+| Max # tags per image | 1 | N/A |

+| Max # regions per image | N/A | 1,000 |

+- User prompts submitted to a generative AI service.

+- Content produced by generative AI models.

+> [!NOTE]

+>

+> Note that Studio container cannot be deployed and run in Azure Kubernetes Service. Studio container is only supported to be run on local machine.

+Overfitting happens when the model is fixated on the specific examples and isn't able to generalize well.

+Schema is defined as the combination of intents and entities within your project. Schema design is a crucial part of your project's success. When creating a schema, you want to think about which intents and entities should be included in your project.

+An utterance is user input that is short text representative of a sentence in a conversation. It's a natural language phrase such as "book 2 tickets to Seattle next Tuesday". Example utterances are added to train the model and the model predicts on new utterance at runtime

+# Migrate from QnA Maker to custom question answering

+You'll also need to [re-enable analytics](analytics.md) for the language resource.

+|Alternate Questions|✔️|✔️|The improved models in custom question answering reduce the need to add alternate questions.|

+When you're looking at migrating to custom question answering, please consider the following:

+- ΓÇ£Text RecordsΓÇ¥ in custom question answering features refers to the query submitted by the user to the runtime, and it's a concept common to all features within Language service. Sometimes a query may have more text records when the query length is higher.

+ Summary: Customers should save cost across the most common configurations as seen in the relative cost column.

+Additional links which can help you're given below:

+> Each custom question answering project is equivalent to a knowledge base in QnA Maker. Resource level settings such as Role-based access control (RBAC) are not migrated to the new resource. These resource level settings would have to be reconfigured for the language resource post migration. You'll also need to [re-enable analytics](analytics.md) for the language resource.

+# Migrate from QnA Maker knowledge bases to custom question answering

+1. Create a [language resource](https://aka.ms/create-language-resource) with custom question answering enabled in advance. When you create the language resource in the Azure portal, you'll see the option to enable custom question answering. When you select that option and proceed, you'll be asked for Azure Search details to save the knowledge bases.

+6. Select the language resource to which you want to migrate the knowledge bases. You'll only be able to see those language resources that have custom question answering enabled. The language setting for the language resource is displayed in the options. You wonΓÇÖt be able to migrate knowledge bases in multiple languages from QnA Maker resources to a language resource if its language setting isn't specified.

+ If you want to migrate knowledge bases in multiple languages to the language resource, you must enable the multiple language setting when creating the first custom question answering project for the language resource. You can do so by following the instructions in step #2. **If the language setting for the language resource isn't specified, it is assigned the language of the selected QnA Maker resource**.

+ > 

+ > 

+10. It will take a few minutes for the migration to occur. Don't cancel the migration while it is in progress. You can navigate to the migrated projects within the [Language Studio](https://language.azure.com/) post migration.

+ > 

+ - You're trying to migrate an empty knowledge base (KB).

+ - You've reached the limit for an Azure Search instance linked to your target resources.

+ > 

+| `gpt-4` | 1106-preview | To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on August 15, 2024, or later **¹** |

+| `gpt-4` | 0125-preview |To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on August 15, 2024, or later **¹** |

+| `gpt-4` | vision-preview | To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on August 15, 2024, or later **¹** |

+Send a POST request to `https://{RESOURCE_NAME}.openai.azure.com/openai/deployments/{DEPLOYMENT_NAME}/chat/completions?api-version=2024-02-15-preview` where

+ api_version = '2024-02-15-preview' # this might change in the future

+ base_url=f"{api_base}openai/deployments/{deployment_name}",

+Send a POST request to `https://{RESOURCE_NAME}.openai.azure.com/openai/deployments/{DEPLOYMENT_NAME}/chat/completions?api-version=2024-02-15-preview` where

+1. Prepare a POST request to `https://{RESOURCE_NAME}.openai.azure.com/openai/deployments/{DEPLOYMENT_NAME}/chat/completions?api-version=2024-02-15-preview` where

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ > The serverless API model deployment offering for eligible models in the Mistral family is only available in hubs created in the **East US 2** and **Sweden Central** regions.

+1. Select the project in which you want to deploy your model. To deploy the Mistral model, your project must be in the *EastUS2* or *Sweden Central* region.

+Mistral-Large | [Microsoft Managed Countries](/partner-center/marketplace/tax-details-marketplace#microsoft-managed-countriesregions) <br> Brazil <br> Hong Kong <br> Israel| East US, East US 2, North Central US, South Central US, Sweden Central, West US, West US 3 | Not available

+Models deployed to [managed inference](../concepts/deployments-overview.md):

+> [!div class="checklist"]

+> * [Meta Llama 3 instruct](../how-to/deploy-models-llama.md) family of models

+> * [Phi-3](../how-to/deploy-models-phi-3.md) family of models

+> * Mixtral famility of models

+### Inference SDK support

+You can use streamlined inference clients in the language of your choice to consume predictions from models running the Azure AI model inference API.

+# [Python](#tab/python)

+Install the package `azure-ai-inference` using your package manager, like pip:

+```bash

+pip install azure-ai-inference

+```

+Then, you can use the package to consume the model. The following example shows how to create a client to consume chat completions:

+```python

+import os

+from azure.ai.inference import ChatCompletionsClient

+from azure.core.credentials import AzureKeyCredential

+model = ChatCompletionsClient(

+ endpoint=os.environ["AZUREAI_ENDPOINT_URL"],

+ credential=AzureKeyCredential(os.environ["AZUREAI_ENDPOINT_KEY"]),

+)

+```

+# [JavaScript](#tab/javascript)

+Install the package `@azure-rest/ai-inference` using npm:

+```bash

+npm install @azure-rest/ai-inference

+```

+Then, you can use the package to consume the model. The following example shows how to create a client to consume chat completions:

+```javascript

+import ModelClient from "@azure-rest/ai-inference";

+import { isUnexpected } from "@azure-rest/ai-inference";

+import { AzureKeyCredential } from "@azure/core-auth";

+const client = new ModelClient(

+ process.env.AZUREAI_ENDPOINT_URL,

+ new AzureKeyCredential(process.env.AZUREAI_ENDPOINT_KEY)

+);

+```

+# [REST](#tab/rest)

+Use the reference section to explore the API design and which parameters are available. For example, the reference section for [Chat completions](reference-model-inference-chat-completions.md) details how to use the route `/chat/completions` to generate predictions based on chat-formatted instructions:

+__Request__

+```HTTP/1.1

+POST /chat/completions?api-version=2024-04-01-preview

+Authorization: Bearer <bearer-token>

+Content-Type: application/json

+```

+# [Python](#tab/python)

+```python

+response = model.complete(

+ messages=[

+ SystemMessage(content="You are a helpful assistant."),

+ UserMessage(content="How many languages are in the world?"),

+ ],

+ model_extras={

+ "safe_mode": True

+ }

+)

+```

+# [JavaScript](#tab/javascript)

+```javascript

+var messages = [

+ { role: "system", content: "You are a helpful assistant" },

+ { role: "user", content: "How many languages are in the world?" },

+];

+var response = await client.path("/chat/completions").post({

+ body: {

+ messages: messages,

+ safe_mode: true

+ }

+});

+```

+# [REST](#tab/rest)

+# [Python](#tab/python)

+```python

+from azure.ai.inference.models import ChatCompletionsResponseFormat

+from azure.core.exceptions import HttpResponseError

+import json

+try:

+ response = model.complete(

+ messages=[

+ SystemMessage(content="You are a helpful assistant."),

+ UserMessage(content="How many languages are in the world?"),

+ ],

+ response_format={ "type": ChatCompletionsResponseFormat.JSON_OBJECT }

+ )

+except HttpResponseError as ex:

+ if ex.status_code == 422:

+ response = json.loads(ex.response._content.decode('utf-8'))

+ if isinstance(response, dict) and "detail" in response:

+ for offending in response["detail"]:

+ param = ".".join(offending["loc"])

+ value = offending["input"]

+ print(

+ f"Looks like the model doesn't support the parameter '{param}' with value '{value}'"

+ )

+ else:

+ raise ex

+```

+# [JavaScript](#tab/javascript)

+```javascript

+try {

+ var messages = [

+ { role: "system", content: "You are a helpful assistant" },

+ { role: "user", content: "How many languages are in the world?" },

+ ];

+

+ var response = await client.path("/chat/completions").post({

+ body: {

+ messages: messages,

+ response_format: { type: "json_object" }

+ }

+ });

+}

+catch (error) {

+ if (error.status_code == 422) {

+ var response = JSON.parse(error.response._content)

+ if (response.detail) {

+ for (const offending of response.detail) {

+ var param = offending.loc.join(".")

+ var value = offending.input

+ console.log(`Looks like the model doesn't support the parameter '${param}' with value '${value}'`)

+ }

+ }

+ }

+ else

+ {

+ throw error

+ }

+}

+```

+# [REST](#tab/rest)

+# [Python](#tab/python)

+```python

+from azure.ai.inference.models import AssistantMessage, UserMessage, SystemMessage

+try:

+ response = model.complete(

+ messages=[

+ SystemMessage(content="You are an AI assistant that helps people find information."),

+ UserMessage(content="Chopping tomatoes and cutting them into cubes or wedges are great ways to practice your knife skills."),

+ ]

+ )

+ print(response.choices[0].message.content)

+except HttpResponseError as ex:

+ if ex.status_code == 400:

+ response = json.loads(ex.response._content.decode('utf-8'))

+ if isinstance(response, dict) and "error" in response:

+ print(f"Your request triggered an {response['error']['code']} error:\n\t {response['error']['message']}")

+ else:

+ raise ex

+ else:

+ raise ex

+```

+# [JavaScript](#tab/javascript)

+```javascript

+try {

+ var messages = [

+ { role: "system", content: "You are an AI assistant that helps people find information." },

+ { role: "user", content: "Chopping tomatoes and cutting them into cubes or wedges are great ways to practice your knife skills." },

+ ]

+ var response = await client.path("/chat/completions").post({

+ body: {

+ messages: messages,

+ }

+ });

+

+ console.log(response.body.choices[0].message.content)

+}

+catch (error) {

+ if (error.status_code == 400) {

+ var response = JSON.parse(error.response._content)

+ if (response.error) {

+ console.log(`Your request triggered an ${response.error.code} error:\n\t ${response.error.message}`)

+ }

+ else

+ {

+ throw error

+ }

+ }

+}

+```

+# [REST](#tab/rest)

+The Azure AI Model Inference API is currently supported in certain models deployed as [Serverless API endpoints](../how-to/deploy-models-serverless.md) and Managed Online Endpoints. Deploy any of the [supported models](#availability) and use the exact same code to consume their predictions.

+[deployment-safeguards-list]: https://portal.azure.com/#view/Microsoft_Azure_Policy/InitiativeDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicySetDefinitions%2Fc047ea8e-9c78-49b2-958b-37e56d291a44/scopes/

+## Contributors

+*This article is maintained by Microsoft. It was originally written by the following contributors*:

+- Ken Kilty | Principal TPM

+- Russell de Pina | Principal TPM

+- Jenny Hayes | Senior Content Developer

+- Carol Smith | Senior Content Developer

+- Erin Schaffer | Content Developer 2

+## Contributors

+*This article is maintained by Microsoft. It was originally written by the following contributors*:

+- Ken Kilty | Principal TPM

+- Russell de Pina | Principal TPM

+- Jenny Hayes | Senior Content Developer

+- Carol Smith | Senior Content Developer

+- Erin Schaffer | Content Developer 2

+## Contributors

+*This article is maintained by Microsoft. It was originally written by the following contributors*:

+- Ken Kilty | Principal TPM

+- Russell de Pina | Principal TPM

+- Jenny Hayes | Senior Content Developer

+- Carol Smith | Senior Content Developer

+- Erin Schaffer | Content Developer 2

+## Contributors

+*This article is maintained by Microsoft. It was originally written by the following contributors*:

+- Ken Kilty | Principal TPM

+- Russell de Pina | Principal TPM

+- Jenny Hayes | Senior Content Developer

+- Carol Smith | Senior Content Developer

+- Erin Schaffer | Content Developer 2

+## Contributors

+*This article is maintained by Microsoft. It was originally written by the following contributors*:

+- Ken Kilty | Principal TPM

+- Russell de Pina | Principal TPM

+- Jenny Hayes | Senior Content Developer

+- Carol Smith | Senior Content Developer

+- Erin Schaffer | Content Developer 2

+## Contributors

+*This article is maintained by Microsoft. It was originally written by the following contributors*:

+- Ken Kilty | Principal TPM

+- Russell de Pina | Principal TPM

+- Jenny Hayes | Senior Content Developer

+- Carol Smith | Senior Content Developer

+- Erin Schaffer | Content Developer 2

+> After utilizing the start/stop feature on AKS, it is essential to wait 15-30 minutes before restarting your AKS cluster. This waiting period is necessary because it takes several minutes for the relevant services to fully stop. Attempting to restart your cluster during this process can disrupt the shutdown process and potentially cause issues with the cluster or its workloads.

+> * Currently, only one rule can be configured for a backend circuit breaker.

+## Limitations

+- For **Developer** and **Premium** tiers, an API Management instance deployed in an [internal virtual network](api-management-using-with-internal-vnet.md) can throw HTTP 500 `BackendConnectionFailure` errors when the gateway endpoint URL and backend URL are the same. If you encounter this limitation, follow the instructions in the [Self-Chained API Management request limitation in internal virtual network mode](https://techcommunity.microsoft.com/t5/azure-paas-blog/self-chained-apim-request-limitation-in-internal-virtual-network/ba-p/1940417) article in the Tech Community blog.

+- Currently, only one rule can be configured for a backend circuit breaker.

+The certificate for custom domain suffix must be stored in an Azure Key Vault. The certificate must be uploaded in .PFX format and be smaller than 20 kb. Certificates in .PEM format aren't supported at this time. App Service Environment uses the managed identity you selected to get the certificate.

+### Network access to Key Vault

+The key vault can be accessed publicly or through a [private endpoint](../../private-link/private-endpoint-overview.md) accessible from the subnet that the App Service Environment is deployed to. To learn how to configure a private endpoint, see [Integrate Key Vault with Azure Private Link](../../key-vault/general/private-link-service.md). If you use public access, you can secure your key vault to only accept traffic from the outbound IP address of the App Service Environment. The App Service Environment uses the platform outbound IP address as the source address when accessing the key vault. You can find the IP address in the IP Addresses page in Azure portal.

+Note that _/api/health_ is just an example added for illustration purposes. We don't create a Health Check path by default. You should make sure that the path you are selecting is a valid path that exists within your application

+If the status of your application instance is unhealthy, you can restart the instance manually using the restart button in the table. Keep in mind that any other applications hosted on the same App Service Plan as the instance will also be affected by the restart. If there are other applications using the same App Service Plan as the instance, they're listed on the opening blade from the restart button.

+If you restart the instance and the restart process fails, you'll then be given the option to replace the worker (only one instance can be replaced per hour). This will also affect any applications using the same App Service Plan.

+After providing your application's Health check path, you can monitor the health of your site using Azure Monitor. From the **Health check** blade in the Portal, select the **Metrics** in the top toolbar. This opens a new blade where you can see the site's historical health status and option to create a new alert rule. Health check metrics aggregate the successful pings & display failures only when the instance was deemed unhealthy based on the health check configuration. For more information on monitoring your sites, [see the guide on Azure Monitor](web-sites-monitor.md).

+- Health check can be enabled for **Free** and **Shared** App Service Plans so you can have metrics on the site's health and setup alerts, but because **Free** and **Shared** sites can't scale out, any unhealthy instances won't be replaced. You should scale up to the **Basic** tier or higher so you can scale out to 2 or more instances and utilize the full benefit of Health check. This is recommended for production-facing applications as it increases your app's availability and performance.

+- There's a nonconfigurable limit on the total number of instances replaced by Health Check per scale unit. If this limit is reached, no unhealthy instances are replaced. This value gets reset every 12 hours.

+On Windows and Linux App Service, the Health check requests are sent via HTTPS when [HTTPS Only](configure-ssl-bindings.md#enforce-https) is enabled on the site. Otherwise, they're sent over HTTP.

+No, the Health check feature is pinging the path of the default domain of the web application. If there's a redirect from the default domain to a custom domain, then the status code that Health check is returning is not going to be a 200 but a redirect (301), which is going to mark the worker unhealthy.

+Imagine you have two applications (or one app with a slot) with Health check enabled, called App A and App B. They're on the same App Service Plan and that the Plan is scaled out to four instances. If App A becomes unhealthy on two instances, the load balancer stops sending requests to App A on those two instances. Requests are still routed to App B on those instances assuming App B is healthy. If App A remains unhealthy for over an hour on those two instances, those instances are only replaced if App B is **also** unhealthy on those instances. If App B is healthy, the instance isn't replaced.

+When you scale up/down in instance size, the amount of IP addresses used by the App Service plan is temporarily doubled while the scale operation completes. The new instances need to be fully operational before the existing instances are deprovisioned. The scale operation affects the real, available supported instances for a given subnet size. Platform upgrades need free IP addresses to ensure upgrades can happen without interruptions to outbound traffic. Finally, after scale up, down, or in operations complete, there might be a short period of time before IP addresses are released. In rare cases, this operation can be up to 12 hours and if you rapidly scaling in/out or up/down, you need more IPs than the maximum scale.

+Because subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. You should also reserve IP addresses for platform upgrades. To avoid any issues with subnet capacity, we recommand allocating double the IPs of your planned maximum scale. A `/26` with 64 addresses cover the maximum scale of a single multitenant App Service plan. When you're creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of `/27` is required. If the subnet already exists before integrating through the portal, you can use a `/28` subnet.

+Alternatively, you can navigate to your [AKS cluster in the Azure portal](https://portal.azure.com/?feature.aksagic=true) and enable the AGIC add-on in the **Virtual network integration** tab of your cluster. Select your existing Application Gateway when you choose which Application Gateway that the add-on should target.

+

+## Enable the AGIC add-on in existing AKS cluster through Azure portal

+If you'd like to use Azure portal to enable AGIC add-on, go to [(https://aka.ms/azure/portal/aks/agic)](https://aka.ms/azure/portal/aks/agic) and navigate to your AKS cluster through the portal link. Select the **Networking** menu item under **Settings**. From there, go to the **Virtual network integration** tab within your AKS cluster. You'll see an **Application gateway ingress controller** section, which allows you to enable and disable the ingress controller add-on. Select the **Manage** button, then the checkbox next to **Enable ingress controller**. Select the application gateway you created, **myApplicationGateway** and then select **Save**.

+> If you use an application gateway in a different resource group than the AKS cluster resource group, the managed identity **_ingressapplicationgateway-{AKSNAME}_** that is created must have **Network Contributor** and **Reader** roles set in the application gateway resource group.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+description: This document introduces experimentation in Azure App Configuration, scenarios for using Split Experimentation, and more.

+ Title: Quickstart for adding feature flags to Python with Azure App Configuration

+# Quickstart: Add feature flags to a Python app

+> To avoid issues due to breaking changes, we recommend updating your deployments by July 29, 2024, so that they stop using the fields that will be removed and use the replacement fields instead. These new fields are already available in the current version of the APIs.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ Title: How to migrate from legacy Log Analytics agents in non-Azure environments with Azure Arc

+description: Learn how to migrate from legacy Log Analytics agents in non-Azure environments with Azure Arc.

+# Migrate from legacy Log Analytics agents in non-Azure environments with Azure Arc

+Azure Monitor Agent (AMA) replaces the Log Analytics agent (also known as Microsoft Monitor Agent (MMA) and OMS) for Windows and Linux machines. Azure Arc is required to migrate off the legacy Log Analytics agents for non-Azure environments, including on-premises or multicloud infrastructure.

+Azure Arc is a bridge, extending not only Azure Monitor but the breadth of Azure management capabilities across Microsoft Defender, Azure Policy, and Azure Update Manager to non-Azure environments. Through the lightweight Connected Machine agent, Azure Arc projects non-Azure servers into the Azure control plane, providing a consistent management experience across Azure VMs and non-Azure servers.

+This article focuses on considerations when migrating from legacy Log Analytics agents in non-Azure environments. For core migration guidance, see [Migrate to Azure Monitor Agent from Log Analytics agent](../../azure-monitor/agents/azure-monitor-agent-migration.md).

+## Advantages of Azure Arc

+Deploying Azure Monitor Agent as an extension with Azure Arc-enabled servers provides several benefits over the legacy Log Analytics agents (MMA and OMS), which directly connect non-Azure servers to Log Analytics workspaces:

+- Azure Arc centralizes the identity, connectivity, and governance of non-Azure resources. This streamlines operational overhead and improves the security posture and performance.

+- Azure Arc offers extension management capabilities including auto-extension upgrade, reducing typical maintenance overhead.

+- Azure Arc enables access to the breadth of server management capabilities beyond monitoring, such as Cloud Security Posture Management with [Microsoft Defender](../../defender-for-cloud/defender-for-cloud-introduction.md) or scripting with [Run Command](run-command.md). As you centralize operations in Azure, Azure Arc provides a robust foundation for these other capabilities.

+Azure Arc is the foundation for a cloud-based inventory bringing together Azure and on-premises, multicloud, and edge infrastructure that can be queried and organized through Azure Resource Manager (ARM).

+## Limitations on Azure Arc

+Azure Arc relies on the [Connected Machine agent](/azure/azure-arc/servers/agent-overview) and is an agent-based solution requiring connectivity and designed for server infrastructure:

+- Azure Arc requires the Connected Machine agent in addition to the Azure Monitor Agent as a VM extension. The Connected Machine agent must be configured specifying details of the Azure resource.

+- Azure Arc only supports client-like Operating Systems when computers are in a server-like environment and doesn't support short-lived servers or virtual desktop infrastructure.

+- Azure Arc has two regional availability gaps with Azure Monitor Agent:

+ - Qatar Central (Availability expected in August 2024)

+ - Australia Central (Other Australia regions are available)

+

+- Azure Arc requires servers to have regular connectivity and the allowance of key endpoints. While proxy and private link connectivity are supported, Azure Arc doesn't support completely disconnected scenarios. Azure Arc doesn't support the Log Analytics (OMS) Gateway.

+- Azure Arc defines a System Managed Identity for connected servers, but doesn't support User Assigned Identities.

+Learn more about the full Connected Machine agent [prerequisites](/azure/azure-arc/servers/prerequisites#supported-operating-systems) for environmental constraints.

+## Relevant services

+Azure Arc-enabled servers is required for deploying all solutions that previously required the legacy Log Analytics agents (MMA/OMS) to non-Azure infrastructure. The new Azure Monitor Agent is only required for a subset of these services.

+|Azure Monitor Agent and Azure Arc required |Only Azure Arc required |

+|||

+|Microsoft Sentinel |Microsoft Defender for Cloud |

+|Virtual Machine Insights (previously Dependency Agent) |Azure Update Management |

+|Change Tracking and Inventory |Automation Hybrid Runbook Worker |

+As you design the holistic migration from the legacy Log Analytics agents (MMA/OMS), it's critical to consider and prepare for the migration of these solutions.

+## Deploying Azure Arc

+Azure Arc can be deployed interactively on a single server basis or programmatically at scale:

+- PowerShell and Bash deployment scripts can be generated from Azure portal or written manually following documentation.

+- Windows Server machines can be connected through Windows Admin Center and the Windows Server Graphical Installer.

+- At scale deployment options include Configuration Manager, Ansible, and Group Policy using the Azure service principal, a limited identity for Arc server onboarding.

+- Azure Automation Update Manager customers can onboard from Azure portal with the Arc-enablement of all detected non-Azure servers connected to the Log Analytics workspace with the Azure Automation Update Management solution.

+See [Azure Connected Machine agent deployment options](/azure/azure-arc/servers/deployment-options) to learn more.

+## Agent control and footprint

+You can lock down the Connected Machine agent by specifying the extensions and capabilities that are enabled. If migrating from the legacy Log Analytics agent, the Monitor mode is especially salient. Monitor mode applies a Microsoft-managed extension allowlist, disables remote connectivity, and disables the machine configuration agent. If youΓÇÖre using Azure Arc solely for monitoring purposes, setting the agent to Monitor mode makes it easy to restrict the agent to just the functionality required to use Azure Monitor and solutions that use Azure Monitor. You can configure the agent mode with the following command (run locally on each machine):

+`azcmagent config set config.mode monitor`

+See [Extensions security](/azure/azure-arc/servers/security-extensions) to learn more.

+## Networking options

+Azure Arc-enabled servers supports three networking options:

+- Connectivity over public endpoint

+- Proxy

+- Private Link (Azure Express Route).

+All connections are TCP and outbound over port 443 unless specified. All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.

+Azure Arc doesn't officially support using the Log Analytics gateway as a proxy for the Connected Machine agent.

+The connectivity method specified can be changed after onboarding.

+See [Connected Machine agent network requirements](/azure/azure-arc/servers/network-requirements?tabs=azure-cloud) to learn more.

+## Deploying Azure Monitor Agent with Azure Arc

+There are multiple methods to deploy the Azure Monitor Agent extension on Azure Arc-enabled servers programmatically, graphically, and automatically. Some popular methods to deploy Azure Monitor Agent on Azure Arc-enabled servers include:

+- Azure portal

+- PowerShell, Azure CLI, or Azure Resource Manager (ARM) templates

+- Azure Policy

+Azure Arc doesn't eliminate the need to configure and define Data Collection Rules. You should configure Data Collection Rules similar to your Azure VMs for Azure Arc-enabled servers.

+See [Deployment options for Azure Monitor Agent on Azure Arc-enabled servers](/azure/azure-arc/servers/concept-log-analytics-extension-deployment) to learn more.

+## Standalone Azure Monitor Agent installation

+For Windows client machines running in non-Azure environments, use a standalone Azure Monitor Agent installation that doesn't require deployment of the Azure Connected Machine agent through Azure Arc. See [Install Azure Monitor Agent on Windows client devices using the client installer](/azure/azure-monitor/agents/azure-monitor-agent-windows-client) to learn more.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+| Windows Server 2008 R2 SP1 | 1.39 [Download](https://aka.ms/AzureConnectedMachineAgent-1.39) | 03/31/2025 | Windows Server 2008 and 2008 R2 reached End of Support in January 2020. See [End of support for Windows Server 2008 and Windows Server 2008 R2](/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server-2008-2008r2). |

+| CentOS 7 and 8 | 1.42 | 05/31/2025 | See the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md). |

+### Connect new limited support servers

+To connect a new server running a Limited Support operating system to Azure Arc, you will need to make some adjustments to the onboarding script.

+For Windows, modify the installation script to specify the version required, using the -AltDownload parameter.

+Instead of

+```pwsh

+ # Install the hybrid agent

+ & "$env:TEMP\install_windows_azcmagent.ps1";

+```

+Use

+```pwsh

+ # Install the hybrid agent

+ & "$env:TEMP\install_windows_azcmagent.ps1" -AltDownload https://aka.ms/AzureConnectedMachineAgent-1.39;

+```

+For Linux, the relevant package repository will only contain releases that are applicable, so no special considerations are required.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+description: Learn how to use a secured storage account in a virtual network as the default storage account for a function app in Azure Functions.

+# Customer intent: As a developer, I want to understand how to use a secured storage account in a virtual network as the default storage account for my function app, so that my function app can be secure.

+This article shows you how to connect your function app to a secured storage account. For an in-depth tutorial on how to create your function app with inbound and outbound access restrictions, see the [Integrate with a virtual network](functions-create-vnet.md) tutorial. To learn more about Azure Functions and networking, see [Azure Functions networking options](functions-networking-options.md).

+## Restrict your storage account to a virtual network

+When you create a function app, you either create a new storage account or link to an existing one. Currently, only the Azure portal, [ARM template deployments](functions-infrastructure-as-code.md?tabs=json&pivots=premium-plan#secured-deployments), and [Bicep deployments](functions-infrastructure-as-code.md?tabs=bicep&pivots=premium-plan#secured-deployments) support function app creation with an existing secured storage account.

+> Secured storage accounts are supported for all tiers of the [Dedicated (App Service) plan](./dedicated-plan.md) and the [Elastic Premium plan](./functions-premium-plan.md). They're also supported by the [Flex Consumption plan](./flex-consumption-plan.md).

+## Secure storage during function app creation

+You can create a function app, along with a new storage account that is secured behind a virtual network. The following sections show you how to create these resources by using either the Azure portal or by using deployment templates.

+> [!NOTE]

+Use Bicep files or Azure Resource Manager (ARM) templates to create a secured function app and storage account resources. When you create a secured storage account in an automated deployment, you must set the `vnetContentShareEnabled` site property, create the file share as part of your deployment, and set the `WEBSITE_CONTENTSHARE` app setting to the name of the file share. For more information, including links to example deployments, see [Secured deployments](functions-infrastructure-as-code.md?pivots=premium-plan#secured-deployments).

+When you have an existing function app, you can directly configure networking on the storage account being used by the app. However, this process results in your function app being down while you configure networking and while your function app restarts.

+As a prerequisite, you need to enable virtual network integration for your function app:

+### 2. Create a secured storage account

+Set up a secured storage account for your function app:

+1. [Create a second storage account](../storage/common/storage-account-create.md). This storage account is the secured storage account for your function app to use instead of its original unsecured storage account. You can also use an existing storage account not already being used by Functions.

+1. Save the connection string for this storage account to use later.

+1. [Create a file share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) in the new storage account. For your convenience, you can use the same file share name from your original storage account. Otherwise, if you use a new file share name, you must update your app setting.

+ * [Create a private endpoint](../storage/common/storage-private-endpoints.md#creating-a-private-endpoint). As you set up your private endpoint connection, create private endpoints for the `file` and `blob` subresources. For Durable Functions, you must also make `queue` and `table` subresources accessible through private endpoints. If you're using a custom or on-premises Domain Name System (DNS) server, [configure your DNS server](../storage/common/storage-private-endpoints.md#dns-changes-for-private-endpoints) to resolve to the new private endpoints.

+ * [Restrict traffic to specific subnets](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network). Ensure your function app is network integrated with an allowed subnet and that the subnet has a service endpoint to `Microsoft.Storage`.

+1. Copy the file and blob content from the current storage account used by the function app to the newly secured storage account and file share. [AzCopy](../storage/common/storage-use-azcopy-blobs-copy.md) and [Azure Storage Explorer](https://techcommunity.microsoft.com/t5/azure-developer-community-blog/azure-tips-and-tricks-how-to-move-azure-storage-blobs-between/ba-p/3545304) are common methods. If you use Azure Storage Explorer, you might need to allow your client IP address access to your storage account's firewall.

+> These configuration steps are required only for the [Elastic Premium](./functions-premium-plan.md) and [Dedicated (App Service)](./dedicated-plan.md) hosting plans.

+You're now ready to route your function app's traffic to go through the virtual network:

+1. Enable [application routing](../app-service/overview-vnet-integration.md#application-routing) to route your app's traffic to the virtual network:

+ 1. In your function app, expand **Settings**, and then select **Networking**. In the **Networking** page, under **Outbound traffic configuration**, select the subnet associated with your virtual network integration.

