+## June 2023

+### New articles

+- [Configure app multi-instancing](configure-app-multi-instancing.md) - Configuration of multiple instances of the same application within a tenant

+- [Migrate away from using email claims for user identification or authorization](migrate-off-email-claim-authorization.md) - Migration guidance for insecure authorization pattern

+- [Optional claims reference](optional-claims-reference.md) - v1.0 and v2.0 optional claims reference

+### Updated articles

+- [A web app that calls web APIs: Code configuration](scenario-web-app-call-api-app-configuration.md) - Editorial review of Node.js code snippet

+- [Claims mapping policy type](reference-claims-mapping-policy-type.md) - Editorial review of claims mapping policy type

+- [Configure token lifetime policies (preview)](configure-token-lifetimes.md) - Adding service principal policy commands

+- [Customize SAML token claims](saml-claims-customization.md) - Review of claims mapping policy type

+- [Microsoft identity platform code samples](sample-v2-code.md) - Reworking code samples file to add extra tab

+- [Refresh tokens in the Microsoft identity platform](refresh-tokens.md) - Editorial review of refresh tokens

+- [Tokens and claims overview](security-tokens.md) - Editorial review of security tokens

+- [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md) - Editorial review

+- [What's new for authentication?](reference-breaking-changes.md) - Identity breaking change: omission of unverified emails by default

+| June | 99.999% | 99.999% | 99.999% |

+When using a *Standard* SKU load balancer with managed outbound public IPs (which are created by default), you can scale the number of managed outbound public IPs using the **`--load-balancer-managed-outbound-ip-count`** parameter.

+At cluster creation time, you can also set the initial number of managed outbound public IPs by appending the **`--load-balancer-managed-outbound-ip-count`** parameter and setting it to your desired value. The default number of managed outbound public IPs is *1*.

+## Disable pod-managed identity on an existing cluster

+To disable pod-managed identity on an existing cluster, remove the pod-managed identities from the cluster. Then disable the feature on the cluster.

+```azurecli

+az aks pod-identity delete --name ${POD_IDENTITY_NAME} --namespace ${POD_IDENTITY_NAMESPACE} --resource-group myResourceGroup --cluster-name myAKSCluster

+```

+```azurecli

+az aks update --resource-group myResourceGroup --cluster-name myAKSCluster --disable-pod-identity

+```

+ Title: Add and manage App Service certificates

+description: Create an App Service certificate and manage it (such as renew, sync, and delete).

+tags: buy-ssl-certificates

+# Create and manage an App Service certificate for your web app

+This article shows how to create an App Service certificate and manage it (such as renew, sync, and delete). Once you have an App Service certificate, you can then import it into an App Service app. An App Service certificate is a private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.

+If you purchase an App Service certificate from Azure, Azure manages the following tasks:

+- Handles the purchase process from GoDaddy.

+- Performs domain verification of the certificate.

+- Maintains the certificate in [Azure Key Vault](../key-vault/general/overview.md).

+- Manages [certificate renewal](#renew-an-app-service-certificate).

+- Synchronizes the certificate automatically with the imported copies in App Service apps.

+> [!NOTE]

+> After you upload a certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a *webspace*. That way, the certificate is accessible to other apps in the same resource group and region combination. Certificates uploaded or imported to App Service are shared with App Services in the same deployment unit.

+## Prerequisites

+- [Create an App Service app](./index.yml). The app's [App Service plan](overview-hosting-plans.md) must be in the **Basic**, **Standard**, **Premium**, or **Isolated** tier. See [Scale up an app](manage-scale-up.md#scale-up-your-pricing-tier) to update the tier.

+> [!NOTE]

+> Currently, App Service certificates aren't supported in Azure National Clouds.

+## Buy and configure an App Service certificate

+#### Start certificate purchase

+1. Go to the [App Service Certificate creation page](https://portal.azure.com/#create/Microsoft.SSL), and start your purchase for an App Service certificate.

+ > [!NOTE]

+ > App Service Certificates purchased from Azure are issued by GoDaddy. For some domains, you must explicitly allow GoDaddy as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue godaddy.com`

+ :::image type="content" source="./media/configure-ssl-certificate/purchase-app-service-cert.png" alt-text="Screenshot of 'Create App Service Certificate' pane with purchase options.":::

+1. To help you configure the certificate, use the following table. When you're done, select **Review + Create**, then select **Create**.

+ | Setting | Description |

+ |-|-|

+ | **Subscription** | The Azure subscription to associate with the certificate. |

+ | **Resource group** | The resource group that will contain the certificate. You can either create a new resource group or select the same resource group as your App Service app. |

+ | **SKU** | Determines the type of certificate to create, either a standard certificate or a [wildcard certificate](https://wikipedia.org/wiki/Wildcard_certificate). |

+ | **Naked Domain Host Name** | Specify the root domain. The issued certificate secures *both* the root domain and the `www` subdomain. In the issued certificate, the **Common Name** field specifies the root domain, and the **Subject Alternative Name** field specifies the `www` domain. To secure any subdomain only, specify the fully qualified domain name for the subdomain, for example, `mysubdomain.contoso.com`.|

+ | **Certificate name** | The friendly name for your App Service certificate. |

+ | **Enable auto renewal** | Select whether to automatically renew the certificate before expiration. Each renewal extends the certificate expiration by one year and the cost is charged to your subscription. |

+1. When deployment is complete, select **Go to resource**.

+#### Store certificate in Azure Key Vault

+[Key Vault](../key-vault/general/overview.md) is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. For App Service certificates, the storage of choice is Key Vault. After you finish the certificate purchase process, you must complete a few more steps before you start using this certificate.

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate. On the certificate menu, select **Certificate Configuration** > **Step 1: Store**.

+ :::image type="content" source="media/configure-ssl-certificate/configure-key-vault.png" alt-text="Screenshot of 'Certificate Configuration' pane with 'Step 1: Store' selected.":::

+1. On the **Key Vault Status** page, select **Select from Key Vault**.

+1. If you create a new vault, set up the vault based on the following table, and make sure to use the same subscription and resource group as your App Service app.

+ | Setting | Description |

+ |-|-|

+ | **Resource group** | Recommended: The same resource group as your App Service certificate. |

+ | **Key vault name** | A unique name that uses only alphanumeric characters and dashes. |

+ | **Region** | The same location as your App Service app. |

+ | **Pricing tier** | For information, see [Azure Key Vault pricing details](https://azure.microsoft.com/pricing/details/key-vault/). |

+ | **Days to retain deleted vaults** | The number of days after deletion, in which objects remain recoverable (see [Azure Key Vault soft-delete overview](../key-vault/general/soft-delete-overview.md)). Set a value between 7 and 90. |

+ | **Purge protection** | Prevents objects soft-deleted st objects to be manually purged. Enabling this option forces all deleted objects to remain in soft-deleted state for the entire duration of the retention period. |

+1. Select **Next** and select **Vault access policy**. Currently, App Service certificates support only Key Vault access policies, not the RBAC model.

+1. Select **Review + create**, then select **Create**.

+1. After the key vault is created, don't select **Go to resource** but wait for the **Select key vault from Azure Key Vault page** to reload.

+1. Select **Select**.

+1. After you select the vault, close the **Key Vault Repository** page. The **Step 1: Store** option should show a green check mark to indicate success. Keep the page open for the next step.

+#### Confirm domain ownership

+1. From the same **Certificate Configuration** page in the previous section, select **Step 2: Verify**.

+ :::image type="content" source="media/configure-ssl-certificate/verify-domain.png" alt-text="Screenshot of 'Certificate Configuration' pane with 'Step 2: Verify' selected.":::

+1. Select **App Service Verification**. However, because you previously mapped the domain to your web app per the [Prerequisites](#prerequisites), the domain is already verified. To finish this step, just select **Verify**, and then select **Refresh** until the message **Certificate is Domain Verified** appears.

+The following domain verification methods are supported:

+| Method | Description |

+|--|-|

+| **App Service Verification** | The most convenient option when the domain is already mapped to an App Service app in the same subscription because the App Service app has already verified the domain ownership. Review the last step in [Confirm domain ownership](#confirm-domain-ownership). |

+| **Domain Verification** | Confirm an [App Service domain that you purchased from Azure](manage-custom-dns-buy-domain.md). Azure automatically adds the verification TXT record for you and completes the process. |

+| **Mail Verification** | Confirm the domain by sending an email to the domain administrator. Instructions are provided when you select the option. |

+| **Manual Verification** | Confirm the domain by using either a DNS TXT record or an HTML page, which applies only to **Standard** certificates per the following note. The steps are provided after you select the option. The HTML page option doesn't work for web apps with "HTTPS Only' enabled. |

+> [!IMPORTANT]

+> With the **Standard** certificate, you get a certificate for the requested top-level domain *and* the `www` subdomain, for example, `contoso.com` and `www.contoso.com`. However, **App Service Verification** and **Manual Verification** both use HTML page verification, which doesn't support the `www` subdomain when issuing, rekeying, or renewing a certificate. For the **Standard** certificate, use **Domain Verification** and **Mail Verification** to include the `www` subdomain with the requested top-level domain in the certificate.

+Once your certificate is domain-verified, [you're ready to import it into an App Service app](configure-ssl-certificate.md#import-an-app-service-certificate).

+## Renew an App Service certificate

+By default, App Service certificates have a one-year validity period. Before and nearer to the expiration date, you can automatically or manually renew App Service certificates in one-year increments. The renewal process effectively gives you a new App Service certificate with the expiration date extended to one year from the existing certificate's expiration date.

+> [!NOTE]

+> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew or rekey process. The new certificate order remains in "pending issuance" mode during the renew or rekey process until you complete the domain verification.

+>

+> Unlike the free App Service managed certificate, domain re-verification for App Service certificates *isn't* automated. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).

+>

+> The renewal process requires that the well-known [service principal for App Service has the required permissions on your key vault](deploy-resource-manager-template.md#deploy-web-app-certificate-from-key-vault). These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.

+1. To change the automatic renewal setting for your App Service certificate at any time, on the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.

+1. On the left menu, select **Auto Renew Settings**.

+1. Select **On** or **Off**, and select **Save**.

+ If you turn on automatic renewal, certificates can start automatically renewing 32 days before expiration.

+ > [!div class="mx-imgBorder"]

+ > 

+1. To manually renew the certificate instead, select **Manual Renew**. You can request to manually renew your certificate 60 days before expiration.

+1. After the renew operation completes, select **Sync**.

+ The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

+ > [!NOTE]

+ > If you don't select **Sync**, App Service automatically syncs your certificate within 24 hours.

+## Rekey and App Service certificate

+If you think your certificate's private key is compromised, you can rekey your certificate. This action rolls the certificate with a new certificate issued from the certificate authority.

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate. From the left menu, select **Rekey and Sync**.

+1. To start the process, select **Rekey**. This process can take 1-10 minutes to complete.

+ > [!div class="mx-imgBorder"]

+ > 

+1. You might also be required to [reconfirm domain ownership](#confirm-domain-ownership).

+1. After the rekey operation completes, select **Sync**.

+ The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

+ > [!NOTE]

+ > If you don't select **Sync**, App Service automatically syncs your certificate within 24 hours.

+## Export an App Service certificate

+Because an App Service certificate is a [Key Vault secret](../key-vault/general/about-keys-secrets-certificates.md), you can export a copy as a PFX file, which you can use for other Azure services or outside of Azure.

+> [!IMPORTANT]

+> The exported certificate is an unmanaged artifact. App Service doesn't sync such artifacts when the App Service Certificate is [renewed](#renew-an-app-service-certificate). You must export and install the renewed certificate where necessary.

+#### [Azure portal](#tab/portal)

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.

+1. On the left menu, select **Export Certificate**.

+1. Select **Open Key Vault Secret**.

+1. Select the certificate's current version.

+1. Select **Download as a certificate**.

+#### [Azure CLI](#tab/cli)

+Run the following commands in [Azure Cloud Shell](https://shell.azure.com), or run them locally if you [installed Azure CLI](/cli/azure/install-azure-cli). Replace the placeholders with the names that you used when you [bought the App Service certificate](#start-certificate-purchase).

+```azurecli-interactive

+secretname=$(az resource show \

+ --resource-group <group-name> \

+ --resource-type "Microsoft.CertificateRegistration/certificateOrders" \

+ --name <app-service-cert-name> \

+ --query "properties.certificates.<app-service-cert-name>.keyVaultSecretName" \

+ --output tsv)

+az keyvault secret download \

+ --file appservicecertificate.pfx \

+ --vault-name <key-vault-name> \

+ --name $secretname \

+ --encoding base64

+```

+#### [Azure PowerShell](#tab/powershell)

+```azurepowershell-interactive

+$ascName = <app-service-cert-name>

+$ascResource = Get-AzResource -ResourceType "Microsoft.CertificateRegistration/certificateOrders" -Name $ascName -ResourceGroupName <group-name> -ExpandProperties

+$keyVaultSecretName = $ascResource.Properties.certificates[0].$ascName.KeyVaultSecretName

+$CertBase64 = Get-AzKeyVaultSecret -VaultName <key-vault-name> -Name $keyVaultSecretName -AsPlainText

+$CertBytes = [Convert]::FromBase64String($CertBase64)

+Set-Content -Path appservicecertificate.pfx -Value $CertBytes -AsByteStream

+```

+The downloaded PFX file is a raw PKCS12 file that contains both the public and private certificates and has an import password that's an empty string. You can locally install the file by leaving the password field empty. You can't [upload the file as-is into App Service](configure-ssl-certificate.md#upload-a-private-certificate) because the file isn't [password protected](configure-ssl-certificate.md#private-certificate-requirements).

+## Delete an App Service certificate

+If you delete an App Service certificate, the delete operation is irreversible and final. The result is a revoked certificate, and any binding in App Service that uses this certificate becomes invalid.

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.

+1. From the left menu, select **Overview** > **Delete**.

+1. When the confirmation box opens, enter the certificate name, and select **OK**.

+## Frequently asked questions

+#### My App Service certificate doesn't have any value in Key Vault

+Your App Service certificate is most likely still not yet domain-verified. Until [domain ownership is confirmed](#confirm-domain-ownership), your App Service certificate isn't ready for use. As a key vault secret, it maintains an `Initialize` tag, and its value and content-type remain empty. When domain ownership is confirmed, the key vault secret shows a value and a content-type, and the tag changes to `Ready`.

+#### I can't export my App Service certificate with PowerShell

+Your App Service certificate is most likely still not yet domain-verified. Until [domain ownership is confirmed](#confirm-domain-ownership), your App Service certificate isn't ready for use.

+#### What changes does the App Service certificate creation process make to my existing Key Vault?

+The creation process makes the following changes:

+- Adds two access policies in the vault:

+ - **Microsoft.Azure.WebSites** (or `Microsoft Azure App Service`)

+ - **Microsoft certificate reseller CSM Resource Provider** (or `Microsoft.Azure.CertificateRegistration`)

+- Creates a [delete lock](../azure-resource-manager/management/lock-resources.md) on the vault called: `AppServiceCertificateLock` to prevent accidental deletion of the key vault.

+## More resources

+* [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](configure-ssl-bindings.md)

+* [Enforce HTTPS](configure-ssl-bindings.md#enforce-https)

+* [Enforce TLS 1.1/1.2](configure-ssl-bindings.md#enforce-tls-versions)

+* [Use a TLS/SSL certificate in your code in Azure App Service](configure-ssl-certificate-in-code.md)

+* [FAQ : App Service Certificates](./faq-configuration-and-management.yml)

+ - **Import App Service Certificate** - In **App Service Certificate**, choose an [App Service certificate](configure-ssl-app-service-certificate.md) you've purchased for your selected domain.

+This approach to using certificates in your code makes use of the TLS functionality in App Service, which requires your app to be in **Basic** tier or higher. If your app is in **Free** or **Shared** tier, you can [include the certificate file in your app repository](#load-certificate-from-file).

+> This approach to using certificates in your code makes use of the TLS functionality in App Service, which requires your app to be in **Basic** tier or higher.

+The `WEBSITE_LOAD_CERTIFICATES` app setting makes the specified certificates accessible to your Windows or Linux custom containers (including built-in Linux containers) as files. The files are found under the following directories:

+In addition, [Windows Server Core containers](configure-custom-container.md#supported-parent-images) load the certificates into the certificate store automatically, in **LocalMachine\My**. To load the certificates, follow the same pattern as [Load certificate in Windows apps](#load-certificate-in-windows-apps). For Windows Nano based containers, use these file paths [Load the certificate directly from file](#load-certificate-from-file).

