

+When creating a community gallery, you will need to provide contact information for your images. This information will be shown **publicly**, so be careful when providing it:

+- Community gallery prefix

+- Publisher support email

+- Publisher URL

+- Legal agreement URL

+Information from your image definitions will also be publicly available, like what you provide for **Publisher**, **Offer**, and **SKU**.

+> [!WARNING]

+> If you want to stop sharing a gallery publicly, you can update the gallery to stop sharing, but making the gallery private will prevent existing virtual machine scale set users from scaling their resources.

+>

+> If you stop sharing your gallery during the preview, you won't be able to re-share it.

+## Start sharing publicly

+In order to share a gallery publicly, it needs to be created as a community gallery. For more information, see [Create a community gallery](create-gallery.md#create-a-community-gallery)

+### [CLI](#tab/cli)

+Once you are ready to make the gallery available to the public, enable the community gallery using [az sig share enable-community](/cli/azure/sig/share#az-sig-share-enable-community). Only a user in the `Owner` role definition can enable a gallery for community sharing.

+```azurecli-interactive

+az sig share enable-community \

+ --gallery-name $galleryName \

+ --resource-group $resourceGroup

+```

+To go back to only RBAC based sharing, use the [az sig share reset](/cli/azure/sig/share#az-sig-share-reset) command.

+To delete a gallery shared to community, you must first run `az sig share reset` to stop sharing, then delete the gallery.

+### [REST](#tab/rest)

+To go live with community sharing, send the following POST request. As part of the request, include the property `operationType` with value `EnableCommunity`.

+```rest

+POST

+https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compu

+te/galleries/{galleryName}/share?api-version=2021-07-01

+{ΓÇ»

+ΓÇ» "operationType" : "EnableCommunity"

+}ΓÇ»

+```

+### [Portal](#tab/portal)

+When you're ready to make the gallery public:

+1. On the page for the gallery, select **Sharing** from the left menu.

+1. Select **Share** from the top of the page.

+ :::image type="content" source="media/create-gallery/share.png" alt-text="Screenshot showing the Share button for sharing your gallery to the community.":::

+1. When you are done, select **Save**.

+> [!IMPORTANT]

+> If you are listed as the owner of your subscription, but you are having trouble sharing the gallery publicly, you may need to explicitly [add yourself as owner again](../role-based-access-control/role-assignments-portal-subscription-admin.md).

+To go back to only RBAC based sharing, use the [az sig share reset](/cli/azure/sig/share#az-sig-share-reset) command.

+To delete a gallery shared to community, you must first run `az sig share reset` to stop sharing, then delete the gallery.

+## Next steps

+Create an [image definition and an image version](image-version.md).

+Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-a-community-gallery-image) or [specialized](vm-specialized-image-version.md#create-a-vm-from-a-community-gallery-image) image in a community gallery.

+ Title: Share Azure Compute Gallery resources directly with subscriptions and tenants

+description: Learn how to share Azure Compute Gallery resources explicitly with subscriptions and tenants.

+ms.devlang: azurecli

+# Share a gallery with subscriptions or tenants (preview)

+This article covers how to share an Azure Compute Gallery with specific subscriptions or tenants using a direct shared gallery. Sharing a gallery with tenants and subscriptions give them read-only access to your gallery.

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.

+>

+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

+| Share with\: | Option |

+|-|-|

+| [Specific people, groups, or service principals](./share-gallery.md) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |

+| [Subscriptions or tenants](explained in this article) | Direct shared gallery lets you share to everyone in a subscription or tenant. |

+| [Everyone](./share-gallery-community.md) | Community gallery lets you share your entire gallery publicly, to all Azure users. |

+## Limitations

+During the preview:

+- You can only share to subscriptions that are also in the preview.

+- You can only share to 30 subscriptions and 5 tenants.

+- Only images can be shared. You can't directly share a [VM application](vm-applications.md) during the preview.

+- A direct shared gallery can't contain encrypted image versions. Encrypted images can't be created within a gallery that is directly shared.

+- Only the owner of a subscription, or a user or service principal assigned to the `Compute Gallery Sharing Admin` role at the subscription or gallery level will be able to enable group-based sharing.

+- You need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+- PowerShell, Ansible, and Terraform aren't supported at this time.