+ 1. In the new page, under **Application routing**, select **Outbound internet traffic**.

+1. Enable [content share routing](../app-service/overview-vnet-integration.md#content-share) to enable your function app to communicate with your new storage account through its virtual network. In the same page as the previous step, under **Configuration routing**, select **Content storage**.

+Finally, you need to update your application settings to point to the new secure storage account:

+1. In your function app, expand **Settings**, and then select **Environment variables**.

+1. In the **App settings** tab, update the following settings by selecting each setting, editing it, and then selecting **Apply**:

+ | [`AzureWebJobsStorage`](./functions-app-settings.md#azurewebjobsstorage)| Storage connection string | Use the connection string for your new secured storage account, which you saved earlier. |

+ | [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](./functions-app-settings.md#website_contentazurefileconnectionstring) | Storage connection string | Use the connection string for your new secured storage account, which you saved earlier. |

+ | [`WEBSITE_CONTENTSHARE`](./functions-app-settings.md#website_contentshare) | File share | Use the name of the file share created in the secured storage account where the project deployment files reside. |

+1. Select **Apply**, and then **Confirm** to save the new application settings in the function app.

+ The function app restarts.

+After the function app finishes restarting, it connects to the secured storage account.

+ Title: Azure Notification Hubs output bindings for Azure Functions

+description: Learn how to use Azure Notification Hub output bindings in Azure Functions.

+# Azure Notification Hubs output bindings for Azure Functions

+You must configure Notification Hubs for the Platform Notifications Service (PNS) you want to use. For more information about how to get push notifications in your client app from Notification Hubs, see [Quickstart: Set up push notifications in a notification hub](../notification-hubs/configure-notification-hub-portal-pns-settings.md).

+> Google has [deprecated Google Cloud Messaging (GCM) in favor of Firebase Cloud Messaging (FCM)](https://developers.google.com/cloud-messaging/faq). However, output bindings for Notification Hubs doesn't support FCM. To send notifications using FCM, use the [Firebase API](https://firebase.google.com/docs/cloud-messaging/server#choosing-a-server-option) directly in your function or use [template notifications](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md).

+## Packages: Functions 1.x

+## Packages: Functions 2.x and higher

+Output binding isn't available in Functions 2.x and higher.

+## Example: template

+The notifications you send can be native notifications or [template notifications](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md). A native notification targets a specific client platform, as configured in the `platform` property of the output binding. A template notification can be used to target multiple platforms.

+Template examples for each language:

+* [C# script: out parameter](#c-script-template-example-out-parameter)

+* [C# script: asynchronous](#c-script-template-example-asynchronous)

+* [C# script: JSON](#c-script-template-example-json)

+* [C# script: library types](#c-script-template-example-library-types)

+### C# script template example: out parameter

+This example sends a notification for a [template registration](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md) that contains a `message` placeholder in the template:

+### C# script template example: asynchronous

+If you're using asynchronous code, out parameters aren't allowed. In this case, use `IAsyncCollector` to return your template notification. The following code is an asynchronous example of the previous example:

+### C# script template example: JSON

+This example sends a notification for a [template registration](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md) that contains a `message` placeholder in the template using a valid JSON string:

+### C# script template example: library types

+This example shows how to use types defined in the [Microsoft Azure Notification Hubs Library](https://www.nuget.org/packages/Microsoft.Azure.NotificationHubs/):

+This example sends a notification for a [template registration](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md) that contains `location` and `message`:

+This example sends a notification for a [template registration](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md) that contains `location` and `message`:

+## Example: APNS native

+This C# script example shows how to send a native Apple Push Notification Service (APNS) notification:

+ // In this example, the queue item is a new user to be processed in the form of a JSON string with

+ // The JSON format for a native Apple Push Notification Service (APNS) notification is:

+## Example: WNS native

+This C# script example shows how to use types defined in the [Microsoft Azure Notification Hubs Library](https://www.nuget.org/packages/Microsoft.Azure.NotificationHubs/) to send a native Windows Push Notification Service (WNS) toast notification:

+ // In this example, the queue item is a new user to be processed in the form of a JSON string with

+The attribute's constructor parameters and properties are described in the [Configuration](#configuration) section.

+The following table lists the binding configuration properties that you set in the *function.json* file and the `NotificationHub` attribute:

+|**type** |n/a| Set to `notificationHub`. |

+|**direction** |n/a| Set to `out`. |

+|**tagExpression** |**TagExpression** | Tag expressions allow you to specify that notifications be delivered to a set of devices that are registered to receive notifications matching the tag expression. For more information, see [Routing and tag expressions](../notification-hubs/notification-hubs-tags-segment-push-message.md). |

+|**hubName** | **HubName** | The name of the notification hub resource in the Azure portal. |

+|**connection** | **ConnectionStringSetting** | The name of an app setting that contains a Notification Hubs connection string. Set the connection string to the *DefaultFullSharedAccessSignature* value for your notification hub. For more information, see [Connection string setup](#connection-string-setup). |

+|**platform** | **Platform** | The platform property indicates the client platform your notification targets. By default, if the platform property is omitted from the output binding, template notifications can be used to target any platform configured on the Azure Notification Hub. For more information about using templates to send cross-platform notifications with an Azure Notification Hub, see [Notification Hubs templates](../notification-hubs/notification-hubs-templates-cross-platform-push-messages.md). When **platform** is set, it must be one of the following values: <ul><li><code>apns</code>: Apple Push Notification Service. For more information on configuring the notification hub for APNS and receiving the notification in a client app, see [Send push notifications to iOS with Azure Notification Hubs](../notification-hubs/xamarin-notification-hubs-ios-push-notification-apns-get-started.md).</li><li><code>adm</code>: [Amazon Device Messaging](https://developer.amazon.com/device-messaging). For more information on configuring the notification hub for Azure Deployment Manager (ADM) and receiving the notification in a Kindle app, see [Send push notifications to Android devices using Firebase SDK](../notification-hubs/notification-hubs-android-push-notification-google-fcm-get-started.md).</li><li><code>wns</code>: [Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview) targeting Windows platforms. WNS also supports Windows Phone 8.1 and later. For more information, see [Send notifications to Universal Windows Platform apps using Azure Notification Hubs](../notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification.md).</li><li><code>mpns</code>: [Microsoft Push Notification Service](/previous-versions/windows/apps/ff402558(v=vs.105)). This platform supports Windows Phone 8 and earlier Windows Phone platforms. For more information, see [Send notifications to Universal Windows Platform apps using Azure Notification Hubs](../notification-hubs/notification-hubs-windows-mobile-push-notifications-mpns.md).</li></ul> |

+Here's an example of a Notification Hubs binding in a *function.json* file:

+To use a notification hub output binding, you must configure the connection string for the hub. You can select an existing notification hub or create a new one from the **Integrate** tab in the Azure portal. You can also configure the connection string manually.

+1. Navigate to your notification hub in the [Azure portal](https://portal.azure.com), choose **Access policies**, and select the copy button next to the **DefaultFullSharedAccessSignature** policy.

+ The connection string for the *DefaultFullSharedAccessSignature* policy is copied to your notification hub. This connection string lets your function send notification messages to the hub.

+ :::image type="content" source="./media/functions-bindings-notification-hubs/get-notification-hub-connection.png" alt-text="Screenshot that shows how to copy the notification hub connection string." lightbox="./media/functions-bindings-notification-hubs/get-notification-hub-connection.png":::

+1. Navigate to your function app in the Azure portal, expand **Settings**, and then select **Environment variables**.

+1. From the **App setting** tab, select **+ Add** to add a key such as **MyHubConnectionString**. The **Name** of this app setting is the output binding connection setting in *function.json* or the .NET attribute. For more information, see [Configuration](#configuration).

+1. For the value, paste the copied *DefaultFullSharedAccessSignature* connection string from your notification hub, and then select **Apply**.

+## Related content

+* [Azure Functions triggers and bindings concepts](functions-triggers-bindings.md)

+description: Learn how to customize an HTTP trigger endpoint in Azure Functions.

+#Customer intent: As a developer, I want to customize HTTP trigger endpoints in Azure Functions so that I can build a highly scalable API.

+In this article, you learn how to build highly scalable APIs with Azure Functions by customizing an HTTP trigger to handle specific actions in your API design. Azure Functions includes a collection of built-in HTTP triggers and bindings, which make it easy to author an endpoint in various languages, including Node.js, C#, and more. You also prepare to grow your API by integrating it with Azure Functions proxies and setting up mock APIs. Because these tasks are accomplished on top of the Functions serverless compute environment, you don't need to be concerned about scaling resources. Instead, you can just focus on your API logic.

+## Prerequisites

+After you create this function app, you can follow the procedures in this article.

+By default, you configure your HTTP trigger function to accept any HTTP method. In this section, you modify the function to respond only to GET requests with `/api/hello`. You can use the default URL, `https://<yourapp>.azurewebsites.net/api/<funcname>?code=<functionkey>`:

+ :::image type="content" source="./media/functions-create-serverless-api/customizing-http.png" alt-text="Screenshot that shows how to edit the HTTP trigger settings of a function." lightbox="./media/functions-create-serverless-api/customizing-http.png":::

+ Because a global setting handles the `/api` base path prefix in the route template, you don't need to set it here.

+For more information about customizing HTTP functions, see [Azure Functions HTTP triggers and bindings overview](./functions-bindings-http-webhook.md).

+1. On the **Function** page, select **Code + Test** from the left menu.

+1. Select **Get function URL** from the top menu and copy the URL. Confirm that your function now uses the `/api/hello` path.

+1. Copy the URL to a new browser tab or your preferred REST client. Browsers use GET by default.

+1. Add parameters to the query string in your URL. For example, `/api/hello/?name=John`.

+1. Press Enter to confirm that your function is working. You should see the response, "*Hello John*."

+1. You can also call the endpoint with another HTTP method to confirm that the function isn't executed. To do so, use a REST client, such as cURL, Postman, or Fiddler.

+In the next section, you surface your API through a proxy. Azure Functions proxies allow you to forward requests to other resources. You define an HTTP endpoint as you would with an HTTP trigger. However, instead of writing code to execute when that endpoint is called, you provide a URL to a remote implementation. Doing so allows you to compose multiple API sources into a single API surface, which is easier for clients to consume, and is useful if you wish to build your API as microservices.

+- Azure Functions

+To learn more about Azure Functions proxies, see [Work with legacy proxies].

+> Azure Functions proxies is available in Azure Functions versions 1.x to 3.x.

+In this section, you create a new proxy, which serves as a frontend to your overall API.

+### Set up the frontend environment

+Repeat the steps in [Create a function app](./functions-create-function-app-portal.md#create-a-function-app) to create a new function app in which you create your proxy. This new app's URL serves as the frontend for our API, and the function app you previously edited serves as a backend:

+1. Expand **Settings**, and then select **Environment variables**.

+1. Select the **App settings** tab, where key/value pairs are stored.

+1. Select **+ Add** to create a new setting. Enter **HELLO_HOST** for its **Name** and set its **Value** to the host of your backend function app, such as `<YourBackendApp>.azurewebsites.net`.

+ This value is part of the URL that you copied earlier when you tested your HTTP function. You later reference this setting in the configuration.

+ > [!NOTE]

+ > It's recommended that you use app settings for the host configuration to prevent a hard-coded environment dependency for the proxy. Using app settings means that you can move the proxy configuration between environments, and the environment-specific app settings will be applied.

+1. Select **Apply** to save the new setting. On the **App settings** tab, select **Apply**, and then select **Confirm** to restart the function app.

+### Create a proxy on the frontend

+1. In the left-hand menu, expand **Functions**, select **Proxies**, and then select **Add**.

+1. On the **New proxy** page, use the settings in the following table, and then select **Create**.

+ :::image type="content" source="./media/functions-create-serverless-api/creating-proxy.png" alt-text="Screenshot that shows the settings in the New proxy page." lightbox="./media/functions-create-serverless-api/creating-proxy.png":::

+ Because Azure Functions proxies don't provide the `/api` base path prefix, you must include it in the route template. The `%HELLO_HOST%` syntax references the app setting you created earlier. The resolved URL points to your original function.

+ - For an anonymous function, use:

+ - For a function with authorization, use:

+Next, you use a proxy to create a mock API for your solution. This proxy allows client development to progress, without needing to fully implement the backend. Later in development, you can create a new function app that supports this logic, and redirect your proxy to it:

+1. To create this mock API, create a new proxy, this time using [App Service Editor](https://github.com/projectkudu/kudu/wiki/App-Service-Editor). To get started, navigate to your function app in the Azure portal. Select **Platform features**, and then select **App Service Editor** under **Development Tools**.

+ The App Service Editor opens in a new tab.

+1. Select `proxies.json` in the left pane. This file stores the configuration for all of your proxies. If you use one of the [Functions deployment methods](./functions-continuous-deployment.md), you maintain this file in source control. For more information about this file, see [Proxies advanced configuration](./legacy-proxies.md#advanced-configuration).

+ Your *proxies.json* file should appear as follows:

+ ```json

+ {

+ "$schema": "http://json.schemastore.org/proxies",

+ "proxies": {

+ "HelloProxy": {

+ "matchCondition": {

+ "route": "/api/remotehello"

+ },

+ "backendUri": "https://%HELLO_HOST%/api/hello"

+ }

+ }

+ }

+ ```

+1. Add your mock API. Replace your *proxies.json* file with the following code:

+ ```json

+ {

+ "$schema": "http://json.schemastore.org/proxies",

+ "proxies": {

+ "HelloProxy": {

+ "matchCondition": {

+ "route": "/api/remotehello"

+ },

+ "backendUri": "https://%HELLO_HOST%/api/hello"

+ },

+ "GetUserByName" : {

+ "matchCondition": {

+ "methods": [ "GET" ],

+ "route": "/api/users/{username}"

+ },

+ "responseOverrides": {

+ "response.statusCode": "200",

+ "response.headers.Content-Type" : "application/json",

+ "response.body": {

+ "name": "{username}",

+ "description": "Awesome developer and master of serverless APIs",

+ "skills": [

+ "Serverless",

+ "APIs",

+ "Azure",

+ "Cloud"

+ ]

+ }

+ }

+ }

+ }

+ }

+ ```

+ This code adds a new proxy, `GetUserByName`, which omits the `backendUri` property. Instead of calling another resource, it modifies the default response from Azure Functions proxies by using a response override. You can also use request and response overrides with a backend URL. This technique is useful when you proxy to a legacy system, where you might need to modify headers, query parameters, and so on. For more information about request and response overrides, see [Modify requests and responses](./legacy-proxies.md#modify-requests-responses).

+1. Test your mock API by calling the `<YourProxyApp>.azurewebsites.net/api/users/{username}` endpoint with a browser or your favorite REST client. Replace *{username}* with a string value that represents a username.

+## Related content

+In this article, you learned how to build and customize an API with Azure Functions. You also learned how to bring multiple APIs, including mock APIS, together as a unified API surface. You can use these techniques to build out APIs of any complexity, all while running on the serverless compute model provided by Azure Functions.

+For more information about developing your API:

+- [Azure Functions HTTP triggers and bindings overview](./functions-bindings-http-webhook.md)

+- [Work with legacy proxies](./legacy-proxies.md)

+- [Expose serverless APIs from HTTP endpoints using Azure API Management](./functions-openapi-definition.md)

+description: Learn how to use identity-based connections instead of secrets when connecting to a Service Bus queue using Azure Functions.

+#Customer intent: As a function developer, I want to learn how to use managed identities so that I can avoid needing to handle secrets or connection strings in my application settings.

+This tutorial shows you how to configure Azure Functions to connect to Azure Service Bus queues by using managed identities, instead of secrets stored in the function app settings. The tutorial is a continuation of the [Create a function app without default storage secrets in its definition][previous tutorial] tutorial. To learn more about identity-based connections, see [Configure an identity-based connection.](functions-reference.md#configure-an-identity-based-connection).

+While the procedures shown work generally for all languages, this tutorial currently supports C# class library functions on Windows specifically.

+In this tutorial, you learn how to:

+> - Create a Service Bus namespace and queue.

+> - Configure your function app with a managed identity.

+> - Create a role assignment granting that identity permission to read from the Service Bus queue.

+> - Create and deploy a function app with a Service Bus trigger.

+> - Verify your identity-based connection to the Service Bus.

+## Create a Service Bus namespace and queue

+1. On the **Create a resource** page, search for and select **Service Bus**, and then select **Create**.

+1. Enter **myinputqueue** as the new queue's name and select **Create**.

+Now that you have a queue, you can add a role assignment to the managed identity of your function app.

+To use Service Bus triggers with identity-based connections, you need to add the **Azure Service Bus Data Receiver** role assignment to the managed identity in your function app. This role is required when using managed identities to trigger off of your Service Bus namespace. You can also add your own account to this role, which makes it possible to connect to the Service Bus namespace during local testing.

+> Role requirements for using identity-based connections vary depending on the service and how you are connecting to it. Needs vary across triggers, input bindings, and output bindings. For more information about specific role requirements, see the trigger and binding documentation for the service.

+1. In your Service Bus namespace that you created, select **Access control (IAM)**. This page is where you can view and configure who has access to the resource.

+1. Select **+ Add** and select **Add role assignment**.

+1. Search for **Azure Service Bus Data Receiver**, select it, and then select **Next**.

+1. Select **Select members** to open the **Select managed identities** panel.

+1. In the **Managed identity** selector, choose **Function App** from the **System-assigned managed identity** category. The **Function App** label might have a number in parentheses next to it, indicating the number of apps in the subscription with system-assigned identities.

+1. Select your application. It should move down into the **Selected members** section. Select **Select**.

+1. Back on the **Add role assignment** screen, select **Review + assign**. Review the configuration, and then select **Review + assign**.

+You've granted your function app access to the Service Bus namespace using managed identities.

+## Connect to the Service Bus in your function app

+1. In your function app, expand **Settings**, and then select **Environment variables**.

+1. In the **App settings** tab, select **+ Add** to create a setting. Use the information in the following table to enter the **Name** and **Value** for the new setting:

+1. Select **Apply**, and then select **Apply** and **Confirm** to save your changes and restart the app function.

+> When you use [Azure App Configuration](../../articles/azure-app-configuration/quickstart-azure-functions-csharp.md) or [Key Vault](../key-vault/general/overview.md) to provide settings for Managed Identity connections, setting names should use a valid key separator, such as `:` or `/`, in place of the `__` to ensure names are resolved correctly.

+>

+Now that you've prepared the function app to connect to the Service Bus namespace using a managed identity, you can add a new function that uses a Service Bus trigger to your local project.

+1. Navigate to the project folder:

+1. In the root project folder, run the following command:

+ This command replaces the default version of the Service Bus extension package with a version that supports managed identities.

+ This command adds the code for a new Service Bus trigger and a reference to the extension package. You need to add a Service Bus namespace connection setting for this trigger.

+1. Open the new *ServiceBusTrigger.cs* project file and replace the `ServiceBusTrigger` class with the following code:

+ This code sample updates the queue name to `myinputqueue`, which is the same name as you queue you created earlier. It also sets the name of the Service Bus connection to `ServiceBusConnection`. This name is the Service Bus namespace used by the identity-based connection `ServiceBusConnection__fullyQualifiedNamespace` you configured in the portal.

+> If you try to run your functions now using `func start`, you'll receive an error. This is because you don't have an identity-based connection defined locally. If you want to run your function locally, set the app setting `ServiceBusConnection__fullyQualifiedNamespace` in `local.settings.json` as you did in [the previous section](#connect-to-the service-bus-in-your-function-app). In addition, you need to assign the role to your developer identity. For more information, see [local development with identity-based connections](./functions-reference.md#local-development-with-identity-based-connections).

+>

+Now that you've updated the function app with the new trigger, you can verify that it works using the identity.

+1. Keep the previous tab open, and open the Azure portal in a new tab. In your new tab, navigate to your Service Bus namespace, select **Queues** from the left menu.

+1. Select **Service Bus Explorer** from the left menu.

+Congratulations! You have successfully set up your Service Bus queue trigger with a managed identity.

+Advance to the next article to learn how to manage identity.

+> [!div class="nextstepaction"]

+> [Managed identity in Azure Functions](../app-service/overview-managed-identity.md)

+description: Learn how to remove storage connection strings from your function app definition and use identity-based connections instead.

+#Customer intent: As a function developer, I want to learn how to use managed identities so that I can avoid needing to handle secrets or connection strings in my application settings.

+While the procedures shown work generally for all languages, this tutorial currently supports C# class library functions on Windows specifically.

+>

+> - Create a function app in Azure using an ARM template

+> - Enable both system-assigned and user-assigned managed identities on the function app

+> - Create role assignments that give permissions to other resources

+> - Move secrets that can't be replaced with identities into Azure Key Vault

+> - Configure an app to connect to the default host storage using its managed identity

+After you complete this tutorial, you should complete the follow-on tutorial that shows how to [use identity-based connections instead of secrets with triggers and bindings].

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+- The [.NET 6.0 SDK](https://dotnet.microsoft.com/download)

+- The [Azure Functions Core Tools](functions-run-local.md#v2) version 4.x.

+Managing secrets and credentials is a common challenge for teams of all sizes. Secrets need to be secured against theft or accidental disclosure, and they might need to be periodically rotated. Many Azure services allow you to instead use an identity in [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) to authenticate clients and check against permissions, which can be modified and revoked quickly. Doing so allows for greater control over application security with less operational overhead. An identity could be a human user, such as the developer of an application, or a running application in Azure with a [managed identity](../active-directory/managed-identities-azure-resources/overview.md).

+Because some services don't support Microsoft Entra authentication, your applications might still require secrets in certain cases. However, these secrets can be stored in [Azure Key Vault](../key-vault/general/overview.md), which helps simplify the management lifecycle for your secrets. Access to a key vault is also controlled with identities.

+By understanding how to use identities instead of secrets when you can, and to use Key Vault when you can't, you reduce risk, decrease operational overhead, and generally improve the security posture for your applications.

+Azure Files is an example of a service that doesn't yet support Microsoft Entra authentication for Server Message Block (SMB) file shares. Azure Files is the default file system for Windows deployments on Premium and Consumption plans. While we could [remove Azure Files entirely](./storage-considerations.md#create-an-app-without-azure-files), doing so introduces limitations you might not want. Instead, you move the Azure Files connection string into Azure Key Vault. That way it's centrally managed, with access controlled by the identity.

+First you need a key vault to store secrets in. You configure it to use [Azure role-based access control (RBAC)](../role-based-access-control/overview.md) for determining who can read secrets from the vault.

+ | **[Resource Group](../azure-resource-manager/management/overview.md)** | myResourceGroup | Name for the new resource group where you create your function app. |

+ | **Key vault name** | Globally unique name | Name that identifies your new key vault. The vault name must only contain alphanumeric characters and dashes and can't start with a number. |

+ Use the default selections for the "Recovery options" sections.

+1. Make a note of the name you used, for use later.

+1. Select **Next: Access Policy** to navigate to the **Access Policy** tab.

+1. Select **Review + create**. Review the configuration, and then select **Create**.

+In order to use Azure Key Vault, your app needs to have an identity that can be granted permission to read secrets. This app uses a user-assigned identity so that the permissions can be set up before the app is even created. For more information about managed identities for Azure Functions, see [How to use managed identities in Azure Functions](../app-service/overview-managed-identity.md?toc=%2Fazure%2Fazure-functions%2Ftoc.json).

+ | **[Resource Group](../azure-resource-manager/management/overview.md)** | myResourceGroup | Name for the new resource group where you create your function app. |

+1. Select **Review + create**. Review the configuration, and then select **Create**.

+1. When the identity is created, navigate to it in the portal. Select **Properties**, and make note of the **Resource ID** for use later.

+1. Select **Azure Role Assignments**, and select **Add role assignment (Preview)**.

+1. In the **Add role assignment (Preview)** page, use options as shown in the following table.

+The identity is now able to read secrets stored in the key vault. Later in the tutorial, you add additional role assignments for different purposes.

+Because the portal experience for creating a function app doesn't interact with Azure Key Vault, you need to generate and edit an Azure Resource Manager template. You can then use this template to create your function app referencing the Azure Files connection string from your key vault.

+ | **[Resource Group](../azure-resource-manager/management/overview.md)** | myResourceGroup | Name for the new resource group where you create your function app. |

+1. Select **Review + create**. Your app uses the default values on the **Hosting** and **Monitoring** page. Review the default options, which are included in the ARM template that you generate.

+ :::image type="content" source="./media/functions-identity-connections-tutorial/function-app-portal-template-deploy-button.png" alt-text="Screenshot that shows the Deploy button at the top of the Template page.":::

+You now edit the template to store the Azure Files connection string in Key Vault and allow your function app to reference it. Make sure that you have the following values from the earlier sections before proceeding:

+1. In the editor, find where the `resources` array begins. Before the function app definition, add the following section, which puts the Azure Files connection string into Key Vault. Substitute "VAULT_NAME" with the name of your key vault.

+ ```

+1. In the definition for the function app resource (which has `type` set to `Microsoft.Web/sites`), add `Microsoft.KeyVault/vaults/VAULT_NAME/secrets/azurefilesconnectionstring` to the `dependsOn` array. Again, substitute "VAULT_NAME" with the name of your key vault. Doing so prevents your app from being created before the secret is defined. The `dependsOn` array should look like the following example:

+ This `identity` block also sets up a system-assigned identity, which you use later in this tutorial.

+1. Add the `keyVaultReferenceIdentity` property to the `properties` object for the function app, as in the following example. Substitute "IDENTITY_RESOURCE_ID" for the resource ID of your user-assigned identity.

+ You need this configuration because an app could have multiple user-assigned identities configured. Whenever you want to use a user-assigned identity, you must specify it with an ID. System-assigned identities don't need to be specified this way, because an app can only ever have one. Many features that use managed identity assume they should use the system-assigned one by default.

+1. Find the JSON objects that define the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` application setting, which should look like the following example:

+1. After your template validates, make a note of your **Storage Account Name**, since you'll use this account later. Finally, select **Create** to create your Azure resources and deploy your code to the function app.

+1. After deployment completes, select **Go to resource group** and then select the new function app.

+Whenever your app would need to add a reference to a secret, you would just need to define a new application setting pointing to the value stored in Key Vault. For more information, see [Key Vault references for Azure Functions](../app-service/app-service-key-vault-references.md?toc=%2Fazure%2Fazure-functions%2Ftoc.json).

+Next, you use the system-assigned identity you configured in the previous steps for the `AzureWebJobsStorage` connection. `AzureWebJobsStorage` is used by the Functions runtime and by several triggers and bindings to coordinate between multiple running instances. It's required for your function app to operate, and like Azure Files, is configured with a connection string by default when you create a new function app.

+Similar to the steps you previously followed with the user-assigned identity and your key vault, you now create a role assignment granting the system-assigned identity access to your storage account.

+1. Select **Access Control (IAM)**. This page is where you can view and configure who has access to the resource.

+1. Select **Add** and select **add role assignment**.

+1. Search for **Storage Blob Data Owner**, select it, and select **Next**

+1. Select **Select members** to open the **Select managed identities** panel.

+1. In the **Managed identity** selector, choose **Function App** from the **System-assigned managed identity** category. The **Function App** label might have a number in parentheses next to it, indicating the number of apps in the subscription with system-assigned identities.

+1. Select your application. It should move down into the **Selected members** section. Choose **Select**.

+1. On the **Add role assignment** screen, select **Review + assign**. Review the configuration, and then select **Review + assign**.

+Next you update your function app to use its system-assigned identity when it uses the blob service for host storage.

+1. In your function app, expand **Settings**, and then select **Environment variables**.

+1. In the **App settings** tab, select the **AzureWebJobsStorage** app setting, and edit it according to the following table:

+ | **Name** | AzureWebJobsStorage__accountName | Change the name from **AzureWebJobsStorage** to the exact name `AzureWebJobsStorage__accountName`. This setting instructs the host to use the identity instead of searching for a stored secret. The new setting uses a double underscore (`__`), which is a special character in application settings. |

+ This configuration tells the system to use an identity to connect to the resource.

+1. Select **Apply**, and then select **Apply** and **Confirm** to save your changes and restart the app function.

+You've now removed the storage connection string requirement for AzureWebJobsStorage by configuring your app to instead connect to blobs using managed identities.

+## Next steps

+Advance to the next tutorial to learn how to use identities in trigger and binding connections.

+> [Use identity-based connections with triggers and bindings](./functions-identity-based-connections-tutorial-2.md)

+description: Use Azure Functions to create a serverless function that's triggered by an HTTP request and creates a message in an Azure Storage queue.

+#Customer intent: As a function developer, I want to learn how to use Azure Functions to create a serverless function that's triggered by an HTTP request so that I can create a message in an Azure Storage queue.

+In Azure Functions, input and output bindings provide a declarative way to make data from external services available to your code. In this article, you use an output binding to create a message in a queue when an HTTP request triggers a function. You use Azure storage container to view the queue messages that your function creates.

+- Follow the directions in [Create your first function in the Azure portal](./functions-create-function-app-portal.md), omitting the **Clean up resources** step, to create the function app and function to use in this article.

+## Add an output binding

+In this section, you use the portal UI to add an Azure Queue Storage output binding to the function you created in the prerequisites. This binding makes it possible to write minimal code to create a message in a queue. You don't need to write code for such tasks as opening a storage connection, creating a queue, or getting a reference to a queue. The Azure Functions runtime and queue output binding take care of those tasks for you.

+1. In the Azure portal, search for and select the function app that you created in [Create your first function from the Azure portal](./functions-get-started.md).

+1. In your function app, select the function that you created.

+ :::image type="content" source="./media/functions-integrate-storage-queue-output-binding/function-create-output-binding.png" alt-text="Screenshot that shows how to create an output binding for your function." lightbox="./media/functions-integrate-storage-queue-output-binding/function-create-output-binding.png":::

+1. Select the **Azure Queue Storage** binding type and add the settings as specified in the table that follows this screenshot:

+ :::image type="content" source="./media/functions-integrate-storage-queue-output-binding/function-create-output-binding-details.png" alt-text="Screenshot that shows how to add a Queue Storage output binding to a function in the Azure portal.":::

+ | Setting | Suggested value | description |

+ | **Message parameter name** | outputQueueItem | The name of the output binding parameter. |

+ | **Queue name** | outqueue | The name of the queue to connect to in your storage account. |

+ | **Storage account connection** | AzureWebJobsStorage | You can use the existing storage account connection used by your function app or create a new one. |

+In this section, you add code that writes a message to the output queue. The message includes the value passed to the HTTP trigger in the query string. For example, if the query string includes `name=Azure`, the queue message is *Name passed to the function: Azure*.

+1. Update the function code, according to your function language:

+ Add an **outputQueueItem** parameter to the method signature as shown in the following example:

+ In the body of the function, just before the `return` statement, add code that uses the parameter to create a queue message:

+ To create a queue message, add code that uses the output binding on the `context.bindings` object:

+1. Select **Save** to save your changes.

+1. Confirm that your test matches this screenshot, and then select **Run**.

+ :::image type="content" source="./media/functions-integrate-storage-queue-output-binding/functions-test-run-function.png" alt-text="Screenshot that shows how to test the Queue Storage binding in the Azure portal." lightbox="./media/functions-integrate-storage-queue-output-binding/functions-test-run-function.png":::

+ Notice that the **Request body** contains the `name` value *Azure*. This value appears in the queue message created when the function is invoked.

+ As an alternative to selecting **Run**, you can call the function by entering a URL in a browser and specifying the `name` value in the query string. This browser method is shown in [Create your first function from the Azure portal](./functions-get-started.md).

+1. Check the logs to make sure that the function succeeded.

+ A new queue named **outqueue** is created in your storage account by the Functions runtime when the output binding is first used. You use storage account to verify that the queue and a message in it were created.

+### Find the storage account connected to AzureWebJobsStorage

+1. In your function app, expand **Settings**, and then select **Environment variables**.

+1. In the **App settings** tab, select **AzureWebJobsStorage**.

+ :::image type="content" source="./media/functions-integrate-storage-queue-output-binding/function-find-storage-account.png" alt-text="Screenshot that shows the Configuration page with AzureWebJobsStorage selected." lightbox="./media/functions-integrate-storage-queue-output-binding/function-find-storage-account.png":::

+ :::image type="content" source="./media/functions-integrate-storage-queue-output-binding/function-storage-account-name.png" alt-text="Screenshot that shows how to locate the storage account connected to AzureWebJobsStorage." lightbox="./media/functions-integrate-storage-queue-output-binding/function-storage-account-name.png":::

+1. In the resource group for your function app, select the storage account that you're using.

+1. Under **Queue service**, select **Queues**, and select the queue named **outqueue**.

+1. Run the function again.

+ A new message appears in the queue.

+## Related content

+In this article, you added an output binding to an existing function. For more information about binding to Queue Storage, see [Queue Storage trigger and bindings](functions-bindings-storage-queue.md).

+An HTTP trigger for the migrated version might look like the following example:

+description: Learn how to configure Azure Functions to run your function app from a deployment package file that contains your function app project.

+# Customer intent: As a function developer, I want to understand how to run my function app from a deployment package file, so I can make my function app run faster and easier to update.

+There are several benefits to running functions from a package file:

+To enable your function app to run from a package, add a `WEBSITE_RUN_FROM_PACKAGE` app setting to your function app. The `WEBSITE_RUN_FROM_PACKAGE` app setting can have one of the following values:

+The following table indicates the recommended `WEBSITE_RUN_FROM_PACKAGE` values for deployment to a specific operating system and hosting plan:

+> The `WEBSITE_RUN_FROM_PACKAGE` app setting does not work with MSDeploy as described in [MSDeploy VS. ZipDeploy](https://github.com/projectkudu/kudu/wiki/MSDeploy-VS.-ZipDeploy). You will receive an error during deployment, such as `ARM-MSDeploy Deploy Failed`. To resolve this error, hange `/MSDeploy` to `/ZipDeploy`.

+### Add the WEBSITE_RUN_FROM_PACKAGE setting

+## Use WEBSITE_RUN_FROM_PACKAGE = 1

+<a name="troubleshooting"></a>

+Zip deployment is a feature of Azure App Service that lets you deploy your function app project to the `wwwroot` directory. The project is packaged as a .zip deployment file. The same APIs can be used to deploy your package to the `c:\home\data\SitePackages` (Windows) or `/home/data/SitePackages` (Linux) folder.

+When you set the `WEBSITE_RUN_FROM_PACKAGE` app setting value to `1`, the zip deployment APIs copy your package to the `c:\home\data\SitePackages` (Windows) or `/home/dat).

+> When a deployment occurs, a restart of the function app is triggered. Function executions currently running during the deploy are terminated. For information about how to write stateless and defensive functions, sett [Write functions to be stateless](performance-reliability.md#write-functions-to-be-stateless).

+## Use WEBSITE_RUN_FROM_PACKAGE = URL

+This section provides information about how to run your function app from a package deployed to a URL endpoint. This option is the only one supported for running from a Linux-hosted package with a Consumption plan.

+To deploy a zipped package when using the URL option, you must create a .zip compressed deployment package and upload it to the destination. The following procedure deploys to a container in Blob Storage:

+1. In the [Azure portal](https://portal.azure.com), search for your storage account name or browse for it in the storage accounts list.

+1. In the **New container** page, provide a **Name** (for example, *deployments*), ensure the **Anonymous access level** is **Private**, and then select **Create**.

+1. Select the container you created, select **Upload**, browse to the location of the .zip file you created with your project, and then select **Upload**.

+1. After the upload completes, choose your uploaded blob file, and copy the URL. If you aren't [using a managed identity](#fetch-a-package-from-azure-blob-storage-using-a-managed-identity), you might need to generate a SAS URL.

+1. In your function app, expand **Settings**, and then select **Environment variables**.

+1. In the **App settings** tab, select **+ Add**.

+1. Enter the value `WEBSITE_RUN_FROM_PACKAGE` for the **Name**, and paste the URL of your package in Blob Storage for the **Value**.

+1. Select **Apply**, and then select **Apply** and **Confirm** to save the setting and restart the function app.

+Now you can run your function in Azure to verify that deployment of the deployment package .zip file was successful.

+## Related content

+## ODBC driver support

+This table indicates the ODBC driver support for your Python functions:

+| Driver version | Python version |

+| - | - |

+| ODBC driver 18 | ≥ Python 3.11 |

+| ODBC driver 17 | Γëñ Python 3.10 |

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> [!NOTE]

+> To ensure the highest level of accuracy in geocoding results within Filled Map, it's crucial to correctly set the data category. See [Categorize geographic fields in Power BI](./power-bi-visual-geocode.md#categorize-geographic-fields-in-power-bi).

+> [!NOTE]

+> When categorizing geographic fields in Power BI, be sure to enter **State** and **County** data separately for accurate geocoding. Incorrect categorization, such as entering both **State** and **County** data into either category, might work currently but can lead to issues in the future.

+>

+> For instance:

+> - Correct Usage: State = GA, County = Decatur County

+> - Incorrect Usage: State = Decatur County, GA or County = Decatur County, GA

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+Once you have created your managed identity or service principal and assigned **Monitoring Metrics Publisher** permissions, you can get an authorization token.

+When requesting a token specify `resource: https://monitoring.azure.com`.

+Once you've created a service principal, retrieve an access token. Specify `resource=https://management.azure.com` in the token request.

+Use `resource=https://api.loganalytics.azure.com`.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+A storage snapshot based backup is run using the `azacsnap -c backup` command. This command performs the orchestration of a database consistent storage snapshot on the DATA volumes, and a storage snapshot (without any database consistency setup) on the OTHER volumes.

+For DATA volumes `azacsnap` prepares the database for a storage snapshot, then it takes a storage snapshot for all configured volumes, finally it tells the database the snapshot is complete. It also manages any database entries which record snapshot backup activity (for example, SAP HANA backup catalog).

+ 1. take snapshots of the Volumes listed in the configuration file's `"dataVolume"` stanza.

+ 1. take snapshots of the Volumes listed in the configuration file's `"otherVolume"` stanza.

+ - `all` snapshots all the volumes in the `dataVolume` stanza and then all the volumes in the `otherVolume` stanza of the configuration file. The

+ 1. take snapshots of the Volumes listed in the configuration file's `"dataVolume"` stanza.

+ 1. take snapshots of the Volumes listed in the configuration file's `"otherVolume"` stanza.

+- `--prefix=` the customer snapshot prefix for the snapshot name. This parameter has two purposes. Firstly provide a unique name for grouping of snapshots. Secondly to determine the `--retention` number of storage snapshots that are kept for the specified `--prefix`.

+- `--retention` the number of snapshots of the defined `--prefix` to be kept. Any extra snapshots are removed after a new snapshot is taken for this `--prefix`.

+- `--trim` available for SAP HANA v2 and later, this option maintains the backup catalog and on disk catalog and log backups. The number of entries to keep in the backup catalog is determined by the `--retention` option above, and deletes older entries for the defined prefix (`--prefix`) from the backup catalog, and the related physical logs backup. It also deletes any log backup entries that are older than the oldest non-log backup entry. This `--trim` operation helps to prevent the log backups from using up all available disk space.

+ the corresponding SID. Refer to [Using SSL for communication with SAP HANA](azacsnap-configure-database.md#using-ssl-for-communication-with-sap-hana). The following example takes a `hana` type snapshot with a prefix of `hana_TEST` and keeps `9` of them communicating with SAP HANA using SSL (`openssl`).

+within the same approximate time as a 10-GB volume.

+In the example configuration provided for **Azure Large Instance**, snapshots for the

+The command doesn't output to the console, but does write to a log file, a result file,

+In this example, the *log file* name is `azacsnap-backup-azacsnap.log` (see [Log files](#log-files)).

+When running the command `-c backup` with the `--volume data` option, a result file is also generated as a file to allow

+for quickly checking the result of a backup. The *result* file has the same base name as the log file, with `.result` as its suffix.

+In this example, the *result file* name is `azacsnap-backup-azacsnap.result` and contains the following output:

+The command doesn't output to the console, but does write to a log file only. It does _not_ write

+In this example, the *log file* name is `azacsnap-backup-azacsnap.log` (see [Log files](#log-files)).

+The command doesn't output to the console, but does write to a log file only. It does _not_ write

+In this example, the *log file* name is `azacsnap-backup-bootVol.log` (see [Log files](#log-files)).

+The log file name is constructed from the following "(command name)-(the `-c` option)-(the config filename)". For example, if running the command `azacsnap -c backup --configfile h80.json --retention 5 --prefix one-off` then the log file is called `azacsnap-backup-h80.log`. Or if using the `-c test` option with the same configuration file (e.g. `azacsnap -c test --configfile h80.json`) then the log file is called `azacsnap-test-h80.log`.

+ named after the corresponding SID. Refer to [Using SSL for communication with SAP HANA](azacsnap-configure-database.md#using-ssl-for-communication-with-sap-hana).

+ Title: Configure the database for Azure Application Consistent Snapshot tool for Azure NetApp Files

+description: Learn how to configure the database for use with the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.

+# Configure the database for Azure Application Consistent Snapshot tool

+This article provides a guide for configuring the database and the database prerequisites for use with the Azure Application Consistent Snapshot tool (AzAcSnap) that you can use with Azure NetApp Files or Azure Large Instances.

+## Enable communication with the database

+This section explains how to enable communication with the database. Use the following tabs to correctly select the database that you're using.

+# [SAP HANA](#tab/sap-hana)

+If you're deploying to a centralized virtual machine, you need to install and set up the SAP HANA client so that the AzAcSnap user can run `hdbsql` and `hdbuserstore` commands. You can download the SAP HANA client from the [SAP Development Tools website](https://tools.hana.ondemand.com/#hanatools).

+The snapshot tools communicate with SAP HANA and need a user with appropriate permissions to initiate and release the database save point. The following example shows the setup of the SAP HANA 2.0 user and `hdbuserstore` for communication to the SAP HANA database.

+The following example commands set up a user (`AZACSNAP`) in SYSTEMDB on an SAP HANA 2.0 database. Change the IP address, usernames, and passwords as appropriate.

+1. Connect to SYSTEMDB:

+ ```bash

+ hdbsql -n <IP_address_of_host>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD>

+ ```

+ ```output

+ Welcome to the SAP HANA Database interactive terminal.

+ Type: \h for help with commands

+ \q to quit

+ hdbsql SYSTEMDB=>

+ ```

+1. Create the user. This example creates the `AZACSNAP` user in SYSTEMDB:

+ ```sql

+ hdbsql SYSTEMDB=> CREATE USER AZACSNAP PASSWORD <AZACSNAP_PASSWORD_CHANGE_ME> NO FORCE_FIRST_PASSWORD_CHANGE;

+ ```

+1. Grant the user permissions. This example sets the permission for the `AZACSNAP` user to allow for performing a database-consistent storage snapshot:

+ - For SAP HANA releases up to version 2.0 SPS 03:

+ ```sql

+ hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, CATALOG READ TO AZACSNAP;

+ ```

+ - For SAP HANA releases from version 2.0 SPS 04, SAP added new fine-grained privileges:

+ ```sql

+ hdbsql SYSTEMDB=> GRANT BACKUP ADMIN, DATABASE BACKUP ADMIN, CATALOG READ TO AZACSNAP;

+ ```

+1. *Optional*: Prevent the user's password from expiring.

+ > [!NOTE]

+ > Check with corporate policy before you make this change.

+ The following example disables the password expiration for the `AZACSNAP` user. Without this change, the user's password could expire and prevent snapshots from being taken correctly.

+ ```sql

+ hdbsql SYSTEMDB=> ALTER USER AZACSNAP DISABLE PASSWORD LIFETIME;

+ ```

+1. Set up the SAP HANA Secure User Store (change the password). This example uses the `hdbuserstore` command from the Linux shell to set up the SAP HANA Secure User Store:

+ ```bash

+ hdbuserstore Set AZACSNAP <IP_address_of_host>:30013 AZACSNAP <AZACSNAP_PASSWORD_CHANGE_ME>

+ ```

+1. Check that you correctly set up the SAP HANA Secure User Store. Use the `hdbuserstore` command to list the output, similar to the following example. More details on using `hdbuserstore` are available on the SAP website.

+ ```bash

+ hdbuserstore List

+ ```

+ ```output

+ DATA FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.DAT

+ KEY FILE : /home/azacsnap/.hdb/sapprdhdb80/SSFS_HDB.KEY

+ KEY AZACSNAP

+ ENV : <IP_address_of_host>:

+ USER: AZACSNAP

+ ```

+### Using SSL for communication with SAP HANA

+AzAcSnap uses SAP HANA's `hdbsql` command to communicate with SAP HANA. Using `hdbsql` allows the use of SSL options to encrypt communication with SAP HANA.

+AzAcSnap always uses the following options when you're using the `azacsnap --ssl` option:

+- `-e`: Enables TLS/SSL encryption. The server chooses the highest available.

+- `-ssltrustcert`: Specifies whether to validate the server's certificate.

+- `-sslhostnameincert "*"`: Specifies the host name that verifies the server's identity. When you specify `"*"` as the host name, the server's host name isn't validated.

+SSL communication also requires key-store and trust-store files. It's possible for these files to be stored in default locations on a Linux installation. But to ensure that the correct key material is being used for the various SAP HANA systems (for the cases where different key-store and trust-store files are used for each SAP HANA system), AzAcSnap expects the key-store and trust-store files to be stored in the `securityPath` location. The AzAcSnap configuration file specifies this location.

+#### Key-store files

+If you're using multiple system identifiers (SIDs) with the same key material, it's easier to create links into the `securityPath` location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.

+- For `openssl`: `ln $HOME/.ssl/key.pem <securityPath>/<SID>_keystore`

+- For `commoncrypto`: `ln $SECUDIR/sapcli.pse <securityPath>/<SID>_keystore`

+If you're using multiple SIDs with different key material per SID, copy (or move and rename) the files into the `securityPath` location as defined in the SID's AzAcSnap configuration file.

+- For `openssl`: `mv key.pem <securityPath>/<SID>_keystore`

+- For `commoncrypto`: `mv sapcli.pse <securityPath>/<SID>_keystore`

+When AzAcSnap calls `hdbsql`, it adds `-sslkeystore=<securityPath>/<SID>_keystore` to the `hdbsql` command line.

+#### Trust-store files

+If you're using multiple SIDs with the same key material, create hard links into the `securityPath` location as defined in the AzAcSnap configuration file. Ensure that these values exist for every SID that uses SSL.

+- For `openssl`: `ln $HOME/.ssl/trust.pem <securityPath>/<SID>_truststore`

+- For `commoncrypto`: `ln $SECUDIR/sapcli.pse <securityPath>/<SID>_truststore`

+If you're using multiple SIDs with the different key material per SID, copy (or move and rename) the files into the `securityPath` location as defined in the SID's AzAcSnap configuration file.

+- For `openssl`: `mv trust.pem <securityPath>/<SID>_truststore`

+- For `commoncrypto`: `mv sapcli.pse <securityPath>/<SID>_truststore`

+The `<SID>` component of the file names must be the SAP HANA system identifier in all uppercase (for example, `H80` or `PR1`). When AzAcSnap calls `hdbsql`, it adds `-ssltruststore=<securityPath>/<SID>_truststore` to the command line.

+If you run `azacsnap -c test --test hana --ssl openssl`, where `SID` is `H80` in the configuration file, it executes the `hdbsql`connections as follows:

+```bash

+hdbsql \

+ -e \

+ -ssltrustcert \

+ -sslhostnameincert "*" \

+ -sslprovider openssl \

+ -sslkeystore ./security/H80_keystore \

+ -ssltruststore ./security/H80_truststore

+ "sql statement"

+```

+In the preceding code, the backslash (`\`) character is a command-line line wrap to improve the clarity of the multiple parameters passed on the command line.

+# [Oracle](#tab/oracle)

+The snapshot tools communicate with the Oracle database and need a user with appropriate permissions to enable and disable backup mode.

+After AzAcSnap puts the database in backup mode, AzAcSnap queries the Oracle database to get a list of files that have backup mode as active. This file list is sent into an external file. The external file is in the same location and basename as the log file, but with a `.protected-tables` file name extension. (The AzAcSnap log file details the output file name.)

+The following example commands show the setup of the Oracle database user (`AZACSNAP`), the use of `mkstore` to create an Oracle wallet, and the `sqlplus` configuration files that are required for communication to the Oracle database. Change the IP address, usernames, and passwords as appropriate.

+1. Connect to the Oracle database:

+ ```bash

+ su ΓÇô oracle

+ sqlplus / AS SYSDBA

+ ```

+ ```output

+ SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 1 01:34:05 2021

+ Copyright (c) 1982, 2014, Oracle. All rights reserved.

+ Connected to:

+ Oracle Database 12c Standard Edition Release 12.1.0.2.0 - 64bit Production

+ SQL>

+ ```

+1. Create the user. This example creates the `azacsnap` user:

+ ```sql

+ SQL> CREATE USER azacsnap IDENTIFIED BY password;

+ ```

+ ```output

+ User created.

+ ```

+1. Grant the user permissions. This example sets the permission for the `azacsnap` user to allow for putting the database in backup mode:

+ ```sql

+ SQL> GRANT CREATE SESSION TO azacsnap;

+ ```

+ ```output

+ Grant succeeded.

+ ```

+ ```sql

+ SQL> GRANT SYSBACKUP TO azacsnap;

+ ```

+ ```output

+ Grant succeeded.

+ ```

+ ```sql

+ SQL> connect azacsnap/password

+ ```

+ ```output

+ Connected.

+ ```

+ ```sql

+ SQL> quit

+ ```

+1. *Optional*: Prevent the user's password from expiring. Without this change, the user's password could expire and prevent snapshots from being taken correctly.

+ > [!NOTE]

+ > Check with corporate policy before you make this change.

+ This example gets the password expiration for the `AZACSNAP` user:

+ ```sql

+ SQL> SELECT username,account_status,expiry_date,profile FROM dba_users WHERE username='AZACSNAP';

+ ```

+ ```output

+ USERNAME ACCOUNT_STATUS EXPIRY_DA PROFILE

+

+ AZACSNAP OPEN DD-MMM-YY DEFAULT

+ ```

+ There are a few methods for disabling password expiration in the Oracle database. Contact your database administrator for guidance. One method is to modify the `DEFAULT` user's profile so that the password lifetime is unlimited:

+ ```sql

+ SQL> ALTER PROFILE default LIMIT PASSWORD_LIFE_TIME unlimited;

+ ```

+ After you make this change to the database setting, there should be no password expiration date for users who have the `DEFAULT` profile:

+ ```sql

+ SQL> SELECT username, account_status,expiry_date,profile FROM dba_users WHERE username='AZACSNAP';

+ ```

+ ```output

+ USERNAME ACCOUNT_STATUS EXPIRY_DA PROFILE

+

+ AZACSNAP OPEN DEFAULT

+ ```

+1. Set up the Oracle wallet (change the password).

+ The Oracle wallet provides a method to manage database credentials across multiple domains. This capability uses a database connection string in the data-source definition, which is resolved with an entry in the wallet. When you use the Oracle wallet correctly, passwords in the data-source configuration are unnecessary.

+ This setup makes it possible to use the Oracle Transparent Network Substrate (TNS) administrative file with a connection string alias, which hides details of the database connection string. If the connection information changes, it's a matter of changing the `tnsnames.ora` file instead of (potentially) many data-source definitions.

+ Run the following commands on the Oracle database server. This example uses the `mkstore` command from the Linux shell to set up the Oracle wallet. These commands are run on the Oracle database server via unique user credentials to avoid any impact on the running database. This example creates a new user (`azacsnap`) and appropriately configures the environment variables.

+ 1. Get the Oracle environment variables to be used in setup. Run the following commands as the root user on the Oracle database server:

+ ```bash

+ su - oracle -c 'echo $ORACLE_SID'

+ ```

+ ```output

+ oratest1

+ ```

+ ```bash

+ su - oracle -c 'echo $ORACLE_HOME'

+ ```

+ ```output

+ /u01/app/oracle/product/19.0.0/dbhome_1

+ ```

+ 1. Create the Linux user to generate the Oracle wallet and associated `*.ora` files by using the output from the previous step.

+ These examples use the `bash` shell. If you're using a different shell (for example, `csh`), be sure to set environment variables correctly.

+ ```bash

+ useradd -m azacsnap

+ echo "export ORACLE_SID=oratest1" >> /home/azacsnap/.bash_profile

+ echo "export ORACLE_HOME=/u01/app/oracle/product/19.0.0/dbhome_1" >> /home/azacsnap/.bash_profile

+ echo "export TNS_ADMIN=/home/azacsnap" >> /home/azacsnap/.bash_profile

+ echo "export PATH=\$PATH:\$ORACLE_HOME/bin" >> /home/azacsnap/.bash_profile

+ ```

+ 1. As the new Linux user (`azacsnap`), create the wallet and `*.ora` files.

+ 1. Switch to the user created in the previous step:

+ ```bash

+ sudo su - azacsnap

+ ```

+ 1. Create the Oracle wallet:

+ ```bash

+ mkstore -wrl $TNS_ADMIN/.oracle_wallet/ -create

+ ```

+ ```output

+ Oracle Secret Store Tool Release 19.0.0.0.0 - Production

+ Version 19.3.0.0.0

+ Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

+

+ Enter password: <wallet_password>

+ Enter password again: <wallet_password>

+ ```

+ 1. Add the connection string credentials to the Oracle wallet. In the following example command, `AZACSNAP` is the connection string that AzAcSnap will use, `azacsnap` is the Oracle database user, and `AzPasswd1` is the Oracle user's database password.

+ ```bash

+ mkstore -wrl $TNS_ADMIN/.oracle_wallet/ -createCredential AZACSNAP azacsnap AzPasswd1

+ ```

+ ```output

+ Oracle Secret Store Tool Release 19.0.0.0.0 - Production

+ Version 19.3.0.0.0

+ Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.

+

+ Enter wallet password: <wallet_password>

+ ```

+ 1. Create the `tnsnames-ora` file. In the following example command, set `HOST` to the IP address of the Oracle database server. Set `SID` to the Oracle database SID.

+ ```bash

+ echo "# Connection string

+ AZACSNAP=\"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.1)(PORT=1521))(CONNECT_DATA=(SID=oratest1)))\"

+ " > $TNS_ADMIN/tnsnames.ora

+ ```

+ 1. Create the `sqlnet.ora` file:

+ ```bash

+ echo "SQLNET.WALLET_OVERRIDE = TRUE

+ WALLET_LOCATION=(

+ SOURCE=(METHOD=FILE)

+ (METHOD_DATA=(DIRECTORY=\$TNS_ADMIN/.oracle_wallet))

+ ) " > $TNS_ADMIN/sqlnet.ora

+ ```

+ 1. Test the Oracle wallet:

+ ```bash

+ sqlplus /@AZACSNAP as SYSBACKUP

+ ```

+ ```output

+ SQL*Plus: Release 19.0.0.0.0 - Production on Wed Jan 12 00:25:32 2022

+ Version 19.3.0.0.0

+

+ Copyright (c) 1982, 2019, Oracle. All rights reserved.

+

+

+ Connected to:

+ Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

+ Version 19.3.0.0.0

+ ```

+ ```sql

+ SELECT MACHINE FROM V$SESSION WHERE SID=1;

+ ```

+ ```output

+ MACHINE

+ -

+ oradb-19c

+ ```

+ ```sql

+ quit

+ ```

+ ```output

+ Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

+ Version 19.3.0.0.0

+ ```

+ 1. Create a ZIP file archive of the Oracle wallet and `*.ora` files:

+ ```bash

+ cd $TNS_ADMIN

+ zip -r wallet.zip sqlnet.ora tnsnames.ora .oracle_wallet

+ ```

+ ```output

+ adding: sqlnet.ora (deflated 9%)

+ adding: tnsnames.ora (deflated 7%)

+ adding: .oracle_wallet/ (stored 0%)

+ adding: .oracle_wallet/ewallet.p12.lck (stored 0%)

+ adding: .oracle_wallet/ewallet.p12 (deflated 1%)

+ adding: .oracle_wallet/cwallet.sso.lck (stored 0%)

+ adding: .oracle_wallet/cwallet.sso (deflated 1%)

+ ```

+ 1. Copy the ZIP file to the target system (for example, the centralized virtual machine running AzAcSnap).

+ > [!IMPORTANT]

+ > If you're deploying to a centralized virtual machine, you need to install and set up Oracle Instant Client on it so that the AzAcSnap user can run `sqlplus` commands. You can download Oracle Instant Client from the [Oracle downloads page](https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html).

+ >

+ > For SQL\*Plus to run correctly, download both the required package (for example, Basic Light Package) and the optional SQL\*Plus tools package.

+ 1. Complete the following steps on the system running AzAcSnap:

+ 1. Deploy the ZIP file that you copied in the previous step.

+ This step assumes that you already created the user running AzAcSnap (by default, `azacsnap`) by using the AzAcSnap installer.

+ > [!NOTE]

+ > It's possible to use the `TNS_ADMIN` shell variable to allow for multiple Oracle targets by setting the unique shell variable value for each Oracle system as needed.

+ ```bash

+ export TNS_ADMIN=$HOME/ORACLE19c

+ mkdir $TNS_ADMIN

+ cd $TNS_ADMIN

+ unzip ~/wallet.zip

+ ```

+ ```output

+ Archive: wallet.zip

+ inflating: sqlnet.ora

+ inflating: tnsnames.ora

+ creating: .oracle_wallet/

+ extracting: .oracle_wallet/ewallet.p12.lck

+ inflating: .oracle_wallet/ewallet.p12

+ extracting: .oracle_wallet/cwallet.sso.lck

+ inflating: .oracle_wallet/cwallet.sso

+ ```

+ Check that the files were extracted correctly:

+ ```bash

+ ls

+ ```

+ ```output

+ sqlnet.ora tnsnames.ora wallet.zip

+ ```

+ Assuming that you completed all the previous steps correctly, it should be possible to connect to the database by using the `/@AZACSNAP` connection string:

+ ```bash

+ sqlplus /@AZACSNAP as SYSBACKUP

+ ```

+ ```output

+ SQL*Plus: Release 21.0.0.0.0 - Production on Wed Jan 12 13:39:36 2022

+ Version 21.1.0.0.0

+

+ Copyright (c) 1982, 2020, Oracle. All rights reserved.

+

+

+ Connected to:

+ Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

+ Version 19.3.0.0.0

+

+ ```sql

+ SQL> quit

+ ```

+ ```output

+ Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

+ Version 19.3.0.0.0

+ ```

+ 1. Test the setup with AzAcSnap

+ After you configure AzAcSnap (for example, `azacsnap -c configure --configuration new`) with the Oracle connection string (for example, `/@AZACSNAP`), it should be possible to connect to the Oracle database.

+ Check that the `$TNS_ADMIN` variable is set for the correct Oracle target system. The `$TNS_ADMIN` shell variable determines where to locate the Oracle wallet and `*.ora` files, so you must set it before you run the `azacsnap` command.

+ ```bash

+ ls -al $TNS_ADMIN

+ ```

+ ```output

+ total 16

+ drwxrwxr-x. 3 orasnap orasnap 84 Jan 12 13:39 .

+ drwx. 18 orasnap sapsys 4096 Jan 12 13:39 ..

+ drwx. 2 orasnap orasnap 90 Jan 12 13:23 .oracle_wallet

+ -rw-rw-r--. 1 orasnap orasnap 125 Jan 12 13:39 sqlnet.ora

+ -rw-rw-r--. 1 orasnap orasnap 128 Jan 12 13:24 tnsnames.ora

+ -rw-r--r--. 1 root root 2569 Jan 12 13:28 wallet.zip

+ ```

+ Run the `azacsnap` test command:

+ ```bash

+ cd ~/bin

+ azacsnap -c test --test oracle --configfile ORACLE.json

+ ```

+ ```output

+ BEGIN : Test process started for 'oracle'

+ BEGIN : Oracle DB tests

+ PASSED: Successful connectivity to Oracle DB version 1903000000

+ END : Test process complete for 'oracle'

+ ```

+ You must set up the `$TNS_ADMIN` variable correctly for `azacsnap` to run correctly. You can either add it to the user's `.bash_profile` file or export it before each run (for example, `export TNS_ADMIN="/home/orasnap/ORACLE19c" ; cd /home/orasnap/bin ; ./azacsnap --configfile ORACLE19c.json -c backup --volume data --prefix hourly-ora19c --retention 12`).

+# [IBM Db2](#tab/db2)

+The snapshot tools issue commands to the IBM Db2 database by using the command-line processor `db2` to enable and disable backup mode.

+After AzAcSnap puts the database in backup mode, it queries the IBM Db2 database to get a list of protected paths, which are part of the database where backup mode is active. This list is sent into an external file, which is in the same location and basename as the log file but has a `.\<DBName>-protected-paths` extension. (The AzAcSnap log file details the output file name.)

+AzAcSnap uses the IBM Db2 command-line processor `db2` to issue SQL commands, such as `SET WRITE SUSPEND` or `SET WRITE RESUME`. So you should install AzAcSnap in one of the following ways:

+- Install on the database server, and then complete the setup with [Db2 local connectivity](#db2-local-connectivity).

+- Install on a centralized backup system, and then complete the setup with [Db2 remote connectivity](#db2-remote-connectivity).

+#### Db2 local connectivity

+If you installed AzAcSnap on the database server, be sure to add the `azacsnap` user to the correct Linux group and import the Db2 instance user's profile. Use the following example setup.