+If you renew a certificate [in Key Vault](configure-ssl-certificate.md#renew-a-certificate-imported-from-key-vault), such as with an [App Service certificate](configure-ssl-app-service-certificate.md#renew-an-app-service-certificate), the daily sync from Key Vault makes the necessary update automatically when synchronizing your app with the renewed certificate.

+| Import an App Service certificate | A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options. |

+- [Create an App Service app](./index.yml). The app's [App Service plan](overview-hosting-plans.md) must be in the **Basic**, **Standard**, **Premium**, or **Isolated** tier. See [Scale up an app](manage-scale-up.md#scale-up-your-pricing-tier) to update the tier.

+The [free App Service managed certificate](#create-a-free-managed-certificate) and the [App Service certificate](configure-ssl-app-service-certificate.md) already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:

+The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. Without any action from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed continuously in six-month increments, 45 days before expiration, as long as the prerequisites that you set up stay the same. All the associated bindings are updated with the renewed certificate. You create and bind the certificate to a custom domain, and let App Service do the rest.

+1. On your app's navigation menu, select **Certificates**. In the **Managed certificates** pane, select **Add certificate**.

+ :::image type="content" source="media/configure-ssl-certificate/create-free-cert.png" alt-text="Screenshot of app menu with 'Certificates', 'Managed certificates', and 'Add certificate' selected.":::

+1. Select the custom domain for the free certificate, and then select **Validate**. When validation completes, select **Add**. You can create only one managed certificate for each supported custom domain.

+ When the operation completes, the certificate appears in the **Managed certificates** list.

+ :::image type="content" source="media/configure-ssl-certificate/create-free-cert-finished.png" alt-text="Screenshot of 'Managed certificates' pane with newly created certificate listed.":::

+## Import an App Service certificate

+To import an App Service certificate, first [buy and configure an App Service certificate](configure-ssl-app-service-certificate.md#buy-and-configure-an-app-service-certificate), then follow the steps here.

+1. From your app's navigation menu, select **Certificates** > **Bring your own certificates (.pfx)** > **Add certificate**.

+1. In Source, select **Import App Service Certificate**.

+1. In **App Service certificate**, select the certificate you just created.

+1. In **Certificate friendly name**, give the certificate a name in your app.

+1. Select **Validate**. When validation succeeds, select **Add**.

+ :::image type="content" source="media/configure-ssl-certificate/import-app-service-cert.png" alt-text="Screenshot of app management page with 'Certificates', 'Bring your own certificates (.pfx)', and 'Import App Service certificate' selected, and the completed 'Add private key certificate' page with the **Validate** button.":::

+ When the operation completes, the certificate appears in the **Bring your own certificates** list.

+ :::image type="content" source="media/configure-ssl-certificate/import-app-service-cert-finished.png" alt-text="Screenshot of 'Bring your own certificates (.pfx)' pane with purchased certificate listed.":::

+1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **\<app-name>**.

+1. From your app's navigation menu, select **Certificates** > **Bring your own certificates (.pfx)** > **Add certificate**.

+1. In Source, select **Import from Key Vault**.

+1. Select **Select key vault certificate**.

+ :::image type="content" source="media/configure-ssl-certificate/import-key-vault-cert.png" alt-text="Screenshot of app management page with 'Certificates', 'Bring your own certificates (.pfx)', and 'Import from Key Vault' selected":::

+ | **Key vault** | The key vault that has the certificate you want to import. |

+1. When finished with your selection, select **Select**, **Validate**, then **Add**.

+ When the operation completes, the certificate appears in the **Bring your own certificates** list. If the import fails with an error, the certificate doesn't meet the [requirements for App Service](#private-certificate-requirements).

+ :::image type="content" source="media/configure-ssl-certificate/import-app-service-cert-finished.png" alt-text="Screenshot of 'Bring your own certificates (.pfx)' pane with imported certificate listed.":::

+#### Merge intermediate certificates

+#### Export merged private certificate to PFX

+#### Upload certificate to App Service

+1. From your app's navigation menu, select **Certificates** > **Bring your own certificates (.pfx)** > **Upload Certificate**.

+ :::image type="content" source="media/configure-ssl-certificate/upload-private-cert.png" alt-text="Screenshot of 'Certificates', 'Bring your own certificates (.pfx)', 'Upload Certificate' selected.":::

+1. To help you upload the .pfx certificate, use the following table:

+ | Setting | Description |

+ |-|-|

+ | **PFX certificate file** | Select your .pfx file. |

+ | **Certificate password** | Enter the password that you created when you exported the PFX file. |

+ | **Certificate friendly name** | The certificate name that will be shown in your web app. |

+1. When finished with your selection, select **Select**, **Validate**, then **Add**.

+ When the operation completes, the certificate appears in the **Bring your own certificates** list.

+ :::image type="content" source="media/configure-ssl-certificate/import-app-service-cert-finished.png" alt-text="Screenshot of 'Bring your own certificates' pane with uploaded certificate listed.":::

+1. From your app's navigation menu, select **Certificates** > **Public key certificates (.cer)** > **Add certificate**.

+1. To help you upload the .cer certificate, use the following table:

+ | Setting | Description |

+ |-|-|

+ | **CER certificate file** | Select your .pfx file. |

+ | **Certificate friendly name** | The certificate name that will be shown in your web app. |

+1. When you're done, select **Add**.

+ :::image type="content" source="media/configure-ssl-certificate/upload-public-cert.png" alt-text="Screenshot of name and public key certificate to upload.":::

+Before a certificate expires, make sure to add the renewed certificate to App Service, and update any certificate bindings where the process depends on the certificate type. For example, a [certificate imported from Key Vault](#import-a-certificate-from-key-vault), including an [App Service certificate](configure-ssl-app-service-certificate.md), automatically syncs to App Service every 24 hours and updates the TLS/SSL binding when you renew the certificate. For an [uploaded certificate](#upload-a-private-certificate), there's no automatic binding update. Based on your scenario, review the corresponding section:

+- [Renew an App Service certificate](configure-ssl-app-service-certificate.md#renew-an-app-service-certificate)

+#### Renew uploaded certificate

+1. Go to the **Custom domains** page for your app, select the **...** actions button, and select **Update binding**.

+1. Select the new certificate and select **Update**.

+#### Renew a certificate imported from Key Vault

+> To renew an App Service certificate, see [Renew an App Service certificate](configure-ssl-app-service-certificate.md#renew-an-app-service-certificate).

+After the certificate renews inside your key vault, App Service automatically syncs the new certificate, and updates any applicable certificate binding within 24 hours. To sync manually, follow these steps:

+1. Go to your app's **Certificate** page.

+1. Under **Bring your own certificates (.pfx)**, select the **...** details button for the imported key vault certificate, and then select **Sync**.

+## Frequently asked questions

+- [How can I automate adding a bring-your-owncertificate to an app?](#how-can-i-automate-adding-a-bring-your-owncertificate-to-an-app)

+- [Frequently asked questions for App Service certificates](configure-ssl-app-service-certificate.md#frequently-asked-questions)

+#### How can I automate adding a bring-your-owncertificate to an app?

+- [Azure CLI: Bind a custom TLS/SSL certificate to a web app](scripts/cli-configure-ssl-certificate.md)

+- [Azure PowerShell Bind a custom TLS/SSL certificate to a web app using PowerShell](scripts/powershell-configure-ssl-certificate.md)

+For security enhancement, it's recommended to bind TLS/SSL certificate for session encryption. To bind TLS/SSL certificate to the application gateway, a valid public certificate with following information is required. With [App Service certificates](../configure-ssl-app-service-certificate.md), you can buy a TLS/SSL certificate and export it in .pfx format.

+Azure App Service runs on Azure infrastructure that accrues costs when you deploy new resources. It's important to understand that there could be other infrastructure costs that might accrue.

+- [App Service certificates](configure-ssl-app-service-certificate.md) One-time charge at the time of purchase. If you have multiple subdomains to secure, you can reduce cost by purchasing one wildcard certificate instead of multiple standard certificates.

+- [IP-based SSL binding](configure-ssl-bindings.md) The binding is configured on a certificate at the app level. Costs are accrued for each binding. For **Standard** tier and higher, the first IP-based binding isn't charged.

+To use the pricing calculator, select **App Service** in the **Products** tab. Then, scroll down to work with the calculator. The following screenshot is an example and doesn't reflect current pricing.

+1. On the create page, scroll down to **App Service plan**, and select **Create new**.

+1. Specify a name and select **OK**.

+1. Next to **Sku and size**, select **Change size**.

+- **Instance count** dedicated tiers (Basic and higher) can be scaled out, and each scaled out instance accrues costs.

+Production workloads come with the recommendation of the dedicated **Standard** pricing tier or higher. While the price goes up for higher tiers, it also gives you more memory and storage and higher-performing hardware, giving you higher app density per compute instance. That translates to lower instance count for the same number of apps, and therefore lower cost. In fact, **Premium V3** (the highest non-**Isolated** tier) is the most cost effective way to serve your app at scale. To add to the savings, you can get deep discounts on [Premium V3 reservations](#azure-reservations).

+Once you choose the pricing tier you want, you should minimize the idle instances. In a scale-out deployment, you can waste money on underutilized compute instances. You should [configure autoscaling](../azure-monitor/autoscale/autoscale-get-started.md), available in **Standard** tier and higher. By creating scale-out schedules, as well as metric-based scale-out rules, you only pay for the instances you really need at any given time.

+The reserved instance pricing applies to the applicable instances in your subscription, up to the number of instances that you reserve. The reserved instances are a billing matter and aren't tied to specific compute instances. If you run fewer instances than you reserve at any point during the reservation period, you still pay for the reserved instances. If you run more instances than you reserve at any point during the reservation period, you pay the normal accrued cost for the additional instances.

+In the Azure portal, you can't purchase an [Azure App Service certificate](configure-ssl-app-service-certificate.md).

+To modify the access policies for the key vault, follow these steps:

+Starting on July 24, 2017, Azure hosts App Service domains purchased from the Azure portal on Azure DNS. If you prefer to use a different hosting provider, you must go to their website to obtain a domain hosting solution.

+Yes, when you access the **Custom domains** and **Certificates** pages in the Azure portal, you see the domains that you purchased. You can configure your app to use any of those domains.

+> [!IMPORTANT]

+> The subnet named "GatewaySubnet" is reserved for VPN gateways. The Application Gateway V1 resources using the "GatewaySubnet" subnet need to be moved to a different subnet or migrated to V2 SKU before September 30, 2023 to avoid control plane failures and platform inconsistencies. For changing the subnet of an existing Application gateway, see [steps here](application-gateway-faq.yml#can-i-change-the-virtual-network-or-subnet-for-an-existing-application-gateway).

+- **Redis Modules**: Enterprise tiers support [RediSearch](https://docs.redis.com/latest/modules/redisearch/), [RedisBloom](https://docs.redis.com/latest/modules/redisbloom/), [RedisTimeSeries](https://docs.redis.com/latest/modules/redistimeseries/), and [RedisJSON](https://docs.redis.com/latest/modules/redisjson/). These modules add new data types and functionality to Redis.

+The Azure Maps Web SDK includes an [Indoor Maps] module, enabling you to render indoor maps created in Azure Maps Creator services.

+> [Drawing package requirements]

+> [Creator for indoor maps]

+> [Indoor Maps dynamic styling]

+> [Code samples]

+[Indoor Maps]: https://www.npmjs.com/package/azure-maps-indoor

+[Code samples]: /samples/browse/?products=azure-maps

+[Creator for indoor maps]: creator-indoor-maps.md

+[Drawing package requirements]: drawing-requirements.md

+[Indoor Maps dynamic styling]: indoor-map-dynamic-styling.md

+[style-loader]: https://webpack.js.org/loaders/style-loader

+[visual style editor]: https://azure.github.io/Azure-Maps-Style-Editor

+[Webpack]: https://webpack.js.org

+The Azure Maps Web SDK provides a [Map Control] that enables the customization of interactive maps with your own content and imagery for display in your web or mobile applications. This module is a helper library that makes it easy to use the Azure Maps REST services in web or Node.js applications by using JavaScript or TypeScript.

+* A [subscription key] or Azure Active Directory (Azure AD) credentials. For more information, see [authentication options].

+[Map Control]: https://www.npmjs.com/package/azure-maps-control

+The Azure Maps Web SDK provides a [services module]. This module is a helper library that makes it easy to use the Azure Maps REST services in web or Node.js applications by using JavaScript or TypeScript.

+> [MapsURL]

+> [SearchURL]

+> [RouteURL]

+> [SubscriptionKeyCredential]

+> [TokenCredential]

+> [Show search results on the map]

+> [Get information from a coordinate]

+> [Show directions from A to B]

+[MapsURL]: /javascript/api/azure-maps-rest/atlas.service.mapsurl

+[SearchURL]: /javascript/api/azure-maps-rest/atlas.service.searchurl

+[RouteURL]: /javascript/api/azure-maps-rest/atlas.service.routeurl

+[SubscriptionKeyCredential]: /javascript/api/azure-maps-rest/atlas.service.subscriptionkeycredential

+[TokenCredential]: /javascript/api/azure-maps-rest/atlas.service.tokencredential

+[Show search results on the map]: map-search-location.md

+[Get information from a coordinate]: map-get-information-from-coordinate.md

+[Show directions from A to B]: map-route.md

+[services module]: https://www.npmjs.com/package/azure-maps-rest

+ Title: How to use the Azure Maps spatial IO module

+The Azure Maps Web SDK provides the [Spatial IO module], which integrates spatial data with the Azure Maps web SDK using JavaScript or TypeScript. The robust features in this module allow developers to:

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Azure Maps map control]: how-to-use-map-control.md

+[Azure Maps Spatial IO package]: /javascript/api/azure-maps-spatial-io

+[azure-maps-spatial-io]: https://www.npmjs.com/package/azure-maps-spatial-io

+[Connect to a WFS service]: spatial-io-connect-wfs-service.md

+[Core IO operations]: spatial-io-core-operations.md

+[Read and write spatial data]: spatial-io-read-write-spatial-data.md

+[Spatial IO module]: https://www.npmjs.com/package/azure-maps-spatial-io

+[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+ Title: Create a map with Azure Maps

+To load a map, create a new instance of the [Map class]. When initializing the map, pass a DIV element ID to render the map and pass a set of options to use when loading the map. If default authentication information isn't specified on the `atlas` namespace, this information needs to be specified in the map options when loading the map. The map loads several resources asynchronously for performance. As such, after creating the map instance, attach a `ready` or `load` event to the map and then add more code that interacts with the map to the event handler. The `ready` event fires as soon as the map has enough resources loaded to be interacted with programmatically. The `load` event fires after the initial map view has finished loading completely.

+- [CameraOptions] and [CameraBoundOptions] are used to specify the area the map should display.

+- [ServiceOptions] are used to specify how the map should interact with services that power the map.

+- [StyleOptions] are used to specify the map should be styled and rendered.

+- [UserInteractionOptions] are used to specify how the map should reach when the user is interacting with the map.

+Map properties, such as center and zoom level, are part of the [CameraOptions] properties.

+A bounding box can be used to update the map camera. If the bounding box was calculated from point data, it's often useful to specify a pixel padding value in the camera options to account for the icon size. This pixel padding helps ensure that points don't fall off the edge of the map viewport.

+In the following code, a [Map object] is constructed via `new atlas.Map()`. Map properties such as `CameraBoundsOptions` can be defined via [setCamera] function of the Map class. Bounds and padding properties are set using `setCamera`.

+When setting the camera options of the map, [animation options] can also be set. These options specify the type of animation and duration it should take to move the camera.

+In the following code, the first code block creates a map and sets the enter and zoom map styles. In the second code block, a click event handler is created for the animate button. When this button is selected, the `setCamera` function is called with some random values for the [CameraOptions] and [AnimationOptions].

+- Add more headers to tile requests for password protected services.

+The [service options] of the map has a `transformRequest` that can be used to modify all requests made by the map before they're made. The `transformRequest` option is a function that takes in two parameters; a string URL, and a resource type string that indicates what the request is used for. This function must return a [RequestParameters] result.

