-description: Provide sign-up and sign-in to customers with Twitter accounts in your applications using Azure Active Directory B2C.

-#Customer Intent: As a developer setting up sign-up and sign-in with a Twitter account using Azure Active Directory B2C, I want to configure Twitter as an identity provider so that I can enable users to sign in with their Twitter accounts.

-# Set up sign-up and sign-in with a Twitter account using Azure Active Directory B2C

-To enable sign-in for users with a Twitter account in Azure AD B2C, you need to create a Twitter application. If you don't already have a Twitter account, you can sign up at [`https://twitter.com/signup`](https://twitter.com/signup). You also need to [Apply for a developer account](https://developer.twitter.com/). For more information, see [Apply for access](https://developer.twitter.com/en/apply-for-access).

-1. Sign in to the [Twitter Developer Portal](https://developer.twitter.com/portal/projects-and-apps) with your Twitter account credentials.

- - `your-policy-id` with the identifier of your user flow. For example, `b2c_1a_signup_signin_twitter`.

-1. Sign in to the [Twitter Developer Portal](https://developer.twitter.com/portal/projects-and-apps) with your Twitter account credentials.

-1. Under **Keys & Tokens** tab, copy the value of **API Key** and **API Key Secret** for later. You use both of them to configure Twitter as an identity provider in your Azure AD B2C tenant.

- - `your-user-flow-name` with the identifier of your user flow. For example, `b2c_1_signup_signin_twitter`.

-## Configure Twitter as an identity provider

-1. Enter a **Name**. For example, *Twitter*.

-1. For the **Client ID**, enter the *API Key* of the Twitter application that you created earlier.

-## Add Twitter identity provider to a user flow

-At this point, the Twitter identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Twitter identity provider to a user flow:

-1. Select the user flow that you want to add the Twitter identity provider.

-1. From the sign-up or sign-in page, select **Twitter** to sign in with Twitter account.

-You need to store the secret key that you previously recorded for Twitter app in your Azure AD B2C tenant.

-1. Enter a **Name** for the policy key. For example, `TwitterSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.

-## Configure Twitter as an identity provider

-To enable users to sign in using a Twitter account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

-You can define a Twitter account as a claims provider by adding it to the **ClaimsProviders** element in the extension file of your policy. Refer to the custom policy starter pack that you downloaded in the Prerequisites of this article.

- <Domain>twitter.com</Domain>

- <DisplayName>Twitter</DisplayName>

- <DisplayName>Twitter</DisplayName>

- <Item Key="client_id">Your Twitter application API key</Item>

-1. From the sign-up or sign-in page, select **Twitter** to sign in with Twitter account.

-> If you're facing `unauthorized` error while testing this identity provider, make sure you use the correct Twitter API Key and API Key Secret, or try to apply for [elevated](https://developer.twitter.com/en/portal/products/elevated) access. Also, we recommend you've a look at [Twitter's projects structure](https://developer.twitter.com/en/docs/projects/overview), if you registered your app before the feature was available.

-#Customer intent: As a developer implementing Azure Active Directory B2C custom policies, I want to define an OAuth1 technical profile, so that I can federate with an OAuth1 based identity provider like Twitter and allow users to sign in with their existing social or enterprise identities.

-Azure Active Directory B2C (Azure AD B2C) provides support for the [OAuth 1.0 protocol](https://tools.ietf.org/html/rfc5849) identity provider. This article describes the specifics of a technical profile for interacting with a claims provider that supports this standardized protocol. With an OAuth1 technical profile, you can federate with an OAuth1 based identity provider, such as Twitter. Federating with the identity provider allows users to sign in with their existing social or enterprise identities.

- <DisplayName>Twitter</DisplayName>

-The following example shows the claims returned by the Twitter identity provider:

-description: Tutorial to configure Sift Keyless with Azure Active Directory B2C for passwordless authentication

-Learn to configure Azure Active Directory B2C (Azure AD B2C) with the Sift Keyless passwordless solution. With Azure AD B2C as an identity provider (IdP), integrate Keyless with customer applications to provide passwordless authentication. The Keyless Zero-Knowledge Biometric (ZKB) is passwordless multifactor authentication that helps eliminate fraud, phishing, and credential reuse, while enhancing the customer experience and protecting privacy.