+- **Known issue**: When creating a VM from a direct shared image using the Azure portal, if you select a region, select an image, then change the region, you will get an error message: "You can only create VM in the replication regions of this image" even when the image is replicated to that region. To get rid of the error, select a different region, then switch back to the region you want. If the image is available, it should clear the error message.

+## Prerequisites

+You need to create a [new direct shared gallery ](./create-gallery.md#create-a-direct-shared-gallery). A direct shared gallery has the `sharingProfile.permissions` property is set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+## Share to subscriptions and tenants

+First you create a gallery under `Microsoft.Compute/Galleries` and choose `groups` as a sharing option.

+When you are ready, you share your gallery with subscriptions and tenants. Only the owner of a subscription, or a user or service principal with the `Compute Gallery Sharing Admin` role at the subscription or gallery level, can share the gallery. At this point, the Azure infrastructure creates proxy read-only regional resources, under `Microsoft.Compute/SharedGalleries`. Only subscriptions and tenants you have shared with can interact with the proxy resources, they never interact with your private resources. As the publisher of the private resource, you should consider the private resource as your handle to the public proxy resources. The subscriptions and tenants you have shared your gallery with will see the gallery name as the subscription ID where the gallery was created, followed by the gallery name.

+### [Portal](#tab/portaldirect)

+1. Sign in to the Azure portal at https://portal.azure.com.

+1. Type **Azure Compute Gallery** in the search box and select **Azure Compute Gallery** in the results.

+1. In the **Azure Compute Gallery** page, click **Add**.

+1. On the **Create Azure Compute Gallery** page, select the correct subscription.

+1. Complete all of the details on the page.

+1. At the bottom of the page, select **Next: Sharing method**.

+ :::image type="content" source="media/create-gallery/create-gallery.png" alt-text="Screenshot showing where to select to go on to sharing methods.":::

+1. On the **Sharing** tab, select **RBAC + share directly**.

+ :::image type="content" source="media/create-gallery/share-direct.png" alt-text="Screenshot showing the option to share using both role-based access control and share directly.":::

+1. When you are done, select **Review + create**.

+1. After validation passes, select **Create**.

+1. When the deployment is finished, select **Go to resource**.

+To share the gallery:

+1. On the page for the gallery, select **Sharing** from the left menu.

+1. Under **Direct sharing settings**, select **Add**.

+ :::image type="content" source="media/create-gallery/direct-share-add.png" alt-text="Screenshot showing the option to share with a subscription or tenant.":::

+1. If you would like to share with someone within your organization, for **Type** select *Subscription* or *Tenant* and choose the appropriate item from the **Tenants and subscriptions** drop-down. If you want to share with someone outside of your organization, select either *Subscription outside of my organization* or *Tenant outside of my organization* and then paste or type the ID into the text box.

+1. When you are done adding items, select **Save**.

+### [CLI](#tab/clidirect)

+To create a direct shared gallery, you need to create the gallery with the `--permissions` parameter set to `groups`.

+```azurecli-interactive

+az sig create \

+ --gallery-name myGallery \

+ --permissions groups \

+ --resource-group myResourceGroup

+```

+

+To start sharing the gallery with a subscription or tenant, use [az sig share add](/cli/azure/sig#az-sig-share-add)

+```azurecli-interactive

+sub=<subscription-id>

+tenant=<tenant-id>

+gallery=<gallery-name>

+rg=<resource-group-name>

+az sig share add \

+ --subscription-ids $sub \

+ --tenant-ids $tenant \

+ --gallery-name $gallery \

+ --resource-group $rg

+```

+

+Remove access for a subscription or tenant using [az sig share remove](/cli/azure/sig#az-sig-share-remove).

+```azurecli-interactive

+sub=<subscription-id>

+tenant=<tenant-id>

+gallery=<gallery-name>

+rg=<resource-group-name>

+az sig share remove \

+ --subscription-ids $sub \

+ --tenant-ids $tenant \

+ --gallery-name $gallery \

+ --resource-group $rg

+```

+

+

+### [REST](#tab/restdirect)

+Create a gallery for subscription or tenant-level sharing using the Azure REST API.

+```rest

+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{gallery-name}?api-version=2020-09-30

+{

+ "properties": {

+ "sharingProfile": {

+ "permissions": "Groups"

+ }

+ },

+ "location": "{location}

+}

+

+```

+Share a gallery to subscription or tenant.