+| WFS | A request from a `WfsClient` in the Spatial IO module to an OGC Web Feature Service. For more information, see [Connect to a WFS service]. |

+| WebMapService | A request from the `OgcMapLayer` in the Spatial IO module to a WMS or WMTS service. For more information, see [Add a map layer from the Open Geospatial Consortium (OGC)]. |

+Here are some resource types, typically ignored, that are passed through the request transform and are related to the base map styles: StyleDefinitions, Style, SpriteImage, SpriteJSON, Glyphs, Attribution.

+The following example shows how to modify all requests to the size `https://example.com` by adding a username and password as headers to the request.

+> [Map]

+> [CameraOptions]

+> [AnimationOptions]

+> [Change style of the map]

+> [Add controls to the map]

+> [Code samples]

+[Add a map layer from the Open Geospatial Consortium (OGC)]: spatial-io-add-ogc-map-layer.md

+[Add controls to the map]: map-add-controls.md

+[animation options]: /javascript/api/azure-maps-control/atlas.animationoptions

+[AnimationOptions]: /javascript/api/azure-maps-control/atlas.animationoptions

+[CameraBoundOptions]: /javascript/api/azure-maps-control/atlas.cameraboundsoptions

+[CameraOptions]: /javascript/api/azure-maps-control/atlas.cameraoptions

+[Change style of the map]: choose-map-style.md

+[Code samples]: /samples/browse/?products=azure-maps

+[Connect to a WFS service]: spatial-io-connect-wfs-service.md

+[Map class]: /javascript/api/azure-maps-control/atlas.map

+[Map object]: /javascript/api/azure-maps-control/atlas.map

+[Map]: /javascript/api/azure-maps-control/atlas.map

+[Multiple Maps]: https://samples.azuremaps.com/map/multiple-maps

+[RequestParameters]: /javascript/api/azure-maps-control/atlas.requestparameters

+[service options]: /javascript/api/azure-maps-control/atlas.serviceoptions

+[ServiceOptions]: /javascript/api/azure-maps-control/atlas.serviceoptions

+[setCamera]: /javascript/api/azure-maps-control/atlas.map

+[StyleOptions]: /javascript/api/azure-maps-control/atlas.styleoptions

+[UserInteractionOptions]: /javascript/api/azure-maps-control/atlas.userinteractionoptions

+ Title: Drawing tools module

+The Azure Maps Web SDK provides a [drawing tools module]. This module makes it easy to draw and edit shapes on the map using an input device such as a mouse or touch screen. The core class of this module is the [drawing manager](/javascript/api/azure-maps-drawing-tools/atlas.drawing.drawingmanager#setoptions-drawingmanageroptions-). The drawing manager provides all the capabilities needed to draw and edit shapes on the map. It can be used directly, and it's integrated with a custom toolbar UI. You can also use the built-in [drawing toolbar](/javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar) class.

+- `click` - Coordinates are added when the mouse or touch is clicked.

+- `freehand` - Coordinates are added when the mouse or touch is dragged on the map.

+- `hybrid` - Coordinates are added when the mouse or touch is clicked or dragged.

+The following code enables the polygon drawing mode and sets the type of drawing interaction that the drawing manager should adhere to `freehand`.

+[drawing tools module]: https://www.npmjs.com/package/azure-maps-drawing-tools

+| May 2023 | **Windows** <ul><li>Enable Large Event support for all regions.</li><li>Update to TroubleShooter 1.4.0.</li><li>Fixed issue when Event Log subscription become invalid; will resubscribe.</li><li>AMA: Fixed issue with Large Event sending too large data. Also affecting Custom Log.</li></ul> **Linux** <ul><li>Support for CIS and SELinux [hardening](https://learn.microsoft.com/azure/azure-monitor/agents/agents-overview#linux-hardening-standards)</li><li>Include Ubuntu 22.04 (jammy) in azure-mdsd package publishing</li><li>Move storage SDK patch to build container</li><li>Add system telegraf counters to AMA</li><li>Drop msgpack and syslog data if not configured in active configuration</li><li>Limit the events sent to Public ingestion pipeline</li><li>**Fixes** <ul><li>Fix mdsd crash in init when in persistent mode </li><li>Remove FdClosers from ProtocolListeners to avoid a race condition</li><li>Fix sed regex special character escaping issue in rpm macro for Centos 7.3.Maipo</li><li>Fix latency and future timestamp issue for 3P</li><li>Install AMA syslog configs only if customer is opted in for syslog in DCR</li><li>Fix heartbeat time check</li><li>Skip unnecessary cleanup in fatal signal handler</li><li>Fix case where fast-forwarding may cause intervals to be skipped</li><li>Fix comma separated custom log paths with fluent</li></ul></li><ul> | 1.16.0.0 | 1.26.2 |

+1. Start by setting up some environment variables. Change the values to suit your AKS cluster.

+ export AKS_CLUSTER_NAME="aks-cluster-name"

+ + `SERVICE_ACCOUNT_NAME` - KEDA must use the service account that was used to create federated credentials. This can be any user defined name.

+ + `AKS_CLUSTER_NAME`- The name of the AKS cluster where you want to deploy KEDA.

+ export AKS_OIDC_ISSUER="$(az aks show -n $AKS_CLUSTER_NAME -g $RESOURCE_GROUP --query "oidcIssuerProfile.issuerUrl" -otsv)"

+ az identity create --name $USER_ASSIGNED_IDENTITY_NAME --resource-group $RESOURCE_GROUP --location $LOCATION --subscription $SUBSCRIPTION

+ export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'clientId' -otsv)"

+ export TENANT_ID="$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'tenantId' -otsv)"

+1. Assign the *Monitoring Data Reader* role to the identity for your Azure Monitor workspace. This role allows the identity to read metrics from your workspace. Replace the *Azure Monitor Workspace resource group* and *Azure Monitor Workspace name* with the resource group and name of the Azure Monitor workspace which is configured to collect metrics from the AKS cluster.

+ --scope /subscriptions/$SUBSCRIPTION/resourceGroups/<Azure Monitor Workspace resource group>/providers/microsoft.monitor/accounts/<Azure monitor workspace name>

+1. Create the KEDA namespace, then create Kubernetes service account. This service account is used by KEDA to authenticate with Azure.

+ az aks get-credentials -n $AKS_CLUSTER_NAME -g $RESOURCE_GROUP

+ kubectl describe serviceaccount $SERVICE_ACCOUNT_NAME -n keda

+ az identity federated-credential create --name $FEDERATED_IDENTITY_CREDENTIAL_NAME --identity-name $USER_ASSIGNED_IDENTITY_NAME --resource-group $RESOURCE_GROUP --issuer $AKS_OIDC_ISSUER --subject system:serviceaccount:$SERVICE_ACCOUNT_NAMESPACE:$SERVICE_ACCOUNT_NAME --audience api://AzureADTokenExchange

+Add helm repository:

+```bash

+helm repo add kedacore https://kedacore.github.io/charts

+helm repo update

+```

+Deploy KEDA using the following command:

+Date list was last updated: 07/03/2023.

+|AclMatchedPackets |Yes |Acl Matched Packets |Count |Average |Count of the number of packets matching the current ACL entry. |FabricId, AclSetName, AclEntrySequenceId, AclSetType |

+|BgpPeerStatus |Yes |BGP Peer Status |Unspecified |Minimum |Operational state of the BGP peer. State is represented in numerical form. Idle : 1, Connect : 2, Active : 3, Opensent : 4, Openconfirm : 5, Established : 6 |FabricId, IpAddress |

+|ComponentOperStatus |Yes |Component Operational State |Unspecified |Minimum |The current operational status of the component. |FabricId, ComponentName |

+|CpuUtilizationMax |Yes |Cpu Utilization Max |Percent |Average |Max cpu utilization. The maximum value of the percentage measure of the statistic over the time interval. |FabricId, ComponentName |

+|CpuUtilizationMin |Yes |Cpu Utilization Min |Percent |Average |Min cpu utilization. The minimum value of the percentage measure of the statistic over the time interval. |FabricId, ComponentName |

+|FanSpeed |Yes |Fan Speed |Unspecified |Average |Current fan speed. |FabricId, ComponentName |

+|IfEthInCrcErrors |Yes |Ethernet Interface In CRC Errors |Count |Average |The total number of frames received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error) |FabricId, InterfaceName |

+|IfEthInFragmentFrames |Yes |Ethernet Interface In Fragment Frames |Count |Average |The total number of frames received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). |FabricId, InterfaceName |

+|IfEthInJabberFrames |Yes |Ethernet Interface In Jabber Frames |Count |Average |Number of jabber frames received on the interface. Jabber frames are typically defined as oversize frames which also have a bad CRC. |FabricId, InterfaceName |

+|IfEthInMacControlFrames |Yes |Ethernet Interface In MAC Control Frames |Count |Average |MAC layer control frames received on the interface |FabricId, InterfaceName |

+|IfEthInMacPauseFrames |Yes |Ethernet Interface In MAC Pause Frames |Count |Average |MAC layer PAUSE frames received on the interface |FabricId, InterfaceName |

+|IfEthInMaxsizeExceeded |Yes |Ethernet Interface In Maxsize Exceeded |Count |Average |The total number frames received that are well-formed dropped due to exceeding the maximum frame size on the interface. |FabricId, InterfaceName |

+|IfEthInOversizeFrames |Yes |Ethernet Interface In Oversize Frames |Count |Average |The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. |FabricId, InterfaceName |

+|IfEthOutMacControlFrames |Yes |Ethernet Interface Out MAC Control Frames |Count |Average |MAC layer control frames sent on the interface. |FabricId, InterfaceName |

+|IfEthOutMacPauseFrames |Yes |Ethernet Interface Out MAC Pause Frames |Count |Average |MAC layer PAUSE frames sent on the interface. |FabricId, InterfaceName |

+|IfInBroadcastPkts |Yes |Interface In Broadcast Pkts |Count |Average |The number of packets, delivered by this sub-layer to a higher (sub-)layer, that were addressed to a broadcast address at this sub-layer. |FabricId, InterfaceName |

+|IfInDiscards |Yes |Interface In Discards |Count |Average |The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. |FabricId, InterfaceName |

+|IfInErrors |Yes |Interface In Errors |Count |Average |For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. |FabricId, InterfaceName |

+|IfInFcsErrors |Yes |Interface In FCS Errors |Count |Average |Number of received packets which had errors in the frame check sequence (FCS), i.e., framing errors. |FabricId, InterfaceName |

+|IfInMulticastPkts |Yes |Interface In Multicast Pkts |Count |Average |The number of packets, delivered by this sub-layer to a higher (sub-)layer, that were addressed to a multicast address at this sub-layer. For a MAC-layer protocol, this includes both Group and Functional addresses. |FabricId, InterfaceName |

+|IfInOctets |Yes |Interface In Octets |Count |Average |The total number of octets received on the interface, including framing characters. |FabricId, InterfaceName |

+|IfInPkts |Yes |Interface In Pkts |Count |Average |The total number of packets received on the interface, including all unicast, multicast, broadcast and bad packets etc. |FabricId, InterfaceName |

+|IfInUnicastPkts |Yes |Interface In Unicast Pkts |Count |Average |The number of packets, delivered by this sub-layer to a higher (sub-)layer, that were not addressed to a multicast or broadcast address at this sub-layer. |FabricId, InterfaceName |

+|IfOutBroadcastPkts |Yes |Interface Out Broadcast Pkts |Count |Average |The total number of packets that higher-level protocols requested be transmitted, and that were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent. |FabricId, InterfaceName |

+|IfOutDiscards |Yes |Interface Out Discards |Count |Average |The number of outbound packets that were chosen to be discarded even though no errors had been detected to prevent their being transmitted. |FabricId, InterfaceName |

+|IfOutErrors |Yes |Interface Out Errors |Count |Average |For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. |FabricId, InterfaceName |

+|IfOutMulticastPkts |Yes |Interface Out Multicast Pkts |Count |Average |The total number of packets that higher-level protocols requested be transmitted, and that were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. For a MAC-layer protocol, this includes both Group and Functional addresses. |FabricId, InterfaceName |

+|IfOutOctets |Yes |Interface Out Octets |Count |Average |The total number of octets transmitted out of the interface, including framing characters. |FabricId, InterfaceName |

+|IfOutPkts |Yes |Interface Out Pkts |Count |Average |The total number of packets transmitted out of the interface, including all unicast, multicast, broadcast, and bad packets etc. |FabricId, InterfaceName |

+|IfOutUnicastPkts |Yes |Interface Out Unicast Pkts |Count |Average |The total number of packets that higher-level requested be transmitted, and that were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. |FabricId, InterfaceName |

+|InterfaceOperStatus |Yes |Interface Operational State |Unspecified |Minimum |The current operational state of the interface. State is represented in numerical form. Up: 0, Down: 1, Lower_layer_down: 2, Testing: 3, Unknown: 4, Dormant: 5, Not_present: 6. |FabricId, InterfaceName |

+|LacpErrors |Yes |Lacp Errors |Count |Average |Number of LACPDU illegal packet errors. |FabricId, InterfaceName |

+|LacpInPkts |Yes |Lacp In Pkts |Count |Average |Number of LACPDUs received. |FabricId, InterfaceName |

+|LacpOutPkts |Yes |Lacp Out Pkts |Count |Average |Number of LACPDUs transmitted. |FabricId, InterfaceName |

+|LacpRxErrors |Yes |Lacp Rx Errors |Count |Average |Number of LACPDU receive packet errors. |FabricId, InterfaceName |

+|LacpTxErrors |Yes |Lacp Tx Errors |Count |Average |Number of LACPDU transmit packet errors. |FabricId, InterfaceName |

+|LacpUnknownErrors |Yes |Lacp Unknown Errors |Count |Average |Number of LACPDU unknown packet errors. |FabricId, InterfaceName |

+|LldpFrameIn |Yes |Lldp Frame In |Count |Average |The number of lldp frames received. |FabricId, InterfaceName |

+|LldpFrameOut |Yes |Lldp Frame Out |Count |Average |The number of frames transmitted out. |FabricId, InterfaceName |

+|LldpTlvUnknown |Yes |Lldp Tlv Unknown |Count |Average |The number of frames received with unknown TLV. |FabricId, InterfaceName |

+|MemoryAvailable |Yes |Memory Available |Bytes |Average |The available memory physically installed, or logically allocated to the component. |FabricId, ComponentName |

+|MemoryUtilized |Yes |Memory Utilized |Bytes |Average |The memory currently in use by processes running on the component, not considering reserved memory that is not available for use. |FabricId, ComponentName |

+|PowerSupplyCapacity |Yes |Power Supply Maximum Power Capacity |Unspecified |Average |Maximum power capacity of the power supply (watts). |FabricId, ComponentName |

+|PowerSupplyInputCurrent |Yes |Power Supply Input Current |Unspecified |Average |The input current draw of the power supply (amps). |FabricId, ComponentName |

+|PowerSupplyInputVoltage |Yes |Power Supply Input Voltage |Unspecified |Average |Input voltage to the power supply (volts). |FabricId, ComponentName |

+|PowerSupplyOutputCurrent |Yes |Power Supply Output Current |Unspecified |Average |The output current supplied by the power supply (amps) |FabricId, ComponentName |

+|PowerSupplyOutputPower |Yes |Power Supply Output Power |Unspecified |Average |Output power supplied by the power supply (watts) |FabricId, ComponentName |

+|PowerSupplyOutputVoltage |Yes |Power Supply Output Voltage |Unspecified |Average |Output voltage supplied by the power supply (volts). |FabricId, ComponentName |

+|TemperatureMax |Yes |Temperature Max |Unspecified |Average |Max temperature in degrees Celsius of the component. The maximum value of the statistic over the sampling period. |FabricId, ComponentName |

+|HostBootTimeSeconds |No |Host Boot Seconds (Preview) |Seconds |Average |Unix time of last boot |Host |

+|HostDiskReadSeconds |No |Host Disk Read Seconds (Preview) |Seconds |Average |Disk read time by node |Device, Host |

+|HostDiskWriteSeconds |No |Host Disk Write Seconds (Preview) |Seconds |Average |Disk write time by node |Device, Host |

+|HostDmiInfo |No |Host DMI Info (Preview) |Unspecified |Count |Host Desktop Management Interface (DMI) environment information |BiosDate, BiosRelease, BiosVendor, BiosVersion, BoardAssetTag, BoardName, BoardVendor, BoardVersion, ChassisAssetTag, ChassisVendor, ChassisVersion, Host, ProductFamily, ProductName, ProductSku, ProductUuid, ProductVersion, SystemVendor |