-* [Sift Keyless](https://keyless.io/)

-* **The Keyless Authenticator mobile app** ΓÇô Sift mobile app for authentication to the Azure AD B2C enabled applications

-In the following orchestration step, the user can choose to sign in with Facebook, LinkedIn, Twitter, Google, or a local account. If the user selects one of the social identity providers, the second orchestration step executes with the selected claim exchange specified in the `TargetClaimsExchangeId` attribute. The second orchestration step redirects the user to the social identity provider to complete the sign-in process. If the user chooses to sign in with the local account, Azure AD B2C stays on the same orchestration step (the same sign-up page or sign-in page) and skips the second orchestration step.

-|**Credit/Debit card** . |You want to extract key information bank cards such as card number and bank name. | [**Credit/Debit card model**](concept-credit-card.md)|

-|**Marriage Certificate** . |You want to extract key information from marriage certificates. | [**Marriage certificate model**](concept-marriage-certificate.md)|

-|**Invoice** or billing statement.|You want to extract key information such as customer name, billing address, and amount due.|[**Invoice model**](concept-invoice.md)

-|**Identity document (ID)** like a U.S. driver's license or international passport. |You want to extract key information such as first name, surname, date of birth, address, and signature. | [**Identity document (ID) model**](concept-id-document.md)|

-|**US Mortgage 1003** . |You want to extract key information from the Uniform Residential loan application. | [**1003 form model**](concept-mortgage-documents.md)|

-|**US Mortgage 1008** . |You want to extract key information from the Uniform Underwriting and Transmittal summary. | [**1008 form model**](concept-mortgage-documents.md)|

-|**US Mortgage Closing Disclosure** . |You want to extract key information from a mortgage closing disclosure form. | [**Mortgage closing disclosure form model**](concept-mortgage-documents.md)|

-|**Mixed-type document(s)** with structured, semi-structured, and/or unstructured elements. | You want to extract key-value pairs, selection marks, tables, signature fields, and selected regions not extracted by prebuilt or general document models.| [**Custom model**](concept-custom.md)|

-The following add-on capabilities are available for`2024-02-29-preview`, `2024-02-29-preview`, and later releases:

-> Model compose behavior is changing for api-version=2024-07-31-preview and later. The following behavior only applies to v3.1 and previous versions

-**Composed models**. A composed model is created by taking a collection of custom models and assigning them to a single model built from your form types. When a document is submitted for analysis using a composed model, the service performs a classification to decide which custom model best represents the submitted document.

-With composed models, you can assign multiple custom models to a composed model called with a single model ID. It's useful when you train several models and want to group them to analyze similar form types. For example, your composed model might include custom models trained to analyze your supply, equipment, and furniture purchase orders. Instead of manually trying to select the appropriate model, you can use a composed model to determine the appropriate custom model for each analysis and extraction.

-* ```Custom form``` and ```Custom template``` models can be composed together into a single composed model.

-* With the model compose operation, you can assign up to 200 trained custom models to a single composed model. To analyze a document with a composed model, Document Intelligence first classifies the submitted form, chooses the best-matching assigned model, and returns results.

-* For ```Custom template``` models, the composed model can be created using variations of a custom template or different form types. This operation is useful when incoming forms belong to one of several templates.

-* For ```Custom neural``` models the best practice is to add all the different variations of a single document type into a single training dataset and train on custom neural model. Model compose is best suited for scenarios when you have documents of different types being submitted for analysis.

-* The response includes a ```docType``` property to indicate which of the composed models was used to analyze the document.

-With the introduction of [**custom classification models**](./concept-custom-classifier.md), you can choose to use a [**composed model**](./concept-composed-models.md) or [**classification model**](concept-custom-classifier.md) as an explicit step before analysis. For a deeper understanding of when to use a classification or composed model, _see_ [**Custom classification models**](concept-custom-classifier.md#compare-custom-classification-and-composed-models).

-## Compose model limits

-> [!NOTE]

-> With the addition of **_custom neural model_** , there are a few limits to the compatibility of models that can be composed together.

-* With the model compose operation, you can assign up to 200 models to a single model ID. If the number of models that I want to compose exceeds the upper limit of a composed model, you can use one of these alternatives:

-* Analyzing a document by using composed models is identical to analyzing a document by using a single model. The `Analyze Document` result returns a `docType` property that indicates which of the component models you selected for analyzing the document. There's no change in pricing for analyzing a document by using an individual custom model or a composed custom model.