+```rest

+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/share?api-version=2020-09-30

+{

+ "operationType": "Add",

+ "groups": [

+ {

+ "type": "Subscriptions",

+ "ids": [

+ "{SubscriptionID}"

+ ]

+ },

+ {

+ "type": "AADTenants",

+ "ids": [

+ "{tenantID}"

+ ]

+ }

+ ]

+}

+```

+

+Remove access for a subscription or tenant.

+```rest

+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/share?api-version=2020-09-30

+{

+ "operationType": "Remove",

+ "groups":[

+ {

+ "type": "Subscriptions",

+ "ids": [

+ "{subscriptionId1}",

+ "{subscriptionId2}"

+ ],

+},

+{

+ "type": "AADTenants",

+ "ids": [

+ "{tenantId1}",

+ "{tenantId2}"

+ ]

+ }

+ ]

+}

+```

+Reset sharing to clear everything in the `sharingProfile`.

+```rest

+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/share?api-version=2020-09-30

+{

+ "operationType" : "Reset",

+}

+```

+## Next steps

+- Create an [image definition and an image version](image-version.md).

+- Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-a-community-gallery-image) or [specialized](vm-specialized-image-version.md#create-a-vm-from-a-community-gallery-image) image in a direct shared gallery.

+As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access, they can use the gallery resources to deploy a VM or a Virtual Machine Scale Set. Here's the sharing matrix that helps understand what the user gets access to:

+| Shared with User | Azure Compute Gallery | Image Definition | Image version |

+|-|-|--|-|

+| Azure Compute Gallery | Yes | Yes | Yes |

+| Image Definition | No | Yes | Yes |

+We recommend sharing at the Gallery level for the best experience. We don't recommend sharing individual image versions. For more information about Azure RBAC, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).

+There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

+| Share with\: | Option |

+|-|-|

+| Specific people, groups, or service principals (described in this article) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |

+| [Subscriptions or tenants](./share-gallery-direct.md) | A direct shared gallery lets you share to everyone in a subscription or tenant. |

+| [Everyone](./share-gallery-community.md) | Community gallery lets you share your entire gallery publicly, to all Azure users. |

+## Share using RBAC

+1. If the user is outside of your organization, you'll see the message **This user will be sent an email that enables them to collaborate with Microsoft.** Select the user with the email address and then click **Save**.

+- Create an [image definition and an image version](image-version.md).

+- Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-your-gallery) or [specialized](vm-specialized-image-version.md#create-a-vm-from-your-gallery) private gallery.

+There are three main ways to share an Azure Compute Gallery, depending on who you want to share with:

+| Share with\: | Option |

+|-|-|

+|[Specific people, groups, or service principals](./share-gallery.md) | Role-based access control (RBAC) lets you share resources to specific people, groups, or service principals on a granular level. |

+| [Subscriptions or tenants](./share-gallery-direct.md) | A direct shared gallery (preview) lets you share to everyone in a subscription or tenant. |

+| [Everyone](./share-gallery-community.md) | Community gallery (preview) lets you share your entire gallery publicly, to all Azure users. |

+# List, update, and delete gallery resources

+## List galleries shared with you

+### [CLI](#tab/cli)

+List Galleries shared with your subscription.

+```azurecli-interactive

+region=westus

+az sig list-shared --location $region

+```

+List Galleries shared with your tenant.

+```azurecli-interactive

+region=westus

+az sig list-shared --location $region --shared-to tenant

+```

+The output will contain the public `name` and `uniqueID` of the gallery that is shared with you. You can use the name of the gallery to query for images that are available through the gallery.

+Here is example output:

+```output

+[

+ {

+ "location": "westus",

+ "name": "1231b567-8a99-1a2b-1a23-123456789abc-MYDIRECTSHARED",

+ "uniqueId": "/SharedGalleries/1231b567-8a99-1a2b-1a23-123456789abc-MYDIRECTSHARED"

+ }

+]

+```

+### [REST](#tab/rest)

+List galleries shared with a subscription.