+|HostLoad1 |No |Average Load In 1 Minute (Preview) |Count |Average |1 minute load average |Host |

+|HostLoad15 |No |Average Load In 15 Minutes (Preview) |Count |Average |15 minute load average |Host |

+|HostLoad5 |No |Average load in 5 minutes (Preview) |Count |Average |5 minute load average |Host |

+|HostSpecificCPUUtilization |No |Host Specific CPU Utilization (Preview) |Seconds |Average |A counter metric that counts the number of seconds the CPU has been running in a particular mode |Cpu, Host, Mode |

+|NodeBondingActive |No |Node Bonding Active (Preview) |Count |Average |Number of active interfaces per bonding interface |Master |

+|NodeMemHugePagesFree |No |Node Memory Huge Pages Free (Preview) |Bytes |Average |NUMA hugepages free by node |Host, Node |

+|NodeNetworkMtuBytes |No |Node Network Maximum Transmission Unit Bytes |Bytes |Average |Node network Maximum Transmission Unit (mtu_bytes) value of /sys/class/net/\<iface\> |Device, Host |

+|NodeNetworkSpeedBytes |No |Node Network Speed Bytes |Bytes |Average |speed_bytes value of /sys/class/net/\<iface\> |Device, Host |

+|NodeNvmeInfo |No |Node NVMe Info (Preview) |Count |Count |Non-numeric data from /sys/class/nvme/\<device\>, value is always 1. Provides firmware, model, state and serial for a device |Device, State |

+|ApiserverClientCertificateExpirationSecondsSum |No |API Server Client Certificate Expiration Seconds Sum (Preview) |Seconds |Average |Sum of API server client certificate expiration (seconds) |Component, Pod Name |

+|ApiserverTlsHandshakeErrorsTotal |No |API Server TLS Handshake Errors Total (Preview) |Count |Average |Number of requests dropped with 'TLS handshake' error |Component, Pod Name |

+|ContainerFsIoTimeSecondsTotal |No |Container FS I/O Time Seconds Total (Preview) |Seconds |Average |Time taken for container Input/Output (I/O) operations |Device, Host |

+|ContainerNetworkReceiveErrorsTotal |No |Container Network Receive Errors Total (Preview) |Count |Average |Number of errors encountered while receiving bytes over the network |Interface, Namespace, Pod |

+|ContainerNetworkTransmitErrorsTotal |No |Container Network Transmit Errors Total (Preview) |Count |Average |Count of errors that happened while transmitting |Interface, Namespace, Pod |

+|CorednsForwardHealthcheckBrokenTotal |No |CoreDNS Forward Healthcheck Broken Total (Preview) |Count |Average |Total number of times all upstreams are unhealthy |Pod Name, Namespace |

+|CorednsForwardMaxConcurrentRejectsTotal |No |CoreDNS Forward Max Concurrent Rejects Total (Preview) |Count |Average |Total number of rejected queries because concurrent queries were at the maximum limit |Pod Name, Namespace |

+|EtcdServerSlowApplyTotal |No |Etcd Server Slow Apply Total (Preview) |Count |Average |The total number of slow apply requests |Pod Name, Tier |

+|KubePodContainerStateStarted |No |Container State Started (Preview) |Count |Average |Unix timestamp start time of a container |Container, Namespace, Pod |

+|KubePodDeletionTimestamp |No |Pod Deletion Timestamp (Preview) |Count |Average |The timestamp of the pod's deletion |Namespace, Pod |

+|KubevirtVmiMemoryDomainBytesTotal |No |Kubevirt VMI Memory Domain Bytes Total (Preview) |Bytes |Average |The amount of memory (in bytes) allocated to the domain. The memory value in domain XML file |Node |

+|KubevirtVmiStorageReadTimesMsTotal |No |Kubevirt VMI Storage Read Times Total (Preview) |Milliseconds |Average |Total time in milliseconds (ms) spent on read operations |Drive, Name, Node |

+|KubevirtVmiStorageWriteTimesMsTotal |No |Kubevirt VMI Storage Write Times Total (Preview) |Milliseconds |Average |Total time in milliseconds (ms) spent on write operations |Drive, Name, Node |

+|NcVmiCpuAffinity |No |CPU Pinning Map (Preview) |Count |Average |Pinning map of virtual CPUs (vCPUs) to CPUs |CPU, NUMA Node, VMI Namespace, VMI Node, VMI Name |

+|TyphaClientLatencySecsCount |No |Typha Client Latency Secs |Count |Average |Per-client latency. I.e. how far behind the current state each client is. |Pod Name |

+|PurefaInfo |No |Nexus Storage Info (Preview) |Unspecified |Average |Storage array system information |Array Name |

+|connection_successful |Yes |Successful Connections |Count |Total |Successful Connections |SslProtocol, ConnectionPolicyResult |

+<!--Gen Date: Mon Jul 03 2023 13:34:26 GMT+0800 (China Standard Time)-->

+|AutoscaleEvaluationPooled |Autoscale logs for pooled host pools - private preview [Microsoft internal only] |Yes |

+|DefenderSecurity |Security - Defender |Yes |

+|VNetAndIPFilteringLogs |VNet/IP Filtering Connection Logs |Yes |

+<!--Gen Date: Mon Jul 03 2023 13:34:26 GMT+0800 (China Standard Time)-->

+ Title: Understand NAS concepts in Azure NetApp Files

+description: This article covers important information about NAS volumes when using Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand NAS concepts in Azure NetApp Files

+Network Attached Storage (NAS) is a way for a centralized storage system to present data to multiple networked clients across a WAN or LAN.

+Datasets in a NAS environment can be structured (data in a well-defined format, such as databases) or unstructured (data not stored in a structured database format, such as images, media files, logs, home directories, etc.). Regardless of the structure, the data is served through a standard conversation between a NAS client and the Azure NetApp Files NAS services. The conversation happens following these basic steps:

+1. A client requests access to a NAS share in Azure NetApp Files using either SMB or NFS.

+1. Access controls can be as basic as a client hostname/IP address or more complex, such as username authentication and share-level permissions.

+1. Azure NetApp Files receives this request and checks the access controls to verify if the client is allowed to access the NAS share.

+1. Once the share-level access has been verified successfully, the client attempts to populate the NAS shareΓÇÖs contents via a basic read/listing.

+1. Azure NetApp Files then checks file-level permissions. If the user attempting access to the share does not have the proper permissions, then access is denied--even if the share-level permissions allowed access.

+1. Once this process is complete, file and folder access controls take over in the same way youΓÇÖd expect for any Linux or Windows client.

+1. Azure NetApp Files configuration handles share permission controls. File and folder permissions are always controlled from the NAS clients accessing the shares by the NAS administrator.

+## NAS use cases

+NAS is a common protocol across many industries, including oil & gas, high performance computing, media and entertainment, EDA, financial services, healthcare, genomics, manufacturing, higher education, and many others. Workloads can vary from simple file shares and home directories to applications with thousands of cores pushing operations to a single share, as well as more modernized application stacks, such as Kubernetes and container deployments.

+## Next steps

+* [Understand NAS protocols](network-attached-storage-protocols.md)

+* [Azure NetApp Files NFS FAQ](faq-nfs.md)

+* [Azure NetApp Files SMB FAQ](faq-smb.md)

+ Title: Understand NAS protocols in Azure NetApp Files

+description: Learn how SMB and NFS operate in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand NAS protocols in Azure NetApp Files

+NAS protocols are how conversations happen between clients and servers. NFS and SMB are the NAS protocols used in Azure NetApp Files. Each offers their own distinct methods for communication, but at their root, they operate mostly in the same way.

+* Both serve a single dataset to many disparate networked attached clients.

+* Both can leverage encrypted authentication methods for sharing data.

+* Both can be gated with share and file permissions.

+* Both can encrypt data in-flight.

+* Both can use multiple connections to help parallelize performance.

+## Network File System (NFS)

+NFS is primarily used with Linux/UNIX based clients such as Red Hat, SUSE, Ubuntu, AIX, Solaris, Apple OS, etc. and Azure NetApp Files supports any NFS client that operates in the RFC standards. Windows can also use NFS for access, but it does not operate using Request for Comments (RFC) standards.

+RFC standards for NFS protocols can be found here:

+* [RFC-1813: NFSv3](https://www.ietf.org/rfc/rfc1813.txt)

+* [RFC 8881: NFSv4.1](https://www.rfc-editor.org/rfc/rfc8881)

+* [RFC 7862: NFSv4.2](https://datatracker.ietf.org/doc/html/rfc7862)

+### NFSv3

+NFSv3 is a basic offering of the protocol and has the following key attributes:

+* NFSv3 is stateless, meaning that the NFS server does not keep track of the states of connections (including locks).

+* Locking is handled outside of the NFS protocol, using Network Lock Manager (NLM). Because locks are not integrated into the protocol, stale locks can sometimes occur.

+* Since NFSv3 is stateless, performance with NFSv3 can be substantially better in some workloads (particularly workloads with high metadata operations such as OPEN, CLOSE, SETATTR, GETATTR), as there is less general work that needs to be done to process requests on the server and client.

+* NFSv3 uses a basic file permission model where only the owner of the file, a group and everyone else can be assigned a combination of read/write/execute permissions.

+* NFSv3 can use NFSv4.x ACLs, but an NFSv4.x management client would be required to configure and manage the ACLs. Azure NetApp Files does not support the use of nonstandard POSIX draft ACLs.

+* NFSv3 also requires use of other ancillary protocols for regular operations such as port discovery, mounting, locking, status monitoring and quotas. Each ancillary protocol uses a unique network port, which means NFSv3 operations require more exposure through firewalls with well-known port numbers.

+* Azure NetApp Files uses the following port numbers for NFSv3 operations. It's not possible to change these port numbers:

+ * Portmapper (111)

+ * Mount (635)

+ * NFS (2049)

+ * NLM (4045)

+ * NSM (4046)

+ * Rquota (4049)

+* NFSv3 can use security enhancements such as Kerberos, but Kerberos only affects the NFS portion of the packets; ancillary protocols (such as NLM, portmapper, mount) are not included in the Kerberos conversation.

+ * Azure NetApp Files only supports NFSv4.1 Kerberos encryption

+* NFSv3 uses numeric IDs for its user and group authentication. Usernames and group names are not required for communication or permissions, which can make spoofing a user easier, but configuration and management are simpler.

+* NFSv3 can use LDAP for user and group lookups.

+### NFSv4.x

+NFSv4.x refers to all NFS versions/minor versions that are under NFSv4. This includes NFSv4.0, NFSv4.1 and NFSv4.2. Azure NetApp Files currently only supports NFSv4.1.

+NFSv4.x has the following characteristics:

+* NFSv4.x is a stateful protocol, which means that the client and server keep track of the states of the NFS connections, including lock states. The NFS mount uses a concept known as a ΓÇ£state IDΓÇ¥ to keep track of the connections.

+* Locking is integrated into the NFS protocol and does not require ancillary locking protocols to keep track of NFS locks. Instead, locks are granted on a lease basis and will expire after a certain period of time if a client/server connection is lost, thus returning the lock back to the system for use with other NFS clients.

+* The statefulness of NFSv4.x does contain some drawbacks, such as potential disruptions during network outages or storage failovers, and performance overhead in certain workload types (such as high metadata workloads).

+* NFSv4.x provides many significant advantages over NFSv3, including:

+ * Better locking concepts (lease-based locking)

+ * Better security (fewer firewall ports needed, standard integration with Kerberos, granular access controls)

+ * More features

+ * Compound NFS operations (multiple commands in a single packet request to reduce network chatter)

+ * TCP-only

+* NFSv4.x can use a more robust file permission model that is similar to Windows NTFS permissions. These granular ACLs can be applied to users or groups and allow for permissions to be set on a wider range of operations than basic read/write/execute operations. NFSv4.x can also use the standard POSIX mode bits that NFSv3 employs.

+* Since NFSv4.x does not use ancillary protocols, Kerberos is applied to the entire NFS conversation when in use.

+* NFSv4.x uses a combination of user/group names and domain strings to verify user and group information. The client and server must agree on the domain strings for proper user and group authentication to occur. If the domain strings do not match, then the NFS user or group gets squashed to the specified user in the /etc/idmapd.conf file on the NFS client (for example, nobody).

+* While NFSv4.x does default to using domain strings, it is possible to configure the client and server to fall back on the classic numeric IDs seen in NFSv3 when AUTH_SYS is in use.

+* Because NFSv4.x has such deep integration with user and group name strings and because the server and clients must agree on these users/groups, using a name service server for user authentication such as LDAP is recommended on NFS clients and servers.

+For frequently asked questions regarding NFS in Azure NetApp Files, see the [Azure NetApp Files NFS FAQ](faq-nfs.md).

+## Server Message Block (SMB)

+SMB is primarily used with Windows clients for NAS functionality. However, it can also be used on Linux-based operating systems such as AppleOS, RedHat, etc. This deployment is generally accomplished using an application called Samba. Azure NetApp Files has official support for SMB using Windows and macOS. SMB/Samba on Linux operating systems can work with Azure NetApp Files, but there is no official support.

+Azure NetApp Files supports only SMB 2.1 and SMB 3.1 versions.

+SMB has the following characteristics:

+* SMB is a stateful protocol: the clients and server maintain a ΓÇ£stateΓÇ¥ for SMB share connections for better security and locking.

+* Locking in SMB is considered mandatory. Once a file is locked, no other client can write to that file until the lock is released.

+* SMBv2.x and later leverage compound calls to perform operations.

+* SMB supports full Kerberos integration. With the way Windows clients are configured, Kerberos is often in use without end users ever knowing.

+* When Kerberos is unable to be used for authentication, Windows NT LAN Manager (NTLM) may be used as a fallback. If NTLM is disabled in the Active Directory environment, then authentication requests that cannot use Kerberos fail.

+* SMBv3.0 and later supports [end-to-end encryption](azure-netapp-files-create-volumes-smb.md) for SMB shares.

+* SMBv3.x supports [multichannel](../storage/files/storage-files-smb-multichannel-performance.md) for performance gains in certain workloads.

+* SMB uses user and group names (via SID translation) for authentication. User and group information is provided by an Active Directory domain controller.

+* SMB in Azure NetApp Files uses standard Windows New Technology File System (NTFS) [ACLs](/windows/win32/secauthz/access-control-lists) for file and folder permissions.

+For frequently asked questions regarding SMB in Azure NetApp Files, see the [Azure NetApp Files SMB FAQ](faq-smb.md).

+## Next steps

+* [Azure NetApp Files NFS FAQ](faq-nfs.md)

+* [Azure NetApp Files SMB FAQ](faq-smb.md)

+| Microsoft.CertificateRegistration | [App Service Certificates](../../app-service/configure-ssl-app-service-certificate.md) |

+> Pick a project name. When you go through the tutorial, replace any of the **ARMPipelineProj** with your project name.

+1. In **Repository name**, enter a repository name. For example, **ARMPipeline-repo**. Remember to replace any of **ARMPipeline** with your project name. You can select either **Public** or **private** for going through this tutorial. And then select **Create repository**.

+1. Sign in to [Azure DevOps](https://go.microsoft.com/fwlink/?LinkId=307137).

+1. Select a DevOps organization from the left, and then select **New project**. If you don't have any projects, the create project page is opened automatically.

+1. Enter the following values:

+ * **Project name**: Enter a project name. You can use the project name you picked at the very beginning of the tutorial.

+ * **Visibility**: Select **Private**.

+1. Select **Service principal (automatic)**, and then select **Next**.

+ * **Connection name**: enter a connection name. For example, **ARMPipeline-conn**. Write down this name, you need the name when you create your pipeline.

+ * **Resource group**: Enter a new resource group name. For example, **ARMPipeline-rg**.

+Starting August 1st 2021, Azure Video Indexer enabled [Reserved Units](/azure/media-services/latest/concept-media-reserved-units)(MRUs) auto scaling by [Azure Media Services](/azure/media-services/latest/media-services-overview) (AMS), as a result you do not need to manage them through Azure Video Indexer. That allows price optimization, e.g. price reduction in many cases, based on your business needs as it is being auto scaled.