-* Model Compose is currently available only for custom models trained with labels.

-|Custom model type|Models trained with v2.1 and v2.0 | Custom template models v3.0 |Custom neural models 3.0|Custom Neural models v3.1|

-|**Models trained with version 2.1 and v2.0** |Supported|Supported|Not Supported|Not Supported|

-|**Custom template models v3.0** |Supported|Supported|Not Supported|Not Supported|

-|**Custom template models v3.1** |Not Supported|Not Supported|Not Supported|Not Supported|

-|**Custom Neural models v3.0**|Not Supported|Not Supported|Supported|Supported|

-|**Custom Neural models v3.1**|Not Supported|Not Supported|Supported|Supported|

-* For custom models, the maximum number that can be composed is 200.

-Document Intelligence **v4.0:2023-02-29-preview** supports the following tools, applications, and libraries:

-|_**Custom model**_| &bullet; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&bullet; [REST API](/rest/api/aiservices/operation-groups?view=rest-aiservices-2024-07-31-preview&preserve-view=true)</br>&bullet; [C# SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [Java SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [JavaScript SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [Python SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)|

-| _**Composed model**_| &bullet; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&bullet; [REST API](/rest/api/aiservices/operation-groups?view=rest-aiservices-v4.0%20(2024-07-31-preview)&preserve-view=true)</br>&bullet; [C# SDK](/dotnet/api/azure.ai.formrecognizer.training.formtrainingclient.startcreatecomposedmodel)</br>&bullet; [Java SDK](/java/api/com.azure.ai.formrecognizer.training.formtrainingclient.begincreatecomposedmodel)</br>&bullet; [JavaScript SDK](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-begincomposemodel&preserve-view=true)</br>&bullet; [Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)|

-|_**Custom model**_| &bullet; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&bullet; [REST API](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&bullet; [C# SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [Java SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [JavaScript SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [Python SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)|

-| _**Composed model**_| &bullet; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&bullet; [REST API](/rest/api/aiservices/document-models/compose-model?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&bullet; [C# SDK](/dotnet/api/azure.ai.formrecognizer.training.formtrainingclient.startcreatecomposedmodel)</br>&bullet; [Java SDK](/java/api/com.azure.ai.formrecognizer.training.formtrainingclient.begincreatecomposedmodel)</br>&bullet; [JavaScript SDK](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-begincomposemodel&preserve-view=true)</br>&bullet; [Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)|

-|_**Custom model**_| &bullet; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&bullet; [REST API](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-v3.0%20(2022-08-31)&preserve-view=true&tabs=HTTP)</br>&bullet; [C# SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [Java SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [JavaScript SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [Python SDK](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)|

-| _**Composed model**_| &bullet; [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&bullet; [REST API](/rest/api/aiservices/document-models/compose-model?view=rest-aiservices-v3.0%20(2022-08-31)&preserve-view=true&tabs=HTTP)</br>&bullet; [C# SDK](/dotnet/api/azure.ai.formrecognizer.training.formtrainingclient.startcreatecomposedmodel)</br>&bullet; [Java SDK](/java/api/com.azure.ai.formrecognizer.training.formtrainingclient.begincreatecomposedmodel)</br>&bullet; [JavaScript SDK](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-begincomposemodel&preserve-view=true)</br>&bullet; [Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)|

-|_**Custom model**_| &bullet; [Document Intelligence labeling tool](https://fott-2-1.azurewebsites.net)</br>&bullet; [REST API](how-to-guides/compose-custom-models.md?view=doc-intel-2.1.0&tabs=rest&preserve-view=true)</br>&bullet; [Client library SDK](~/articles/ai-services/document-intelligence/how-to-guides/use-sdk-rest-api.md?view=doc-intel-2.1.0&preserve-view=true)</br>&bullet; [Document Intelligence Docker container](containers/install-run.md?tabs=custom#run-the-container-with-the-docker-compose-up-command)|