+##### azacsnap user permissions

+The `azacsnap` user should belong to the same Db2 group as the database instance user. The following example gets the group membership of the IBM Db2 installation's database instance user `db2tst`:

+```bash

+id db2tst

+```

+```output

+uid=1101(db2tst) gid=1001(db2iadm1) groups=1001(db2iadm1)

+```

+From the output, you can confirm the `db2tst` user has been added to the `db2iadm1` group. Add the `azacsnap` user to the group:

+```bash

+usermod -a -G db2iadm1 azacsnap

+```

+##### azacsnap user profile

+The `azacsnap` user needs to be able to run the `db2` command. By default, the `db2` command isn't in the `azacsnap` user's `$PATH` information.

+Add the following code to the user's `.bashrc` file. Use your own IBM Db2 installation value for `INSTHOME`.

+```output

+# The following four lines have been added to allow this user to run the DB2 command line processor.

+INSTHOME="/db2inst/db2tst"

+if [ -f ${INSTHOME}/sqllib/db2profile ]; then

+ . ${INSTHOME}/sqllib/db2profile

+fi

+```

+Test that the user can run the `db2` command-line processor:

+```bash

+su - azacsnap

+db2

+```

+```output

+(c) Copyright IBM Corporation 1993,2007

+Command Line Processor for DB2 Client 11.5.7.0

+You can issue database manager commands and SQL statements from the command

+prompt. For example:

+ db2 => connect to sample

+ db2 => bind sample.bnd

+For general help, type: ?.

+For command help, type: ? command, where command can be

+the first few keywords of a database manager command. For example:

+ ? CATALOG DATABASE for help on the CATALOG DATABASE command

+ ? CATALOG for help on all of the CATALOG commands.

+To exit db2 interactive mode, type QUIT at the command prompt. Outside

+interactive mode, all commands must be prefixed with 'db2'.

+To list the current command option settings, type LIST COMMAND OPTIONS.

+For more detailed help, refer to the Online Reference Manual.

+```

+```sql

+db2 => quit

+DB20000I The QUIT command completed successfully.

+```

+Now configure `azacsnap` to user `localhost`. After this preliminary test as the `azacsnap` user is working correctly, go on to configure (`azacsnap -c configure`) with `serverAddress=localhost` and test (`azacsnap -c test --test db2`) AzAcSnap database connectivity.

+#### Db2 remote connectivity

+If you installed AzAcSnap on a centralized backup system, use the following example setup to allow SSH access to the Db2 database instance.

+Log in to the AzAcSnap system as the `azacsnap` user and generate a public/private SSH key pair:

+```bash

+ssh-keygen

+```

+```output

+Generating public/private rsa key pair.

+Enter file in which to save the key (/home/azacsnap/.ssh/id_rsa):

+Enter passphrase (empty for no passphrase):

+Enter same passphrase again:

+Your identification has been saved in /home/azacsnap/.ssh/id_rsa.

+Your public key has been saved in /home/azacsnap/.ssh/id_rsa.pub.

+The key fingerprint is:

+SHA256:4cr+0yN8/dawBeHtdmlfPnlm1wRMTO/mNYxarwyEFLU azacsnap@db2-02

+The key's randomart image is:

+| ... o. |

+| . . +. |

+| .. E + o.|

+| .... B..|

+| S. . o *=|

+| . . . o o=X|

+| o. . + .XB|

+| . + + + +oX|

+| ...+ . =.o+|

+```

+Get the contents of the public key:

+```bash

+cat .ssh/id_rsa.pub

+```

+```output

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb4HedCPdIeft4DUp7jwSDUNef52zH8xVfu5sSErWUw3hhRQ7KV5sLqtxom7an2a0COeO13gjCiTpwfO7UXH47dUgbz+KfwDaBdQoZdsp8ed1WI6vgCRuY4sb+rY7eiqbJrLnJrmgdwZkV+HSOvZGnKEV4Y837UHn0BYcAckX8DiRl7gkrbZUPcpkQYHGy9bMmXO+tUuxLM0wBrzvGcPPZ azacsnap@db2-02

+```

+Log in to the IBM Db2 system as the Db2 instance user.

+Add the contents of the AzAcSnap user's public key to the Db2 instance user's `authorized_keys` file:

+```bash

+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCb4HedCPdIeft4DUp7jwSDUNef52zH8xVfu5sSErWUw3hhRQ7KV5sLqtxom7an2a0COeO13gjCiTpwfO7UXH47dUgbz+KfwDaBdQoZdsp8ed1WI6vgCRuY4sb+rY7eiqbJrLnJrmgdwZkV+HSOvZGnKEV4Y837UHn0BYcAckX8DiRl7gkrbZUPcpkQYHGy9bMmXO+tUuxLM0wBrzvGcPPZ azacsnap@db2-02" >> ~/.ssh/authorized_keys

+```

+Log in to the AzAcSnap system as the `azacsnap` user and test SSH access:

+```bash

+ssh <InstanceUser>@<ServerAddress>

+```

+```output

+[InstanceUser@ServerName ~]$

+```

+Test that the user can run the `db2` command-line processor:

+```bash

+db2

+```

+```output

+(c) Copyright IBM Corporation 1993,2007

+Command Line Processor for DB2 Client 11.5.7.0

+You can issue database manager commands and SQL statements from the command

+prompt. For example:

+ db2 => connect to sample

+ db2 => bind sample.bnd

+For general help, type: ?.

+For command help, type: ? command, where command can be

+the first few keywords of a database manager command. For example:

+ ? CATALOG DATABASE for help on the CATALOG DATABASE command

+ ? CATALOG for help on all of the CATALOG commands.

+To exit db2 interactive mode, type QUIT at the command prompt. Outside

+interactive mode, all commands must be prefixed with 'db2'.

+To list the current command option settings, type LIST COMMAND OPTIONS.

+For more detailed help, refer to the Online Reference Manual.

+```

+```sql

+db2 => quit

+DB20000I The QUIT command completed successfully.

+```

+```bash

+[prj@db2-02 ~]$ exit

+```

+```output

+logout

+Connection to <serverAddress> closed.

+```

+## Configure the database

+This section explains how to configure the database.

+# [SAP HANA](#tab/sap-hana)

+### Configure SAP HANA

+There are changes that you can apply to SAP HANA to help protect the log backups and catalog. By default, `basepath_logbackup` and `basepath_catalogbackup` are set so that SAP HANA will put related files into the `$(DIR_INSTANCE)/backup/log` directory. It's unlikely that this location is on a volume that AzAcSnap is configured to snapshot, so storage snapshots won't protect these files.

+The following `hdbsql` command examples demonstrate setting the log and catalog paths to locations on storage volumes that AzAcSnap can snapshot. Be sure to check that the values on the command line match the local SAP HANA configuration.

+### Configure the log backup location

+This example shows a change to the `basepath_logbackup` parameter:

+```bash

+hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_logbackup') = '/hana/logbackups/H80' WITH RECONFIGURE"

+```

+### Configure the catalog backup location

+This example shows a change to the `basepath_catalogbackup` parameter. First, ensure that the `basepath_catalogbackup` path exists on the file system. If not, create the path with the same ownership as the directory.

+```bash

+ls -ld /hana/logbackups/H80/catalog

+```

+```output

+drwxr-x 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog

+```

+If you need to create the path, the following example creates the path and sets the correct ownership and permissions. You need to run these commands as root.

+```bash

+mkdir /hana/logbackups/H80/catalog

+chown --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog

+chmod --reference=/hana/shared/H80/HDB00 /hana/logbackups/H80/catalog

+ls -ld /hana/logbackups/H80/catalog

+```

+```output

+drwxr-x 4 h80adm sapsys 4096 Jan 17 06:55 /hana/logbackups/H80/catalog

+```

+The following example changes the SAP HANA setting:

+```bash

+hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'basepath_catalogbackup') = '/hana/logbackups/H80/catalog' WITH RECONFIGURE"

+```

+### Check log and catalog backup locations

+After you make the changes to the log and catalog backup locations, confirm that the settings are correct by using the following command.

+In this example, the settings appear as `SYSTEM` settings. This query also returns the `DEFAULT` settings for comparison.

+```bash

+hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where (key = 'basepath_databackup' or key ='basepath_datavolumes' or key = 'basepath_logbackup' or key = 'basepath_logvolumes' or key = 'basepath_catalogbackup')"

+```

+```output

+global.ini,DEFAULT,,,persistence,basepath_catalogbackup,$(DIR_INSTANCE)/backup/log

+global.ini,DEFAULT,,,persistence,basepath_databackup,$(DIR_INSTANCE)/backup/data

+global.ini,DEFAULT,,,persistence,basepath_datavolumes,$(DIR_GLOBAL)/hdb/data

+global.ini,DEFAULT,,,persistence,basepath_logbackup,$(DIR_INSTANCE)/backup/log

+global.ini,DEFAULT,,,persistence,basepath_logvolumes,$(DIR_GLOBAL)/hdb/log

+global.ini,SYSTEM,,,persistence,basepath_catalogbackup,/hana/logbackups/H80/catalog

+global.ini,SYSTEM,,,persistence,basepath_datavolumes,/hana/data/H80

+global.ini,SYSTEM,,,persistence,basepath_logbackup,/hana/logbackups/H80

+global.ini,SYSTEM,,,persistence,basepath_logvolumes,/hana/log/H80

+```

+### Configure the log backup timeout

+The default setting for SAP HANA to perform a log backup is `900` seconds (15 minutes). We recommend that you reduce this value to `300` seconds (5 minutes). Then it's possible to run regular backups of these files (for example, every 10 minutes). You can take these backups by adding the `log_backup` volumes to the `OTHER` volume section of the

+configuration file.

+```bash

+hdbsql -jaxC -n <HANA_ip_address>:30013 -i 00 -u SYSTEM -p <SYSTEM_USER_PASSWORD> "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'log_backup_timeout_s') = '300' WITH RECONFIGURE"

+```

+### Check the log backup timeout

+After you make the change to the log backup timeout, ensure that the timeout is set by using the following command.

+In this example, the settings are displayed as `SYSTEM` settings. This query also returns the `DEFAULT` settings for comparison.

+```bash

+hdbsql -jaxC -n <HANA_ip_address> - i 00 -U AZACSNAP "select * from sys.m_inifile_contents where key like '%log_backup_timeout%' "

+```

+```output

+global.ini,DEFAULT,,,persistence,log_backup_timeout_s,900

+global.ini,SYSTEM,,,persistence,log_backup_timeout_s,300

+```

+# [Oracle](#tab/oracle)

+Apply the following changes to the Oracle database to allow for monitoring by the database administrator:

+1. Set up Oracle alert logging.

+ Use the following Oracle SQL commands while you're connected to the database as `SYSDBA` to create a stored procedure under the default Oracle SYSBACKUP database account. These SQL commands allow AzAcSnap to send messages to:

+ - Standard output by using the `PUT_LINE` procedure in the `DBMS_OUTPUT` package.

+ - The Oracle database `alert.log` file by using the `KSDWRT` procedure in the `DBMS_SYSTEM` package.

+ ```bash

+ sqlplus / As SYSDBA

+ ```

+ ```sql

+ GRANT EXECUTE ON DBMS_SYSTEM TO SYSBACKUP;

+ CREATE PROCEDURE sysbackup.azmessage(in_msg IN VARCHAR2)

+ AS

+ v_timestamp VARCHAR2(32);

+ BEGIN

+ SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS')

+ INTO v_timestamp FROM DUAL;

+ SYS.DBMS_SYSTEM.KSDWRT(SYS.DBMS_SYSTEM.ALERT_FILE, in_msg);

+ END azmessage;

+ /

+ SHOW ERRORS

+ QUIT

+ ```

+# [IBM Db2](#tab/db2)

+No special database configuration is required for Db2 because you're using the instance user's local operating system environment.

+## Next steps

+- [Configure storage for Azure Application Consistent Snapshot tool](azacsnap-configure-storage.md)

+ Title: Configure storage for Azure Application Consistent Snapshot tool for Azure NetApp Files

+description: Learn how to configure storage for use with the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.

+# Configure storage for Azure Application Consistent Snapshot tool

+This article provides a guide for configuring the Azure storage to be used with the Azure Application Consistent Snapshot tool (AzAcSnap).

+Select the storage you're using with AzAcSnap.

+# [Azure NetApp Files](#tab/azure-netapp-files)

+Either set up a system-managed identity (recommended) or generate the service principal's authentication file.

+When you're validating communication with Azure NetApp Files, communication might fail or time out. Check that firewall rules aren't blocking outbound traffic from the system running AzAcSnap to the following addresses and TCP/IP ports:

+ - (https://)management.azure.com:443

+ - (https://)login.microsoftonline.com:443

+# [Azure Large Instances (bare metal)](#tab/azure-large-instance)

+You'll need to generate your own self-signed certificate and then share the contents of the PEM (Privacy Enhanced Mail) file with Microsoft Operations so it can be installed to the Storage back-end to allow AzAcSnap to securely authenticate with ONTAP.

+Combine the PEM and KEY into a single PKCS12 file which is needed by AzAcSnap for certificate-based authentication to ONTAP.

+Test the PKCS12 file by using `curl` to connect to one of the nodes.

+> Microsoft Operations provides the storage username and storage IP address at the time of provisioning.

+## Enable communication with storage

+This section explains how to enable communication with storage. Use the following tabs to correctly select the storage back end that you're using.

+# [Azure NetApp Files (with virtual machine)](#tab/azure-netapp-files)

+There are two ways to authenticate to the Azure Resource Manager using either a system-managed identity or a service principal file. The options are described here.

+### Azure system-managed identity

+From AzAcSnap 9, it's possible to use a system-managed identity instead of a service principal for operation. Using this feature avoids the need to store service principal credentials on a virtual machine (VM). To set up an Azure managed identity by using Azure Cloud Shell, follow these steps:

+1. Within a Cloud Shell session with Bash, use the following example to set the shell variables appropriately and apply them to the subscription where you want to create the Azure managed identity. Set `SUBSCRIPTION`, `VM_NAME`, and `RESOURCE_GROUP` to your site-specific values.

+ ```azurecli-interactive

+ export SUBSCRIPTION="99z999zz-99z9-99zz-99zz-9z9zz999zz99"

+ export VM_NAME="MyVM"

+ export RESOURCE_GROUP="MyResourceGroup"

+ export ROLE="Contributor"

+ export SCOPE="/subscriptions/${SUBSCRIPTION}/resourceGroups/${RESOURCE_GROUP}"

+ ```

+1. Set Cloud Shell to the correct subscription:

+ ```azurecli-interactive

+ az account set -s "${SUBSCRIPTION}"

+ ```

+1. Create the managed identity for the virtual machine. The following command sets (or shows if it's already set) the AzAcSnap VM's managed identity:

+ ```azurecli-interactive

+ az vm identity assign --name "${VM_NAME}" --resource-group "${RESOURCE_GROUP}"

+ ```

+1. Get the principal ID for assigning a role:

+ ```azurecli-interactive

+ PRINCIPAL_ID=$(az resource list -n ${VM_NAME} --query [*].identity.principalId --out tsv)

+ ```

+1. Assign the Contributor role to the principal ID:

+ ```azurecli-interactive

+ az role assignment create --assignee "${PRINCIPAL_ID}" --role "${ROLE}" --scope "${SCOPE}"

+ ```

+#### Optional RBAC

+It's possible to limit the permissions for the managed identity by using a custom role definition in role-based access control (RBAC). Create a suitable role definition for the virtual machine to be able to manage snapshots. You can find example permissions settings in [Tips and tricks for using the Azure Application Consistent Snapshot tool](azacsnap-tips.md).

+Then assign the role to the Azure VM principal ID (also displayed as `SystemAssignedIdentity`):

+```azurecli-interactive

+az role assignment create --assignee ${PRINCIPAL_ID} --role "AzAcSnap on ANF" --scope "${SCOPE}"

+```

+### Generate a service principal file

+1. In a Cloud Shell session, make sure you're logged on at the subscription where you want to be associated with the service principal by default:

+ ```azurecli-interactive

+ az account show

+ ```

+1. If the subscription isn't correct, use the `az account set` command:

+ ```azurecli-interactive

+ az account set -s <subscription name or id>

+ ```

+1. Create a service principal by using the Azure CLI, as shown in this example:

+ ```azurecli-interactive

+ az ad sp create-for-rbac --name "AzAcSnap" --role Contributor --scopes /subscriptions/{subscription-id} --sdk-auth

+ ```

+ The command should generate output like this example:

+ ```output

+ {

+ "clientId": "00aa000a-aaaa-0000-00a0-00aa000aaa0a",

+ "clientSecret": "00aa000a-aaaa-0000-00a0-00aa000aaa0a",

+ "subscriptionId": "00aa000a-aaaa-0000-00a0-00aa000aaa0a",

+ "tenantId": "00aa000a-aaaa-0000-00a0-00aa000aaa0a",

+ "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",

+ "resourceManagerEndpointUrl": "https://management.azure.com/",

+ "activeDirectoryGraphResourceId": "https://graph.windows.net/",

+ "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",

+ "galleryEndpointUrl": "https://gallery.azure.com/",

+ "managementEndpointUrl": "https://management.core.windows.net/"

+ }

+ ```

+ This command automatically assigns the RBAC Contributor role to the service principal at the subscription level. You can narrow down the scope to the specific resource group where your tests will create the resources.

+1. Cut and paste the output content into a file called `azureauth.json` that's stored on the same system as the `azacsnap` command. Secure the file with appropriate system permissions.

+ Make sure the format of the JSON file is exactly as described in the previous step, with the URLs enclosed in double quotation marks (").

+# [Azure Large Instances (bare metal)](#tab/azure-large-instance)

+> [!IMPORTANT]

+> From AzAcSnap 10, communicatoin with Azure Large Instance storage is using the REST API over HTTPS. Versions prior to AzAcSnap 10 use the CLI over SSH.

+### Azure Large Instance REST API over HTTPS

+Communication with the storage back end occurs over an encrypted HTTPS channel using certificate-based authentication. The following example steps provide guidance on setup of the PKCS12 certificate for this communication:

+1. Generate the PEM and KEY files.

+ > The CN equals the SVM username, ask Microsoft Operations for this SVM username.

+ In this example we are using `svmadmin01` as our SVM username, modify this as necessary for your installation.

+

+ ```bash

+ openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout svmadmin01.key -out svmadmin01.pem -subj "/C=US/ST=WA/L=Redmond/O=MSFT/CN=svmadmin01"

+ ```

+

+ Refer to the following output:

+ ```output

+ Generating a RSA private key

+ ........................................................................................................+++++

+ ....................................+++++

+ writing new private key to 'svmadmin01.key'

+ --

+ ```

+1. Output the contents of the PEM file.

+ The contents of the PEM file are used for adding the client-ca to the SVM.

+ > ! Send the contents of the PEM file to the Microsoft BareMetal Infrastructure (BMI) administrator.

+ ```bash

+ cat svmadmin01.pem

+ ```

+ ```output

+ --BEGIN CERTIFICATE--

+ MIIDgTCCAmmgAwIBAgIUGlEfGBAwSzSFx8s19lsdn9EcXWcwDQYJKoZIhvcNAQEL

+ /zANBgkqhkiG9w0BAQsFAAOCAQEAFkbKiQ3AF1kaiOpl8lt0SGuTwKRBzo55pwqf

+ PmLUFF2sWuG5Yaw4sGPGPgDrkIvU6jcyHpFVsl6e1tUcECZh6lcK0MwFfQZjHwfs

+ MRAwDgYDVQQHDAdSZWRtb25kMQ0wCwYDVQQKDARNU0ZUMRMwEQYDVQQDDApzdm1h

+ ZG1pbjAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuE6H2/DK9xjz

+ TY1JSYIeArJ3GQnBz7Fw2KBT+Z9dl2kO8p3hjSE/5W1vY+5NLDjEH6HG1xH12QUO

+ y2+NoT2s4KhGgWbHuJHpQqLsNFqaOuLyc3ofK7BPz/9JHz5JKmNu1Fn9Ql8s4FRQ

+ 4GzXDf4qC+JhQBO3iSvXuwDRfGs9Ja2x1r8yOJEHxmnLgGVw6Q==

+ --END CERTIFICATE--

+ ```

+1. Combine the PEM and KEY into a single PKCS12 file (needed for AzAcSnap).

+ ```bash

+ openssl pkcs12 -export -out svmadmin01.p12 -inkey svmadmin01.key -in svmadmin01.pem

+ ```

+ > The file svmadmin01.p12 is used as the value for certificateFile in the aliStorageResource section of the AzAcSnap configuration file.

+1. Test the PKCS12 file using curl.

+ After getting confirmation from Microsoft Operations they have applied the certificate to the SVM to allow certificate-based login, then test connectivity to the SVM.

+ In this example we are using the PKCS12 file called svmadmin01.p12 to connect to the SVM host "X.X.X.X" (this IP address will be provided by Microsoft Operations).

+ ```bash

+ curl --cert-type P12 --cert svmadmin01.p12 -k 'https://X.X.X.X/api/cluster?fields=version'

+ ```

+ ```output

+ {

+ "version": {

+ "full": "NetApp Release 9.15.1: Wed Feb 21 05:56:27 UTC 2024",

+ "generation": 9,

+ "major": 15,

+ "minor": 1

+ },

+ "_links": {

+ "self": {

+ "href": "/api/cluster"

+ }

+ }

+ }

+ ```

+### Azure Large Instance CLI over SSH

+> [!WARNING]

+> These instructions are for versions prior to AzAcSnap 10 and we are no longer updating this section of the content regularly.

+Communication with the storage back end occurs over an encrypted SSH channel. The following example steps provide guidance on setup of SSH for this communication:

+1. Modify the `/etc/ssh/ssh_config` file.

+ Refer to the following output, which includes the `MACs hmac-sha` line:

+ ```output

+ # RhostsRSAAuthentication no

+ # RSAAuthentication yes

+ # PasswordAuthentication yes

+ # HostbasedAuthentication no

+ # GSSAPIAuthentication no

+ # GSSAPIDelegateCredentials no

+ # GSSAPIKeyExchange no

+ # GSSAPITrustDNS no

+ # BatchMode no

+ # CheckHostIP yes

+ # AddressFamily any

+ # ConnectTimeout 0

+ # StrictHostKeyChecking ask

+ # IdentityFile ~/.ssh/identity

+ # IdentityFile ~/.ssh/id_rsa

+ # IdentityFile ~/.ssh/id_dsa

+ # Port 22

+ Protocol 2

+ # Cipher 3des

+ # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-

+ cbc

+ # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd

+ MACs hmac-sha

+ # EscapeChar ~

+ # Tunnel no

+ # TunnelDevice any:any

+ # PermitLocalCommand no

+ # VisualHostKey no

+ # ProxyCommand ssh -q -W %h:%p gateway.example.com

+ ```

+1. Use the following example command to generate a private/public key pair. Don't enter a password when you're generating a key.

+ ```bash

+ ssh-keygen -t rsa ΓÇôb 5120 -C ""

+ ```

+1. The output of the `cat /root/.ssh/id_rsa.pub` command is the public key. Send it to Microsoft Operations, so that the snapshot tools can communicate with the storage subsystem.

+ ```bash

+ cat /root/.ssh/id_rsa.pub

+ ```

+ ```output

+ ssh-rsa

+ AAAAB3NzaC1yc2EAAAADAQABAAABAQDoaRCgwn1Ll31NyDZy0UsOCKcc9nu2qdAPHdCzleiTWISvPW

+ FzIFxz8iOaxpeTshH7GRonGs9HNtRkkz6mpK7pCGNJdxS4wJC9MZdXNt+JhuT23NajrTEnt1jXiVFH

+ bh3jD7LjJGMb4GNvqeiBExyBDA2pXdlednOaE4dtiZ1N03Bc/J4TNuNhhQbdsIWZsqKt9OPUuTfD

+ j0XvwUTLQbR4peGNfN1/cefcLxDlAgI+TmKdfgnLXIsSfbacXoTbqyBRwCi7p+bJnJD07zSc9YCZJa

+ wKGAIilSg7s6Bq/2lAPDN1TqwIF8wQhAg2C7yeZHyE/ckaw/eQYuJtN+RNBD

+ ```

+## Next steps

+- [Configure Azure Application Consistent Snapshot tool](azacsnap-cmd-ref-configure.md)

+## Installation and setup workflow for AzAcSnap

+This workflow provides the main steps to install, setup and configure AzAcSnap along with your chosen database and storage option.

+**Steps**:

+1. [Install AzAcSnap](azacsnap-installation.md)

+1. [Configure Database](azacsnap-configure-database.md)

+ 1. [SAP HANA](azacsnap-configure-database.md?tabs=sap-hana)

+ 1. [Oracle DB](azacsnap-configure-database.md?tabs=oracle)

+ 1. [IBM Db2](azacsnap-configure-database.md?tabs=db2)

+ 1. Microsoft SQL Server (PREVIEW)

+1. [Configure Storage](azacsnap-configure-storage.md)

+ 1. [Azure NetApp Files](azacsnap-configure-storage.md?tabs=azure-netapp-files)

+ 1. [Azure Large Instance](azacsnap-configure-storage.md?tabs=azure-large-instance)

+ 1. Azure Managed Disk (PREVIEW)

+1. [Configure AzAcSnap](azacsnap-cmd-ref-configure.md)

+1. [Test AzAcSnap](azacsnap-cmd-ref-test.md)

+1. [Take a backup with AzAcSnap](azacsnap-cmd-ref-backup.md)

+## Technical articles

+The following technical articles describe how to set up AzAcSnap as part of a data protection strategy:

+- [Manual Recovery Guide for SAP HANA on Azure VMs from Azure NetApp Files snapshot with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/manual-recovery-guide-for-sap-hana-on-azure-vms-from-azure/ba-p/3290161)

+- [Manual Recovery Guide for SAP HANA on Azure Large Instance from storage snapshot with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/manual-recovery-guide-for-sap-hana-on-azure-large-instance-from/ba-p/3242347)

+- [Manual Recovery Guide for SAP Oracle 19c on Azure VMs from Azure NetApp Files snapshot with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/manual-recovery-guide-for-sap-oracle-19c-on-azure-vms-from-azure/ba-p/3242408)

+- [Manual Recovery Guide for SAP Db2 on Azure VMs from Azure NetApp Files snapshot with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/manual-recovery-guide-for-sap-db2-on-azure-vms-from-azure-netapp/ba-p/3865379)

+- [SAP Oracle 19c System Refresh Guide on Azure VMs using Azure NetApp Files Snapshots with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-oracle-19c-system-refresh-guide-on-azure-vms-using-azure/ba-p/3708172)

+- [Protecting HANA databases configured with HSR on Azure NetApp Files with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/protecting-hana-databases-configured-with-hsr-on-azure-netapp/ba-p/3654620)

+- [Automating SAP system copy operations with Libelle SystemCopy](https://docs.netapp.com/us-en/netapp-solutions-sap/lifecycle/libelle-sc-overview.html)

+## Get command help

+To see a list of commands and examples, type `azacsnap -h` and then press the ENTER key.

+The general format of the commands is:

+`azacsnap -c [command] --[command] [sub-command] --[flag-name] [flag-value]`.

+### Command options

+The command options are as follows. The main bullets are commands, and the indented bullets are subcommands.

+- `-h` provides extended command-line help with examples on AzAcSnap usage.

+- [`-c configure`](azacsnap-cmd-ref-configure.md) provides an interactive Q&A style interface to create or modify the `azacsnap` configuration file (default = `azacsnap.json`).

+ - `--configuration new` creates a new configuration file.

+ - `--configuration edit` enables editing an existing configuration file.

+- [`-c test`](azacsnap-cmd-ref-test.md) validates the configuration file and tests connectivity.

+ - `--test <DbType>`, where DbType is one of `hana`, `oracle`, or `db2`, tests the connection to the specified database.

+ - `--test storage` tests communication with the underlying storage interface by creating a temporary storage snapshot on all the configured `data` volumes, and then removing them.

+ - `--test all` performs both the `hana` and `storage` tests in sequence.

+- [`-c backup`](azacsnap-cmd-ref-backup.md) is the primary command to execute database-consistent storage snapshots for SAP HANA data volumes and for other (for example, shared, log backup, or boot) volumes.

+ - `--volume data` takes a snapshot of all the volumes in the `dataVolume` stanza of the configuration file.

+ - `--volume other` takes a snapshot of all the volumes in the `otherVolume` stanza of the configuration file.

+ - `--volume all` takes a snapshot of all the volumes in the `dataVolume` stanza and then all the volumes in the `otherVolume` stanza of the configuration file.

+- [`-c details`](azacsnap-cmd-ref-details.md) provides information on snapshots or replication.

+ - `--details snapshots` (optional) provides a list of basic details about the snapshots for each volume that you configured.

+ - `--details replication` (optional) provides basic details about the replication status from the production site to the disaster-recovery site.

+- [`-c delete`](azacsnap-cmd-ref-delete.md) deletes a storage snapshot or a set of snapshots.

+- [`-c restore`](azacsnap-cmd-ref-restore.md) provides two methods to restore a snapshot to a volume.

+ - `--restore snaptovol` creates a new volume based on the latest snapshot on the target volume.

+ - `-c restore --restore revertvolume` reverts the target volume to a prior state, based on the most recent snapshot.

+- `[--configfile <configfilename>]` is an optional command-line parameter to provide a different file name for the JSON configuration. It's useful for creating a separate configuration file per security ID (for example, `--configfile H80.json`).

+- [`[--runbefore]` and `[--runafter]`](azacsnap-cmd-ref-runbefore-runafter.md) are optional commands to run external commands or shell scripts before and after the execution of the main AzAcSnap logic.

+- `[--preview]` is an optional command-line option that's required when you're using preview features.

+ For more information, see [Preview features of the Azure Application Consistent Snapshot tool](azacsnap-preview.md).

+- After the setup of the snapshot tools, continuously monitor the storage space available and if necessary, delete the old snapshots on a regular basis to avoid running out of storage capacity.

+ - [Enable communication with storage](azacsnap-configure-storage.md#enable-communication-with-storage)

+ - [Enable communication with database](azacsnap-configure-database.md#enable-communication-with-the-database)

+AzAcSnap 10 supports more databases and operating systems, therefore a self-installer is no longer available.

+## Download AzAcSnap

+First, download the AzAcSnap executable file to any directory on your computer. AzAcSnap is provided as an executable file, so there's nothing to install.

+- [Linux x86-64](https://aka.ms/azacsnap-linux) (binary)

+ - The Linux binary has an associated [Linux signature file](https://aka.ms/azacsnap-linux-signature). This file is signed with Microsoft's public key to allow for GPG verification of the downloaded installer.

+ > [!IMPORTANT]

+ > The installer is no longer available for Linux. Please follow the [guidelines here](azacsnap-installation.md) to setup the user's profile to run AzAcSnap and its dependencies.

+- [Windows 64-bit](https://aka.ms/azacsnap-windows) (executable)

+ - The Windows binary is signed by Microsoft.