+Azure Video Indexer is built to deal with indexing at scale, and when you want to get the most out of it you should also be aware of the system's capabilities and design your integration accordingly. You don't want to send an upload request for a batch of videos just to discover that some of the movies didn't upload and you are receiving an HTTP 429 response code (too many requests). There is an API request limit of 120 requests per minute.

+ Azure Video Indexer adds a `retry-after` header in the HTTP response, the header specifies when you should attempt your next retry. Make sure you respect it before trying your next request.

+For example, for the face detection feature, a higher resolution can help with the scenario where there are many small but contextually important faces. However, this comes with a quadratic increase in runtime and an increased risk of false positives.

+The Face Redactor in Video Indexer relies on the output of the existing Video Indexer Face Detection results provided in our Video Standard and Advanced Analysis presets. In order to redact a video, you must first upload a video to Video Indexer and perform an analysis using the **standard** or **Advanced** video presets. This can be done using the [Azure Video Indexer website](https://www.videoindexer.ai/media/library) or [API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video). You can then use the Redactor API to reference this video using the `videoId` and we create a new video with the redacted faces. Both the Video Analysis and Face Redaction are separate billable jobs. See our [pricing page](https://azure.microsoft.com/pricing/details/video-indexer/) for more information.

+|Will the Face Redaction overwrite my original video? |No, the Redaction job will create a new video output file. |

+### Redact faces with Azure Video Indexer API

+### Upload a video API request limit increase

+An upload a video API request limit was increased from 60 to 120 requests per minute.

+* There is an API request limit of 120 requests per minute.

+- On the vCenter Server, allow inbound connections on TCP port 443, so that the Arc resource bridge and VMware cluster extension can communicate with the vCenter server.

+- Please validate the regional support before starting the onboarding. Arc for Azure VMware Solution is supported in all regions where Arc for VMware vSphere on-premises is supported. For more details, see [Azure Arc-enabled VMware vSphere](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview).

+- The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.

+[Azure Arc resource bridge (preview) network requirements](../azure-arc/resource-bridge/network-requirements.md)

+1. Select **Virtual machines** in **Private cloud**, found in the left navigation under ΓÇ£vCenter Server Inventory Page"

+For the final step, you'll need to delete the resource bridge VM and the VM template that were created during the onboarding process. Login to vCenter and delete resource bridge VM and the VM template from inside the arc-folder. Once that step is done, Arc won't work on the Azure VMware Solution SDDC. When you delete Arc resources from vCenter, it won't affect the Azure VMware Solution private cloud for the customer.

+Appendix 1 shows proxy URLs required by the Azure Arc-enabled private cloud. The URLs will get pre-fixed when the script runs and can be run from the jumpbox VM to ping them. The firewall and proxy URLs below must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs.

+[Azure Arc resource bridge (preview) network requirements](../azure-arc/resource-bridge/network-requirements.md)

+|`features`|`denseCaptions` | Generates detailed captions for up to 10 prominent image regions. |

+`https://<endpoint>/computervision/imageanalysis:analyze?api-version=2023-02-01-preview&features=tags,read,caption,denseCaptions,smartCrops,objects,people`

+ Title: 'Use your own data with Azure OpenAI Service'

+- [Chat app sample code on GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT/tree/main).

+ Title: Teams meeting lobby

+description: Use Azure Communication Services SDKs to admit or reject users from Teams meeting lobby.

+# Manage Teams meeting lobby

+In this article, you will learn how to implement the Teams meetings lobby capability by using Azure Communication Service calling SDKs. This capability allows users to admit and reject participants from Teams meeting lobby, receive the join lobby notification and get the lobby participants list.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A deployed Communication Services resource. [Create a Communication Services resource](../../quickstarts/create-communication-resource.md).

+- A user access token to enable the calling client. For more information, see [Create and manage access tokens](../../quickstarts/access-tokens.md).

+- Optional: Complete the quickstart to [add voice calling to your application](../../quickstarts/voice-video-calling/getting-started-with-calling.md)

+User ends up in the lobby depending on Microsoft Teams configuration. The controls are described here:

+[Learn more about Teams configuration ](../../concepts/interop/guest/teams-administration.md)

+Microsoft 365 or Azure Communication Services users can admit or reject users from lobby, if they're connected to Teams meeting and have Organizer, Co-organizer, or Presenter meeting role.

+[Learn more about meeting roles](https://support.microsoft.com/office/roles-in-a-teams-meeting-c16fa7d0-1666-4dde-8686-0a0bfe16e019)

+To update or check current meeting join & lobby policies in Teams admin center:

+[Learn more about Teams policies](/microsoftteams/settings-policies-reference#automatically-admit-people)

+**The following APIs are supported for both Communication Services and Microsoft 365 users**

+|APIs| Organizer | Co-Organizer | Presenter | Attendee |

+|-|--|--|--|--|

+| admit | ✔️ | ✔️ | ✔️ | |

+| reject | ✔️ | ✔️ | ✔️ | |

+| admitAll | ✔️ | ✔️ | ✔️ | |

+| getParticipants | ✔️ | ✔️ | ✔️ | ✔️ |

+| lobbyParticipantsUpdated | ✔️ | ✔️ | ✔️ | ✔️ |

+## Next steps

+- [Learn how to manage calls](./manage-calls.md)

+- [Learn how to manage Teams calls](../cte-calling-sdk/manage-calls.md)

+- [Learn how to join Teams meeting](./teams-interoperability.md)

+- [Learn how to manage video](./manage-video.md)

+| Task | API reference |

+| - | - |

+| [Create a database if it doesn't exist](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/DatabaseManagement.ts#LL26C3-L27C63) | [Databases.createIfNotExists](/javascript/api/@azure/cosmos/databases#createifnotexists-databaserequest--requestoptions-) |

+| [List databases for an account](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/DatabaseManagement.ts#L30-L31) | [Databases.readAll](/javascript/api/@azure/cosmos/databases#readall-feedoptions-) |

+| [Read a database by ID](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/DatabaseManagement.ts#L34) | [Database.read](/javascript/api/@azure/cosmos/database#read-requestoptions-) |

+| [Delete a database](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/DatabaseManagement.ts#LL46C18-L46C18) | [Database.delete](/javascript/api/@azure/cosmos/database#delete-requestoptions-) |

+| Task | API reference |

+| -- | - |

+| [Create a container if it doesn't exist](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ContainerManagement.ts#L27) | [Containers.createIfNotExists](/javascript/api/@azure/cosmos/containers#createifnotexists-containerrequest--requestoptions-) |

+| [List containers for an account](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ContainerManagement.ts#L30-L32) | [Containers.readAll](/javascript/api/@azure/cosmos/containers#readall-feedoptions-) |

+| [Read a container definition](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ContainerManagement.ts#L36-L37) | [Container.read](/javascript/api/@azure/cosmos/container#read-requestoptions-) |

+| [Delete a container](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ContainerManagement.ts#L42-L43) | [Container.delete](/javascript/api/@azure/cosmos/container#delete-requestoptions-) |

+| Task | API reference |

+| -- | - |

+| [Create items](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L33-L34) | [Items.create](/javascript/api/@azure/cosmos/items#create-t--requestoptions-) |

+| [Read all items in a container](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L37) | [Items.readAll](/javascript/api/@azure/cosmos/items#readall-feedoptions-) |

+| [Read an item by ID](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L46-L49) | [Item.read](/javascript/api/@azure/cosmos/item#read-requestoptions-) |

+| [Read item only if item has changed](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L51-L74) | [Item.read](/javascript/api/%40azure/cosmos/item) - [RequestOptions.accessCondition](/javascript/api/%40azure/cosmos/requestoptions#accesscondition) |

+| [Query for documents](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L76-L97) | [Items.query](/javascript/api/%40azure/cosmos/items) |

+| [Replace an item](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L100-L118) | [Item.replace](/javascript/api/%40azure/cosmos/item) |

+| [Replace item with conditional ETag check](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L127-L128) | [Item.replace](/javascript/api/%40azure/cosmos/item) - [RequestOptions.accessCondition](/javascript/api/%40azure/cosmos/requestoptions#accesscondition) |

+| [Delete an item](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ItemManagement.ts#L234-L235) | [Item.delete](/javascript/api/%40azure/cosmos/item) |

+The [IndexManagement](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/IndexManagement.ts) file shows how to manage indexing. To learn about indexing in Azure Cosmos DB before running the following samples, see [indexing policies](../index-policy.md), [indexing types](../index-overview.md#types-of-indexes), and [indexing paths](../index-policy.md#include-exclude-paths) conceptual articles.

+| Task | API reference |

+| -- | |

+| [Manually index a specific item](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/IndexManagement.ts#L71-L106) | [RequestOptions.indexingDirective: 'include'](/javascript/api/%40azure/cosmos/requestoptions#indexingdirective) |

+| [Manually exclude a specific item from the index](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/IndexManagement.ts#L33-L69) | [RequestOptions.indexingDirective: 'exclude'](/javascript/api/%40azure/cosmos/requestoptions#indexingdirective) |

+| [Exclude a path from the index](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/IndexManagement.ts#L165-L237) | [IndexingPolicy.ExcludedPath](/javascript/api/%40azure/cosmos/indexingpolicy#excludedpaths) |

+| [Create a range index on a string path](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/IndexManagement.ts#L108-L163) | [IndexKind.Range](/javascript/api/%40azure/cosmos/indexkind), [IndexingPolicy](/javascript/api/%40azure/cosmos/indexingpolicy), [Items.query](/javascript/api/%40azure/cosmos/items) |

+| [Create a container with default indexPolicy, then update the container online](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/IndexManagement.ts#L27-L31) | [Containers.create](/javascript/api/%40azure/cosmos/containers) |

+The [index.ts](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ServerSideScripts.ts) file shows how to perform the following tasks. To learn about Server-side programming in Azure Cosmos DB before running the following samples, see [Stored procedures, triggers, and user-defined functions](stored-procedures-triggers-udfs.md) conceptual article.

+| Task | API reference |

+| -- | |

+| [Create a stored procedure](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ServerSideScripts.ts#L117-L118) | [StoredProcedures.create](/javascript/api/%40azure/cosmos/storedprocedures) |

+| [Execute a stored procedure](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/ServerSideScripts.ts#L120-L121) | [StoredProcedure.execute](/javascript/api/%40azure/cosmos/storedprocedure) |

+| [Bulk update with stored procedure](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/BulkUpdateWithSproc.ts#L70-L101) | [StoredProcedure.execute](/javascript/api/%40azure/cosmos/storedprocedure) |

+## Azure Identity(AAD) Auth Examples

+The [AADAuth.ts](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/AADAuth.ts) file shows how to perform the following tasks.

+| Task | API reference |

+| - | |

+| [Create credential object from @azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/AADAuth.ts#L23-L28) | [API](/javascript/api/@azure/identity/usernamepasswordcredential#constructors) |

+| [Pass credentials to client object with key aadCredentials](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/AADAuth.ts#L29-L38) | [API](/javascript/api/@azure/cosmos/cosmosclientoptions#@azure-cosmos-cosmosclientoptions-aadcredentials) |

+| [Execute cosmos client with aad credentials](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/AADAuth.ts#L40-L52) | [API](/javascript/api/@azure/cosmos/databases#readall-feedoptions-) |

+## Miscellaneous samples

+Following curated samples illustrate common scenarios.

+| Task | API reference |

+| | |

+| [Alter Query throughput ](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/AlterQueryThroughput.ts#L40-L43) | [API](/javascript/api/@azure/cosmos/offer#@azure-cosmos-offer-replace) |

+| [Getting query throughput ](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/QueryThroughput.ts) | [API](/javascript/api/@azure/cosmos/queryiterator#@azure-cosmos-queryiterator-hasmoreresults) |

+| [using SasTokens for granting scoped access to Cosmos DB resources](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/cosmosdb/cosmos/samples-dev/SasTokenAuth.ts) | [API](/javascript/api/@azure/cosmos#@azure-cosmos-createauthorizationsastoken) |

+ Title: Connection configurations for Azure Cosmos DB .NET SDK v3

+description: Learn how to tune connection configurations to improve Azure Cosmos DB database performance for .NET SDK v3

+ms.devlang: csharp

+# Tune connection configurations for Azure Cosmos DB .NET SDK v3

+> [!IMPORTANT]

+> The information in this article are for Azure Cosmos DB .NET SDK v3 only. Please view the [Azure Cosmos DB SQL SDK connectivity modes](sdk-connection-modes.md) the Azure Cosmos DB .NET SDK v3 [Release notes](sdk-dotnet-v3.md), [Nuget repository](https://www.nuget.org/packages/Microsoft.Azure.Cosmos), and Azure Cosmos DB .NET SDK v3 [troubleshooting guide](troubleshoot-dotnet-sdk.md) for more information. If you are currently using an older version than v3, see the [Migrate to Azure Cosmos DB .NET SDK v3](migrate-dotnet-v3.md) guide for help upgrading to v3.

+Azure Cosmos DB is a fast and flexible distributed database that scales seamlessly with guaranteed latency and throughput. You don't have to make major architecture changes or write complex code to scale your database with Azure Cosmos DB. Scaling up and down is as easy as making a single API call or SDK method call. However, because Azure Cosmos DB is accessed via network calls there are connection configurations you can tune to achieve peak performance when using Azure Cosmos DB .NET SDK v3.

+## Connection configuration

+> [!NOTE]

+> In Azure Cosmos DB .NETS SDK v3, *Direct mode* is the best choice in most cases to improve database performance with most workloads.

+To learn more about different connectivity options, see the [connectivity modes](sdk-connection-modes.md) article.

+## Direct connection mode

+.NET SDK default connection mode is direct. In direct mode, requests are made using the TCP protocol. Internally Direct mode uses a special architecture to dynamically manage network resources and get the best performance. The client-side architecture employed in Direct mode enables predictable network utilization and multiplexed access to Azure Cosmos DB replicas. To learn more about architecture, see the [direct mode connection architecture](sdk-connection-modes.md#direct-mode).

+You configure the connection mode when you create the `CosmosClient` instance in `CosmosClientOptions`.

+```csharp

+string connectionString = "<your-account-connection-string>";

+CosmosClient client = new CosmosClient(connectionString,

+new CosmosClientOptions

+{

+ ConnectionMode = ConnectionMode.Gateway // ConnectionMode.Direct is the default

+});

+```

+### Customizing direct connection mode

+Direct mode can be customized through the *CosmosClientOptions* passed to the *CosmosClient* constructor. We recommend users avoid modifying these unless they feel comfortable in understanding the tradeoffs and it's necessary.

+| Configuration option | Default | Recommended | Details |

+| :: | :--: | :: | :--: |

+| EnableTcpConnectionEndpointRediscovery | true | true | This represents the flag to enable detection of connections closing from the server. |

+| IdleTcpConnectionTimeout | By default, idle connections are kept open indefinitely. | 20h-24h | This represents the amount of idle time after which unused connections are closed. Recommended values are between 20 minutes and 24 hours. |

+| MaxRequestsPerTcpConnection | 30 | 30 | This represents the number of requests allowed simultaneously over a single TCP connection. When more requests are in flight simultaneously, the direct/TCP client opens extra connections. Don't set this value lower than four requests per connection or higher than 50-100 requests per connection. Applications with a high degree of parallelism per connection, with large requests or responses, or with tight latency requirements might get better performance with 8-16 requests per connection. |

+| MaxTcpConnectionsPerEndpoint | 65535 | 65535 | This represents the maximum number of TCP connections that may be opened to each Cosmos DB back-end. Together with MaxRequestsPerTcpConnection, this setting limits the number of requests that are simultaneously sent to a single Cosmos DB back-end(MaxRequestsPerTcpConnection x MaxTcpConnectionPerEndpoint). Value must be greater than or equal to 16. |

+| OpenTcpConnectionTimeout | 5 seconds | >= 5 seconds | This represents the amount of time allowed for trying to establish a connection. When the time elapses, the attempt is canceled and an error is returned. Longer timeouts delay retries and failures. |

+| PortReuseMode | PortReuseMode.ReuseUnicastPort | PortReuseMode.ReuseUnicastPort | This represents the client port reuse policy used by the transport stack. |

+> [!NOTE]

+> See also [Networking perfomance tips for direct connection mode](performance-tips-dotnet-sdk-v3.md?tabs=trace-net-core#networking)

+#### Customizing gateway connection mode

+The Gateway mode can be customized through the *CosmosClientOptions* passed to the *CosmosClient* constructor. We recommend users avoid modifying these unless they feel comfortable in understanding the tradeoffs and it's necessary.