-| _**Composed model**_ |&bullet; [Document Intelligence labeling tool](https://fott-2-1.azurewebsites.net/)</br>&bullet; [REST API](/rest/api/aiservices/analyzer?view=rest-aiservices-v2.1&preserve-view=true)</br>&bullet; [C# SDK](/dotnet/api/azure.ai.formrecognizer.training.createcomposedmodeloperation?view=azure-dotnet&preserve-view=true)</br>&bullet; [Java SDK](/java/api/com.azure.ai.formrecognizer.models.createcomposedmodeloptions?view=azure-java-stable&preserve-view=true)</br>&bullet; JavaScript SDK</br>&bullet; [Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)|

->

-Starting with version `2024-07-31-preview` and later you can receive **10 hours** of free model training. Billing charges are calculated for model trainings that exceed 10 hours. You can choose to spend all of 10 free hours on a single build with a large set of data, or utilize it across multiple builds by adjusting the maximum duration value for the `build` operation by specifying `maxTrainingHours`:

-Build time varies. Billing is calculated for the actual time spent (excluding time in queue), with a minimum of 30 minutes per training job. The elapsed time is converted to V100 equivalent training hours and reported as part of the model.

-> [**Compose custom models**](how-to-guides/compose-custom-models.md)

-| **Model** | **Description** |

-| | |

-|**Document analysis models**||

-| [Read OCR](#read-ocr) | Extract print and handwritten text including words, locations, and detected languages.|

-| [Layout analysis](#layout-analysis) | Extract text and document layout elements like tables, selection marks, titles, section headings, and more.|

-|**Prebuilt models**||

-| [Health insurance card](#health-insurance-card) | Automate healthcare processes by extracting insurer, member, prescription, group number, and other key information from US health insurance cards.|

-| [US Tax document models](#us-tax-documents) | Process US tax forms to extract employee, employer, wage, and other information. |

-| [US Mortgage document models](#us-mortgage-documents) | Process US mortgage forms to extract borrower loan and property information. |

-| [Contract](#contract) | Extract agreement and party details.|

-| [Invoice](#invoice) | Automate invoices. |

-| [Receipt](#receipt) | Extract receipt data from receipts.|

-| [Identity document (ID)](#identity-document-id) | Extract identity (ID) fields from US driver licenses and international passports. |

-| [Business card](#business-card) | Scan business cards to extract key fields and data into your applications. |

-|**Custom models**||

-| [Custom model (overview)](#custom-models) | Extract data from forms and documents specific to your business. Custom models are trained for your distinct data and use cases. |

-| [Custom extraction models](#custom-extraction)| &#9679; **Custom template models** use layout cues to extract values from documents and are suitable to extract fields from highly structured documents with defined visual templates.</br>&#9679; **Custom neural models** are trained on various document types to extract fields from structured, semi-structured, and unstructured documents.|

-| [Custom classification model](#custom-classifier)| The **Custom classification model** can classify each page in an input file to identify the documents within and can also identify multiple documents or multiple instances of a single document within an input file.

-| [Composed models](#composed-models) | Combine several custom models into a single model to automate processing of diverse document types with a single composed model.

-| ✔️ [**Document analysis models**](#document-analysis-models) | ✔️ [**Prebuilt models**](#prebuilt-models) | ✔️ [**Custom models**](#custom-model-overview) |

-## Document analysis models

-Document analysis models enable text extraction from forms and documents and return structured business-ready content ready for your organization's action, use, or development.

- :::image type="icon" source="media/overview/icon-read.png" link="#read":::</br>

- [**Read**](#read) | Extract printed </br>and handwritten text.

- :::image type="icon" source="media/overview/icon-layout.png" link="#layout":::</br>

- [**Layout**](#layout) | Extract text, tables, </br>and document structure.

- :::image type="icon" source="media/overview/icon-read.png" link="#read":::</br>

- :::image type="icon" source="media/overview/icon-layout.png" link="#layout":::</br>

- :::image type="icon" source="media/overview/icon-general-document.png" link="#general-document-deprecated-in-2023-10-31-preview":::</br>

- :::image type="icon" source="media/overview/icon-invoice.png" link="#invoice":::</br>

- [**Invoice**](#invoice) | Extract customer and vendor details.

- :::image type="icon" source="media/overview/icon-receipt.png" link="#receipt":::</br>

- [**Receipt**](#receipt) | Extract sales transaction details.

- :::image type="icon" source="media/overview/icon-id-document.png" link="#identity-id":::</br>

- [**Identity**](#identity-id) | Extract verification details.