+```REST

+GET

+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rgName}/providers/Microsoft.Compute/Locations/{location}/SharedGalleries?api-version=2020-09-30

+```

+

+The response should look similar to this:

+```rest

+{

+"value": [

+{

+"identifier": {

+"uniqueId": "/SharedGalleries/{SharedGalleryUniqueName}"

+},

+"name": "galleryuniquename1",

+ "type": "Microsoft. Compute/sharedGalleries",

+ "location": "location"

+ },

+ {

+"identifier": {

+"uniqueName": "/SharedGalleries/{SharedGalleryUniqueName}"

+},

+"name": "galleryuniquename2",

+"type": "Microsoft. Compute/sharedGalleries",

+"location": "location"

+ }

+],

+}

+```

+

+List the galleries shared with a tenant.

+```rest

+GET

+https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/Locations/{location}/SharedGalleries?api-version=2020-09-30&sharedTo=tenant

+```

+

+The response should look similar to this:

+```

+{

+"value": [

+{

+"identifier": {

+"uniqueName": "/SharedGalleries/{SharedGalleryUniqueName}"

+},

+"name": "galleryuniquename1",

+ "type": "Microsoft. Compute/sharedGalleries",

+ "location": "location"

+ },

+ {

+"identifier": {

+"uniqueName": "/SharedGalleries/{SharedGalleryUniqueName}"

+},

+"name": "galleryuniquename2",

+"type": "Microsoft. Compute/sharedGalleries",

+"location": "location"

+ }

+],

+}

+### [CLI](#tab/cli2)

+### [PowerShell](#tab/powershell2)

+You have to delete resources in reverse order, by deleting the image version first. After you delete all of the image versions, you can delete the image definition. After you delete all image definitions, you can delete the gallery.

+### [CLI](#tab/cli4)

+Before you can delete a community shared gallery, you need to use [az sig share reset](/cli/azure/sig/share#az-sig-share-reset) to stop sharing the gallery publicly.

+### [PowerShell](#tab/powershell4)

+## Direct shared galleries

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.

+>

+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+To find the `uniqueID` of a gallery that is shared with you, use [az sig list-shared](/cli/azure/sig/image-definition#az-sig-image-definition-list-shared). In this example, we are looking for galleries in the West US region.

+```azurecli-interactive

+region=westus

+az sig list-shared --location $region --query "[].uniqueId" -o tsv

+```

+List all of the image definitions that are shared directly with you, use [az sig image-definition list-shared](/cli/azure/sig/image-definition#az-sig-image-definition-list-shared).

+In this example, we list all of the images in the gallery in *West US* and by name, the unique ID that is needed to create a VM, OS and OS state.

+```azurecli-interactive

+name="1a2b3c4d-1234-abcd-1234-1a2b3c4d5e6f-myDirectShared"

+ az sig image-definition list-shared \

+ --gallery-unique-name $name

+ --location $region \

+ --query [*]."{Name:name,ID:uniqueId,OS:osType,State:osState}" -o table

+```

+List image versions directly shared to you using [az sig image-version list-shared](/cli/azure/sig/image-version#az-sig-image-version-list-shared):

+```azurecli-interactive

+imgDef="myImageDefinition"

+az sig image-version list-shared \

+ --location $region \

+ --public-gallery-name $name \

+ --gallery-image-definition $imgDef \

+ --query [*]."{Name:name,UniqueId:uniqueId}" \

+ -o table

+```

+- Create an [image definition and an image version](image-version.md).

+- Create a VM from a [generalized](vm-generalized-image-version.md#create-a-vm-from-a-community-gallery-image) or [specialized](vm-specialized-image-version.md#create-a-vm-from-a-community-gallery-image) image in a direct shared gallery.

+Create a VM from a [generalized image version](./shared-image-galleries.md#generalized-and-specialized-images) stored in an Azure Compute Gallery (formerly known as Shared Image Gallery). If you want to create a VM using a specialized image, see [Create a VM from a specialized image](vm-specialized-image-version.md).

+This article shows how to create a VM from a generalized image:

+- [In your own gallery](#create-a-vm-from-your-gallery)

+- Shared to a [community gallery](#create-a-vm-from-a-community-gallery-image)

+- [Directly shared to your subscription or tenant](#create-a-vm-from-a-gallery-shared-with-your-subscription-or-tenant)

+## Create a VM from a gallery shared with your subscription or tenant

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.

+>

+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+### [CLI](#tab/cli2)

+To create a VM using an image shared to your subscription or tenant, you need the unique ID of the image in the following format:

+```

+/SharedGalleries/<uniqueID>/Images/<image name>/Versions/latest

+```

+To find the `uniqueID` of a gallery that is shared with you, use [az sig list-shared](/cli/azure/sig/image-definition#az-sig-image-definition-list-shared). In this example, we are looking for galleries in the West US region.