+| Configuration option | Default | Recommended | Details |

+| :: | :--: | :: | :--: |

+| GatewayModeMaxConnectionLimit | 50 | 50 | This represents the maximum number of concurrent connections allowed for the target service endpoint in the Azure Cosmos DB service. |

+| WebProxy | null | null | This represents the proxy information used for web requests. |

+> [!NOTE]

+> See also [Best practices when using Gateway mode for Azure Cosmos DB NET SDK v3](best-practice-dotnet.md#best-practices-when-using-gateway-mode).

+## Next steps

+To learn more about performance tips for .NET SDK, see [Performance tips for Azure Cosmos DB NET SDK v3](performance-tips-dotnet-sdk-v3.md).

+* If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

+> [!Note]

+> When deploying your SQL Server on a virtual machine within a virtual network, it is essential to enhance your FQDN by appending **privatelink**. Otherwise, it will be conflicted with other records in the DNS setting. For example, you can simply modify the SQL Server's FQDN from **sqlserver.westus.cloudapp.azure.net** to **sqlserver.privatelink.westus.cloudapp.azure.net**.

+ > [!Note]

+ > If you have more than one SQL Server and need to define multiple load balancer rules and IP table records with different ports, make sure you explicitly add the port name after the FQDN when you edit Linked Service. The NAT VM will handle the port translation. If it's not explicitly specified, the connection will always time-out.

+2. Via Azure CLI

+ ```azurecli

+ az rest --method patch --url /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AgFoodPlatform/farmBeats/{ADMA_instance_name}?api-version=2023-06-01-preview --body "{'identity': {'type': 'SystemAssigned'}}"

+ Title: How to create an Azure support request for Azure Data Manager for Agriculture resource

+description: Customers who need assistance can use the Azure portal to find self-service solutions and to create and manage support requests for Azure Data Manager for Agriculture resource.

+# Create an Azure Data Manager for Agriculture support request

+Azure enables you to create and manage support requests, also known as support tickets. You can create and manage requests in the [Azure portal](https://portal.azure.com), which is covered in the [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request) article. You can also create and manage requests programmatically, using the [Azure support ticket REST API](/rest/api/support), or by using [Azure CLI](/cli/azure/azure-cli-support-request).

+## Steps for creating a support request

+Following are the steps to create a support request in the context of the Azure Data Manager for Agriculture resource, you're currently working with:

+1. From the resource menu, in the **Support + troubleshooting** section, select **New Support Request**.

+ :::image type="content" source="media/how-to-create-azure-support-request.png" alt-text="Screenshot of the New Support Request option in the Azure Data Manager for Agriculture resource pane.":::

+2. Follow the prompts to provide us with information about the problem you're having. When you start the support request process from a resource, some options are preselected for you.

+It's recommended to explore [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request) article to know more about the management of support tickets.

+## Next steps

+- [How to manage an Azure support request](/azure/azure-portal/supportability/how-to-manage-azure-support-request)

+- [Create Azure support shortcut](https://azure.microsoft.com/support/create-ticket)

+- [Understanding more about Azure portal](/azure/azure-portal)

+* **Subscription ID** : Choose the allow listed subscription ID for your tenant

+With working **API endpoint (instanceUri)** and **access_token**, you now can start making requests to our service APIs. If there are any queries in setting up the environment, [raise a support request](./how-to-create-azure-support-request.md) to get required help.

+* See the Hierarchy Model and learn how to create and organize your agriculture data [here](./concepts-hierarchy-model.md)

+* Understand our REST APIs [here](/rest/api/data-manager-for-agri)

+* [How to create an Azure support request](./how-to-create-azure-support-request.md)

+Use Data Box Disk to transfer TBs of data in scenarios with limited network connectivity. The data movement can be one-time, periodic, or an initial bulk data transfer followed by periodic transfers.

+- Quickly deploy [Azure Data Box Disk](data-box-disk-quickstart-portal.md) in Azure portal.

+> When reviewing test alerts for Windows, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to [validate this configuration](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).

+1. Open a Terminal window, copy and run the following command:

+> When reviewing test alerts for Linux, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to [validate this configuration](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).

+1. Find the HTTP endpoint of the website either by going into Azure portal blade for the App Services website or using the custom DNS entry associated with this website. (The default URL endpoint for Azure App Services website has the suffix `https://XXXXXXX.azurewebsites.net`). The website should be an existing website and not one that was created prior to the alert simulation.

+1. If you donΓÇÖt have a Key Vault created yet, make sure to [create one](/azure/key-vault/general/quick-create-portal).

+- [Validating Azure Key Vault threat detection in Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/validating-azure-key-vault-threat-detection-in-microsoft/ba-p/1220336)

+The discovery process is based on snapshots taken at intervals:

+> This feature supports scanning of images in the Azure Container Registry (ACR) only. If you want to find vulnerabilities stored in other container registries, you can import the images into ACR, after which the imported images are scanned by the built-in vulnerability assessment solution. Learn how to [import container images to a container registry](/azure/container-registry/container-registry-import-images).

+Defender for Containers provides real-time threat protection for [supported containerized environments](support-matrix-defender-for-containers.md) and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

+The security alerts page opens.

+Defender for Containers also includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload.

+Defender for Cloud monitors the attack surface of multicloud Kubernetes deployments based on the [MITRE ATT&CK® matrix for Containers](https://www.microsoft.com/security/blog/2021/04/29/center-for-threat-informed-defense-teams-up-with-microsoft-partners-to-build-the-attck-for-containers-matrix/), a framework developed by the [Center for Threat-Informed Defense](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/) in close partnership with Microsoft.

+|Protected SQL versions:|SQL Server version: 2012 R2, 2014, 2016, 2017, 2019, 2022 <br>- [SQL on Azure virtual machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview)<br>- [SQL Server on Azure Arc-enabled servers](/sql/sql-server/azure-arc/overview)<br>- On-premises SQL servers on Windows machines without Azure Arc<br>|

+1. Search for "deploy export" and select the **Deploy export to Event Hub for Microsoft Defender for Cloud data** built-in policy.

+To continue setting up export of alerts, [install the built-in connectors](export-to-siem.md#step-2-connect-the-event-hub-to-your-preferred-solution-using-the-built-in-connectors) for the SIEM you're using.

+- Ensure that [Workflow permissions are set to Read and Write](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) on the GitHub repository.

+1. Copy and paste the following [sample action workflow](https://github.com/microsoft/security-devops-action/blob/main/.github/workflows/sample-workflow.yml) into the Edit new file tab.

+ For details on various input options, see [action.yml](https://github.com/microsoft/security-devops-action/blob/main/action.yml)

+1. Select **Start commit**

+1. Select **Commit new file**.

+1. Navigate to **Security** > **Code scanning alerts** > **Tool**.

+1. Enable the feature flag manually via CLI by using [Trusted Access](/azure/aks/trusted-access-feature).

+1. At the same time, the Cloud Security Benchmark initiative that's responsible for creating security recommendations and calculating the secure score is assigned to the subscription.

+If vulnerability assessment has already been configured using the classic configuration, this script migrates it to the express configuration and copies all of the pre-existing baseline definitions.

+|**Security control's current score**|<br><br><br>Each individual security control contributes towards the secure score. Each resource affected by a recommendation within the control, contributes towards the control's current score. The current score for each control is a measure of the status of the resources *within* the control.<br><br>In this example, the max score of 6 would be divided by 78 because that's the sum of the healthy and unhealthy resources.<br>6 / 78 = 0.0769<br>Multiplying that by the number of healthy resources (4) results in the current score:<br>0.0769 * 4 = **0.31**<br><br>|

+You can enable the Defender for Containers plan and deploy all of the relevant components in different ways. We walk you through the steps to accomplish this using the Azure portal. Learn how to [deploy the Defender profile](defender-for-containers-enable.md#deploy-the-defender-profile) with REST API, Azure CLI or with a Resource Manager template.

+Defender for Servers in Microsoft Defender for Cloud brings threat detection and advanced defenses to your Windows and Linux machines that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises environments. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

+Defender for Servers offers two plan options that offer different levels of protection and their own cost. You can learn more about Defender for Clouds pricing on [the pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+When you enable the Defender for Servers plan, you're then given the option to select which plan you want to enable. There are two plans you can choose from that offer different levels of protections for your resources.

+ :::image type="content" source="media/tutorial-enable-servers-plan/servers-change-plan.png" alt-text="Screenshot that shows you where on the environment settings page to select change plans." lightbox="media/tutorial-enable-servers-plan/servers-change-plan.png":::

+| [Log Analytics agent/Azure Monitor agent](plan-defender-for-servers-agents.md) | Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics workspace for analysis. | [Learn more](../azure-monitor/agents/log-analytics-agent.md) about the Log Analytics agent. |

+If you are also using our public preview offering for Windows containers vulnerability assessment powered by Qualys, and you would like to continue using it, you need to [disable Linux findings](defender-for-containers-vulnerability-assessment-azure.md#disable-specific-findings) using disable rules rather than disable the registry recommendation.

+ Customers with both Defender for the Containers plan and Defender CSPM plan should [disable the Qualys running containers recommendation](tutorial-security-policy.md#disable-a-security-recommendation), to avoid multiple reports for the same images with potential impact on the secure score.

+If you are also using our public preview offering for Windows containers vulnerability assessment powered by Qualys, and you would like to continue using it, you need to [disable Linux findings](defender-for-containers-vulnerability-assessment-azure.md#disable-specific-findings) using disable rules rather than disable the runtime recommendation.

+## Optional Storage Controllers

+Multi-disk RAID arrays combine multiple physical drives into one logical drive for increased redundancy and performance. The optional modules below have been tested in our lab for compatibility and sustained performance:

+|Quantity|PN|Description|

+|-||-|

+|1| 405-ABBT | PERC H755 Controller Card (RAID10) |

+## Optional port expansion

+### Setup the BIOS and RAID array

+This procedure describes how to configure the BIOS configuration for an unconfigured sensor appliance.

+In the event that any of the steps below are missing in the BIOS, please make sure that the hardware matches the specifications above.

+Dell BIOS iDRAC is a system management software designed to give administrators control of Dell hardware remotely. It allows administrators to monitor system performance, configure settings, and troubleshoot hardware issues from a web browser. It can also be used to update system BIOS and firmware. The BIOS can be setup locally or remotely. To setup the BIOS remotely from a management computer, you need to define the iDRAC IP address and the management computer's IP address on the same subnet.

+## Optional Storage Controllers

+Multi-disk RAID arrays combine multiple physical drives into one logical drive for increased redundancy and performance. The optional modules below have been tested in our lab for compatibility and sustained performance:

+|1| 869079-B21 | HPE Smart Array E208i-a SR G10 LH Ctrlr (RAID10) |

+## Optional port expansion

+>

+### Setup the BIOS and RAID array

+This procedure describes how to configure the BIOS configuration for an unconfigured sensor appliance.

+In the event that any of the steps below are missing in the BIOS, please make sure that the hardware matches the specifications above.

+HPE BIOS iLO is a system management software designed to give administrators control of HPE hardware remotely. It allows administrators to monitor system performance, configure settings, and troubleshoot hardware issues from a web browser. It can also be used to update system BIOS and firmware. The BIOS can be setup locally or remotely. To setup the BIOS remotely from a management computer, you need to define the HPE IP address and the management computer's IP address on the same subnet.

+## Optional Storage Controllers

+Multi-disk RAID arrays combine multiple physical drives into one logical drive for increased redundancy and performance. The optional modules below have been tested in our lab for compatibility and sustained performance:

+|Quantity|PN|Description|

+|-||-|

+|1| 804331-B21 | HPE Smart Array P408i-a SR Gen10 Controller (RAID10) |

+## Optional port expansion

+### Setup the BIOS and RAID array

+This procedure describes how to configure the BIOS configuration for an unconfigured sensor appliance.

+In the event that any of the steps below are missing in the BIOS, please make sure that the hardware matches the specifications above.

+HPE BIOS iLO is a system management software designed to give administrators control of HPE hardware remotely. It allows administrators to monitor system performance, configure settings, and troubleshoot hardware issues from a web browser. It can also be used to update system BIOS and firmware. The BIOS can be setup locally or remotely. To setup the BIOS remotely from a management computer, you need to define the HPE IP address and the management computer's IP address on the same subnet.

+> [!IMPORTANT]

+> Removing packages from your sensor without Microsoft approval can cause unexpected results. All packages installed on the sensor are required for correct sensor functionality.

+> If your appliance has a RAID storage array, make sure to configure it before you continue installation.<br>

+

+If you'd like to restrict network access to the resources involved in data history (your Azure Digital Twins instance, event hub, or Azure Data Explorer cluster), you should set those restrictions *after* setting up the data history connection. For more information about this process, see [Restrict network access to data history resources](how-to-create-data-history-connection.md#restrict-network-access-to-data-history-resources).

+>[!NOTE]

+>While setting up data history, local authorization must be *enabled* on the event hub. If you ultimately want to have local authorization disabled on your event hub, disable the authorization after setting up the connection. You'll also need to adjust some permissions, described in [Restrict network access to data history resources](#restrict-network-access-to-data-history-resources) later in this article.

+### Restrict network access to data history resources

+If you'd like to restrict network access to the resources involved in data history (your Azure Digital Twins instance, event hub, or Azure Data Explorer cluster), you should set those restrictions *after* setting up the data history connection. This includes disabling local access for your resources, among other measures to reduce network access.

+To make sure your data history resources can communicate with each other, you should also modify the data connection for the Azure Data Explorer database to use a system-assigned managed identity.

+Follow the order of steps below to make sure your data history connection is set up properly when your resources need reduced network access.

+1. Make sure local authorization is *enabled* on your data history resources (your Azure Digital Twins instance, event hub, and Azure Data Explorer cluster)

+1. [Create the data history connection](#set-up-data-history-connection)

+1. Update the data connection for the Azure Data Explorer database to use a system-assigned managed identity. In the Azure portal, you can do this by navigating to the Azure Data Explorer cluster and using **Databases** in the menu to navigate to the data history database. In the database menu, select **Data connections**. In the table entry for your data history connection, you should see the option to **Assign managed identity**, where you can choose **System-assigned**.