- :::column span="":::

- :::image type="icon" source="media/overview/icon-check.png" link="#check":::</br>

- [**Check**](#check) | Extract relevant information from checks.

- :::image type="icon" source="media/overview/icon-pay-stub.png" link="#pay-stub":::</br>

- :::image type="icon" source="media/overview/icon-bank-statement.png" link="#bank-statement":::</br>

- [**Bank Statement**](#bank-statement) | Extract account information and details from bank statements.

- :::image type="icon" source="media/overview/icon-insurance-card.png" link="#health-insurance-card":::</br>

- [**Health Insurance card**](#health-insurance-card) | Extract insurance coverage details.

- :::image type="icon" source="media/overview/icon-contract.png" link="#contract-model":::</br>

- [**Contract**](#contract-model) | Extract agreement and party details.

- :::image type="icon" source="media/overview/icon-payment-card.png" link="#contract-model":::</br>

- [**Credit/Debit card**](#credit-card-model) | Extract payment card information.

- :::column span="":::

- :::image type="icon" source="media/overview/icon-marriage-certificate.png" link="#contract-model":::</br>

- [**Marriage certificate**](#marriage-certificate-model) | Extract certified marriage information.

- :::image type="icon" source="media/overview/icon-mortgage-1003.png" link="#us-mortgage-1003-form":::</br>

- :::image type="icon" source="media/overview/icon-mortgage-1004.png" link="#us-mortgage-1004-form":::</br>

- :::image type="icon" source="media/overview/icon-mortgage-1005.png" link="#us-mortgage-1005-form":::</br>

- :::image type="icon" source="media/overview/icon-mortgage-1008.png" link="#us-mortgage-1008-form":::</br>

- :::image type="icon" source="media/overview/icon-mortgage-disclosure.png" link="#us-mortgage-disclosure-form":::</br>

- :::image type="icon" source="media/overview/icon-w2.png" link="#us-tax-w-2-model":::</br>

- [**US Tax W-2**](#us-tax-w-2-model) | Extract taxable compensation details.

- :::column-end:::

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1098.png" link="#us-tax-1098-form":::</br>

- [**US Tax 1098**](#us-tax-1098-form) | Extract mortgage interest details.

- :::column-end:::

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1098-e.png" link="#us-tax-1098-e-form":::</br>

- [**US Tax 1098-E**](#us-tax-1098-e-form) | Extract student loan interest details.

- :::column-end:::

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1098-t.png" link="#us-tax-1098-t-form":::</br>

- [**US Tax 1098-T**](#us-tax-1098-t-form) | Extract qualified tuition details.

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1099.png" link="#us-tax-1098-t-form":::</br>

- [**US Tax 1099**](#us-tax-1099-and-variations-forms) | Extract `1099` variation details.

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1040.png" link="#us-tax-1098-t-form":::</br>

- [**US Tax 1040**](#us-tax-1040-form) | Extract `1040` variation details.

- :::image type="icon" source="media/overview/icon-invoice.png" link="#invoice":::</br>

- :::image type="icon" source="media/overview/icon-receipt.png" link="#receipt":::</br>

- :::image type="icon" source="media/overview/icon-id-document.png" link="#identity-id":::</br>

- :::image type="icon" source="media/overview/icon-insurance-card.png" link="#health-insurance-card":::</br>

- :::image type="icon" source="media/overview/icon-business-card.png" link="#business-card":::</br>

- :::image type="icon" source="media/overview/icon-contract.png" link="#contract-model":::</br>

- :::image type="icon" source="media/overview/icon-w2.png" link="#us-tax-w-2-model":::</br>

- :::image type="icon" source="media/overview/icon-1098.png" link="#us-tax-1098-form":::</br>

- [**US Tax 1098**](#us-tax-1098-form) | Extract mortgage interest details.

- :::column-end:::

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1098-e.png" link="#us-tax-1098-e-form":::</br>

- [**US Tax 1098-E**](#us-tax-1098-e-form) | Extract student loan interest details.

- :::column-end:::

- :::column span="":::

- :::image type="icon" source="media/overview/icon-1098-t.png" link="#us-tax-1098-t-form":::</br>

- [**US Tax 1098-T**](#us-tax-1098-t-form) | Extract qualified tuition details.