+Once these downloads are completed, then [Install Azure Application Consistent Snapshot tool](azacsnap-installation.md).

+## Prerequisites for installation

+Follow the guidelines to set up and run the snapshots and disaster-recovery commands. We recommend that you complete the following steps as root before you install and use the snapshot tools:

+1. Patch the operating system

+ 1. For SUSE on Azure Large Instances, set up SUSE Subscription Management Tool (SMT). For more information, see [Install and configure SAP HANA (Large Instances) on Azure](../virtual-machines/workloads/sap/hana-installation.md#operating-system).

+1. Set up time synchronization. Provide a time server that's compatible with the Network Time Protocol (NTP), and configure the operating system accordingly.

+1. Install the database. Follow the instructions for the supported database that you're using.

+1. Select the storage back end that you're using for your deployment. For more information, see [Enable communication with storage](azacsnap-configure-storage.md#enable-communication-with-storage) later in this article.

+1. Enable communication with the database. For more information, see [Enable communication with the database](azacsnap-configure-database.md#enable-communication-with-the-database) later in this article.

+ Set up an appropriate SAP HANA user by following the instructions in the section to [enable communication with the database](azacsnap-configure-database.md#enable-communication-with-the-database) in the database configuration document.

+ Set up an appropriate Oracle database and Oracle wallet by following the instructions in the section to [enable communication with the database](azacsnap-configure-database.md#enable-communication-with-the-database) in the database configuration document.

+ Set up an appropriate IBM Db2 connection method by following the instructions in the section to [enable communication with the database](azacsnap-configure-database.md#enable-communication-with-the-database) in the database configuration document.

+ - Install onto the database server, and then complete the setup with [Db2 local connectivity](azacsnap-configure-database.md#db2-local-connectivity):

+ - Install onto a centralized backup system, and then complete the setup with [Db2 remote connectivity](azacsnap-configure-database.md#db2-remote-connectivity):

+With the [prerequisite steps](#prerequisites-for-installation) completed, the steps to install AzAcSnap are as follows:

+1. Search the file system for directories to add to `$PATH` (Linux) or `%PATH%` (Windows) for AzAcSnap. This task allows the user who runs AzAcSnap to use database specific commands, such as `hdbsql` and `hdbuserstore`.

+1. Search the file system for directories to add to `$LD_LIBRARY_PATH` (Linux) for AzAcSnap. Many commands require you to set a library path to run them correctly.

+1. Copy AzAcSnap binary into a location on the user's `$PATH` (Linux) or `%PATH%` (Windows).

+1. On Linux it may be necessary to set the `azacsnap` binary permissions set correctly, including ownership and executable bit.

+Performing the following steps to get azacsnap running:

+- For Linux via a shell session:

+ 1. As the root superuser, create a Linux User

+ 1. `useradd -m azacsnap`

+ 1. Log in as the user

+ 1. `su ΓÇô azacsnap`

+ 1. `cd $HOME/bin`

+ 1. Download [azacsnap](https://aka.ms/azacsnap-linux)

+ 1. `wget -O azacsnap https://aka.ms/azacsnap-linux`

+ 1. Run azacsnap

+ 1. `azacsnap -c about`

+- For Windows via a GUI:

+ 1. Create a Windows User

+ 1. Log in as the user

+ 1. Download [`azacsnap.exe`](https://aka.ms/azacsnap-windows)

+ 1. Open a terminal session and run azacsnap

+ 1. `azacsnap.exe -c about`

+## Update user profile

+The user running AzAcSnap needs to have any environment variables updated to ensure AzAcSnap can run the database specific commands without needing the command's full path. This method allows for overriding the database commands if needed for special purposes.

+- SAP HANA requires `hdbuserstore` and `hdbsql`.

+- OracleDB requires `sqlplus`.

+- IBM Db2 requires `db2` and `ssh` (for remote access to Db2 when doing a centralized installation).

+### Linux

+On Linux setup of the user's `$PATH` is typically done by updating the users `$HOME/.profile` with the appropriate `$PATH` information for locating binaries, and potentially the `LD_LIBRARY_PATH` variable to ensure availability of shared objects for the Linux binaries.

+1. Search the file system for directories to add to `$PATH` for AzAcSnap.

+ For example:

+ # find the path for the hdbsql command

+ export DBCMD="hdbsql"

+ find / -name ${DBCMD} -exec dirname {} + 2> | sort | uniq | tr '\n' ':'

+ /hana/shared/PR1/exe/linuxx86_64/HDB_2.00.040.00.1553674765_c8210ee40a82860643f1874a2bf4ffb67a7b2add

+ #

+ # add the output to the user's profile

+ echo "export PATH=\"\$PATH:/hana/shared/PR1/exe/linuxx86_64/HDB_2.00.040.00.1553674765_c8210ee40a82860643f1874a2bf4ffb67a7b2add\"" >> /home/azacsnap/.profile

+ #

+ # add any shared objects to the $LD_LIBRARY_PATH

+ export SHARED_OBJECTS='*.so'

+ #

+ # add the output to the user's profile

+ echo "export LD_LIBRARY_PATH=\"\$LD_LIBRARY_PATH:$NEW_LIB_PATH\"" >> /home/azacsnap/.profile

+

+### Windows

+Use the Windows specific tools to find the location of the commands and add their directories to the users profile.

+ No special actions for Azure NetApp Files.

+ 1. Make sure the PKCS12 certificate file is available for the AzAcSnap user to read. This step assumes connectivity to the storage is already configured. For more information, see the earlier section [Enable communication with storage](azacsnap-configure-storage.md#enable-communication-with-storage).

+### Uninstall the snapshot tools

+If you installed the snapshot tools by using the default settings, uninstallation requires only removing the user that you installed the commands for and deleting the AzAcSnap binary.

+These steps can be followed to configure and test the snapshot tools.

+1. Log in to the AzAcSnap user account.

+ a. For Linux, `su - azacsnap`.

+ a. For Windows, log in as the AzAcSnap user.

+1. If you have added the AzAcSnap binary to the user's `$PATH` (Linux) or `%PATH%` (Windows), then run AzAcSnap with `azacsnap`, or you need to add the full path to the AzAcSnap binary (for example. `/home/azacsnap/bin/azacsnap` (Linux) or `C:\Users\AzAcSnap\azacsnap.exe` (Windows)).

+1. Configure the customer details file.

+ `azacsnap -c configure --configuration new`

+1. Test the connection to storage.

+ `azacsnap -c test --test storage`

+1. Test the connection to the database.

+ a. SAP HANA

+ `azacsnap -c test --test hana`

+ a. Oracle DB

+ `azacsnap -c test --test oracle`

+ a. IBM Db2

+ `azacsnap -c test --test db2`

+- `azacsnap -c backup --volume data --prefix adhoc_test --retention 1`

+- [Configure the database for Azure Application Consistent Snapshot tool](azacsnap-configure-database.md)

+Check out the steps to [get started with the Azure Application Consistent Snapshot tool](azacsnap-get-started.md).

+## Architecture overview

+You can install AzAcSnap on the same host as the database, or you can install it on a centralized system. But, you must have network connectivity to the database servers and the storage back end (Azure Resource Manager for Azure NetApp Files or HTTPS for Azure Large Instances).

+AzAcSnap is a lightweight application that's typically run from an external scheduler. On most Linux systems, this operation is `cron`, which is what the documentation focuses on. But the scheduler could be an alternative tool, as long as it can import the `azacsnap` user's shell profile. Importing the user's environment settings ensures that file paths and permissions are initialized correctly.

+ AzAcSnap takes an almost instantaneous snapshot of the database with zero performance hit, regardless of the size of the database volumes. It takes snapshots in parallel across all the volumes, to allow multiple volumes to be part of the database storage.

+

+ You can deploy AzAcSnap as a centralized or distributed solution for backing up critical database files. It ensures database consistency before it performs a storage volume snapshot. As a result, it ensures that you can use the storage volume snapshot for database recovery. Database roll forward options are available when used with log files.

+ This capability is helpful for non-database volumes that don't need application quiescing before the tool takes a storage snapshot. These can be any unstructured file-system, which includes database files like SAP HANA log-backup volumes and shared file systems, or SAPTRANS volumes.

+ This capability provides space-efficient storage volume clones for rapid development and test purposes.

+## Supported databases, operating systems, and Azure platforms

+- **Databases**

+ - SAP HANA (see the [support matrix](#snapshot-support-matrix-from-sap) for details)

+ - Oracle Database release 12 or later (see [Oracle VM images and their deployment on Microsoft Azure](../virtual-machines/workloads/oracle/oracle-vm-solutions.md) for details)

+ - IBM Db2 for LUW on Linux-only version 10.5 or later (see [IBM Db2 Azure Virtual Machines DBMS deployment for SAP workload](../virtual-machines/workloads/sap/dbms_guide_ibm.md) for details)

+- **Operating systems**

+ - SUSE Linux Enterprise Server 12+

+ - Red Hat Enterprise Linux 7+

+ - Oracle Linux 7+

+- **Azure platforms**

+ - Azure Virtual Machines with Azure NetApp Files storage

+ - Azure Large Instances (on bare-metal infrastructure)

+> [!TIP]

+> If you're looking for new features (or support for other databases, operating systems, and platforms), see [Preview features of the Azure Application Consistent Snapshot tool](azacsnap-preview.md). You can also provide [feedback or suggestions](https://aka.ms/azacsnap-feedback).

+## Supported scenarios

+The snapshot tools can be used in the following [Supported scenarios for HANA Large Instances](../virtual-machines/workloads/sap/hana-supported-scenario.md) and [SAP HANA with Azure NetApp Files](../virtual-machines/workloads/sap/hana-vm-operations-netapp.md).

+## Snapshot Support Matrix from SAP

+The following matrix is provided as a guideline on which versions of SAP HANA are supported by SAP for Storage Snapshot Backups.

+

+| Database type | Minimum database versions | Notes |

+|||--|

+| Single Container Database | 1.0 SPS 12, 2.0 SPS 00 | |

+| MDC Single Tenant | [2.0 SPS 01](https://help.sap.com/docs/SAP_HANA_PLATFORM/42668af650f84f9384a3337bcd373692/2194a981ea9e48f4ba0ad838abd2fb1c.html?version=2.0.01&locale=en-US) | or later versions where MDC Single Tenant supported by SAP for storage/data snapshots.* |

+| MDC Multiple Tenants | [2.0 SPS 04](https://help.sap.com/docs/SAP_HANA_PLATFORM/42668af650f84f9384a3337bcd373692/7910eb4a498246b1b0435a4e9bf938d1.html?version=2.0.04&locale=en-US) | or later where MDC Multiple Tenants supported by SAP for data snapshots. |

+> \* [SAP changed terminology from Storage Snapshots to Data Snapshots from 2.0 SPS 02](https://help.sap.com/docs/SAP_HANA_PLATFORM/42668af650f84f9384a3337bcd373692/7f203cf75ae4445d96ad0012c67c0480.html?version=2.0.02&locale=en-US)

+**Additional SAP deployment considerations:**

+- When setting up the HANA user for backup, you need to set up the user for each HANA instance. Create an SAP HANA user account to access HANA instance under the SYSTEMDB (and not in the tenant database).

+- Automated log deletion is managed with the `--trim` option of the `azacsnap -c backup` for SAP HANA 2 and later releases.

+> [!IMPORTANT]

+> The snapshot tools only interact with the node of the SAP HANA system specified in the configuration file. If this node becomes unavailable, there's no mechanism to automatically start communicating with another node.

+ - For an **SAP HANA Scale-Out with Standby** scenario it's typical to install and configure the snapshot tools on the primary node. But, if the primary node becomes

+ unavailable, the standby node will take over the primary node role. In this case, the implementation team should configure the snapshot tools on both

+ nodes (Primary and Stand-By) to avoid any missed snapshots. In the normal state, the primary node will take HANA snapshots initiated by crontab. If the primary

+ node fails over those snapshots will have to be executed from another node, such as the new primary node (former standby). To achieve this outcome, the standby

+ node would need the snapshot tool installed, storage communication enabled, hdbuserstore configured, `azacsnap.json` configured, and crontab commands staged

+ in advance of the failover.

+ - For an **SAP HANA HSR HA** scenario, it's recommended to install, configure, and schedule the snapshot tools on both (Primary and Secondary) nodes. Then, if

+ the Primary node becomes unavailable, the Secondary node will take over with snapshots being taken on the Secondary. In the normal state, the Primary node

+ will take HANA snapshots initiated by crontab. The Secondary node would attempt to take snapshots but fail as the Primary is functioning correctly. But,

+ after Primary node failover, those snapshots will be executed from the Secondary node. To achieve this outcome, the Secondary node needs the snapshot tool

+ installed, storage communication enabled, `hdbuserstore` configured, `azacsnap.json` configured, and crontab enabled in advance of the failover.

+ > See the technical article on [Protecting HANA databases configured with HSR on Azure NetApp Files with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/manual-recovery-guide-for-sap-oracle-19c-on-azure-vms-from-azure/ba-p/3242408)

+The preview features provided with AzAcSnap 10 are:

+- Microsoft SQL Server

+> Previews are provided "as is," "with all faults," and "as available," and are excluded from the service-level agreements and may not be covered by customer support.

+> Previews are subject to the supplemental terms of use for Microsoft Azure Previews found at https://azure.microsoft.com/support/legal/preview-supplemental-terms/

+## Using AzAcSnap preview features

+AzAcSnap preview features are offered together with generally available features. Using the preview features requires the use of the `--preview` command-line option. To set up and install AzAcSnap, see [Get started with the Azure Application Consistent Snapshot tool](azacsnap-get-started.md).

+## Microsoft SQL Server

+### Supported platforms and operating systems

+> [!NOTE]

+> Support for Microsoft SQL Server is Preview feature.

+> This section's content supplements [What is Azure Application Consistent Snapshot tool](azacsnap-introduction.md) page.

+New database platforms and operating systems supported with this preview release.

+- **Databases**

+ - Microsoft SQL Server 2022 (or later) on Windows Server 2019 (or later) only is in preview.

+### Enable communication with database

+> [!NOTE]

+> Support for Microsoft SQL Server is Preview feature.

+> This section's content supplements [Install Azure Application Consistent Snapshot tool](azacsnap-installation.md) page.

+This section explains how to enable communication with the database. Ensure the database you're using is correctly selected from the tabs.

+# [Microsoft SQL Server](#tab/mssql)

+The snapshot tools issue commands to the Microsoft SQL Server database directly to enable and disable backup mode.

+AzAcSnap connects directly to Microsoft SQL Server using the provided connect-string to issue SQL commands, such as `ALTER SERVER CONFIGURATION SET SUSPEND_FOR_SNAPSHOT_BACKUP = ON` or `ALTER SERVER CONFIGURATION SET SUSPEND_FOR_SNAPSHOT_BACKUP = OFF`. The connect-string will determine if the installation is on the database server or a centralized "backup" server. Typical installations of AzAcSnap would be onto the database server to ensure features such as flushing file buffers can work as expected. If AzAcSnap has been installed onto the database server, then be sure the user running azacsnap has the required permissions.

+##### `azacsnap` user permissions

+Refer to [Get started with Azure Application Consistent Snapshot tool](azacsnap-get-started.md)

+The `azacsnap` user should have permissions to put Microsoft SQL Server into backup mode, and have permissions to flush I/O buffers to the volumes configured.

+Configure (`.\azacsnap.exe -c configure`) with the correct values for Microsoft SQL Server and test (`.\azacsnap.exe -c test --test mssql`) azacsnap database connectivity.

+Run the `azacsnap` test command

+```shell

+.\azacsnap.exe -c test --test mssql

+```

+```output

+BEGIN : Test process started for 'mssql'

+BEGIN : Database tests

+PASSED: Successful connectivity to MSSQL version 16.00.1115

+END : Test process complete for 'mssql'

+```

+### Configuring the database

+This section explains how to configure the data base.

+# [Microsoft SQL Server](#tab/mssql)

+No special database configuration is required for Microsoft SQL Server as we are using the User's local operating system environment.

+### Configuring AzAcSnap

+This section explains how to configure AzAcSnap for the specified database.

+> [!NOTE]

+> Support for Microsoft SQL Server is Preview feature.

+> This section's content supplements [Configure Azure Application Consistent Snapshot tool](azacsnap-cmd-ref-configure.md) website page.

+### Details of required values

+The following sections provide detailed guidance on the various values required for the configuration file.

+# [Microsoft SQL Server](#tab/mssql)

+#### Microsoft SQL Server Database values for configuration

+When adding a Microsoft SQL Server database to the configuration, the following values are required:

+- **connectionString** = The Connection String used to connect to the database. For a typical AzAcSnap installation on to the system running Microsoft SQL Server where the Database Instance is MSSQL2022 the connection string = "Trusted_Connection=True;Persist Security Info=True;Data Source=MSSQL2022;TrustServerCertificate=true".

+- **instanceName** = The database instance name.

+- **metaDataFileLocation** = The location where Microsoft SQL Server will write out the backup meta-data file (for example, "C:\\MSSQL_BKP\\").

+AzAcSnap can take application-consistent database snapshots when you deploy it on this type of architecture (that is, a virtual machine [VM] with managed disks). But the setup for this platform is slightly more complicated because in this scenario AzAcSnap takes an additional step to try and flush all I/O buffers and ensure they are written out to persistent storage. On Linux AzAcSnap will call the `sync` command to flush file buffers, on Windows it uses the kernel call to FlushFileBuffers, before it takes a snapshot of the managed disks in the mounted logical volumes.

+> AzAcSnap will need appropriate operating system permissions for the volume so it can perform the flush.

+1. Enable communication in the same way as for Azure NetApp Files in the [AzAcSnap installation](azacsnap-configure-storage.md?tabs=azure-netapp-files#enable-communication-with-storage).

+ "storage": [

+ "dataVolumes": [

+ "aliStorageResources": [

+ "authFile": ""

+ "authFile": ""

+ ]

+ }

+## May-2024

+### AzAcSnap 10 (Build: 1B55F1*)

+AzAcSnap 10 is being released with the following fixes and improvements:

+- Features added to [Preview](azacsnap-preview.md):

+ - **Microsoft SQL Server** support adding options to configure, test, and snapshot backup Microsoft SQL Server in an application consistent manner.

+- Features moved to GA (generally available):

+ - **Windows** support with AzAcSnap now able to be run on supported Linux distributions and Windows.

+ - New configuration file layout.

+ - To upgrade pre-AzAcSnap 10 configurations use the `azacsnap -c configure --configuration new` command to create a new configuration file and use the values in your existing configuration file.

+ - Azure Large Instance storage management via REST API over HTTPS.

+ - This allows the use of Consistency Group snapshots on supported Azure Large Instance storage.

+- Fixes and Improvements:

+ - New `--flush` option which will flush in memory file buffers for local storage, useful for Azure Large Instance and Azure Managed Disk when connected as block storage.

+ - Logging improvements.

+- Features removed:

+ - AzAcSnap installer for Linux.

+ - AzAcSnap is now downloadable as a binary for supported versions of Linux and Windows. This simplifies access to the AzAcSnap program allowing you to get started quickly.

+ - Azure Large Instance storage management via CLI over SSH.

+ - CLI over SSH replaced with the REST API over HTTPS.

+Download the binary of [AzAcSnap 10 for Linux](https://aka.ms/azacsnap-10-linux) or [AzAcSnap 10 for Windows](https://aka.ms/azacsnap-10-windows).

+ - [System Managed Identity](azacsnap-configure-storage.md#azure-system-managed-identity) support for easier setup while improving security posture.

+- Removed the need to add the AZACSNAP user into the SAP HANA Tenant DBs, see the [Enable communication with database](azacsnap-configure-database.md#enable-communication-with-the-database) section.

+> For more information on generating a new Service Principal, refer to the section [Enable communication with Storage](azacsnap-configure-storage.md?tabs=azure-netapp-files#enable-communication-with-storage) in the [Install Azure Application Consistent Snapshot tool](azacsnap-installation.md) guide.

+If running `azacsnap` presents an error such as `* 258: insufficient privilege`, check that the user has the appropriate AZACSNAP database user privileges set up per the [installation guide](azacsnap-configure-database.md#enable-communication-with-the-database). Verify the user's privileges with the following command:

+If a volume CRUD operation is performed on a volume that is not in a terminal state, then the operation will fail. Automation workflows and portal users should check for the terminal state of the volume before executing another asynchronous operation on the volume.

+This example shows you how to configure a system-assigned managed identity on an App Service by using the Azure portal:

+1. Access your app's settings in the [Azure portal](https://portal.azure.com) under the **Settings** group in the left navigation pane.

+

+1. Select **Identity**.

+1. Within the **System assigned** tab, switch **Status** to **On**. Click **Save**.

+ 

+To learn more how to configure managed identities in other ways for Azure App Service and Azure Functions, see [How to use managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md).

+To learn more about configuring managed identities on an Azure VM, see [Configure managed identities on Azure virtual machines (VMs)](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)

+### NegotiateThrottled

+When there are too many client negotiate requests at the **same** time, it may get throttled. The limit relates to the unit counts that more units has a higher limit. Besides, we suggest having a random delay before reconnecting, check [here](#restart_connection) for retry samples.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ Title: Admin UI

+description: This article explains how to use Admin UI when you're using Web PubSub for Socket.IO.

+keywords: Socket.IO, Socket.IO on Azure, multi-node Socket.IO, scaling Socket.IO, Socket.IO logging, Socket.IO debugging, socketio, azure socketio

+# Azure Socket.IO Admin UI

+[Socket.IO Admin UI](https://socket.io/docs/v4/admin-ui/) is a website tool developed by Socket.IO official team and it can be used to have an overview of the state of your Socket.IO deployment. See how it works and explore its advanced usage in [Socket.IO Admin UI Doc](https://socket.io/docs/v4/admin-ui/).

+[Azure Socket.IO Admin UI](https://github.com/Azure/azure-webpubsub/tree/main/tools/azure-socketio-admin-ui) is a customized version of it for Azure Socket.IO.

+## Deploy the website

+Azure Socket.IO Admin UI doesn't have a hosted version so far. Users should host the website by themselves.

+The static website files could be either downloaded from release or built from source code:

+### Download the released version

+1. Download the released zip file such as `azure-socketio-admin-ui-0.1.0.zip` from [release page](https://github.com/Azure/azure-webpubsub/releases)

+2. Extract the zip file

+### Build from source code

+1. Clone the repository

+ ```bash

+ git clone https://github.com/Azure/azure-webpubsub.git

+ ```

+2. Build the project

+ ```bash

+ cd tools/azure-socketio-admin-ui

+ yarn install

+ yarn build

+ ```

+3. Host the static files using any HTTP server. Let's use [a tiny static HTTP server](https://www.npmjs.com/package/http-server) as an example:

+ ```bash

+ cd dist

+ npm install -g http-server

+ http-server

+ ```

+ The http server is hosted on port 8080 by default.

+4. Visit `http://localhost:8080` in browser

+## Update server-side code

+1. install the `@socket.io/admin-ui` package:

+ ```bash

+ npm i @socket.io/admin-ui

+ ```

+2. Invoke the instrument method on your Socket.IO server:

+ ```javascript

+ const azure = require("@azure/web-pubsub-socket.io");

+ const { Server } = require("socket.io");

+ const { instrument } = require("@socket.io/admin-ui");

+ const httpServer = require('http').createServer(app);

+ const wpsOptions = {

+ hub: "eio_hub",

+ connectionString: process.argv[2] || process.env.WebPubSubConnectionString

+ };

+ const io = await new Server(httpServer).useAzureSocketIO(wpsOptions);

+ instrument(io, { auth: false, mode: "development" });

+ // Note: The next three lines are necessary to make the development mode work

+ Namespace.prototype["fetchSockets"] = async function() {

+ return this.local.fetchSockets();

+ };

+ httpServer.listen(3000);

+ ```

+## Open Admin UI website

+1. Visit `http://localhost:8080` in browser.

+2. You should see the following modal:

+3. Fill in your service endpoint and hub name.

+## Assign network access settings during restore

+>This feature is generally available for backed-up VMs that use private endpoint-enabled disks.

+>[!Note]

+>The option to choose the network configuration of the restored disks the same as that of the source disks or specify the access from specific networks only is currently not available from Azure PowerShell/ Azure CLI.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+- July 2024

+ - [Backup and restore of virtual machines with private endpoint enabled disks is now Generally Available](#backup-and-restore-of-virtual-machines-with-private-endpoint-enabled-disks-is-now-generally-available)

+## Backup and restore of virtual machines with private endpoint enabled disks is now Generally Available

+Azure Backup now allows you to back up the Azure Virtual Machines that use disks with private endpoints (disk access). This support is extended for Virtual Machines that are backed up using Enhanced backup policies, along with the existing support for those that were backed up using Standard backup policies. While initiating the restore operation, you can specify the network access settings required for the restored disks. You can choose to keep the network configuration of the restored disks the same as that of the source disks, specify the access from specific networks only, or allow public access from all networks.

+

+For more information, see [Assign network access settings during restore](backup-azure-arm-restore-vms.md#assign-network-access-settings-during-restore).

+## June 2024 Guest OS

+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

+| | | | | |

+| Rel 24-06 | 5039217 | Latest Cumulative Update(LCU) | [6.72] | Jun 11, 2024 |

+| Rel 24-06 | 5039227 | Latest Cumulative Update(LCU) | [7.42] | Jun 11, 2024 |

+| Rel 24-06 | 5039214 | Latest Cumulative Update(LCU) | [5.96] | Jun 11, 2024 |

+| Rel 24-06 | 5036626 | .NET Framework 3.5 Security and Quality Rollup | [2.152] | May 14, 2024 |

+| Rel 24-06 | 5036607 | .NET Framework 4.7.2 Cumulative Update LKG | [2.152] | Apr 9, 2024 |

+| Rel 24-06 | 5036627 | .NET Framework 3.5 Security and Quality Rollup LKG |[4.132] | May 14, 2024 |

+| Rel 24-06 | 5036606 | .NET Framework 4.7.2 Cumulative Update LKG |[4.132] | Apr 9, 2024 |

+| Rel 24-06 | 5036624 | .NET Framework 3.5 Security and Quality Rollup LKG | [3.140] | May 14, 2024 |

+| Rel 24-06 | 5036605 | .NET Framework 4.7.2 Cumulative Update LKG | [3.140] | Apr 9, 2024 |

+| Rel 24-06 | 5036604 | . NET Framework Dot Net | [6.72] | Apr 9, 2024 |

+| Rel 24-06 | 5036613 | .NET Framework 4.8 Security and Quality Rollup LKG | [7.42] | Apr 9, 2024 |

+| Rel 24-06 | 5039289 | Monthly Rollup | [2.152] | Jun 11, 2024 |

+| Rel 24-06 | 5039260 | Monthly Rollup | [3.140] | Jun 11, 2024 |

+| Rel 24-06 | 5039294 | Monthly Rollup | [4.132] | Jun 11, 2024 |

+| Rel 24-06 | 5039342 | Servicing Stack Update | [3.140] | Jun 11, 2024 |

+| Rel 24-06 | 5039340 | Servicing Stack Update | [4.132] | Jun 11, 2024 |

+| Rel 24-06 | 5039334 | Servicing Stack Update | [5.96] | Jun 11, 2024 |

+| Rel 24-06 | 5039339 | Servicing Stack Update LKG | [2.152] | Jun 11, 2024 |

+| Rel 24-06 | 5039335 | Servicing Stack Update | [7.42] | Jun 11, 2024 |

+| Rel 24-06 | 5039343 | Servicing Stack Update | [6.72] | Jun 11, 2024 |

+| Rel 24-06 | 4494175 | January '20 Microcode | [5.96] | Sep 1, 2020 |

+| Rel 24-06 | 4494175 | January '20 Microcode | [6.72] | Sep 1, 2020 |

+[5039217]: https://support.microsoft.com/kb/5039217

+[5039227]: https://support.microsoft.com/kb/5039227

+[5039214]: https://support.microsoft.com/kb/5039214

+[5036626]: https://support.microsoft.com/kb/5036626

+[5036607]: https://support.microsoft.com/kb/5036607

+[5036627]: https://support.microsoft.com/kb/5036627

+[5036606]: https://support.microsoft.com/kb/5036606

+[5036624]: https://support.microsoft.com/kb/5036624

+[5036605]: https://support.microsoft.com/kb/5036605

+[5036604]: https://support.microsoft.com/kb/5036604

+[5036613]: https://support.microsoft.com/kb/5036613

+[5039289]: https://support.microsoft.com/kb/5039289

+[5039260]: https://support.microsoft.com/kb/5039260

+[5039294]: https://support.microsoft.com/kb/5039294

+[5039342]: https://support.microsoft.com/kb/5039342

+[5039340]: https://support.microsoft.com/kb/5039340

+[5039334]: https://support.microsoft.com/kb/5039334

+[5039339]: https://support.microsoft.com/kb/5039339

+[5037960]: https://support.microsoft.com/kb/5037960

+[5039335]: https://support.microsoft.com/kb/5039335

+[4494175]: https://support.microsoft.com/kb/4494175

+[2.152]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.140]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.132]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.96]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.72]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.42]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+Before acquiring a phone number, make sure your subscription meets the [geographic and subscription](./telephony/plan-solution.md) requirements. Otherwise, you can't purchase a phone number. The following limitations apply to purchasing numbers through the [Phone Numbers SDK](./reference.md) and the [Azure portal](https://portal.azure.com/).

+You can send a limited number of email messages. If you exceed the following limits for your subscription, your requests are rejected. You can attempt these requests again, after the Retry-After time passes. Take action before reaching the limit by requesting to raise your sending volume limits if needed.

+### Send attachments larger than 10 MB

+To email file attachments up to 30 MB, complete a [support request](../support.md).

+If you need to send email file attachments larger than 30 MB, you can use this alternative solution. Store the files in an Azure Blob Storage account and include a link to the files in your email. You can secure the files with a Shared Access Signature (SAS). SAS provides secure delegated access to resources in your storage account. By using SAS, you have granular control over how clients can access your data.

+

+Benefits of using an Azure Blob Storage account:

+ - You can handle large scale files.

+ - You can use SAS keys to precisely manage file access.

+For more information, see:

+ - [Introduction to Azure Blob Storage](/azure/storage/blobs/storage-blobs-introduction)

+ - [Grant limited access to Azure Storage resources using shared access signatures (SAS)](/azure/storage/common/storage-sas-overview)

+To increase your email quota, follow the instructions at [Quota increase for email domains](./email/email-quota-increase.md).