+```azurecli-interactive

+region=westus

+az sig list-shared --location $region --query "[].name" -o tsv

+```

+Use the gallery name to find the images that are available. In this example, we list all of the images in *West US* and by name, the unique ID that is needed to create a VM, OS and OS state.

+```azurecli-interactive

+galleryName="1a2b3c4d-1234-abcd-1234-1a2b3c4d5e6f-myDirectShared"

+ az sig image-definition list-shared \

+ --gallery-unique-name $galleryName \

+ --location $region \

+ --query [*]."{Name:name,ID:uniqueId,OS:osType,State:osState}" -o table

+```

+Make sure the state of the image is `Generalized`. If you want to use an image with the `Specialized` state, see [Create a VM from a specialized image version](vm-specialized-image-version.md).

+Use the `Id` from the output, appended with `/Versions/latest` to use the latest version, as the value for `--image`` to create a VM. In this example, we are creating a VM from a Linux image that is directly shared to us, and creating SSH keys for authentication.

+```azurecli-interactive

+imgDef="/SharedGalleries/1a2b3c4d-1234-abcd-1234-1a2b3c4d5e6f-MYDIRECTSHARED/Images/myDirectDefinition/Versions/latest"

+vmResourceGroup=myResourceGroup

+location=westus

+vmName=myVM

+adminUsername=azureuser

+az group create --name $vmResourceGroup --location $location

+az vm create\

+ --resource-group $vmResourceGroup \

+ --name $vmName \

+ --image $imgDef \

+ --admin-username $adminUsername \

+ --generate-ssh-keys

+```

+### [Portal](#tab/portal2)

+> [!NOTE]

+> **Known issue**: In the Azure portal, if you you select a region, select an image, then change the region, you will get an error message: "You can only create VM in the replication regions of this image" even when the image is replicated to that region. To get rid of the error, select a different region, then switch back to the region you want. If the image is available, it should clear the error message.

+>

+> You can also use the Azure CLI to check what images are shared with you. For example, you can use `az sig list-shared --location westus" to see what images are shared with you in the West US region.

+1. Type **virtual machines** in the search.

+1. Under **Services**, select **Virtual machines**.

+1. In the **Virtual machines** page, select **Create** and then **Virtual machine**. The **Create a virtual machine** page opens.

+1. In the **Basics** tab, under **Project details**, make sure the correct subscription is selected and then choose to **Create new** resource group or select one from the drop-down.

+1. Under **Instance details**, type a name for the **Virtual machine name**.

+1. For **Security type**, make sure *Standard* is selected.

+1. For your **Image**, select **See all images**. The **Select an image** page will open.

+1. In the left menu, under **Other Items**, select **Direct Shared Images (PREVIEW)**. The **Other Items | Direct Shared Images (PREVIEW)** page will open.

+1. Select an image from the list. Make sure that the **OS state** is *Generalized*. If you want to use a specialized image, see [Create a VM using a specialized image version](vm-specialized-image-version.md). Depending on the image you choose, the **Region** the VM will be created in will change to match the image.

+1. Complete the rest of the options and then select the **Review + create** button at the bottom of the page.

+1. On the **Create a virtual machine** page, you can see the details about the VM you are about to create. When you are ready, select **Create**.

+### [REST](#tab/rest2)

+Get the ID of the image version. The value will be used in the VM deployment request.

+```rest

+GET

+https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/Locations/{location}/CommunityGalleries/{CommunityGalleryPublicName}/Images/{galleryImageName}/Versions/{1.0.0}?api-version=2021-07-01

+```

+Response:

+```json

+"location": "West US",

+ "identifier": {

+ "uniqueId": "/CommunityGalleries/{PublicGalleryName}/Images/{imageName}/Versions/{verionsName}"

+ },

+ "name": "1.0.0"

+```

+

+Now you can deploy the VM. The example requires API version 2021-07-01 or later.