-* Custom models are trained using your labeled datasets to extract distinct data from forms and documents, specific to your use cases.

-* Standalone custom models can be combined to create composed models.

- :::column:::

- * **Extraction models**</br>

- ✔️ Custom extraction models are trained to extract labeled fields from documents.

- :::column-end:::

- :::image type="icon" source="media/overview/icon-custom-generative.png" link="#custom-generative":::</br>

- [**Custom generative**](#custom-generative) | Extract data from unstructured documents and structured documents with varying templates.

- :::image type="icon" source="media/overview/icon-custom-neural.png" link="#custom-neural":::</br>

- :::image type="icon" source="media/overview/icon-custom-template.png" link="#custom-template":::</br>

- :::image type="icon" source="media/overview/icon-custom-composed.png" link="#custom-composed":::</br>

- :::column:::

- * **Classification model**</br>

- ✔️ Custom classifiers identify document types before invoking an extraction model.

- :::column-end:::

- :::image type="icon" source="media/overview/icon-custom-classifier.png" link="#custom-classification-model":::</br>

- [**Custom classifier**](#custom-classification-model) | Identify designated document types (classes) </br>before invoking an extraction model.

-Document Intelligence supports optional features that can be enabled and disabled depending on the document extraction scenario. The following add-on capabilities are available for`2024-02-29-preview`, `2023-10-31-preview`, and later releases:

-> [Return to model types](#document-analysis-models)

-> [Return to model types](#document-analysis-models)

-> [Return to model types](#document-analysis-models)

-### US tax 1098 form

-|[**prebuilt-tax.us.1098**](concept-tax-document.md)|Extract mortgage interest information and details. </br>&#9679; [Data and field extraction](concept-tax-document.md#field-extraction-1098)|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

-> [!div class="nextstepaction"]

-> [Return to model types](#prebuilt-models)

-### US tax 1098-E form

-| Model ID | Description |Development options |

-|-|--|-|

-|[**prebuilt-tax.us.1098E**](concept-tax-document.md)|Extract student loan information and details. </br>&#9679; [Data and field extraction](concept-tax-document.md#field-extraction-1098)|&#9679; [**Document Intelligence Studio**](https://documentintelligence.ai.azure.com/studio/prebuilt?formCategory=tax.us.1098&formType=tax.us.1098E)</br>&#9679; </br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

-### US tax 1098-T form

-|[**prebuilt-tax.us.1098T**](concept-tax-document.md)|Extract tuition information and details. </br>&#9679; [Data and field extraction](concept-tax-document.md#field-extraction-1098)|&#9679; [**Document Intelligence Studio**](https://documentintelligence.ai.azure.com/studio/prebuilt?formCategory=tax.us.1098&formType=tax.us.1098T)</br>&#9679; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)|

-### US tax 1099 (and variations) forms

-|[**prebuilt-tax.us.1099{`variation`}**](concept-tax-document.md)|Extract information from 1099-form variations.|&#9679; </br>&#9679; [Data and field extraction](concept-tax-document.md#field-extraction-1099-nec) [**Document Intelligence Studio**](https://documentintelligence.ai.azure.com/studio/prebuilt?formCategory=tax.us.1099)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

-> [!div class="nextstepaction"]

-> [Return to model types](#prebuilt-models)

-### US tax 1040 form

-|**prebuilt-tax.us.1040**|Extract information from 1040-form variations.|&#9679; </br>&#9679; [Data and field extraction](concept-tax-document.md#field-extraction-1040-tax-form) [**Document Intelligence Studio**](https://documentintelligence.ai.azure.com/studio/prebuilt?formCategory=tax.us.1040)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api#analyze-document-post-request)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#prebuilt-model)|

-#### Custom generative

-> ² See [best practices](#example-of-a-workload-pattern-best-practice), and [adjustment instructions(#create-and-submit-support-request).</br>

- Now users will be asked to sign in with their Microsoft Entra account to access your app. You can follow a similar process to add another identity provider if you prefer. The app doesn't use the user's sign-in information in any way other than verifying that the user is a member of your tenant.

-Deleting your web app does not delete your Cosmos DB instance automatically. To delete your Cosmos DB instance along with all stored chats, you need to go to the associated resource in the [Azure portal](https://portal.azure.com) and delete it. If you delete the Cosmos DB resource but keep the chat history option turned on in the studio, your users are notified of a connection error but can continue to use the web app without access to the chat history.