+| | | | |

+| Create chat thread | per User | 10 | - |

+| Delete chat thread | per User | 10 | - |

+| Update chat thread | per Chat thread | 5 | - |

+| Add participants / remove participants | per Chat thread | 10 | 30 |

+| Get chat thread / List chat threads | per User | 50 | - |

+| Get chat message | per User per chat thread | 50 | - |

+| Get chat message | per Chat thread | 250 | - |

+| List chat messages | per User per chat thread | 50 | 200 |

+| List chat messages | per Chat thread | 250 | 400 |

+| Get read receipts (20 participant limit\*) | per User per chat thread | 5 | - |

+| Get read receipts (20 participant limit\*) | per Chat thread | 100 | - |

+| List chat thread participants | per User per chat thread | 10 | - |

+| List chat thread participants | per Chat thread | 250 | - |

+| Send message / update message / delete message | per Chat thread | 10 | 30 |

+| Send read receipt | per User per chat thread | 10 | 30 |

+| Send typing indicator | per User per chat thread | 5 | 15 |

+| Send typing indicator | per Chat thread | 10 | 30 |

+> \* Read receipts and typing indicators are not supported on chat threads with more than 20 participants.

+| **Name** | **Scope** | Limit |

+| | | |

+| Default number of outbound* concurrent calls | per Number | 2 |

+> [!NOTE]

+> \* No limits on inbound concurrent calls. You can also [submit a request to Azure Support](../../azure-portal/supportability/how-to-create-azure-support-request.md) to increase the outbound concurrent calls limit, which is reviewed by our vetting team.

+| **Name** | Limit |

+| | |

+| Number of participants | 350 |

+| Limit | Web | Windows/Android/iOS |

+| | | |

+| **Maximum # of outgoing local streams that you can send simultaneously** | one video or one screen sharing | one video + one screen sharing |

+| **Maximum # of incoming remote streams that you can render simultaneously** | nine videos + one screen sharing | nine videos + one screen sharing |

+The Calling SDK doesn't enforce these limits, but your users might experience performance degradation if you exceed these limits.

+For more information about the voice and video calling SDK and service, see the [calling SDK overview](./voice-video-calling/calling-sdk-features.md) page or [known issues](./known-issues.md). You can also [submit a request to Azure Support](../../azure-portal/supportability/how-to-create-azure-support-request.md) to increase some of the limits, pending review by our vetting team.

+When sending or receiving a high volume of requests, you might receive a ```ThrottleLimitExceededException``` error. This error indicates you're hitting the service limitations, and your requests fail until the token of bucket to handle requests is replenished after a certain time.

+When you implement error handling, use the HTTP error code 429 to detect throttling. The failed response includes the `Retry-After` response header. Backing off requests using the `Retry-After` delay is the fastest way to recover from throttling because Microsoft Graph continues to log resource usage while a client is being throttled.

+See the [help and support](../support.md) options.

+Toll-free numbers aren't capable of sending or receiving messages to/from countries/regions outside of US, CA, and PR.

+Short codes are domestic numbers and aren't capable of sending or receiving messages to/from outside of the country/region it was registered for. *Example: US short code can only send and receive messages to/from US recipients.*

+In the United States, Azure Communication Services doesn't check for landline numbers and attempts to send it to carriers for delivery. Customers are charged for messages sent to landline numbers.

+The 202 returned by the service means that your message was queued to be sent and not delivered. Use this [quickstart](../../quickstarts/sms/handle-sms-events.md) to subscribe to delivery report events and troubleshoot. Once the events are configured, inspect the "deliveryStatus" field of your delivery report to verify delivery success/failure.

+Shortened URLs are a good way to keep messages short and readable. However, US carriers prohibit the use of free publicly available URL shortener services. This is because the ΓÇÿfree-publicΓÇÖ URL shorteners are used by bad-actors to evade detection and get their SPAM messages passed through text messaging platforms. When sending messages in the US, we encourage using custom URL shorteners to create URLs with dedicated domain that belongs to your brand. Many US carriers block SMS traffic if they contain publicly available URL shorteners.

+Following is a list with examples of common URL shorteners you should avoid to maximize deliverability:

+Opt-outs for US toll-free numbers are mandated and enforced by US carriers and can't be overridden.

+- Azure Communication Services detects STOP messages and blocks all further messages to the recipient. The delivery report indicates a failed delivery with the status message as ΓÇ£Sender blocked for given recipient.ΓÇ¥

+- The STOP, UNSTOP, and START messages are relayed back to you. Azure Communication Services encourages you to monitor and implement these opt-outs to ensure that no further message-send attempts are made to recipients who opted out of your communications.

+### How does Azure Communication Services handle opt-outs for short codes in United States?

+Azure communication service offers an opt-out management service for short codes in US that allows customers to configure responses to mandatory keywords STOP/START/HELP. Before you provision your short code, you're asked for your preference to manage opt-outs. If you opt in, the opt-out management service automatically uses your responses in the program brief for Opt in/ Opt out/ Help keywords in response to STOP/START/HELP keyword.

+Alphanumeric sender ID isn't capable of receiving inbound messages or STOP messages. Azure Communication Services doesn't enforce or manage opt-out lists for alphanumeric sender ID. You must provide customers with instructions to opt out using other channels such as, calling support, providing an opt-out link in the message, or emailing support. See [messaging policy guidelines](./messaging-policy.md#how-we-handle-opt-out-requests-for-sms) for further details.

+### How does Azure Communication Services handle opt outs for short codes in Canada and United Kingdom?

+Azure Communication Services doesn't control or implement opt-out mechanisms for short codes within Canada and the United Kingdom. Recipients of text messages have the option to text ΓÇÿSTOPΓÇÖ to unsubscribe or ΓÇÿSTARTΓÇÖ to subscribe to the short code. These requests are relayed as incoming messages to your event grid. It is your responsibility to act on these messages by resubscribing recipients or ceasing message delivery accordingly.

+Short Code availability is currently restricted to paid Azure subscriptions that have a billing address in the United States. Short Codes can't be acquired on trial accounts or using Azure free credits. For more details, check out our [subscription eligibility page](../numbers/sub-eligibility-number-capability.md).

+Azure Communication Services toll-free numbers are enabled to receive messages from short codes. However, short codes aren't typically enabled to send messages to toll-free numbers. If your messages from short codes to Azure Communication Services toll-free numbers are failing, check with your short code provider if the short code is enabled to send messages to toll-free numbers.

+Short codes don't fall under E.164 formatting guidelines and don't have a country code, or a "+" sign prefix. In the SMS API request, your short code should be passed as the 5-6 digit number you see in your short codes page without any prefix.

+After you submit the short code program brief application in the Azure portal, the service desk works with the aggregators to get your application approved by each wireless carrier. This process generally takes 8-12 weeks. All updates and the status changes for your applications are communicated via the email you provide in the application. For more questions about your submitted application, email acstnrequest@microsoft.com.

+The use of alphanumeric sender ID doesn't require purchase of any phone number. Alphanumeric sender ID can be enabled through the Azure portal. See [enable alphanumeric sender ID quickstart](../../quickstarts/sms/enable-alphanumeric-sender-id.md) for instructions.

+Alphanumeric sender ID replacement with a number may occur when a certain wireless carrier doesn't support alphanumeric sender ID. This is done to ensure high delivery rate.

+After submission of the form, we'll coordinate with our downstream peer to get the application verified by the toll-free messaging aggregator. While we are reviewing your application, we may reach out to you for more information.

+Updates for changes and the status of your applications are communicated via the regulatory blade in Azure portal.

+The better the quality of your application, the greater the likelihood of it being approved.

+Pointers to ensure you're submitting a high-quality application:

+- The use case isn't listed on our [Ineligible Use Case](#what-are-the-ineligible-use-cases-for-toll-free-verification) list

+### Can I send/receive long messages (>2,048 chars)?

+US and CA carriers charge an added fee for SMS messages sent and/or received from toll-free numbers and short codes. The carrier surcharge is calculated based on the destination of the message for sent messages and based on the sender of the message for received messages. Azure Communication Services charges a standard carrier fee per message segment. Carrier fees are subject to change by mobile carriers. For more information, see [SMS pricing](../sms-pricing.md).

+As with similar Azure services, customers are notified at least 30 days before the implementation of any price changes. These charges are reflected on our SMS pricing page along with the effective dates.

+Azure Communication Services doesn't support text-to-911 functionality in the United States, but itΓÇÖs possible that you may have an obligation to do so under the rules of the Federal Communications Commission (FCC). You should assess whether the FCCΓÇÖs text-to-911 rules apply to your service or application. To the extent you're covered by these rules, you're responsible for routing 911 text messages to emergency call centers that request them. You're free to determine your own text-to-911 delivery model, but one approach accepted by the FCC involves automatically launching the native dialer on the userΓÇÖs mobile device to deliver 911 texts through the underlying mobile carrier.

+To utilize a new toll-free number for sending SMS messages, it is mandatory to undergo a toll-free verification process. For guidance on how to complete the verification of your toll-free number, please refer to the [Quickstart for submitting a toll-free verification](./apply-for-toll-free-verification.md). Note that only toll-free numbers that have been fully verified are authorized to send out SMS traffic. Any SMS traffic from unverified toll-free numbers directed to US and CA phone numbers will be blocked.

+ <script src="./main.js"></script>

+const { CallClient, Features } = require('@azure/communication-calling');

+const { AzureCommunicationTokenCredential } = require('@azure/communication-common');

+const { AzureLogger, setLogLevel } = require("@azure/logger");

+ placeInteropGroupCallButton.disabled = false;

+ microsoftTeamsUserId: `${participantId}`

+npx webpack serve --config webpack.config.js

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+In the Azure portal, state is shown in various locations. All state values are accessible via the JSON definition of the resource. This value can be found under Essentials in the Overview blade, shown in the following image.

+- **Running**: The container group is running and continues to run until a user action or a stop caused by the restart policy occurs.

+- **Stopped**: The container group is stopped and won't run without user action.

+- **Succeeded**: The container group ran to completion successfully. Only applicable for *Never* and *On Failure* restart policies.

+- **Failed**: The container group failed to run to completion. Only applicable with a *Never* restart policy. This state indicates either an infrastructure failure (example: incorrect Azure file share credentials) or user application failure (example: application references an environment variable that doesn't exist).

+There are two state values for containers- a current state and a previous state. In the Azure portal, shown in the following image, only current state is displayed. All state values are applicable for any given container regardless of the container group's restart policy.

+- **Terminated**: The container terminated, accompanied with an exit code value.

+In addition to the JSON view, provisioning state can also be found in the [response body of the HTTP call](/rest/api/container-instances/2022-09-01/container-groups/create-or-update#response).

+ Title: Distance functions

+description: Distance functions overview.

+# What are distance functions?

+Distance functions are mathematical formulas used to measure the similarity or dissimilarity between vectors (see [vector search](vector-search-overview.md)). Common examples include Manhattan distance, Euclidean distance, cosine similarity, and dot product. These measurements are crucial for determining how closely related two pieces of data.

+## Manhattan distance

+This measures the distance between two points by adding up the absolute differences of their coordinates. Imagine walking in a grid-like city, such as many neighborhoods in Manhattan; it is the total number of blocks you walk north-south and east-west.

+## Euclidean distance

+Euclidean distance measures the straight-line distance between two points. It is named after the ancient Greek mathematician Euclid, who is often referred to as the ΓÇ£father of geometryΓÇ¥.

+## Cosine similarity

+Cosine similarity measures the cosine of the angle between two vectors projected in a multidimensional space. Two documents may be far apart by Euclidean distance because of document sizes, but they could still have a smaller angle between them and therefore high cosine similarity.

+## Dot product

+Two vectors are multiplied to return a single number. It combines the two vectors' magnitudes, as well as the cosine of the angle between them, showing how much one vector goes in the direction of another.

+## Related content

+- [VectorDistance system function](../nosql/query/vectordistance.md) in Azure Cosmos DB NoSQL

+- [What is a vector database?](../vector-database.md)

+- [Vector database in Azure Cosmos DB NoSQL](../nosql/vector-search.md)

+- [Vector database in Azure Cosmos DB for MongoDB](../mongodb/vcore/vector-search.md)

+- [What is vector search?](vector-search-overview.md)

+- LLM [tokens](tokens.md)

+- Vector [embeddings](vector-embeddings.md)

+- [kNN vs ANN vector search algorithms](knn-vs-ann.md)

+ Title: kNN vs ANN

+description: Explanation and comparison of kNN and ANN algorithms.

+# kNN vs ANN

+Two popular vector search algorithms are k-Nearest Neighbors (kNN) and Approximate Nearest Neighbors (ANN, not to be confused with Artificial Neural Network). kNN is precise but computationally intensive, making it less suitable for large datasets. ANN, on the other hand, offers a balance between accuracy and efficiency, making it better suited for large-scale applications.

+## How kNN works

+1. Vectorization: Each data point in the dataset is represented as a vector in a multi-dimensional space.

+2. Distance Calculation: To classify a new data point (query point), the algorithm calculates the distance between the query point and all other points in the dataset using a [distance function](distance-functions.md).

+3. Finding Neighbors: The algorithm identifies the k closest data points (neighbors) to the query point based on the calculated distances. The value of k (the number of neighbors) is crucial. A small k can be sensitive to noise, while a large k can smooth out details.

+4. Making Predictions:

+ - Classification: For classification tasks, kNN assigns the class label to the query point that is most common among the k neighbors. Essentially, it performs a "majority vote."

+ - Regression: For regression tasks, kNN predicts the value for the query point as the average (or sometimes weighted average) of the values of the k neighbors.

+## How ANN works

+1. Vectorization: Each data point in the dataset is represented as a vector in a multi-dimensional space.

+2. Indexing and Data Structures: ANN algorithms use advanced data structures (e.g., KD-trees, locality-sensitive hashing, or graph-based methods) to index the data points, allowing for faster searches.

+3. Distance Calculation: Instead of calculating the exact distance to every point, ANN algorithms use heuristics to quickly identify regions of the space that are likely to contain the nearest neighbors.

+4. Finding Neighbors: The algorithm identifies a set of data points that are likely to be close to the query point. These neighbors are not guaranteed to be the exact closest points but are close enough for practical purposes.

+4. Making Predictions:

+ - Classification: For classification tasks, ANN assigns the class label to the query point that is most common among the identified neighbors, similar to kNN.

+ - Regression: For regression tasks, ANN predicts the value for the query point as the average (or weighted average) of the values of the identified neighbors.

+## Related content

+- [What is a vector database?](../vector-database.md)

+- [Vector database in Azure Cosmos DB NoSQL](../nosql/vector-search.md)

+- [Vector database in Azure Cosmos DB for MongoDB](../mongodb/vcore/vector-search.md)

+- [What is vector search?](vector-search-overview.md)

+- LLM [tokens](tokens.md)

+- Vector [embeddings](vector-embeddings.md)

+- [Distance functions](distance-functions.md)

+ Title: LLM tokens

+description: Overview of tokens in large language models.

+# What are tokens?

+Tokens are small chunks of text generated by splitting the input text into smaller segments. These segments can either be words or groups of characters, varying in length from a single character to an entire word. For instance, the word hamburger would be divided into tokens such as ham, bur, and ger while a short and common word like pear would be considered a single token. LLMs like GPT-3.5 or GPT-4 break words into tokens for processing.

+## Related content

+- [What is a vector database?](../vector-database.md)

+- [Vector database in Azure Cosmos DB NoSQL](../nosql/vector-search.md)

+- [Vector database in Azure Cosmos DB for MongoDB](../mongodb/vcore/vector-search.md)

+- [What is vector search?](vector-search-overview.md)

+- Vector [embeddings](vector-embeddings.md)

+- [Distance functions](distance-functions.md)

+- [kNN vs ANN vector search algorithms](knn-vs-ann.md)

+ Title: Vector embeddings

+description: Vector embeddings overview.

+# What are vector embeddings?

+Vectors, also known as embeddings or vector embeddings, are mathematical representations of data in a high-dimensional space. They represent various types of information ΓÇö text, images, audio ΓÇö a format that machine learning models can process. When an AI model receives text input, it first tokenizes the text into tokens. Each token is then converted into its corresponding embedding. This conversion process can be done using an embedding generation model, such as [Azure OpenAI Embeddings](../../ai-services/openai/how-to/embeddings.md) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure). The model processes these embeddings through multiple layers, capturing complex patterns and relationships within the text. The output embeddings can then be converted back into tokens if needed, generating readable text.

+Each embedding is a vector of floating-point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar. These high-dimensional representations capture semantic meaning, making it easier to perform tasks like searching, clustering, and classifying.

+Here are two examples of texts represented as vectors:

+Image source: [OpenAI](https://openai.com/index/introducing-text-and-code-embeddings/)

+Each box containing floating-point numbers corresponds to a dimension, and each dimension corresponds to a feature or attribute that may or may not be comprehensible to humans. Large language model text embeddings typically have a few thousand dimensions, while more complex data models may have tens of thousands of dimensions.

+Between the two vectors in the above example, some dimensions are similar while other dimensions are different, which are due to the similarities and differences in the meaning of the two phrases.

+This image shows the spatial closeness of vectors that are similar, contrasting vectors that are drastically different:

+Image source: [OpenAI](https://openai.com/index/introducing-text-and-code-embeddings/)

+You can see more examples in this [interactive visualization](https://openai.com/index/introducing-text-and-code-embeddings/#_1Vr7cWWEATucFxVXbW465e) that transforms data into a three-dimensional space.

+## Related content

+- [What is a vector database?](../vector-database.md)

+- [Vector database in Azure Cosmos DB NoSQL](../nosql/vector-search.md)

+- [Vector database in Azure Cosmos DB for MongoDB](../mongodb/vcore/vector-search.md)

+- [What is vector search?](vector-search-overview.md)

+- LLM [tokens](tokens.md)

+- [Distance functions](distance-functions.md)

+- [kNN vs ANN vector search algorithms](knn-vs-ann.md)

+ Title: Vector search concept overview

+description: Vector search concept overview

+# What is vector search?

+Vector search is a method that helps you find similar items based on their data characteristics rather than by exact matches on a property field. This technique is useful in applications such as searching for similar text, finding related images, making recommendations, or even detecting anomalies. It works by taking the [vector embeddings](vector-embeddings.md) of your data and query, and then measuring the [distance](distance-functions.md) between the data vectors and your query vector. The data vectors that are closest to your query vector are the ones that are found to be most similar semantically.

+This [interactive visualization](https://openai.com/index/introducing-text-and-code-embeddings/#_1Vr7cWWEATucFxVXbW465e) shows some examples of closeness and distance between vectors.

+Two popular types of vector search algorithms are [k-nearest neighbors (kNN) and approximate nearest neighbor (ANN)](knn-vs-ann.md). Some well-known vector search algorithms belonging to these categories include Inverted File (IVF), Hierarchical Navigable Small World (HNSW), and the state-of-the-art DiskANN.

+Using an integrated vector search feature in a fully featured database ([as opposed to a pure vector database](../vector-database.md#integrated-vector-database-vs-pure-vector-database)) offers an efficient way to store, index, and search high-dimensional vector data directly alongside other application data. This approach removes the necessity of migrating your data to costlier alternative vector databases and provides a seamless integration of your AI-driven applications.

+## Related content

+- [What is a vector database?](../vector-database.md)

+- [Vector database in Azure Cosmos DB NoSQL](../nosql/vector-search.md)

+- [Vector database in Azure Cosmos DB for MongoDB](../mongodb/vcore/vector-search.md)

+- LLM [tokens](tokens.md)

+- Vector [embeddings](vector-embeddings.md)

+- [Distance functions](distance-functions.md)

+- [kNN vs ANN vector search algorithms](knn-vs-ann.md)

+The use of Azure Cosmos DB role-based access control within Data Explorer (either exposed in the Azure Portal or at [https://cosmos.azure.com](https://cosmos.azure.com)) is governed by the **Enable Entra ID RBAC** setting. You can access this setting via the "wheel" icon at the upper right-hand side of the Data Explorer interface.

+The setting has three possible values:

+- **Automatic (default)**: In this mode, role-based access control will be automatically used if the account has [disabled the use of keys](#disable-local-auth). Otherwise, Data Explorer will use account keys for data requests.

+- **True**: In this mode, role-based access will always be used for Data Explorer data requests. If the account has not been enabled for role-based access , then the requests will fail.

+- **False**: In this mode, account keys will always be used for Data Explorer data requests. If the account has disabled the use of keys, then the requests will fail.

+When using modes that enable role-based access in the Azure Portal Data Explorer, you must click on the **Login for Entra ID RBAC** button (located on the Data Explorer command bar) prior to making any data requests. This is not necessary when using the Cosmos Explorer at cosmos.azure.com. Please ensure that the signed in identity has been [assigned with proper role definitions](#role-assignments) to enable data access.

+Also note that changing the mode to one that uses account keys may trigger a request to fetch the primary key on behalf of the identity that is signed in.

+> [!NOTE]

+> Previously, role-based access was only supported in Cosmos Explorer using `https://cosmos.azure.com/?feature.enableAadDataPlane=true`. This is still supported and will override the value of the **Enable Entra ID RBAC** setting. Using this query parameter is equivalent to using the 'Automatic' mode mentioned above.

+- Integrations:

+ - [LangChain, Python](https://python.langchain.com/v0.2/docs/integrations/vectorstores/azure_cosmos_db_no_sql/)

+ - [Semantic Kernel, .NET](https://github.com/microsoft/semantic-kernel/tree/main/dotnet/src/Connectors/Connectors.Memory.AzureCosmosDBNoSQL)

+ - [Semantic Kernel, Python](https://github.com/microsoft/semantic-kernel/tree/main/python/semantic_kernel/connectors/memory/azure_cosmosdb_no_sql)

+If you have existing Azure subscriptions or other products such as Azure Marketplace and App source resources, you can move them from their existing invoice section to another invoice section to reorganize your costs. However, you can't change the invoice section for a reservation, savings plan, or seat-based subscriptions.

+## August 2023

+### Change Data Capture

+- Azure Synapse Analytics target availability in top-level CDC resource [Learn more](concepts-change-data-capture-resource.md#azure-synapse-analytics-as-target)

+- Snowflake connector in Mapping Data Flows support for Change Data Capture in public preview [Learn more](connector-snowflake.md?tabs=data-factory#mapping-data-flow-properties)

+### Data flow

+- Integer type available for pipeline variables [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/integer-type-available-for-pipeline-variables/ba-p/3902472)

+- Snowflake CDC source connector available in top-level CDC resource [Learn more](concepts-change-data-capture-resource.md)

+- Native UI support of parameterization for more linked services [Learn more](parameterize-linked-services.md?tabs=data-factory#supported-linked-service-types)

+### Data movement

+- Managed private endpoints support for Application Gateway and MySQL Flexible Server [Learn more](managed-virtual-network-private-endpoint.md#time-to-live)

+- Managed virtual network time-to-live (TTL) general availability [Learn more](managed-virtual-network-private-endpoint.md#time-to-live)

+### Integration runtime

+Self-hosted integration runtime now supports self-contained interactive authoring (Preview) [Learn more](create-self-hosted-integration-runtime.md?tabs=data-factory#self-contained-interactive-authoring-preview)

+## June 2024

+### Data movement

+The new ServiceNow connector provides improved native support in Copy and Lookup activities. [Learn more](connector-servicenow.md)

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ * **FastPath**: Leave this box unchecked. FastPath is a feature that improves data path performance between on-premises and Azure by bypassing the Azure VPN gateway for data traffic. For more information, see [FastPath](about-fastpath.md).

+> * Customers need to ensure their on-premises configuration, including router & firewall settings are correctly setup to ensure that packets for the IP 5-tuple transits via a single next hop (Microsoft Enterprise Edge router - MSEE) unless there is a maintenance event. If a customer's on-premises firewall or router configuration is causing the same IP 5-tuple to frequently switch next hops, then the customer will experience connectivity issues.

+ If you're using a dual stack virtual network and plan to use IPv6-based private peering over ExpressRoute, select **Add IPv6 address space** and enter **IPv6 address range** values.

+You can configure NAT rules, network rules, and applications rules on Azure Firewall using either classic rules or Firewall Policy. Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. The rules are terminating, so rule proceisng stops on a match.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+Attestations are used by Azure Policy to set compliance states of resources or scopes targeted by [manual policies](effect-manual.md). They also allow users to provide more metadata or link to evidence that accompanies the attested compliance state.

+> Attestations can be created and managed only through Azure Policy [Azure Resource Manager (ARM) API](/rest/api/policy/attestations), [PowerShell](/powershell/module/az.policyinsights) or [Azure CLI](/cli/azure/policy/attestation).

+Attestations can be used to set the compliance state of an individual resource for a given manual policy. Each applicable resource requires one attestation per manual policy assignment. For ease of management, manual policies should be designed to target the scope that defines the boundary of resources whose compliance state needs to be attested.

+For example, suppose an organization divides teams by resource group, and each team is required to attest to development of procedures for handling resources within that resource group. In this scenario, the conditions of the policy rule should specify that type equals `Microsoft.Resources/resourceGroups`. This way, one attestation is required for the resource group, rather than for each individual resource within. Similarly, if the organization divides teams by subscriptions, the policy rule should target `Microsoft.Resources/subscriptions`.

+Typically, the provided evidence should correspond with relevant scopes of the organizational structure. This pattern prevents the need to duplicate evidence across many attestations. Such duplications would make manual policies difficult to manage, and indicate that the policy definition targets the wrong resources.

+The following example creates a new attestation resource that sets the compliance state for a resource group targeted by a manual policy assignment:

+The following code is a sample attestation resource JSON object:

+ "policyAssignmentId": "/subscriptions/{subscriptionID}/providers/microsoft.authorization/policyassignments/{assignmentID}",

+ "policyDefinitionReferenceId": "{definitionReferenceID}",

+ "complianceState": "Compliant",

+ "expiresOn": "2023-07-14T00:00:00Z",

+ "owner": "{AADObjectID}",

+ "comments": "This subscription has passed a security audit. See attached details for evidence",

+ "evidence": [

+ {

+ "description": "The results of the security audit.",

+ "sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"

+ },

+ {

+ "description": "Description of the attached evidence document.",

+ "sourceUri": "https://contoso.blob.core.windows.net/contoso-container/contoso_file.docx"

+ },

+ ],

+ "assessmentDate": "2022-11-14T00:00:00Z",

+ "metadata": {

+ "departmentId": "{departmentID}"

+ }

+| Property | Description |

+| - | - |

+| `policyAssignmentId` | Required assignment ID for which the state is being set. |

+| `policyDefinitionReferenceId` | Optional definition reference ID, if within a policy initiative. |

+| `complianceState` | Desired state of the resources. Allowed values are `Compliant`, `NonCompliant`, and `Unknown`. |

+| `expiresOn` | Optional date on which the compliance state should revert from the attested compliance state to the default state. |

+| `owner` | Optional Microsoft Entra ID object ID of responsible party. |

+| `comments` | Optional description of why state is being set. |

+| `evidence` | Optional array of links to attestation evidence. |

+| `assessmentDate` | Date at which the evidence was assessed. |

+| `metadata` | Optional additional information about the attestation. |

+Because attestations are a separate resource from policy assignments, they have their own lifecycle. You can PUT, GET, and DELETE attestations using the Azure Resource Manager API. Attestations are removed if the related manual policy assignment or `policyDefinitionReferenceId` are deleted, or if a resource unique to the attestation is deleted. For more information, go to [Policy REST API Reference](/rest/api/policy) for more details.

+- [Azure Policy definitions effect basics](effect-basics.md).

+- [Azure Policy initiative definition structure](./initiative-definition-structure.md).

+- [Azure Policy samples](../samples/index.md).

+When a policy definition is assigned to a scope, Azure Policy determines which resources in that scope should be considered for compliance evaluation. A resource is only assessed for compliance if it's considered **applicable** to the given policy assignment.

+Several factors determine applicability:

+Conditions in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect.

+### ifNotExists policy effects

+| Scenario | Result |

+| - | - |

+| Any invalid aliases in the `if` conditions | The policy isn't applicable |

+| When the `if` conditions consist of only `kind` conditions | The policy is applicable to all resources |

+| When the `if` conditions consist of only `name` conditions | The policy is applicable to all resources |

+| When the `if` conditions consist of only `type` and `kind` conditions | Only `type` conditions are considered when deciding applicability |

+| When the `if` conditions consist of only `type` and `name` conditions | Only `type` conditions are considered when deciding applicability |

+| When the `if` conditions consist of `type`, `kind`, and other conditions | Both `type` and `kind` conditions are considered when deciding applicability |

+| When the `if` conditions consist of `type`, `name`, and other conditions | Both `type` and `name` conditions are considered when deciding applicability |

+| When any conditions (including deployment parameters) include a `location` condition | Isn't applicable to subscriptions |

+Policies with these resource provider modes are applicable if the `type` condition of the policy rule evaluates to true. The `type` refers to component type.

+- `Microsoft.KeyVault.Data/vaults/certificates`

+- `Microsoft.KeyVault.Data/vaults/keys`

+- `Microsoft.KeyVault.Data/vaults/secrets`

+Managed Hardware Security Module (HSM) component type:

+- `Microsoft.ManagedHSM.Data/managedHsms/keys`

+- `Microsoft.DataFactory.Data/factories/outboundTraffic`

+- `Microsoft.MachineLearningServices.v2.Data/workspaces/deployments`

+- `Microsoft.Network/virtualNetworks`

+> By design, Azure Policy does not evaluate resources under the `Microsoft.Resources` resource provider from policy evaluation, except for subscriptions and resource groups.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+Mistral-Large | [Microsoft Managed Countries](/partner-center/marketplace/tax-details-marketplace#microsoft-managed-countriesregions) <br> Brazil <br> Hong Kong <br> Israel| East US, East US 2, North Central US, South Central US, Sweden Central, West US, West US 3 | Not available

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+To further enhance security, when you create a compute instance on behalf of a data scientist and assign the instance to them, single sign on (SSO) will be disabled.

+The assigned to user needs to enable SSO on compute instance themselves after the compute is assigned to them by updating the SSO setting on the compute instance.

+ > The pay-as-you-go model deployment offering for eligible models in the Mistral family is only available in workspaces created in the **East US 2** and **Sweden Central** regions.

+1. Select the workspace in which you want to deploy your models. To use the pay-as-you-go model deployment offering, your workspace must belong to the **East US 2** or **Sweden Central** region.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+SHA256 | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+ Hyper-V (8.91 GB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191848) | 952e493a63a45f97ecdc0945807d504f4bd2f0f4f8248472b784c3e6bd25eb13

+ Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 07783A31D1E66BE963349B5553DC1F1E94C70AA149E11AC7D8914F4076480731

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+- [**Application delivery services**](#deliver): Deliver applications in the Azure network using any or a combination of these networking services in Azure - Azure Front Door Service, Traffic Manager, Application Gateway, Internet Analyzer, and Load Balancer.

+Chicago 311 service request call data covers

+- all open sanitation code complaints made to 311

+- all requests completed since January 1, 2011

+- historical sanitation code complaints

+- pot hole reports

+- street light issues

+The Department of Streets and Sanitation investigates and remedies reported violations of ChicagoΓÇÖs sanitation code. Residents can request service for overflowing dumpster and alley garbage violations, for example. The Chicago 311 service sometimes receives duplicate sanitation code complaints. Identified duplicate service requests are located in the same geographic area as a previous request, and were entered into the 311 Customer Service Request (CSR) system at about the same time. Duplicate complaints are labeled as such in the status field, as either "Open - Dup" or "Completed - Dup."