+```rest

+PUT

+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{VMName}?api-version=2021-03-01

+{

+ "location": "{location}",

+ "properties": {

+ "hardwareProfile": {

+ "vmSize": "Standard_D1_v2"

+ },

+ "storageProfile": {

+ "imageReference": {

+ "communityGalleryImageId":"/communityGalleries/{publicGalleryName}/images/{galleryImageName}/versions/1.0.0"

+ },

+ "osDisk": {

+ "caching": "ReadWrite",

+ "managedDisk": {

+ "storageAccountType": "Standard_LRS"

+ },

+ "name": "myVMosdisk",

+ "createOption": "FromImage"

+ }

+ },

+ "osProfile": {

+ "adminUsername": "azureuser",

+ "computerName": "myVM",

+ "adminPassword": "{password}}"

+ },

+ "networkProfile": {

+ "networkInterfaces": [

+ {

+ "id": "/subscriptions/00000000-0000-0000-0000-

+000000000000/resourceGroups/{rg}/providers/Microsoft.Network/networkInterfaces/{networkIntefaceName}",

+ "properties": {

+ "primary": true

+ }

+ }

+ ]

+ }

+ }

+}

+```

+- [Create an Azure Compute Gallery](create-gallery.md)

+- [Create an image in an Azure Compute Gallery](image-version.md)

+This article shows how to create a VM from a specialized image:

+- [In your own gallery](#create-a-vm-from-your-gallery)

+- Shared to a [community gallery](#create-a-vm-from-a-community-gallery-image)

+- [Directly shared to your subscription or tenant](#create-a-vm-from-a-gallery-shared-with-your-subscription-or-tenant)

+In this example, we're creating a VM from the latest version of the *myImageDefinition* image.

+In this example, we're using the image definition ID to ensure your new VM will use the most recent version of an image. You can also use a specific version by using the image version ID for `Set-AzVMSourceImage -Id`. For example, to use image version *1.0.0* type: `Set-AzVMSourceImage -Id "/subscriptions/<subscription ID where the gallery is located>/resourceGroups/myGalleryRG/providers/Microsoft.Compute/galleries/myGallery/images/myImageDefinition/versions/1.0.0"`.

+### [Portal](#tab/portal)

+Now you can create one or more new VMs. This example creates a VM named *myVM*, in the *myResourceGroup*, in the *East US* datacenter.

+1. Go to your image definition. You can use the resource filter to show all image definitions available.

+1. On the page for your image definition, select **Create VM** from the menu at the top of the page.

+1. For **Resource group**, select **Create new** and type *myResourceGroup* for the name.

+1. In **Virtual machine name**, type *myVM*.

+1. For **Region**, select *East US*.

+1. For **Availability options**, leave the default of *No infrastructure redundancy required*.

+1. The value for **Image** is automatically filled with the `latest` image version if you started from the page for the image definition.

+1. For **Size**, choose a VM size from the list of available sizes and then choose **Select**.

+1. Under **Administrator account**, the username will be greyed out because the username and credentials from the source VM are used.

+1. If you want to allow remote access to the VM, under **Public inbound ports**, choose **Allow selected ports** and then select **SSH (22)** or **RDP (3389)** from the drop-down. If you don't want to allow remote access to the VM, leave **None** selected for **Public inbound ports**.

+1. When you're finished, select the **Review + create** button at the bottom of the page.

+1. After the VM passes validation, select **Create** at the bottom of the page to start the deployment.

+In this example, we're creating a VM from the latest version of the *myImageDefinition* image.

+1. On the **Create a virtual machine** page, you can see the details about the VM you're about to create. When you're ready, select **Create**.

+## Create a VM from a gallery shared with your subscription or tenant

+> [!IMPORTANT]

+> Azure Compute Gallery ΓÇô direct shared gallery is currently in PREVIEW and subject to the [Preview Terms for Azure Compute Gallery](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+>

+> To publish images to a direct shared gallery during the preview, you need to register at [https://aka.ms/directsharedgallery-preview](https://aka.ms/directsharedgallery-preview). Creating VMs from a direct shared gallery is open to all Azure users.

+>

+> During the preview, you need to create a new gallery, with the property `sharingProfile.permissions` set to `Groups`. When using the CLI to create a gallery, use the `--permissions groups` parameter. You can't use an existing gallery, the property can't currently be updated.