+ :::image type="content" source="media/how-to-create-data-history-connection/database-managed-identity.png" alt-text="Screenshot of the option to assign a managed identity to a data connection in the Azure portal." lightbox="media/how-to-create-data-history-connection/database-managed-identity.png":::

+1. Now, you can disable local authorization or set other network restrictions for your desired resources, by changing the access settings on your Azure Digital Twins instance, event hub, or Azure Data Explorer cluster.

+Azure Load Balancer has a 4 minutes to 100 minutes timeout range for Load Balancer rules, Outbound Rules, and Inbound NAT rules.

+ Title: Load testing for Azure App Service

+description: 'Learn how to use Azure Load Testing with apps hosted on Azure App Service. Run load tests, use environment variables, and gain insights with server metrics and diagnostics.'

+# Load testing for Azure App Service

+Azure App Service is a fully managed service that enables you to build, deploy, and scale web applications and APIs in the cloud. This article provides an overview of the key capabilities of Azure Load Testing that are relevant for applications hosted on Azure App Service.

+With Azure Load Testing, you can simulate real-world, large-scale traffic to your application and services. Even though [Azure App Service](/azure/app-service/overview) is a fully managed service that can scale automatically, load testing can offer significant benefits in terms of reliability, performance, and cost optimization:

+- Ensure that all application components, not only the web application, can handle the expected load.

+- Verify that the application meets your performance and stability requirements.

+- Use application resource metrics and diagnostics to identify performance bottleneck across the entire application.

+- Avoid over-allocation of computing resources and reduce cost inefficiencies.

+- Detect performance regressions early by integrating load testing in your CI/CD pipeline and specifying test fail criteria.

+## Create a load test

+You can create a load test to simulate traffic to your application on Azure App Service. Azure Load Testing provides two options to create a load test:

+- Create a URL-based quick test

+- Use an Apache JMeter script (JMX file)

+After you create and run a load test, you can [monitor the resource metrics](#monitor-application-metrics) for the web application and all dependent Azure components to identify performance and scalability issues.

+### Create a URL-based quick test

+You can use the quick test experience to create a load test for a specific endpoint URL, directly from within the Azure portal. For example, use the App Service web app *default domain* to perform a load test of the web application home page.

+When you create a URL-based test, you specify the endpoint and basic load test configuration settings, such as the number of [virtual users](./concept-load-testing-concepts.md#virtual-users), test duration, and [ramp-up time](./concept-load-testing-concepts.md#ramp-up-time).

+The following screenshot shows how to create a URL-based load test in the Azure portal.

+Get started by [creating a URL-based load test](./quickstart-create-and-run-load-test.md).

+### Create a load test by uploading a JMeter script

+Azure Load Testing provides high-fidelity support of JMeter. You can create a new load test by uploading an Apache JMeter script. You might use this approach in the following scenarios:

+- Test multiple pages or endpoints in a single test

+- Test authenticated endpoints

+- Pass parameters to the load test, such as environment variables or secrets

+- Test non-HTTP based endpoints, such as database connections

+- Configure more advanced load patters

+- Reuse existing JMeter scripts

+Get started [create a load test by uploading a JMeter script](./how-to-create-and-run-load-test-with-jmeter-script.md).

+If you previously created a [URL-based test](#create-a-url-based-quick-test), Azure Load Testing generates a JMeter test script. You can download this generated test script, modify or extend it, and then reupload the script.

+During a load test, Azure Load Testing collects [metrics](./concept-load-testing-concepts.md#metrics) about the test run:

+- Client-side metrics: test engine metrics, such as the end-to-end response time, number of requests per second, or the error percentage. These metrics give an overall indication whether the application can support the simulated user load.

+- Server-side metrics: resource metrics of the Azure application components, such as CPU percentage of the app service plan, HTTP response codes, or database resource usage.

+Use the Azure Load Testing dashboard to analyze the test run metrics and identify performance bottlenecks in your application, or find out if you over-provisioned some compute resources. For example, you could evaluate if the service plan instances are right-sized for your workload.

+For applications that are hosted on Azure App Service, you can use [App Service diagnostics](/azure/app-service/overview-diagnostics) to get extra insights into the performance and health of the application. When you add an app service application component to your load test configuration, the load testing dashboard provides a direct link to the App Service diagnostics dashboard for your App service resource.

+## Set criteria for test failures

+Test fail criteria enable you to configure conditions for load test client-side metrics. If a load test run doesn't meet these conditions, the test is considered to fail. For example, specify that the average response time of requests, or that the percentage of failed requests is above a given threshold. You can add fail criteria to your load test at any time, regardless if it's a quick test or if you uploaded a JMeter script.

+When you run load tests as part of your CI/CD pipeline, you can use test fail criteria to identify performance regressions with an application build.

+Learn how to [configure test fail criteria](./how-to-define-test-criteria.md) for your load test.

+## Use parameters to test across deployment slots

+When you configure a load test, you can specify parameters to pass environment variables or secrets to the load test script. For example, to avoid that you need to store the application endpoint URL in the test script, you can use an environment variable. By using parameters, you can make your test script configurable.

+With [Azure App Service deployment slots](/azure/app-service/deploy-staging-slots) you can set up staging environments for your application. Each deployment slot has a separate URL. To reuse your test script across multiple deployment slots, use a parameter for the application endpoint.

+Learn how to [use parameters to pass environment variables to a load test](./how-to-parameterize-load-tests.md).

+> If you have any existing compute targets associated with this workspace, and they are not behind the same virtual network that the private endpoint is created in, they will not work.

+* Compute clusters can be created in a different region than your workspace. This functionality is only available for __compute clusters__, not compute instances.

+ | n02088094_Afghan_hound.JPEG | 161 | 0.994745 | Afghan hound |

+ | n02088238_basset | 162 | 0.999397 | basset |

+ | n02088466_bloodhound.JPEG | 164 | 0.926464 | bloodhound |

+ :::code language="python" source="~/azureml-examples-main/cli/endpoints/batch/deploy-models/imagenet-classifier/code/score-by-batch/batch_driver.py" :::

+The following diagram shows how a managed virtual network uses private endpoints to communicate with the storage, key vault, and container registry used by the workspace.

+| Allow only approved outbound | Outbound traffic is allowed by specifying service tags. | Recommended if you want to minimize the risk of data exfiltration but you will need to prepare all required machine learning artifacts in your private locations. |

+ from azure.ai.ml.entities import (

+ Workspace,

+ ManagedNetwork,

+ IsolationMode,

+ ServiceTagDestination,

+ PrivateEndpointDestination

+ )

+ # get a handle to the subscription

+ ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)

+ service_resource_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>

+ service_resource_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>

+ service_resource_id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>"

+ spark_enabled = True

+ service_resource_id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>"

+ spark_enabled = True

+ service_resource_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>

+ service_resource_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>

+ service_resource_id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>"

+ spark_enabled = True

+ service_resource_id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>"

+ spark_enabled = True

+ service_resource_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>

+ service_resource_id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT_NAME>"

+ spark_enabled = True

+__Private endpoints__:

+* When the isolation mode for the managed network is `Allow internet outbound`, private endpoint outbound rules will be automatically created as required rules from the managed network for the workspace and associated resources __with public network access disabled__ (Key Vault, Storage Account, Container Registry, Azure ML Workspace).

+* When the isolation mode for the managed network is `Allow only approved outbound`, private endpoint outbound rules will be automatically created as required rules from the managed network for the workspace and associated resources __regardless of public network access mode for those resources__ (Key Vault, Storage Account, Container Registry, Azure ML Workspace).

+__Outbound__ service tag rules:

+__Inbound__ service tag rules:

+* The managed network will be deleted and cleaned up when the workspace is deleted.

+* Compute cluster/instance deployment in virtual network isn't supported with Azure Lighthouse.

+* __Port 445__ must be open for _private_ network communications between your compute instances and the default storage account during training. For example, if your computes are in one VNet and the storage account is in another, don't block port 445 to the storage account VNet.

+## Compute cluster in a different VNet/region from workspace

+> [!IMPORTANT]

+> You can't create a *compute instance* in a different region/VNet, only a *compute cluster*.

+To create a compute cluster in an Azure Virtual Network in a different region than your workspace virtual network, you have couple of options to enable communication between the two VNets.

+* Use [VNet Peering](/azure/virtual-network/virtual-network-peering-overview).

+* Add a private endpoint for your workspace in the virtual network that will contain the compute cluster.

+> [!IMPORTANT]

+> Regardless of the method selected, you must also create the VNet for the compute cluster; Azure Machine Learning will not create it for you.

+>

+> You must also allow the default storage account, Azure Container Registry, and Azure Key Vault to access the VNet for the compute cluster. There are multiple ways to accomplish this. For example, you can create a private endpoint for each resource in the VNet for the compute cluster, or you can use VNet peering to allow the workspace VNet to access the compute cluster VNet.

+### Scenario: VNet peering

+1. Configure your workspace to use an Azure Virtual Network. For more information, see [Secure your workspace resources](how-to-secure-workspace-vnet.md).

+1. Create a second Azure Virtual Network that will be used for your compute clusters. It can be in a different Azure region than the one used for your workspace.

+1. Configure [VNet Peering](/azure/virtual-network/virtual-network-peering-overview) between the two VNets.

+ > [!TIP]

+ > Wait until the VNet Peering status is **Connected** before continuing.

+1. Modify the `privatelink.api.azureml.ms` DNS zone to add a link to the VNet for the compute cluster. This zone is created by your Azure Machine Learning workspace when it uses a private endpoint to participate in a VNet.

+ 1. Add a new __virtual network link__ to the DNS zone. You can do this multiple ways:

+

+ * From the Azure portal, navigate to the DNS zone and select **Virtual network links**. Then select **+ Add** and select the VNet that you created for your compute clusters.

+ * From the Azure CLI, use the `az network private-dns link vnet create` command. For more information, see [az network private-dns link vnet create](/cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create).

+ * From Azure PowerShell, use the `New-AzPrivateDnsVirtualNetworkLink` command. For more information, see [New-AzPrivateDnsVirtualNetworkLink](/powershell/module/az.privatedns/new-azprivatednsvirtualnetworklink).

+1. Repeat the previous step and sub-steps for the `privatelink.notebooks.azure.net` DNS zone.

+1. Configure the following Azure resources to allow access from both VNets.

+ * The default storage account for the workspace.

+ * The Azure Container registry for the workspace.

+ * The Azure Key Vault for the workspace.

+ > [!TIP]

+ > There are multiple ways that you might configure these services to allow access to the VNets. For example, you might create a private endpoint for each resource in both VNets. Or you might configure the resources to allow access from both VNets.

+1. Create a compute cluster as you normally would when using a VNet, but select the VNet that you created for the compute cluster. If the VNet is in a different region, select that region when creating the compute cluster.

+ > When setting the region, if it is a different region than your workspace or datastores you may see increased network latency and data transfer costs. The latency and costs can occur when creating the cluster, and when running jobs on it.

+### Scenario: Private endpoint

+1. Configure your workspace to use an Azure Virtual Network. For more information, see [Secure your workspace resources](how-to-secure-workspace-vnet.md).

+1. Create a second Azure Virtual Network that will be used for your compute clusters. It can be in a different Azure region than the one used for your workspace.

+1. Create a new private endpoint for your workspace in the VNet that will contain the compute cluster.

+ * To add a new private endpoint using the __Azure portal__, select your workspace and then select __Networking__. Select __Private endpoint connections__, __+ Private endpoint__ and use the fields to create a new private endpoint.

+ * When selecting the __Region__, select the same region as your virtual network.

+ * When selecting __Resource type__, use __Microsoft.MachineLearningServices/workspaces__.

+ * Set the __Resource__ to your workspace name.

+ * Set the __Virtual network__ and __Subnet__ to the VNet and subnet that you created for your compute clusters.

+ Finally, select __Create__ to create the private endpoint.

+ * To add a new private endpoint using the Azure CLI, use the `az network private-endpoint create`. For an example of using this command, see [Configure a private endpoint for Azure Machine Learning workspace](how-to-configure-private-link.md#add-a-private-endpoint-to-a-workspace).

+1. Create a compute cluster as you normally would when using a VNet, but select the VNet that you created for the compute cluster. If the VNet is in a different region, select that region when creating the compute cluster.

+ > [!WARNING]

+ > When setting the region, if it is a different region than your workspace or datastores you may see increased network latency and data transfer costs. The latency and costs can occur when creating the cluster, and when running jobs on it.

+# [Python SDK](#tab/python)

+# [Python SDK](#tab/python)

+When developing a complex machine learning pipeline, it's common to have sub-pipelines that use multi-step to perform tasks such as data preprocessing and model training. These sub-pipelines can be developed and tested standalone. Pipeline component groups multi-step as a component that can be used as a single step to create complex pipelines. Which will help you share your work and better collaborate with team members.

+In general, pipeline components are similar to pipeline jobs because they both contain a group of jobs/components.

+Here are some main differences you need to be aware of when defining pipeline components:

+| `read_parquet` | Adds a transformation step to read Parquet formatted file(s) provided in `paths`. | `include_path_column`: Boolean to keep path information as a table column. Defaults to False. This setting helps when you read multiple files, and you want to know from which file a specific record originated. Additionally, you can keep useful information in the file path.<br><br>**NOTE:** MLTable only supports reading parquet files that have columns consisting of primitive types. Columns containing arrays are **not** supported. |

+- [Working with tables in Azure Machine Learning](how-to-mltable.md)

+| `managed_network` | object | Azure Machine Learning Workspace managed network isolation. For more information, see [Workspace managed network isolation](how-to-managed-network.md). | | |

+## YAML: managed network with allow internet outbound

+## YAML: managed network with allow only approved outbound

+* Compute clusters can be created in a different region and VNet than your workspace. However, this functionality is only available using the SDK v2, CLI v2, or studio. For more information, see the [v2 version of secure training environments](../how-to-secure-training-vnet.md?view=azureml-api-2&preserve-view=true#compute-cluster-in-a-different-vnetregion-from-workspace).

+* __Compute clusters__ can be created in a different region and VNet than your workspace. However, this functionality is only available using the SDK v2, CLI v2, or studio. For more information, see the [v2 version of secure training environments](../how-to-secure-training-vnet.md?view=azureml-api-2&preserve-view=true#compute-cluster-in-a-different-vnetregion-from-workspace).