+The Chicago Department of Transportation (CDOT) oversees pothole repair for 4,000 miles of arterial and residential streets in Chicago. CDOT receives pothole reports through the 311 call center. CDOT uses a mapping and tracking system to identify pothole locations and schedule crews.

+One call to 311 can generate multiple pothole repairs. When a crew arrives to repair a pothole based on a 311 call, that crew fills all the other potholes found on that block. Pothole repairs are completed within seven days from the first report of a pothole to 311. Weather conditions, frigid temps, and precipitation can influence the time needed to complete a pothole repair. On days of cooperative weather and no precipitation, crews can fill several thousand potholes.

+If a previous request is already open for a buffer of four addresses, the request gets a status of "Duplicate (Open)" status. For example, for an existing CSR for address **6535 N Western**, and 311 receives a new CSR for address **6531 N Western**, then the new request receives a status of ΓÇ£Duplicate (Open)ΓÇ¥, the new request receives a "Duplicate (Open)" status. In this example, the new CSR is at an address within four addresses of the original CSR. Once the crews repair the street, the CSR status reads ΓÇ£CompletedΓÇ¥ for the original request, and ΓÇ£Duplicate (Closed)ΓÇ¥ for any duplicate requests. A service request also receives the status of ΓÇ£CompletedΓÇ¥ when the reported address is inspected but no potholes are found or were filled. If another issue is found with the street, such as a ΓÇ£cave-inΓÇ¥ or ΓÇ£failed utility cutΓÇ¥, then the issue is directed to the appropriate department or contractor.

+Open reports made to 311 of street light outages involving three or more lights are defined as "Street Lights - All Out." The Chicago Department of Transportation (CDOT) oversees approximately 250,000 street lights that illuminate arterial and residential streets in Chicago. CDOT performs repairs and bulb replacements in response to residentsΓÇÖ reports of street light outages. Whenever CDOT receives a report of an ΓÇ£All OutΓÇ¥ the electrician assigned to make the repair looks at the lights in that circuit (each circuit has 8-16 lights) to make sure they all operate properly. If a second request of lights out in the same circuit is made within four calendar days of the original request, the newest request is automatically given the status of ΓÇ£Duplicate (Open).ΓÇ¥ Since the CDOT electrician looks at the lights in a circuit to verify their operation, any ΓÇ£Duplicate (Open)ΓÇ¥ address is automatically observed and repaired. Once the street lights are repaired, the status in CSR reads ΓÇ£CompletedΓÇ¥ for the original request and ΓÇ£Duplicate (Closed)ΓÇ¥ for any duplicate requests. A service request also receives the status of ΓÇ£CompletedΓÇ¥ when

+- the reported lights are inspected but found to be in good repair and functioning

+- the service request is for a nonexistent address

+- a contractor maintains the lights

+The data resource received daily updates.

+This dataset is stored in Parquet format. It received daily updates, and contains about 1M rows (80 MB) in total as of 2019.

+Reference here for the terms of use for this dataset resource. Email [dataportal@cityofchicago.org](mailto:dataportal@cityofchicago.org) with questions about the data source.

+311 Service Requests - Street Lights - All Out - Historical

+| Name | Data type | Values (sample) | Description |

+|-|-|-|-|

+| Creation Date | Floating Timestamp | 10/9/2017 | Request creation date |

+| Status | Text | Completed - Dup | Request status |

+| Completion Date | Floating Timestamp | 10/11/2017 | Request completion date |

+| Service Request Number | Text | 17-06773249 | Service number of the request |

+| Type of Service Request | Text | Street Lights - All/Out | Service request type |

+| Street Address | Text | 2826 N TALMAN AVE | Address of request |

+| ZIP Code | Number | 60618 | ZIP code value of request address |

+| X Coordinate | Number | 1158230.1582963 | X Coordinate value |

+| Y Coordinate | Number | 1918676.90199051 | Y Coordinate value |

+| Ward | Number | 33 | Ward Number value |

+| Police District | Number | 14 | Police District number |

+| Community Area | Number | 21 | Community Area number |

+| Latitude | Number | 41.93259686594802 | The request location latitude value. Latitude lines are parallel to the equator. |

+| Longitude | Number | -87.6939355144751 | The request location longitude value. Longitude lines run perpendicular to lines of latitude, and all pass through both poles. |

+| Location | Location | (41.932596865948, -87.693935514475) | Combined latitude and longitude values for the address |

+Preview

+| Creation Date | Status | Completion Date | Service Request Number | Type of Service Request | Street Address | ZIP Code | X Coordinate | Y Coordinate | Ward | Police District | Community Area | Latitude | Longitude | Location |

+|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|

+| 10/9/2017 | Completed - Dup | 10/11/2017 | 17-06773249 | Street Lights - All/Out | 2826 N TALMAN AVE | 60618 | 1158230.158 | 1918676.902 | 33 | 14 | 21 | 41.93259686594802 | -87.69393551 | (41.932596865948, -87.693935514475) |

+| 10/11/2017 | Completed | 10/11/2017 | 17-06816558 | Street Lights - All/Out | 6200 S LAKE SHORE DR | 60637 | 1190863.778 | 1864244.283 | 5 | 3 | 42 | 41.78250135027194 | -87.57577731 | (41.782501350272, -87.575777307852) |

+| 3/20/2014 | Completed - Dup | 8/4/2017 | 14-00400272 | Street Lights - All/Out | 5730 N KINGSDALE AVE | 60646 | 1143691.393 | 1937640.891 | 39 | 17 | 12 | 41.984920748899164 | -87.74688744 | (41.984920748899, -87.746887444765) |

+| 10/9/2017 | Completed | 10/11/2017 | 17-06772762 | Street Lights - All/Out | 5246 S LUNA AVE | 60638 | 1140255.697 | 1869109.118 | 14 | 8 | 56 | 41.79692498298546 | -87.7612044 | (41.796924982985, -87.761204398005) |

+| 10/10/2017 | Completed | 10/11/2017 | 17-06786335 | Street Lights - All/Out | 954 E 111TH ST | 60628 | 1184652.066 | 1831465.656 | 9 | 5 | 50 | 41.69270116620948 | -87.59957553 | (41.692701166209, -87.599575527098) |

+| 10/8/2017 | Completed | 10/11/2017 | 17-06752801 | Street Lights - All/Out | 4399 N DAMEN AVE | 60618 | 1162224.952 | 1929224.823 | 47 | 19 | 5 | 41.961458246672315 | -87.67895915 | (41.961458246672, -87.67895914919) |

+| 10/6/2017 | Completed | 10/11/2017 | 17-06696916 | Street Lights - All/Out | 4730 N BROADWAY | 60640 | 1167596.292 | 1931650.772 | 46 | 19 | 3 | 41.968000877697875 | -87.65914105 | (41.968000877698, -87.659141052722) |

+| 10/7/2017 | Completed | 10/11/2017 | 17-06734666 | Street Lights - All/Out | 6449 S VERNON AVE | 60637 | 1180358.718 | 1862347.753 | 20 | 3 | 42 | 41.77754460257851 | -87.61434958 | (41.777544602579, -87.61434958023) |

+311 Service Requests - Pot Holes Reported - Historical

+| Name | Data type | Values (sample) | Description |

+|-|-|-|-|

+| Creation Date | Floating Timestamp | 4/25/2018 | Request creation date |

+| Status | Text | Completed | Request status |

+| Completion Date | Floating Timestamp | 4/26/2018 | Request completion date |

+| Service Request Number | Text | 18-01325016 | Service number of the request |

+| Type of Service Request | Text | Pothole in Street | Service request type |

+| Current Activity | Text | Final Outcome | Latest Activity Description |

+| Most Recent Action | Text | No Potholes Found | Latest action taken |

+| Number of Potholes Filled on Block | 0 | | Count of repaired potholes |

+| Street Address | Text | 5100 S LAWLER AVE | Address of request |

+| ZIP Code | Number | 60638 | ZIP code value of request address |

+| X Coordinate | Number | 1143556.31919224 | X Coordinate value |

+| Y Coordinate | Number | 1870339.26041166 | Y Coordinate value |

+| Ward | Number | 14 | Ward Number value |

+| Police District | Number | 8 | Police District number |

+| Community Area | Number | 56 | Community Area number |

+| SSA | Number | 26 | |

+| Latitude | double | 41.80014700738077 | This is the latitude value. Lines of latitude are parallel to the equator. |

+| Longitude | double | -87.7492147421616 | This is the longitude value. Lines of longitude run perpendicular to lines of latitude, and all pass through both poles. |

+| Location | Location | (41.80014700738077, -87.7492147421616) | Combined latitude and longitude values for the address |

+Preview

+| Creation Date | Status | Completion Date | Service Request Number | Type of Service Request | Current Activity | Most Recent Action | Number of Potholes Filled on Block | Street Address | ZIP Code | X Coordinate | Y Coordinate | Ward | Police District | Community Area | SSA | Latitude | Longitude | Location |

+|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|

+| 6/13/2012 | Completed | 6/18/2012 | 12-01071965 | Pot Hole in Street | Dispatch Crew | Pothole Patched | 14 | 7040 N FRANCISCO AVE | 60645 | 1155793.815 | 1946654.94 | 50 | 24 | 2 | | 42.0096087 | -87.70227538 | (42.009608698109, -87.702275384338) |

+| 6/15/2017 | Completed | 6/29/2017 | 17-03958579 | Pothole in Street | Final Outcome | WM Sewer Cave In Inspection Transfer Outcome | 0 | 4216 W CORTEZ ST | 60651 | 1148081.734 | 1906667.21 | 37 | 11 | 23 | | 41.89994838998482 | -87.73187935 | (41.899948389985, -87.731879353699) |

+| 1/13/2014 | Completed | 1/24/2014 | 14-00052283 | Pot Hole in Street | Final Outcome | Pothole Patched | 5 | 1200 S CANAL ST | 60607 | 1173311.531 | 1894981.335 | 2 | 1 | 28 | | 41.86717512472001 | -87.63937581 | (41.86717512472, -87.639375812581) |

+| 10/13/2015 | Completed | 11/24/2015 | 15-05364068 | Pothole in Street | Final Outcome | Pothole Patched | 3 | 6318 N WESTERN AVE | 60659 | 1159171.947 | 1941877.852 | 50 | 24 | 2 | 43 | 41.996507559859445 | -87.68999022 | (41.996507559859, -87.689990223964) |

+| 2/23/2014 | Completed | 4/8/2014 | 14-00256448 | Pot Hole in Street | Final Outcome | Pothole Patched | 12 | 6800 N KEDZIE AVE | 60645 | 1153845.564 | 1944905.48 | 50 | 0 | 2 | | 42.004746892817465 | -87.70949265 | (42.004746892817, -87.709492653059) |

+| 10/16/2015 | Completed | 11/24/2015 | 15-05416322 | Pothole in Street | Final Outcome | CDOT Asphalt Top Off Restoration Transfer Outcome | 0 | 6430 N KEDZIE AVE | 60645 | 1153862.527 | 1942457.906 | 50 | 0 | 2 | 43 | 41.998328665333965 | -87.70950507 | (41.998328665334, -87.7095050747) |

+| 4/1/2013 | Completed | 7/30/2013 | 13-00360362 | Pot Hole in Street | Final Outcome | Pothole Patched | 40 | 3738 N TRIPP AVE | 60641 | 1147334.393 | 1924509.895 | 38 | 17 | 16 | | 41.94928712004567 | -87.73398704 | (41.949287120046, -87.733987044713) |

+Sanitation Code Complaints

+| Name | Data type | Values (sample) | Description |

+|-|-|-|-|

+| Creation Date | Floating Timestamp | 9/17/2017 | Request creation date |

+| Status | Text | Completed | Request status |

+| Completion Date | Floating Timestamp | 10/11/2017 | Request completion date |

+| Service Request Number | Text | 17-06208608 | Service number of the request |

+| Type of Service Request | Text | Sanitation Code Violation | Service request type |

+| What is the Nature of this Code Violation? | Text | Overflowing carts | Latest Activity Description |

+| Street Address | Text | 6327 S KENNETH AVE | Address of request |

+| ZIP Code | Number | 60629 | ZIP code value of request address |

+| X Coordinate | Number | 1147796.475 | X Coordinate value |

+| Y Coordinate | Number | 1862216.771 | Y Coordinate value |

+| Ward | Number | 13 | Ward Number value |

+| Police District | Number | 8 | Police District number |

+| Community Area | Number | 65 | Community Area number |

+| Latitude | double | 41.77787022898461 | This is the latitude value. Lines of latitude are parallel to the equator. |

+| Longitude | double | -87.73372735 | This is the longitude value. Lines of longitude run perpendicular to lines of latitude, and all pass through both poles. |

+| Location | Location | (41.932596865948, -87.693935514475) | Combined latitude and longitude values for the address |

+Preview

+| Creation Date | Status | Completion Date | Service Request Number | Type of Service Request | What is the Nature of this Code Violation? | Street Address | ZIP Code | X Coordinate | Y Coordinate | Ward | Police District | Community Area | Latitude | Longitude | Location |

+|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|-|

+| 9/17/2017 | Completed | 10/11/2017 | 17-06208608 | Sanitation Code Violation | Overflowing carts | 6327 S KENNETH AVE | 60629 | 1147796.475 | 1862216.771 | 13 | 8 | 65 | 41.77787022898461 | -87.73372735 | (41.777870228985, -87.733727348463) |

+| 10/5/2017 | Completed | 10/11/2017 | 17-06678788 | Sanitation Code Violation | Garbage in alley | 3020 W MONTROSE AVE | 60618 | 1155359.487 | 1929084.561 | 33 | 17 | 14 | 41.961214454744535 | -87.70420422 | (41.961214454745, -87.704204220358) |

+| 8/21/2017 | Completed | 10/11/2017 | 17-05591233 | Sanitation Code Violation | Garbage in yard | 1500 S DAMEN AVE | 60608 | 1163279.962 | 1892714.436 | 28 | 12 | 28 | 41.86124902532175 | -87.67610892 | (41.861249025322, -87.676108920835) |

+| 9/23/2017 | Completed | 10/11/2017 | 17-06370432 | Sanitation Code Violation | Construction Site Cleanliness/Fence | 6442 S CENTRAL AVE | 60638 | 1140196.719 | 1861187.963 | 13 | 8 | 64 | 41.77518903 | -87.76161383 | (41.775189032012, -87.761613831651) |

+| 8/1/2017 | Completed - Dup | 8/4/2017 | 17-05101063 | Sanitation Code Violation | Garbage in alley | 3016 W MONTROSE AVE | 60618 | 1155405.587 | 1929085.161 | 33 | 17 | 14 | 41.96121517 | -87.70403472 | (41.961215172275, -87.704034715236) |

+| 9/26/2017 | Completed | 10/11/2017 | 17-06440193 | Sanitation Code Violation | Other | 8830 S WABASH AVE | 60619 | 1178255.291 | 1846460.484 | 9 | 6 | 44 | 41.733996131384714 | -87.6225419 | (41.733996131385, -87.622541895911) |

+| 10/10/2017 | Completed | 10/11/2017 | 17-06786539 | Sanitation Code Violation | Other | 4523 N LAWNDALE AVE | 60625 | 1150908.388 | 1929805.543 | 35 | 17 | 14 | 41.963281388376565 | -87.72054998 | (41.963281388377, -87.7205499839) |

+| 5/31/2017 | Completed | 8/4/2017 | 17-03559234 | Sanitation Code Violation | Other | 3359 W 19TH ST | 60623 | 1154204.655 | 1890509.209 | 24 | 10 | 29 | 41.85538344067419 | -87.70948151 | (41.855383440674, -87.709481507782) |

+# This is package is in preview.

+View the rest of the datasets in the [Open Datasets catalog](./dataset-catalog.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+| 1.25.6 | 4 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.25.6 | 6 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.25.6 | 7 |Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.25.11 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.25.11 | 4 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.25.11 | 5 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.26.3 | 4 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.26.3 | 6 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.26.3 | 7 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.26.6 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.26.6 | 4 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.26.6 | 5 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.26.12 | 1 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted and cluster nodes are Azure Arc-enabled |

+| 1.27.1 | 4 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.27.1 | 6 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.27.1 | 7 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.27.3 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.27.3 | 4 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.27.3 | 5 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.27.9 | 1 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted and cluster nodes are Azure Arc-enabled |

+| 1.28.0 | 1 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | |

+| 1.28.0 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, cluster nodes are Azure Arc-enabled |

+| 1.28.0 | 4 | Calico v3.27.2<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.10.0-60<br>Csi-nfs v4.6.0 | Azure Linux 2.0 | No breaking changes | |

+| 1.28.0 | 5 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted |

+| 1.28.9 | 1 | Calico v3.27.3<br>metrics-server v0.7.1<br>Multus v4.0.0<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.13<br>sriov-dp v3.11.0-68<br>Csi-nfs v4.7.0<br>csi-volume v0.1.0 | Azure Linux 2.0 | No breaking changes | Beginning with this version bundle, volume orchestration connectivity is TLS encrypted and cluster nodes are Azure Arc-enabled |

+ - China North 2

+ - China East 2

+The troubleshooting guides for Azure Database for PostgreSQL flexible server are designed to help you quickly identify and resolve common challenges you may encounter while using Azure Database for PostgreSQL flexible server. Integrated directly into the Azure portal, the troubleshooting guides provide actionable insights, recommendations, and data visualizations to assist you in diagnosing and addressing issues related to common performance problems. With these guides at your disposal, you are better equipped to optimize your Azure Database for PostgreSQL flexible server experience and ensure a smoother, more efficient database operation.

+* CPU

+* Memory

+* IOPS

+* Temporary files

+* Autovacuum monitoring

+* Autovacuum blockers

+- **CPU**

+ * CPU

+ * Workload

+ * Transactions

+ * Long running transactions

+ * Queries

+ * User connections

+ * Locking and blocking

+- **Memory**

+ * Memory

+ * Workload

+ * Sessions

+ * Queries

+ * User connections

+ * Memory parameters

+- **IOPS**

+ * IOPS

+ * Workload

+ * Sessions

+ * Queries

+ * Waits

+ * Checkpoints

+ * Storage

+- **Temporary files**

+ * Storage

+ * Temporary files

+ * Workload

+ * Queries

+- **Autovacuum monitoring**

+ * Bloat

+ * Tuples

+ * Vacuum and analyze

+ * Autovacuum workers

+ * Autovacuum per table

+ * Enhanced metrics

+- **Autovacuum blockers**

+ * Emergency autovacuum and wraparound

+ * Autovacuum blockers

+Before using any troubleshooting guide, it's essential to ensure that all prerequisites are in place. For a detailed list of prerequisites refer to the article [Use troubleshooting guides](how-to-troubleshooting-guides.md).

+* Troubleshooting guides aren't available for [read replicas](concepts-read-replicas.md).

+* Be aware that enabling Query Store on the Burstable pricing tier can lead to a negative impact on performance. As a result, it's not recommended to use Query Store with this particular pricing tier.

+* Learn more about [How to use troubleshooting guides](how-to-troubleshooting-guides.md).

+To effectively troubleshoot a specific issue, you need to make sure that you have all the necessary data in place.

+Each troubleshooting guide requires a specific set of data, which is sourced from three separate features: [Diagnostic settings](how-to-configure-and-access-logs.md), [Query Store](concepts-query-store.md), and [Enhanced metrics](concepts-monitoring.md#enabling-enhanced-metrics).

+All troubleshooting guides require logs to be sent to a Log Analytics workspace, but the specific category of logs to be captured may vary depending on the particular guide.

+Please, follow the steps described in [Configure and Access Logs - Azure Database for PostgreSQL - Flexible Server](howto-configure-and-access-logs.md) to configure diagnostic settings and send the logs to a Log Analytics workspace.

+Query Store, and Enhanced metrics are configured via Server parameters. Please follow the steps described in the configure server parameters in Azure Database for PostgreSQL flexible server articles for [Azure portal](howto-configure-server-parameters-using-portal.md) or [Azure CLI](howto-configure-server-parameters-using-cli.md).

+The table below provides information on the required log categories for each troubleshooting guide, as well as the necessary Query Store, Enhanced metrics and Server parameters prerequisites.

+| Troubleshooting guide | Diagnostic settings log categories and metrics | Query Store | Enhanced metrics | Server parameters |

+|:-|:-|--|-|--|

+| CPU | PostgreSQL Server Logs<br/>PostgreSQL Server Sessions data<br/>PostgreSQL Server Query Store Runtime<br/>AllMetrics | pg_qs.query_capture_mode to TOP or ALL | metrics.collector_database_activity | N/A |

+| Memory | PostgreSQL Server Logs<br/>PostgreSQL Server Sessions data<br/>PostgreSQL Server Query Store Runtime | pg_qs.query_capture_mode to TOP or ALL | metrics.collector_database_activity | N/A |

+| IOPS | PostgreSQL Server Query Store Runtime<br/>PostgreSQL Server Logs<br/>PostgreSQL Server Sessions data<br/>PostgreSQL Server Query Store Wait Statistics | pg_qs.query_capture_mode to TOP or ALL<br/>pgms_wait_sampling.query_capture_mode to ALL | metrics.collector_database_activity | track_io_timing to ON |

+| Temporary files | PostgreSQL Server Sessions data<br/>PostgreSQL Server Query Store Runtime<br/>PostgreSQL Server Query Store Wait Statistics | pg_qs.query_capture_mode to TOP or ALL<br/>pgms_wait_sampling.query_capture_mode to ALL | metrics.collector_database_activity | N/A |

+| Autovacuum monitoring | PostgreSQL Server Logs<br/>PostgreSQL Autovacuum and schema statistics<br/>PostgreSQL remaining transactions | N/A | N/A | log_autovacuum_min_duration |

+| Autovacuum blockers | PostgreSQL Server Sessions data<br/>PostgreSQL remaining transactions | N/A | N/A | N/A |

+## Using the troubleshooting guides

+To use the troubleshooting guides, follow these steps:

+2. From the left-side menu, under the *Monitoring* section, select *Troubleshooting guides*.

+4. Select the period of time which you want to analyze.

+### Retrieving the text of queries collected by query store

+To retrieve the text of those queries collected by query store, you need to log in to your Azure Database for PostgreSQL flexible server instance.

+Using the PostgreSQL client of your choice, access the `azure_sys` database where query store data is stored.

+### Retrieving the name of a user or role

+In the following example you would be retrieving the name of the user or role whose identifier is 24776.

+```sql

+SELECT '24776'::regrole;

+```

+* Support for [built-in Azure Policy definitions](concepts-security.md#azure-policy-support)

+ Title: Automigration

+description: This tutorial describes how to configure notifications, review migration details, and FAQs for an Azure Database for PostgreSQL Single Server instance schedule for automigration to Flexible Server.

+ - mvc

+ - mode-api

+# Automigration from Azure Database for Postgresql ΓÇô Single Server to Flexible Server

+**Automigration** from Azure Database for Postgresql ΓÇô Single Server to Flexible Server is a service-initiated migration during a planned downtime window for Single Server running PostgreSQL 11 and database workloads with **Basic, General Purpose or Memory Optimized SKU**, data storage used **<= 5 GiB** and **no complex features (CMK, Microsoft Entra ID, Read Replica, Private Link) enabled**. The eligible servers are identified by the service and are sent advance notifications detailing steps to review migration details and make modifications if necessary.

+The automigration provides a highly resilient and self-healing offline migration experience during a planned migration window, with up to **20 mins** of downtime. The migration service is a hosted solution using the [pgcopydb](https://github.com/dimitri/pgcopydb) binary and provides a fast and efficient way of copying databases from the source PostgreSQL instance to the target. This migration removes the overhead to manually migrate your server. Post migration, you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows. Following described are the key phases of the migration:

+- **Target Flexible Server is deployed** and matches your Single server SKU in terms of performance and cost, inheriting all firewall rules from source Single Server.

+- **Date is migrated** during the migration window chosen by the service or elected by you. If the window is chosen by the service, it's typically outside business hours of the specific region the server is hosted in. Source Single Server is set to read-only and the data & schema is migrated from the source Single Server to the target Flexible Server. User roles, privileges, and ownership of all database objects are also migrated to the flexible server.

+- **DNS switch and cutover** are performed within the planned migration window with minimal downtime, allowing usage of the same connection string post-migration. Client applications seamlessly connect to the target flexible server without any user driven manual updates or changes. In addition to both connection string formats (Single and Flexible Server) being supported on migrated Flexible Server, both username formats ΓÇô username@server_name and username are also supported on the migrated Flexible Server.

+- The **migrated Flexible Server is online** and can now be managed via Azure portal/CLI.

+- The **updated connection strings** to connect to your old single server are shared with you by email. The connection strings can be used to log in to the Single server if you want to copy any settings to your new Flexible server.

+- The **legacy Single Server** is deleted **seven days** after the migration.

+## Nomination Eligibility

+If you own a Single Server workload with no complex features (CMK, Microsoft Entra ID, Read Replica, Private Link) enabled, you can now nominate yourself (if not already scheduled by the service) for automigration. Submit your server details through this [form](https://forms.office.com/r/4pF55L8TxY).

+## Configure migration alerts and review migration schedule

+Servers eligible for automigration are sent an advance notification by the service.

+Following described are the ways to check and configure automigration notifications:

+- Subscription owners for Single Servers scheduled for automigration receive an email notification.

+- Configure **service health alerts** to receive automigration schedule and progress notifications via email/SMS by following steps [here](../single-server/concepts-planned-maintenance-notification.md#to-receive-planned-maintenance-notification).

+- Check the automigration **notification on the Azure portal** by following steps [here](../single-server/concepts-planned-maintenance-notification.md#check-planned-maintenance-notification-from-azure-portal).

+Following described are the ways to review your migration schedule once you receive the automigration notification:

+> [!NOTE]

+> The migration schedule will be locked 7 days prior to the scheduled migration window during which you'll be unable to reschedule.

+- The **Single Server overview page** for your instance displays a portal banner with information about your migration schedule.

+- For Single Servers scheduled for automigration, the **Overview** page is updated with the relevant information. You can review the migration schedule by navigating to the Overview page of your Single Server instance.

+- If you wish to defer the migration, you can defer by a month at a time on the Azure portal. You can reschedule the migration by selecting another migration window within a month.

+> [!NOTE]

+> Typically, candidate servers short-listed for automigration do not use cross region or Geo redundant backups. And these features can only be enabled during create time for a postgresql Flexible Server. In case you plan to use any of these features, it's recommended to opt out of the automigration schedule and migrate your server manually.

+## Prerequisite checks for automigration

+Review the following prerequisites to ensure a successful automigration:

+- The Single Server instance should be in **ready state** during the planned migration window for automigration to take place.

+- For Single Server instance with **SSL enabled**, ensure you have all certificates (**[DigiCertGlobalRootG2 Root CA](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) and [DigiCertGlobalRootCA Root CA](https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem)**) available in the trusted root store. Additionally, if you have the certificate pinned to the connection string create a combined CA certificate with all three certificates before scheduled automigration to ensure business continuity post-migration.

+- If your source Azure Database for postgresql Single Server has firewall rule names exceeding 80 characters, rename them to ensure length of name is fewer than 80 characters. (The firewall rule name length supported on Flexible Server is 80 characters whereas on Single Server the allowed length is 128 characters.)

+## How is the target postgresql Flexible Server provisioned?

+The compute tier and SKU for the target flexible server is provisioned based on the source single server's pricing tier and VCores as shown below.

+| Single Server Pricing Tier | Single Server VCores | Flexible Server Tier | Flexible Server SKU Name |

+| | | :: | :: |

+| Basic | 1 | Burstable | B1ms |

+| Basic | 2 | Burstable | B2s |

+| General Purpose | 2 | GeneralPurpose | Standard_D2s_v3 |

+| General Purpose | 4 | GeneralPurpose | Standard_D4s_v3 |

+| General Purpose | 8 | GeneralPurpose | Standard_D8s_v3 |

+| General Purpose | 16 | GeneralPurpose | Standard_D16s_v3 |

+| General Purpose | 32 | GeneralPurpose | Standard_D32s_v3 |

+| General Purpose | 64 | GeneralPurpose | Standard_D64s_v3 |

+| Memory Optimized | 2 | MemoryOptimized | Standard_E2s_v3 |

+| Memory Optimized | 4 | MemoryOptimized | Standard_E4s_v3 |

+| Memory Optimized | 8 | MemoryOptimized | Standard_E8s_v3 |

+| Memory Optimized | 16 | MemoryOptimized | Standard_E16s_v3 |

+| Memory Optimized | 32 | MemoryOptimized | Standard_E32s_v3 |

+- The postgresql version, region, connection string, subscription, and resource group for the target Flexible Server will remain the same as that of the source Single Server.

+- For Single Servers with less than 20-GiB storage, the storage size is set to 32 GiB as that is the minimum storage limit on Azure Database for postgresql - Flexible Server.

+- For Single Servers with greater storage requirement, sufficient storage equivalent to 1.25 times or 25% more storage than what is being used in the Single server is allocated. During the initial base copy of data, multiple insert statements are executed on the target, which generates WALs (Write Ahead Logs). Until these WALs are archived, the logs consume storage at the target and hence the margin of safety.

+- Both username formats ΓÇô username@server_name (Single Server) and username (Flexible Server) are supported on the migrated Flexible Server.

+- Both connection string formats ΓÇô Single Server and Flexible Server are supported on the migrated Flexible Server.

+## Post-migration steps

+Here's the info you need to know post automigration:

+- The server parameters in Flexible server are tuned to the community standards. If you want to retain the same server parameter values as your Single server, you can log in via PowerShell and run the script [here](https://github.com/hariramt/auto-migration/tree/main) to copy the parameter values.

+- To enable [query perf insights](../flexible-server/concepts-query-performance-insight.md), you need to enable query store on the Flexible server which isn't enabled by default

+- If [High Availability](../../reliability/reliability-postgresql-flexible-server.md) is needed, you can enable it with zero downtime.

+## Frequently Asked Questions (FAQs)

+**Q. Why am I being auto-migratedΓÇï?**

+**A.** Your Azure Database for Postgresql - Single Server instance is eligible for automigration to our flagship offering Azure Database for Postgresql - Flexible Server. This automigration will remove the overhead to manually migrate your server. You can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows.

+**Q. How does the automigration take place? What all does it migrate?ΓÇï**

+**A.** The Flexible Server is provisioned to closely match the same VCores and storage as that of your Single Server. Next the source Single Server is put in a read-only state, schema and data is copied to target Flexible Server. The DNS switch is performed to route all existing connections to target and the target Flexible Server is brought online. The automigration migrates the databases (including schema, data, users/roles, and privileges). The migration is offline where you see downtime of up to 20 minutes.