+### [CLI](#tab/cli2)

+To create a VM using the latest version of an image shared to your subscription or tenant, you need the ID of the image in the following format:

+```

+/SharedGalleries/<uniqueID>/Images/<image name>/Versions/latest

+```

+To find the `uniqueID` of a gallery that is shared with you, use [az sig list-shared](/cli/azure/sig/image-definition#az-sig-image-definition-list-shared). In this example, we're looking for galleries in the West US region.

+```azurecli-interactive

+region=westus

+az sig list-shared --location $region --query "[].name" -o tsv

+```

+Use the gallery name to find all of the images that are available. In this example, we list all of the images in *West US* and by name, the unique ID that is needed to create a VM, OS and OS state.

+```azurecli-interactive

+galleryName="1a2b3c4d-1234-abcd-1234-1a2b3c4d5e6f-myDirectShared"

+ az sig image-definition list-shared \

+ --gallery-unique-name $galleryName \

+ --location $region \

+ --query [*]."{Name:name,ID:uniqueId,OS:osType,State:osState}" -o table

+```

+Make sure the state of the image is `Specialized`. If you want to use an image with the `Generalized` state, see [Create a VM from a generalized image version](vm-generalized-image-version.md).

+Create the VM using [az vm create](/cli/azure/vm#az-vm-create) using the `--specialized` parameter to indicate that the image is a specialized image.

+Use the `Id`, appended with `/Versions/latest` to use the latest version, as the value for `--image`` to create a VM.

+In this example, we're creating a VM from the latest version of the *myImageDefinition* image.

+```azurecli

+imgDef="/SharedGalleries/1a2b3c4d-1234-abcd-1234-1a2b3c4d5e6f-MYDIRECTSHARED/Images/myDirectDefinition/Versions/latest"

+vmResourceGroup=myResourceGroup

+location=westus

+vmName=myVM

+az group create --name $vmResourceGroup --location $location

+az vm create\

+ --resource-group $vmResourceGroup \

+ --name $vmName \

+ --image $imgDef \

+ --specialized

+```

+### [Portal](#tab/portal2)

+> [!NOTE]

+> **Known issue**: In the Azure portal, if you select a region, select an image, then change the region, you will get an error message: "You can only create VM in the replication regions of this image" even when the image is replicated to that region. To get rid of the error, select a different region, then switch back to the region you want. If the image is available, it should clear the error message.

+>

+> You can also use the Azure CLI to check what images are shared with you. For example, you can use `az sig list-shared --location westus" to see what images are shared with you in the West US region.

+1. Type **virtual machines** in the search.

+1. Under **Services**, select **Virtual machines**.

+1. In the **Virtual machines** page, select **Create** and then **Virtual machine**. The **Create a virtual machine** page opens.

+1. In the **Basics** tab, under **Project details**, make sure the correct subscription is selected and then choose to **Create new** resource group or select one from the drop-down.

+1. Under **Instance details**, type a name for the **Virtual machine name**.

+1. For **Security type**, make sure *Standard* is selected.

+1. For your **Image**, select **See all images**. The **Select an image** page will open.

+1. In the left menu, under **Other Items**, select **Direct Shared Images (PREVIEW)**. The **Other Items | Direct Shared Images (PREVIEW)** page will open.

+1. Select an image from the list. Make sure that the **OS state** is *Specialized*. If you want to use a generalized image, see [Create a VM using a generalized image version](vm-generalized-image-version.md). Depending on the image you choose, the **Region** the VM will be created in will change to match the image.

+1. Complete the rest of the options and then select the **Review + create** button at the bottom of the page.

+1. On the **Create a virtual machine** page, you can see the details about the VM you're about to create. When you're ready, select **Create**.

+- [Create an Azure Compute Gallery](create-gallery.md)

+- [Create an image in an Azure Compute Gallery](image-version.md)

+The solution is based on the SAP-HANA certified dedicated hardware stamp ([SAP HANA tailored data center integration ΓÇô TDI](https://www.sap.com/documents/2017/09/e6519450-d47c-0010-82c7-eda71af511fa.html)). If you run an SAP HANA TDI-configured solution, all the above SAP HANA-based applications work on the hardware infrastructure.

+The storage layout for SAP HANA on Azure (Large Instances) is configured by SAP HANA on the classic deployment model per SAP recommended guidelines.

+In this configuration, you keep the **/hana/data** and **/hana/log** volumes separately. The suggested values are derived out of the KPIs that SAP has to certify VM types for SAP HANA and storage configurations as recommended in the [SAP TDI Storage Whitepaper](https://www.sap.com/documents/2017/09/e6519450-d47c-0010-82c7-eda71af511fa.html).