+ ```

+ ```

+- Below [static privileges](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#privileges-provided-static) are restricted.

+ - [SUPER privilege](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_super)

+ - [FILE privilege](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_file)

+ - [CREATE TABLESPACE](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_create-tablespace)

+ - [SHUTDOWN](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_shutdown)

+- [BACKUP_ADMIN](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_backup-admin) privilege: Granting BACKUP_ADMIN privilege isn't supported for taking backups using any [utility tools](../migrate/how-to-decide-on-right-migration-tools.md). Refer [Supported](././concepts-limitations.md#supported-1) section for list of supported [dynamic privileges](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#privileges-provided-dynamic).

+ Title: Azure Operator Nexus storage appliance

+description: Overview of storage appliance resources for Azure Operator Nexus.

+# Azure Operator Nexus storage appliance

+Operator Nexus is built on some basic constructs like compute servers, storage appliance, and network fabric devices. These storage appliances, also referred to as Nexus storage appliances, represent the persistent storage appliance in the rack. In each Nexus storage appliance, there are multiple storage devices, which are aggregated to provide a single storage pool. This storage pool is then carved out into multiple volumes, which are then presented to the compute servers as block storage devices. The compute servers can then use these block storage devices as persistent storage for their workloads. Each Nexus cluster is provisioned with a single storage appliance that is shared across all the tenant workloads.

+The storage appliance within an Operator Nexus instance is represented as an Azure resource and operators (end users) get access to view its attributes like any other Azure resource.

+## Key capabilities offered in Azure Operator Nexus Storage software stack

+## Kubernetes storage classes

+The Nexus Software Kubernetes stack offers two types of storage, selectable using the Kubernetes StorageClass mechanism.

+#### **StorageClass: ΓÇ£nexus-volumeΓÇ¥**

+The default storage mechanism, known as "nexus-volume," is the preferred choice for most users. It provides the highest levels of performance and availability. However, it's important to note that volumes can't be simultaneously shared across multiple worker nodes. These volumes can be accessed and managed using the Azure API and Portal through the Volume Resource.

+#### **StorageClass: ΓÇ£nexus-sharedΓÇ¥**

+In situations where a "shared filesystem" is required, the "nexus-shared" storage class is available. This storage class enables multiple pods to concurrently access and share the same volume, providing a shared storage solution. While the performance and availability of "nexus-shared" are sufficient for most applications, it's recommended that workloads with heavy IO (input/output) requirements utilize the "nexus-volume" option mentioned earlier for optimal performance.

+## Storage appliance status

+There are multiple properties, which reflect the operational state of storage appliance. Some of these include:

+- Status

+- Provisioning state

+- Capacity total / used

+- Remote Vendor Management

+_`Status`_ field indicates the state as derived from the storage appliance. The state can be Available, Error or Provisioning.

+The _`Provisioning State`_ field provides the current provisioning state of the storage appliance. The provisioning state can be Succeeded, Failed, or InProgress.

+The _`Capacity`_ field provides the total and used capacity of the storage appliance.

+The _`Remote Vendor Management`_ field indicates whether the remote vendor management is enabled or disabled for the storage appliance.

+## Storage appliance operations

+- **List Storage Appliances** List storage appliances in the provided resource group or subscription.

+- **Show Storage Appliance** Get properties of the provided storage appliance.

+- **Update Storage Appliance** Update properties or provided tags of the provided storage appliance.

+- **Enable/Disable Remote Vendor Management for Storage Appliance** Enable/Disable remote vendor management for the provided storage appliance.

+> [!NOTE]

+> Customers cannot explicitly create or delete storage appliances directly. These resources are only created as the realization of the Cluster lifecycle. Implementation will block any creation or delete requests from any user, and only allow internal/application driven creates or deletes.

+ Title: Azure Operator Nexus Storage Appliance Overview

+description: Storage Appliance SKUs and resources available in Azure Operator Nexus Near-edge.

+# Near-edge Nexus storage appliance

+The architecture of Azure Operator Nexus revolves around core components such as compute servers, storage appliances, and network fabric devices. A single Storage Appliance referred to as the "Nexus Storage Appliance," is attached to each near-edge Nexus instance. These appliances play a vital role as the dedicated and persistent storage solution for the tenant workloads hosted within the Nexus instance.

+Within each Nexus storage appliance, multiple storage devices are grouped together to form a unified storage pool. This pool is then divided into multiple volumes, which are then presented to the compute servers and tenant workloads as persistent volumes.

+## SKUs available

+This table lists the SKUs available for the storage appliance in Near-edge Nexus offering:

+| SKU | Description |

+| -- | - |

+| Pure x70r3-91 | Storage appliance model x70r3-91 provided by PURE Storage |

+## Storage connectivity

+This diagram shows the connectivity model followed by storage appliance in the Near Edge offering:

+## Storage limits

+This table lists the characteristics for the storage appliance:

+| Property | Specification/Description |

+| -- | -|

+| Raw storage capacity | 91 TB |

+| Usable capacity | 50 TB |

+| Number of maximum IO operations supported per second <br>(with 80/20 R/W ratio) | 250K+ (4K) <br>150K+ (16K) |

+| Number of IO operations supported per volume per second | 50K+ |

+| Maximum IO latency supported | 10 ms |

+| Nominal failover time supported | 10 s |

+Flexible Server is a managed service that you use to run, manage, and scale highly available PostgreSQL databases in the cloud. You can use Python SDK to provision a PostgreSQL Flexible Server, multiple servers or multiple databases on a server.

+### Important considerations

+As you are creating your Azure NetApp Files volumes for SAP HANA Scale-up systems, be aware of the important considerations documented in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#important-considerations).

+### Sizing of HANA database on Azure NetApp Files

+The throughput of an Azure NetApp Files volume is a function of the volume size and service level, as documented in [Service level for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-service-levels.md).

+While designing the infrastructure for SAP HANA on Azure with Azure NetApp Files, be aware of the recommendations in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#sizing-for-hana-database-on-azure-netapp-files).

+### Important considerations

+As you're creating your Azure NetApp Files volumes for SAP HANA scale-out with stand by nodes scenario, be aware of the important considerations documented in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#important-considerations).

+### Sizing for HANA database on Azure NetApp Files

+The throughput of an Azure NetApp Files volume is a function of the volume size and service level, as documented in [Service level for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-service-levels.md).

+While designing the infrastructure for SAP HANA on Azure with Azure NetApp Files, be aware of the recommendations in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#sizing-for-hana-database-on-azure-netapp-files).

+ In this example, we used a separate Azure NetApp Files volume for each HANA data and log volume. For a more cost-optimized configuration on smaller or non-productive systems, it's possible to place all data mounts on a single volume and all logs mounts on a different single volume.

+### Important considerations

+As you're creating your Azure NetApp Files for SAP NetWeaver on SUSE High Availability architecture, be aware of the important considerations documented in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#important-considerations).

+### Sizing for HANA database on Azure NetApp Files

+The throughput of an Azure NetApp Files volume is a function of the volume size and service level, as documented in [Service level for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-service-levels.md).

+As you design the infrastructure for SAP HANA on Azure with Azure NetApp Files, be aware of the recommendations in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#sizing-for-hana-database-on-azure-netapp-files).

+**Azure Dedicated HSM**: A FIPS 140-2 Level 3 validated single-tenant bare metal HSM offering that lets customers lease a general-purpose HSM appliance that resides in Microsoft datacenters. The customer has complete ownership over the HSM device and is responsible for patching and updating the firmware when required. Microsoft has no permissions on the device or access to the key material, and Azure Dedicated HSM is not integrated with any Azure PaaS offerings. Customers can interact with the HSM using the PKCS#11, JCE/JCA, and KSP/CNG APIs. This offering is most useful for legacy lift-and-shift workloads, PKI, SSL Offloading and Keyless TLS (supported integrations include F5, Nginx, Apache, Palo Alto, IBM GW and more), OpenSSL applications, Oracle TDE, and Azure SQL TDE IaaS. For more information, see [What is Azure Dedicated HSM?](../../dedicated-hsm/overview.md)

+ * **Send to partner solution**

+**This article applies to:** ❌ Basic ✔️ Standard ✔️ Enterprise

+ Title: Set or change a blob's access tier with .NET

+description: Learn how to set or change a blob's access tier in your Azure Storage account using the .NET client library.

+ms.devlang: csharp

+# Set or change a block blob's access tier with .NET

+This article shows how to set or change the access tier for a block blob using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage).

+## Prerequisites

+To work with the code examples in this article, make sure you have:

+- An authorized client object to connect to Blob Storage data resources. To learn more, see [Create and manage client objects that interact with data resources](storage-blob-client-management.md).

+- Permissions to perform an operation to set the blob's access tier. To learn more, see the authorization guidance for the following REST API operation:

+ - [Set Blob Tier](/rest/api/storageservices/set-blob-tier#authorization)

+- The package **Azure.Storage.Blobs** installed to your project directory. To learn more about setting up your project, see [Get Started with Azure Storage and .NET](storage-blob-dotnet-get-started.md#set-up-your-project).

+> [!NOTE]

+> To set the access tier to `Cold` using .NET, you must use a minimum [client library](/dotnet/api/azure.storage.blobs) version of 12.15.0.

+## Set a blob's access tier during upload

+You can set a blob's access tier on upload by using the [BlobUploadOptions](/dotnet/api/azure.storage.blobs.models.blobuploadoptions) class. The following code example shows how to set the access tier when uploading a blob:

+To learn more about uploading a blob with .NET, see [Upload a blob with .NET](storage-blob-upload.md).

+## Change the access tier for an existing block blob

+You can change the access tier of an existing block blob by using one of the following functions:

+- [SetAccessTier](/dotnet/api/azure.storage.blobs.specialized.blobbaseclient.setaccesstier)

+- [SetAccessTierAsync](/dotnet/api/azure.storage.blobs.specialized.blobbaseclient.setaccesstierasync)

+The following code example shows how to change the access tier for an existing blob to `Cool`:

+If you are rehydrating an archived blob, you can optionally set the `rehydratePriority` parameter to `High` or `Standard`.

+## Copy a blob to a different access tier

+You can change the access tier of an existing block blob by specifying an access tier as part of a copy operation. To change the access tier during a copy operation, use the [BlobCopyFromUriOptions](/dotnet/api/azure.storage.blobs.models.blobcopyfromurioptions) class and specify the [AccessTier](/dotnet/api/azure.storage.blobs.models.blobcopyfromurioptions.accesstier#azure-storage-blobs-models-blobcopyfromurioptions-accesstier) property. If you're rehydrating a blob from the archive tier using a copy operation, you can optionally set the [RehydratePriority](/dotnet/api/azure.storage.blobs.models.blobcopyfromurioptions.rehydratepriority#azure-storage-blobs-models-blobcopyfromurioptions-rehydratepriority) property to `High` or `Standard`.

+The following code example shows how to rehydrate an archived blob to the `Hot` tier using a copy operation:

+## Resources

+To learn more about setting access tiers using the Azure Blob Storage client library for .NET, see the following resources.

+### REST API operations

+The Azure SDK for .NET contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar .NET paradigms. The client library methods for setting access tiers use the following REST API operation:

+- [Set Blob Tier](/rest/api/storageservices/set-blob-tier) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/dotnet/BlobDevGuideBlobs/AccessTiers.cs)

+### See also

+- [Access tiers best practices](access-tiers-best-practices.md)

+- [Blob rehydration from the Archive tier](archive-rehydrate-overview.md)

+## Unable to change the patch orchestration option to manual updates from automatic updates

+### Issue

+Azure machine has the patch orchestration option as AutomaticByOS/Windows automatic updates and you are unable to change the patch orchestration to Manual Updates using Change update settings.

+### Resolution

+If you don't want any patch installation to be orchestrated by Azure or aren't using custom patching solutions, you must change the patch orchestration option to **Customer Managed Schedules (Preview)** and don't associate a schedule/maintenance configuration to the machine. This will ensure that no patching is performed on the machine until you change it explicitly. For more information, see [User scenarios](prerequsite-for-schedule-patching.md#user-scenarios).

+## June 2023

+In June 2023, we published the following changes:

+- Updated [Use Azure Virtual Desktop Insights](insights.md) to use the Azure Monitor Agent.

+- Updated [Supported features for Microsoft Teams on Azure Virtual Desktop](teams-supported-features.md) to include simulcast, mirror my video, manage breakout rooms, call health panel.

+- New article to [Assign RBAC roles to the Azure Virtual Desktop service principal](service-principal-assign-roles.md).

+- Added Intune to [Administrative template for Azure Virtual Desktop](administrative-template.md).

+- Updated [Configure single sign-on using Azure AD Authentication](configure-single-sign-on.md) to include how to use an Active Directory domain admin account with single sign-on, and highlight the need to create a Kerberos server object.

+## Limitations

+Spot Priority Mix is not supported with `singlePlacementMode` enabled on the scale set.

+The eviction policy of your Spot VMs follows what is set for the Spot VMs in your scale set. *Deallocate* is the default behavior, wherein evicted Spot VMs move to a stop-deallocated state. Alternatively, the Spot eviction policy can be set to *Delete*, wherein the VM and its underlying disks are deleted.

+### ARM Template

+You can set your Spot Priority Mix by using an ARM template to add the following properties to a scale set with Flexible orchestration using a Spot priority VM profile:

+1 In the **Spot** tab, select the check-box next to *Scale with VMs and Spot VMs* option under the **Scale with VMs and discounted Spot VMs** section.

+1. Fill out the **Base VM (uninterruptible) count** and **Instance distribution** fields to configure your percentage split between Spot and Standard VMs.

+You can set your Spot Priority Mix using Azure PowerShell by setting the `Priority` parameter to `Spot` and including the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters.

+## Updating your Spot Priority Mix

+Should your ideal percentage split of Spot and Standard VMs change, you can update your Spot Priority Mix after your scale set has been deployed. Updating your Spot Priority Mix will apply for all scale set actions *after* the change is made, existing VMs will remain as is.

+### [Portal](#tab/portal-2)

+You can update your existing Spot Priority Mix in the Configuration tab of the Virtual Machine Scale Set resource page in the Azure portal. The following steps instruct you on how to access this feature during that process. Note: in Portal, you can only update the Spot Priority Mix for scale sets that already have Spot Priority Mix enabled.

+1. Navigate to the specific virtual machine scale set that you're adjusting the Spot Priority Mix on.

+1. In the left side bar, scroll down to and select **Configuration**.

+1. Your current Spot Priority Mix should be visible. Here you can change the **Base VM (uninterruptible) count** and **Instance distribution** of Spot and Standard VMs.

+1. Update your Spot Mix as needed.

+1. Press the **Save** button to apply your changes.

+### [Azure CLI](#tab/cli-2)

+You can update your Spot Priority Mix using Azure CLI by updating the `regular-priority-count` and `regular-priority-percentage` parameters.

+```azurecli

+az vmss update --resource-group myResourceGroup \

+ --name myScaleSet \

+ --regular-priority-count 10 \

+ --regular-priority-percentage 80 \

+```

+### [Azure PowerShell](#tab/powershell-2)

+You can update your Spot Priority Mix using Azure PowerShell by updating the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters.

+```azurepowershell

+$vmss = Get-AzVmss `

+ -ResourceGroupName "myResourceGroup" `

+ -VMScaleSetName "myScaleSet"

+Update-AzVmss `

+ -ResourceGroupName "myResourceGroup" `

+ -VirtualMachineScaleSet $vmss

+ -VMScaleSetName "myScaleSet" `

+ -BaseRegularPriorityCount 10 `

+ -RegularPriorityPercentage 80;

+```

+- **sku.capacity** is variable, as Autoscale will add or remove VMs from the scale set

+| Action | sku.capacity | Base (standard) VMs | Extra standard VMs | Spot priority VMs |

+|--|-||--|-|

+| Create | 10 | 10 | 0 | 0 |

+| Scale out | 20 | 10 | 5 | 5 |

+| Scale out | 30 | 10 | 10 | 10 |

+| Scale out | 40 | 10 | 15 | 15 |

+| Scale out | 41 | 10 | 15 | 16 |

+| Scale out | 42 | 10 | 16 | 16 |

+| Scale in - Evict-Delete (all Spot instances) | 26 | 10 | 16 | 0 |

+| Scale out | 30 | 10 | 16 | 4 |

+| Scale out | 42 | 10 | 16 | 16 |

+| Scale out | 44 | 10 | 17 | 17 |

+1. You then scale in your scale set with the eviction policy being *evict-delete*, which deletes all the Spot VMs.

+| Action | sku.capacity | Base (standard) VMs | Extra standard VMs | Spot priority VMs |

+|--|--||--|-|

+| Create | 20 | 10 | 2 | 8 |

+| Scale out | 50 | 10 | 10 | 30 |

+| Scale out | 110 | 10 | 25 | 75 |

+| Scale In: Stop-Deallocate (10 instances) | 100 | 10 | 25 | 75 (65 running VMs, 10 Stop-Deallocated VMs) |

+| Scale out | 120 | 10 | 27 | 83 (73 running VMs, 10 Stop-Deallocated VMs) |

+1. You then scale out twice to create 90 more VMs; 23 standard VMs and 67 Spot VMs.

+1. Your next scale out operation creates another 2 standard VMs and 8 Spot VMs, bringing you closer to your 25% above base ratio.

+If Spot Priority Mix isn't available to you, be sure to configure the `priorityMixPolicy` to specify a *Spot* priority in the `virtualMachineProfile`. Without enabling the `priorityMixPolicy` setting, you won't be able to access this Spot feature.

+## FAQs

+### Q: I changed the Spot Priority Mix settings, why aren't my existing VMs changing?

+Spot Priority Mix applies for scale actions on the scale set. Changing the percentage split of Spot and Standard VMs won't rebalance existing scale set. You'll see the actual percentage split change as you scale the scale set.

+### Q: Is Spot Priority Mix enabled for Uniform orchestration mode?

+Spot Priority Mix is only available on Virtual Machine Scale Sets with Flexible orchestration mode.

+### Q: Which regions is Spot Priority Mix enabled in?

+Spot VMs, and therefore Spot Priority Mix, are available in all global Azure regions.

+1. Make your choices on the **Basics**, then select **Next : Disks >** to open the **Disks** tab.

+ - If you choose **Create and attach a new disk**, the **Create a new disk** page opens and you can select whether to delete the disk when you delete the VM.

+ - If you choose to **Attach an existing disk**, can choose the disk, LUN, and whether you want to delete the data disk when you delete the VM.

+1. When you're done adding your disk information, select **Next : Networking >** to open the **Networking** tab.

+1. When you're done making selections, select **Review + create**.

+This example shows how to set the data disk and NIC to be deleted when the VM is deleted. Note, the API version specified in the api-version parameter must be '2021-03-01' or newer to configure the delete option.

+ "primary": true,

+ "deleteOption": "Delete"

+### [PowerShell](#tab/powershell3)

+The following example updates VM to delete the OS disk, all data disks, and all NICs when the VM is deleted.

+```azurepowershell

+$vmConfig = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM

+$vmConfig.StorageProfile.OsDisk.DeleteOption = 'Delete'

+$vmConfig.StorageProfile.DataDisks | ForEach-Object { $_.DeleteOption = 'Delete' }

+$vmConfig.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.DeleteOption = 'Delete' }

+$vmConfig | Update-AzVM

+```

+The following example updates the VM to delete the NIC, OS disk, and data disk when the VM is deleted. Note, the API version specified in the api-version parameter must be '2021-03-01' or newer to configure the delete option.

+Force delete allows you to forcefully delete your virtual machine, reducing delete latency and immediately freeing up attached resources. For VMs that don't require graceful shutdown, Force Delete will delete the VM as fast as possible while relieving the logical resources from the VM, bypassing the graceful shutdown and some of the cleanup operations. Force Delete won't immediately free the MAC address associated with a VM, as this is a physical resource that may take up to 10 min to free. If you need to immediately reuse the MAC address on a new VM, Force Delete isn't recommended. Force delete should only be used when you aren't intending to reuse virtual hard disks. You can use force delete through Portal, CLI, PowerShell, and REST API.

+Force delete allows you to forcefully delete your **Uniform** Virtual Machine Scale Set, reducing delete latency and immediately freeing up attached resources. Force Delete won't immediately free the MAC address associated with a VM, as this is a physical resource that may take up to 10 min to free. If you need to immediately reuse the MAC address on a new VM, Force Delete is not recommended. Force delete should only be used when you are not intending to reuse virtual hard disks. You can use force delete through Portal, CLI, PowerShell, and REST API.

+ --force-deletion true