+**Q. How can I set up or view automigration alerts?ΓÇï**

+**A.** Following are the ways you can set up alerts:

+- Configure service health alerts to receive automigration schedule and progress notifications via email/SMS by following steps [here](../single-server/concepts-planned-maintenance-notification.md#to-receive-planned-maintenance-notification).

+- Check the automigration notification on the Azure portal by following steps [here](../single-server/concepts-planned-maintenance-notification.md#check-planned-maintenance-notification-from-azure-portal).

+**Q. How can I defer the scheduled migration of my Single server?ΓÇï**

+**A.** You can review the migration schedule by navigating to the Overview page of your Single Server instance. If you wish to defer the migration, you can defer by a month at the most by navigating to the Overview page of your single server instance on the Azure portal. You can reschedule the migration by selecting another migration window within a month. The migration details will be locked seven days before the scheduled migration window after which you're unable to reschedule. This automigration can be deferred monthly until 30 March 2025.

+**Q. How can I opt out of a scheduled automigration of my Single server?ΓÇï**

+**A.** If you wish to opt out of the automigration, you can raise a support ticket for this purpose.

+**Q. What username and connection string would be supported for the migrated Flexible Server? ΓÇïΓÇï**

+**A.** Both username formats - username@server_name (Single Server format) and username (Flexible Server format) are supported for the migrated Flexible Server, and hence you aren't required to update them to maintain your application continuity post migration. Additionally, both connection string formats (Single and Flexible server format) are also supported for the migrated Flexible Server.

+**Q. I see a pricing difference on my potential move from postgresql Basic Single Server to postgresql Flexible Server??ΓÇï**

+**A.** Few servers might see a small price revision after migration as the minimum storage limit on both offerings is different (5 GiB on Single Server and 32 GiB on Flexible Server). Storage cost for Flexible Server is marginally higher than Single Server. Any price increase is offset through better throughput and performance compared to Single Server. For more information on Flexible server pricing, click [here](https://azure.microsoft.com/pricing/details/postgresql/flexible-server/)

+## Related content

+- [Manage an Azure Database for postgresql - Flexible Server using the Azure portal.](../flexible-server/how-to-manage-server-portal.md)

+|[Virtual WAN hubs on Cloud Services](/azure/virtual-wan/virtual-wan-faq#update-router?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) | July 2024 | [Migrate Virtual WAN to ARM](/azure/virtual-wan/virtual-wan-faq?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#update-router) |[Virtual WAN Support](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22d3b69052-33aa-55e7-6d30-ebb7040f9766%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%229fce0565-284f-2521-c1ac-6c80f954b323%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D) |

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+² AI search service currently can't connect to tables on a storage account that has [shared key access turned off](../storage/common/shared-key-authorization-prevent.md).

+# Connect to Azure AI Search using keys

+Azure AI Search offers key-based authentication for connections to your search service. An API key is a unique string composed of 52 randomly generated numbers and letters. In your source code, you can specify it as an [environment variable](/azure/ai-services/cognitive-services-environment-variables) or as an app setting in your project, and then reference the variable on the request. A request made to a search service endpoint is accepted if both the request and the API key are valid.

+Key-based authentication is the default.

+You can replace it with [role-based access](search-security-enable-roles.md), which eliminates the need for hardcoded keys in your codebase.

+Before you can assign roles for authorized access to Azure AI Search, enable role-based access control on your search service.

+# Connect to Azure AI Search using roles

+If you enable dead-lettering on filter evaluation exceptions, any errors that occur while a subscription's SQL filter rule executes are captured in the DLQ along with the offending message. Don't use this option in a production environment where you have message types that are sent to the topic, which don't have subscribers, as this may result in a large load of DLQ messages. As such, ensure that all messages sent to the topic have at least one matching subscription.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+| |**Data Dynamics**<br>Data Dynamics provides enterprise solutions to manage unstructured data for hybrid and multicloud environments. Their Unified Unstructured Data Management Platform uses analytics and automation to help you intelligently and efficiently move data from heterogenous storage environments (SMB, NFS, or S3 Object) into Azure. The platform provides seamless integration, enterprise scale, and performance that enables the efficient management of data for hybrid and multicloud environments. Use cases include: intelligent cloud migration, disaster recovery, archive, backup, and infrastructure optimization and data management. |[Partner page](https://www.datadynamicsinc.com/partners-2/)|

+| |**Datadobi**<br> Datadobi can optimize your unstructured storage environments. DobiMigrate is enterprise-class software that gets your file and object data ΓÇô safely, quickly, easily, and cost effectively ΓÇô to Azure. Focus on value-added activities instead of time-consuming migration tasks. Grow your storage footprint without CAPEX investments.|[Partner page](https://datadobi.com/partners/microsoft/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/datadobi1602192408529.datadobi_license_purchase?tab=Overview)|

+| |**Komprise**<br>Komprise enables visibility across silos to manage file and object data and save costs. Komprise Intelligent Data Management software lets you consistently analyze, move, and manage data across clouds.<br><br>Komprise helps you to analyze data growth across any network attached storage (NAS) and object storage to identify significant cost savings. You can also archive cold data to Azure, and runs data migrations, transparent data archiving, and data replications to Azure Files and Blob storage. Patented Komprise Transparent Move Technology enables you to archive files without changing user access. Global search and tagging enables virtual data lakes for AI, big data, and machine learning applications. |[Partner page](https://www.komprise.com/partners/microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/komprise_inc.intelligent_data_management?tab=Overview)|

+| |**Peer Software**<br>Peer Software provides real-time file management solutions for hybrid and multicloud environments. Key use cases include high availability for user and application data across branch offices, Azure regions and availability zones, file sharing with version integrity, and migration to file or object storage with minimal cutover downtime. |[Partner page](https://go.peersoftware.com/azure_file_management_solutions)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/peer-software-inc.peergfs?tab=overview)

+| |**Privacera**<br>Privacera provides a unified system for data governance and security across multiple cloud services and analytical platforms. Privacera enables IT and data platform teams to democratize data for analytics, while ensuring compliance with privacy regulations.  |[Partner page](https://privacera.com/azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/globaltenetincdbaprivacera1585932150924.privacera_platform)|

+||**Tape Ark**<br>Tape Ark is focused on migration of data from physical tapes to Azure Storage allowing customers to break free from the management and costs of legacy tapes. Tape Ark offers a fully managed SaaS service allowing companies to go completely tape free. Retrieve the legacy tapes from offsite storage, send them to Tape Ark, and Tape Ark will migrate the media (irrespective of age, type or format) to Azure Storage. This provides a fully cloud based tape management, and restore platform. Tape Ark has built mass data ingest facilities in Australia, India, UK, USA & Canada.|[Partner page](https://www.tapeark.com/partners/microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/globaldataanalyticsptyltdtatapeark1636285238780.tapearkrestoresaas?tab=Overview)|

+| |**Tiger Technology**<br>Tiger Technology offers high-performance, secure data & storage management software solutions. It enables organizations of any size to manage their digital assets on-premises, in any public cloud, or through an on-premises-first hybrid model. Specializes in migrating mission-critical workflows, application servers, and NAS/tape-to-cloud migrations. Tiger Bridge is a non-proprietary, software-only data management solution. It blends a file system and multi-tier cloud storage into a single space and enables hybrid workflows. Tiger Bridge addresses several data management challenges: file server and application server extension, migration, disaster recovery, backup and archive, and multi-site sync. It also offers continuous data protection and ransomware protection capabilities. |[Partner page](https://www.tiger-technology.com/partners/microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/tiger-technology.tiger_bridge_saas_soft_only)|

+Are you a storage partner but your solution isn't listed yet? Send us your info [here](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR3i8TQB_XnRAsV3-7XmQFpFUQjY4QlJYUzFHQ0ZBVDNYWERaUlNRVU5IMyQlQCN0PWcu).

+- Serverless SQL pools in Synapse Analytics are compatible with **Delta reader version 1**.

+### Serverless support Delta 1.0 version

+Serverless SQL pools are reading only Delta Lake 1.0 version. Serverless SQL pools is a [Delta reader with level 1](https://github.com/delta-io/delt#reader-version-requirements), and doesnΓÇÖt support the following features:

+- Column mappings are ignored - serverless SQL pools will return original column names.

+- Delete vectors are ignored and the old version of deleted/updated rows will be returned (possibly wrong results).

+- The following Delta Lake features are not supported: [V2 checkpoints](https://github.com/delta-io/delt#vacuum-protocol-check)

+#### Delete vectors are ignored

+If your Delta lake table is configured to use Delta writer version 7, it will store deleted rows and old versions of updated rows in Delete Vectors (DV). Since serverless SQL pools have Delta reader 1 level, they will ignore the delete vectors and probably produce **wrong results** when reading unsupported Delta Lake version.

+#### Column rename in Delta table is not supported

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly.

+| Users from one organization with standard privileges | Use a Windows Enterprise multi-session operating system (OS). |

+Trusted launch are Azure VMs with enhanced security features aimed to protect against persistent attack techniques such as bottom-of-the-stack threats through attack vectors such as rootkits, boot kits, and kernel-level malware. It allows for secure deployment of VMs with verified boot loaders, OS kernels, and drivers, and also protects keys, certificates, and secrets in the VMs. Learn more about trusted launch at [Trusted launch for Azure virtual machines](../virtual-machines/trusted-launch.md).

+When you add session hosts using the Azure portal, the default security type is **Trusted virtual machines**. This ensures that your VM meets the mandatory requirements for Windows 11. For more information about these requirements, see [Virtual machine support](/windows/whats-new/windows-11-requirements#virtual-machine-support).

+## Azure confidential computing virtual machines

+Azure Virtual Desktop support for [Azure confidential computing](../confidential-computing/overview.md) virtual machines ensures a user's virtual desktop is encrypted in memory, protected in use, and backed by a hardware root of trust.

+Deploying confidential virtual machines with Azure Virtual Desktop gives users access to Microsoft 365 and other applications on session hosts that use hardware-based isolation, which hardens isolation from other virtual machines, the hypervisor, and the host OS. Memory encryption keys are generated and safeguarded by a dedicated secure processor inside the CPU that can't be read from software. For more information, including the VM sizes available, see the [Azure confidential computing overview](../confidential-computing/overview.md).

+The following operating systems are supported for use as session hosts with confidential virtual machines on Azure Virtual Desktop, for versions that are in active support. For support dates, see [Microsoft Lifecycle Policy](/lifecycle/).

+- Windows 11 Enterprise

+- Windows 11 Enterprise multi-session

+- Windows 10 Enterprise

+- Windows 10 Enterprise multi-session

+You can create session hosts using confidential virtual machines when you [deploy Azure Virtual Desktop](deploy-azure-virtual-desktop.md) or [add session hosts to a host pool](add-session-hosts-host-pool.md).

+## Operating system disk encryption

+Encrypting the operating system disk is an extra layer of encryption that binds disk encryption keys to the confidential computing VM's Trusted Platform Module (TPM). This encryption makes the disk content accessible only to the VM. Integrity monitoring allows cryptographic attestation and verification of VM boot integrity and monitoring alerts if the VM didnΓÇÖt boot because attestation failed with the defined baseline. For more information about integrity monitoring, see [Microsoft Defender for Cloud Integration](../virtual-machines/trusted-launch.md#microsoft-defender-for-cloud-integration). You can enable confidential compute encryption when you create session hosts using confidential VMs when you [create a host pool](create-host-pool.md) or [add session hosts to a host pool](add-session-hosts-host-pool.md).

+## Secure Boot

+## Monitor boot integrity using Remote Attestation

+## vTPM

+## Virtualization-based Security

+### Hypervisor-Protected Code Integrity

+### Windows Defender Credential Guard

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](../workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+1. Under **Role**, select **Contributor**.

+ --role "Contributor" \

+ -RoleDefinitionName Contributor `

+ - To validate if scale set is configured with data disk, navigate to scale set -> **Disks** under **Settings** menu -> check under heading **Data disks**

+> - Existing [virtual machines (VMs)](overview.md) can have Trusted Launch enabled after being created. For more information, see [Enable Trusted Launch on existing VMs](trusted-launch-existing-vm.md).

+> - Existing [virtual machine scale sets (VMSS)](../virtual-machine-scale-sets/overview.md) can have Trusted Launch enabled after being created. For more information, see [Enable Trusted Launch on existing scale sets](trusted-launch-existing-vmss.md).

+>

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+- CIQ: [CIQ Bridge - Extending the life of CentOS 7](https://ciq.com/products/ciq-bridge/)

+> [!NOTE]

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+This article shows you how to quickly deploy WebLogic Server (WLS) on an Azure Virtual Machine (VM) with the simplest possible set of configuration choices using the Azure portal. In this quickstart, you learn how to:

+- Deploy WebLogic Server with Administration Server enabled on a VM using the Azure portal.

+- Deploy a sample Java application with the WebLogic Server Administration Console.

+- Connect to the VM running WebLogic using SSH.

+The following steps show you how to deploy WebLogic Server on a VM using the [single instance with an admin server](https://aka.ms/wls-vm-admin) offer on the Azure portal. There are other offers that meet different scenarios such as [WebLogic cluster on multiple VMs](https://aka.ms/wls-vm-cluster).

+1. In the search bar at the top of the portal, enter *weblogic*. In the autosuggested search results, in the **Marketplace** section, select **WebLogic Server with Admin Console on VM**. You can also go directly to the offer using the portal link.

+1. On the offer page, select **Create**. You then see the **Basics** pane.

+ :::image type="content" source="media/weblogic-server-azure-virtual-machine/portal-start-experience.png" alt-text="Screenshot of the Azure portal that shows the Create WebLogic Server With Admin console on Azure VM page." lightbox="media/weblogic-server-azure-virtual-machine/portal-start-experience.png":::

+1. Under **Instance details**, select the region for the deployment.

+1. Select **Review + create**.

+1. Ensure the green **Validation Passed** message appears at the top. If it doesn't, fix any validation problems and select **Review + create** again.

+Depending on network conditions and other activity in your selected region, the deployment might take up to 30 minutes to complete.

+x

+1. In the left panel, select **Outputs**. This list shows useful output values from the deployment.

+1. The **sshCommand** value is the fully qualified SSH command to connect to the VM that runs WebLogic Server. Select the copy icon next to the field value to copy the link to your clipboard. Save this value aside for later.

+1. The **adminConsoleURL** value is the fully qualified public internet visible link to the WebLogic Server admin console. Select the copy icon next to the field value to copy the link to your clipboard. Save this value aside for later.

+## Deploy a Java application from Administration Console

+Use the following steps to run a sample application on the WebLogic Server:

+ 1. Accept the defaults in the next few screens and select **Finish**.

+ 1. On the application configuration screen, select **Save**.

+1. Navigate back to your working resource group in the Azure portal. In the overview page, you can find a network security group named **wls-nsg**. Select **wls-nsg**.

+1. Connect to the VM with the value of **sshCommand** and your password (this article uses *wlsVmCluster2022*).

+If you're not going to continue to use the WebLogic Server, navigate back to your working resource group in the Azure portal. At the top of the page, under the text **Resource group**, select **Delete resource group**.

+* [WebLogic Server on Azure Kubernetes Service](/azure/virtual-machines/workloads/oracle/weblogic-aks?toc=/azure/developer/java/ee/toc.json&bc=/azure/developer/java/breadcrumb/toc.json)

+ Title: How to deploy hub and spoke topology with Azure Firewall

+description: Learn how to deploy a hub and spoke topology with Azure Firewall using Virtual Network Manager.

+# How to deploy hub and spoke topology with Azure Firewall

+In this article, you learn how to deploy a hub and spoke topology with Azure Firewall using Azure Virtual Network Manager (AVNM). You create a network manager instance, and implement network groups for trusted and untrusted traffic. Next, you deploy a connectivity configuration for defining your hub and spoke topology. When deploying the connectivity configuration, you have a choice of adding [direct connectivity](concept-connectivity-configuration.md#direct-connectivity) for direct, trusted communication between spoke virtual networks, or requiring spokes to communicate through the hub network. You finish by deploying a routing configuration to route all traffic to Azure Firewall, except the traffic within the same virtual network when the virtual networks are trusted.

+Many organizations use Azure Firewall to protect their virtual networks from threats and unwanted traffic, and they route all traffic to Azure Firewall except trusted traffic within the same virtual network. Traditionally, setting up such a scenario is cumbersome because new user-defined routes (UDRs) need to be created for each new subnet, and all route tables have different UDRs. UDR management in Azure Virtual Network Manager can help you easily achieve this scenario by creating a routing rule that routes all traffic to Azure Firewall, except the traffic within the same virtual network.

+## Prerequisites

+- An Azure subscription with permissions to create resources in the subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+- Three virtual networks with subnets in the same region. One virtual network is the hub virtual network, and the other two virtual networks are the spoke virtual networks.

+ - For this example, the hub virtual network is named **hub-vnet**, and the spoke virtual networks are **spoke-vnet-1** and **spoke-vnet-2**.

+ - The hub virtual network requires a subnet for the Azure Firewall named **AzureFirewallSubnet**.

+- An Azure Virtual Network Manager instance with user-defined routing and connectivity configurations enabled.

+- All virtual networks configured in a hub and spoke topology.

+- An Azure Firewall in the hub virtual network. For more information, see [Deploy and configure Azure Firewall and policy using the Azure portal](../firewall/tutorial-firewall-deploy-portal-policy.md).

+## Create a routing configuration and rule collection

+In this task, you create a routing configuration and rule collection that includes your spoke network group. Routing configurations define the routing rules for traffic between virtual networks.

+1. In the network manager instance, select **Configurations** under **Settings**.

+2. On the **Create a routing configuration** page, enter the routing configuration **Name** and **Description** on the **Basics** tab then select **Next: Rule collection >**.

+3. Select **Add** on the **Rule collections** tab.

+4. In the **Add a rule collection** window, enter or select the following settings for the rule collection:

+ | **Setting** | **Value** |

+ |||

+ | **Name** | Enter a name for your rule collection. |

+ | **Description** | (Optional) Enter a description for your rule collection. |

+ | **Local route setting** | Select **Direct routing within virtual network**. |

+ | **Enable BGP route propagation** | (Optional) Select **Enable BGP route propagation** if you want to enable BGP route propagation. |

+ | **Target network group** | Select your spoke network group. |

+1. Under **Routing rules**, select **Add** to create a new routing rule.

+2. In the **Add a routing rule** window, enter or select the following settings for the routing rule:

+ | **Setting** | **Value** |

+ |||

+ | **Name** | Enter a name for your routing rule. |

+ | **Destination** | |

+ | **Destination type** | Select **IP Address**. |

+ | **Destination IP Addresses/CIDR ranges** | enter **0.0.0.0/0**. |

+ | **Next hop** | |

+ | **Next hop type** | Select **Virtual Appliance**.</br> Select **Import Azure firewall private IP address**|

+ | **Azure firewalls** | Select your Azure firewall then choose **Select**. |

+3. Select **Add** to add the routing rule to the rule collection.

+4. Select **Add** to add the rule collection to the routing configuration.

+ :::image type="content" source="media/how-to-deploy-hub-spoke-topology-with-azure-firewall/add-routing-rule.png" alt-text="Screenshot of Add a routing rule window with firewall as next hop.":::

+5. Select **Review + create** then select **Create**.

+## Deploy the routing configuration

+In this task, you deploy the routing configuration to create the routing rules for the hub and spoke topology.

+1. In the network manager instance, select **Deployments** under **Settings**.

+2. Select **Deploy configurations** then select **Routing configuration - Preview**.

+3. In the **Deploy a configuration** window, select the routing configuration you created, and select the **Target Regions** you wish to deploy the configuration to.

+1. Select **Next** or **Review + deploy** to review the deployment then select **Deploy**.

+## Delete all resources

+If you no longer need the resources created in this article, you can delete them to avoid incurring more costs.

+1. In the Azure portal, search for and select **Resource groups**.

+2. Select the resource group that contains the resources you want to delete.

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn more about User defined routes (UDRs)](../virtual-network/virtual-networks-udr-overview.md)

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource Manager. The virtual networks exist in different subscriptions that might belong to different Microsoft Entra tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other with the same bandwidth and latency as though the resources were in the same virtual network. Learn more about [Virtual network peering](virtual-network-peering-overview.md).

+This tutorial peers virtual networks in the same region. You can also peer virtual networks in different [supported regions](virtual-network-manage-peering.md#cross-region). Familiarize yourself with the [peering requirements and constraints](virtual-network-manage-peering.md#requirements-and-constraints) before peering virtual networks.

+- An Azure account or accounts with two active subscriptions. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An Azure account or accounts with two active subscriptions. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Sign in to Azure PowerShell and select the subscription with which you want to use this feature. For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+- An Azure account or accounts with two active subscriptions. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+Create a second virtual network with the following values by repeating the steps in the [previous section](#create-virtual-network).

+ | **Remote virtual network summary** | |

+ | Peering link name | **vnet-2-to-vnet-1** |

+ | Virtual network deployment model | **Resource Manager** |

+ | I know my resource ID | **Select the box** |

+ | Resource ID | **Enter the Resource ID for vnet-2** |

+ | Directory | Select the Microsoft Entra ID directory that corresponds with **vnet-2** and **user-2** |

+ | **Remote virtual network peering settings** | |

+ | Allow 'the peered virtual network' to access 'vnet-1' | Leave the default of **Enabled** |

+ | Allow 'the peered virtual network' to receive forwarded traffic from 'vnet-1' | **Select the box** |

+ | **Local virtual network summary** | |

+ | Peering link name | **vnet-1-to-vnet-2** |

+ | **Local virtual network peering settings** | |

+ | Allow 'vnet-1' to access 'the peered virtual network' | Leave the default of **Enabled** |

+ | Allow 'vnet-1' to receive forwarded traffic from 'the peered virtual network' | **Select the box** |

+

+ :::image type="content" source="./media/create-peering-different-subscriptions/vnet-1-to-vnet-2-peering.png" alt-text="Screenshot of peering from vnet-1 to vnet-2.":::

+You might have to switch back to **subscription-1** to continue with the actions in **subscription-1**.

+You might have to switch back to **subscription-1** to continue with the actions in **subscription-1**.

+ | **Remote virtual network summary** | |

+ | Peering link name | **vnet-1-to-vnet-2** |

+ | Virtual network deployment model | **Resource Manager** |

+ | I know my resource ID | **Select the box** |

+ | Resource ID | **Enter the Resource ID for vnet-2** |

+ | Directory | Select the Microsoft Entra ID directory that corresponds with **vnet-1** and **user-1** |

+ | **Remote virtual network peering settings** | |

+ | Allow 'the peered virtual network' to access 'vnet-1' | Leave the default of **Enabled** |

+ | Allow 'the peered virtual network' to receive forwarded traffic from 'vnet-1' | **Select the box** |

+ | **Local virtual network summary** | |

+ | Peering link name | **vnet-1-to-vnet-2** |

+ | **Local virtual network peering settings** | |

+ | Allow 'vnet-1' to access 'the peered virtual network' | Leave the default of **Enabled** |

+ | Allow 'vnet-1' to receive forwarded traffic from 'the peered virtual network' | **Select the box** |

+1. Select **Add**.

+

+You might have to switch back to **subscription-2** to continue with the actions in **subscription-2**.

+You might have to switch back to **subscription-2** to continue with the actions in **subscription-2**.

+The peering is successfully established after you see **Connected** in the **Peering status** column for both virtual networks in the peering. Any Azure resources you create in either virtual network are now able to communicate with each other through their IP addresses. If you're using Azure name resolution for the virtual networks, the resources in the virtual networks aren't able to resolve names across the virtual networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS (Domain Name System) server or use Azure DNS.

+> [!IMPORTANT]

+> If you update the address space in one of the members of the peer, you must resync the connection to reflect the address space changes. For more information, see [Update the address space for a peered virtual network using the Azure portal](/azure/virtual-network/update-virtual-network-peering-address-space#modify-the-address-range-prefix-of-an-existing-address-range)

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+* Deployed in the backend pool of a standard load balancer with outbound rules defined.

+* Deployed in the backend pool of a basic public load balancer.

+- When you have multiple NICs on the same VM, default outbound IPs won't consistently be the same across all NICs.

+- When scaling up/down Virtual Machine Scale sets, default outbound IPs assigned to individual instances can and change.

+* In configurations using a User Defined Route (UDR) with a default route (0/0) that sends traffic to an upstream firewall/network virtual appliance, any traffic that bypasses this route (for example, to Service Tagged destinations) breaks in a Private subnet.

+* Flexible scale sets are secure by default. Any instances created via Flexible scale sets don't have the default outbound access IP associated with them, so an explicit outbound method is required. For more information, see [Flexible orchestration mode for Virtual Machine Scale Sets](../../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md#what-has-changed-with-flexible-orchestration-mode)

+The MANA PMD probes all devices and ports on the system when no `--vdev` argument is present; the `--vdev` argument isn't mandatory. In testing environments, it's often desirable to leave one (primary) interface available for servicing the SSH connection to the VM. To use DPDK with a subset of the available VFs, users should pass both the bus address of the MANA device and the MAC address of the interfaces in the `--vdev` argument. For more detail, example code is available to demonstrate [DPDK EAL initialization on MANA](#example-testpmd-setup-and-netvsc-test).

+### Supported Marketplace Images

+A nonexhaustive list of images with backported patches for DPDK with MANA:

+- Red Hat Enterprise Linux 8.9

+- Red Hat Enterprise Linux 9.4

+- Canonical Ubuntu Server 20.04 (5.15.0-1045-azure)

+- Canonical Ubuntu Server 22.04 (5.15.0-1045-azure)

+>DPDK requires either 2MB or 1GB hugepages to be enabled.

+>Example assumes an Azure VM with 2 accelerated networking NICs attached.

+dpdk-testpmd -l 1-6 --vdev="$BUS_INFO,mac=$MANA_MAC" -- --forward-mode=txonly --auto-start --nb-cores=4 --txd=128 --rxd=128 --txq=8 --rxq=8 --stats 2

+```log

+```log

+### Low throughput with use of `--vdev="net_vdev_netvsc0,iface=eth1"`

+### Version mismatch for rdma-core

+Mismatches in rdma-core and the linux kernel can occur anytime; often they occur when a user is building some combination of rdma-core, DPDK, and the linux kernel from source. This type of version mismatch can cause a failed probe of the MANA virtual function (VF).

+```log

+EAL: Probe PCI driver: net_mana (1414:ba) device: 7870:00:00.0 (socket 0)

+mana_arg_parse_callback(): key=mac value=00:0d:3a:76:3b:d0 index=0

+mana_init_once(): MP INIT PRIMARY

+mana_pci_probe_mac(): Probe device name mana_0 dev_name uverbs0 ibdev_path /sys/class/infiniband/mana_0

+mana_probe_port(): device located port 2 address 00:0D:3A:76:3B:D0

+mana_probe_port(): ibv_alloc_parent_domain failed port 2

+mana_pci_probe_mac(): Probe on IB port 2 failed -12

+EAL: Requested device 7870:00:00.0 cannot be used

+EAL: Bus (pci) probe failed.

+hn_vf_attach(): Couldn't find port for VF

+hn_vf_add(): RNDIS reports VF but device not found, retrying

+```

+This likely results from using a kernel with backported patches for mana_ib with a newer version of rdma-core. The root cause is an interaction between the kernel RDMA drivers and user space rdma-core libraries.

+The Linux kernel uapi for RDMA has a list of RDMA provider IDs, in backported versions of the kernel this ID value can differ from the version in the rdma-core libraries.

+> {!NOTE}

+> Example snippets are from [Ubuntu 5.150-1045 linux-azure](https://git.launchpad.net/~canonical-kernel/ubuntu/+source/linux-azure/+git/focal/tree/include/uapi/rdma/ib_user_ioctl_verbs.h?h=azure-5.15-next) and [rdma-core v46.0](https://github.com/linux-rdma/rdma-core/blob/4cce53f5be035137c9d31d28e204502231a56382/kernel-headers/rdma/ib_user_ioctl_verbs.h#L220)

+```c

+// Linux kernel header

+// include/uapi/rdma/ib_user_ioctl_verbs.h

+enum rdma_driver_id {

+ RDMA_DRIVER_UNKNOWN,

+ RDMA_DRIVER_MLX5,

+ RDMA_DRIVER_MLX4,

+ RDMA_DRIVER_CXGB3,

+ RDMA_DRIVER_CXGB4,

+ RDMA_DRIVER_MTHCA,

+ RDMA_DRIVER_BNXT_RE,

+ RDMA_DRIVER_OCRDMA,

+ RDMA_DRIVER_NES,

+ RDMA_DRIVER_I40IW,

+ RDMA_DRIVER_IRDMA = RDMA_DRIVER_I40IW,

+ RDMA_DRIVER_VMW_PVRDMA,

+ RDMA_DRIVER_QEDR,

+ RDMA_DRIVER_HNS,

+ RDMA_DRIVER_USNIC,

+ RDMA_DRIVER_RXE,

+ RDMA_DRIVER_HFI1,

+ RDMA_DRIVER_QIB,

+ RDMA_DRIVER_EFA,

+ RDMA_DRIVER_SIW,

+ RDMA_DRIVER_MANA, //<- MANA added as last member of enum after backporting

+};

+// Example mismatched rdma-core ioctl verbs header

+// on github: kernel-headers/rdma/ib_user_ioctl_verbs.h

+// or in release tar.gz: include/rdma/ib_user_ioctl_verbs.h

+enum rdma_driver_id {

+ RDMA_DRIVER_UNKNOWN,

+ RDMA_DRIVER_MLX5,

+ RDMA_DRIVER_MLX4,

+ RDMA_DRIVER_CXGB3,

+ RDMA_DRIVER_CXGB4,

+ RDMA_DRIVER_MTHCA,

+ RDMA_DRIVER_BNXT_RE,

+ RDMA_DRIVER_OCRDMA,

+ RDMA_DRIVER_NES,

+ RDMA_DRIVER_I40IW,

+ RDMA_DRIVER_IRDMA = RDMA_DRIVER_I40IW,

+ RDMA_DRIVER_VMW_PVRDMA,

+ RDMA_DRIVER_QEDR,

+ RDMA_DRIVER_HNS,

+ RDMA_DRIVER_USNIC,

+ RDMA_DRIVER_RXE,

+ RDMA_DRIVER_HFI1,

+ RDMA_DRIVER_QIB,

+ RDMA_DRIVER_EFA,

+ RDMA_DRIVER_SIW,

+ RDMA_DRIVER_ERDMA, // <- This upstream has two additional providers

+ RDMA_DRIVER_MANA, // <- So MANA's ID in the enum does not match

+};

+```

+This mismatch results in the MANA provider code failing to load. Use `gdb` to trace the execution of `dpdk-testpmd` to confirm the ERDMA provider is loaded instead of the MANA provider. The MANA driver_id must be consistent for both the kernel and rdma-core. The MANA PMD loads correctly when those IDs match.

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+ $rg = Get-AzResourceGroup -Name $resourceGroupName