+Sizing the volumes or disks, you need to check the document [SAP HANA TDI Storage Requirements](https://www.sap.com/documents/2017/09/e6519450-d47c-0010-82c7-eda71af511fa.html), for the size required dependent on the number of worker nodes. The document releases a formula you need to apply to get the required capacity of the volume

+- [High availability of SAP HANA on Azure VMs on Red Hat Enterprise Linux](./sap-hana-high-availability-rhel.md)

+(https://help.sap.com/docs/Security/575a9f0e56f34c6e8138439eefc32b16/616a3c0b1cc748238de9c0341b15c63c.html). Using this document, you can open dedicated ports in the VPN device necessary for specific SAP products and scenarios.

+SAP High Availability in Azure has some differences compared to SAP High Availability in an on-premises physical or virtual environment. The following paper from SAP describes [standard SAP High Availability configurations in virtualized environments on Windows](https://help.sap.com/docs/SAP_NETWEAVER_703/a2cf03bc73a44b2a87d535cdb35e529e/45237d7e9f9b4002e10000000a155369.html). There is no sapinst-integrated SAP-HA configuration for Linux. For more information about SAP HA on-premises for Linux, see [SAP High Availability Partner Information](https://scn.sap.com/docs/DOC-8541).

+- [SAP HANA infrastructure configurations and operations on Azure](./hana-vm-operations.md)

+- Delta_datashipping might require drastically less memory without the preload option than logreplay could require. See chapter 4.3 of the SAP document [How To Perform System Replication for SAP HANA](https://www.sap.com/documents/2017/07/606a676e-c97c-0010-82c7-eda71af511fa.html)

+- [FAQ: High availability for SAP HANA](https://www.sap.com/documents/2016/05/c6f37cb5-737c-0010-82c7-eda71af511fa.html)

+- [Perform system replication for SAP HANA](https://www.sap.com/documents/2017/07/606a676e-c97c-0010-82c7-eda71af511fa.html)

+- Learn about [SAP HANA availability across Azure regions](./sap-hana-availability-across-regions.md).

+- Standard internal load balancers support dynamic allocation from within the subnet to which they're assigned.

+- Routing preference Internet IPs are not supported in a public IP address prefix.

+* Internet routing preference IPs are not supported in a public IP address prefix.

+#customer intent: As a cloud architect, I need to know how to use virtual network peering for connecting virtual networks. This will allow me to design connectivity correctly, understand future scalability options, and limitations.

+The network latency between virtual machines in peered virtual networks in the same region is the same as the latency within a single virtual network. The network throughput is based on the bandwidth that's allowed for the virtual machine, proportionate to its size. There isn't any extra restriction on bandwidth within the peering.

+When you configure virtual network peering, either open or close the network security group rules between the virtual networks. If you open full connectivity between peered virtual networks, you can apply network security groups to block or deny specific access. Full connectivity is the default option. To learn more about network security groups, see [Security groups](./network-security-groups-overview.md).

+## Resize the address space of Azure virtual networks that are peered

+You can resize the address space of Azure virtual networks that are peered without incurring any downtime on the currently peered address space. This feature is useful when you need to resize the virtual network's address space after scaling your workloads. After resizing the address space, all that is required is for peers to be synced with the new address space changes. Resizing works for both IPv4 and IPv6 address spaces.

+Addresses can be resized in the following ways:

+- Modifying the address range prefix of an existing address range (For example changing 10.1.0.0/16 to 10.1.0.0/18)

+- Adding address ranges to a virtual network

+- Deleting address ranges from a virtual network

+Synching of virtual network peers can be performed through the Azure portal or with Azure PowerShell.

+> [!IMPORTANT]

+> This feature doesn't support scenarios where the virtual network to be updated is peered with:

+> * A classic virtual network

+> * A managed virtual network such as the Azure VWAN hub

+## <a name="openvpn-macOS"></a>OpenVPN Client - macOS steps

+## <a name="OpenVPN-iOS"></a>OpenVPN Client - iOS steps

+The following steps use **OpenVPN Connect** from the App store.

+|**[APPLICATION-ATTACK-XSS](#drs941-10)**|Protect against cross-site scripting attacks|