-| Team lead/Lead developer | Azure AI Developer on the hub | Lead developers can create projects for their team and create shared resources (ex: compute and connections) at the hub level. After project creation, project owners can invite other members. |

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

-print("Model provider name:", model_info.model_provider)

- Prints the chat completion with streaming. Some delay is added to simulate

- a real-time conversation.

- time.sleep(0.05)

- Console.WriteLine($"Your query has trigger Azure Content Safeaty: {ex.Message}");

- __template.json__

- --name model-subscription-deployment \

- --resource-group <resource-group> \

-description: This article provides instructions on how to get started with Azure AI SDKs.

- * [Azure Machine Learning](../../../machine-learning/overview-what-is-azure-machine-learning.md) for the hub and project infrastructure used in AI Studio to organize your work into projects, manage project artifacts (data, evaluation runs, traces), fine-tune & deploy models, and connect to external services and resources

- * [Azure AI Services](../../../ai-services/what-are-ai-services.md) provides pre-built and customizable intelligent APIs and models, with support for Azure OpenAI, Search, Speech, Vision, and Language

-Azure [Management libraries](/azure/developer/python/sdk/azure-sdk-overview#create-and-manage-azure-resources-with-management-libraries) (also "control plane" or "management plane"), for creating and managing cloud resources that are used by your application.

-Azure AI Services

-Azure AI Services

-> Granting permissions (adding role assignment) is only enabled to the **Owner** of the specific Azure resources. You might need to ask your IT admin for help.

-You can grant all permissions in Azure portal UI by following steps.

-Cohere family models | Not available | Cohere-command-r-plus <br> Cohere-command-r <br> Cohere-embed-v3-english <br> Cohere-embed-v3-multilingual

-description: This article provides instructions on how to set up your development environment for Azure AI SDKs.

-Also, you must have the necessary permissions to add role assignments for storage accounts in your Azure subscription. Granting permissions (adding role assignment) is only allowed by the **Owner** of the specific Azure resources. You might need to ask your IT admin for help to [grant access to call Azure OpenAI Service using your identity](#grant-access-to-call-azure-openai-service-using-your-identity).

-## Install the Azure CLI and login

-Now we install the Azure CLI and login from your local development environment, so that you can use your user credentials to call the Azure OpenAI service.

-After you install the Azure CLI, login using the ``az login`` command and sign-in using the browser:

-Activating the Python environment means that when you run ```python``` or ```pip``` from the command line, you'll be using the Python interpreter contained in the ```.venv``` folder of your application.

-First create a prompt template file, for this we'll use **Prompty** which is the prompt template format supported by prompt flow.

-> [Augment the model with data for retrieval augmented generation (RAG)](../tutorials/copilot-sdk-build-rag.md)

-> * Mixtral famility of models

-The infernce task associated with the mode.

-> This tutorial is based on code in the sample repo for a [copilot application that implements RAG](https://github.com/Azure-Samples/rag-data-openai-python-promptflow).

-This part one shows you how to enhance a basic chat application by adding retrieval augmented generation (RAG) to ground the responses in your custom data.

-For the RAG capability, we need to be able to embed the search query to search the Azure AI Search index we create.

-> Creating an Azure AI Search service and subsequent search indexes has associated costs. You can see details about pricing and pricing tiers for the Azure AI Search service on the creation page, to confirm cost before creating the resource.

-1. Type `az` and then enter to verify that the Azure CLI tool is installed. If it's installed, a help menu with `az` commands appears. If you get an error, make sure you followed the [steps for installing the Azure CLI in the quickstart](../quickstarts/get-started-code.md#install-the-azure-cli-and-login).

-> [!TIP]

-> This tutorial is based on code in the sample repo for a [copilot application that implements RAG](https://github.com/Azure-Samples/rag-data-openai-python-promptflow).

-### Assign access for the endpoint

-While you wait for your application to deploy, you or your administrator can assign role-based access to the endpoint. These roles allow the application to run without keys in the deployed environment, just like it did locally.

-Previously, you provided your account with a specific role to be able to access the resource using Microsoft Entra ID authentication. Now, assign the endpoint that same role.

-### Endpoint access for Azure OpenAI resource

-You or your administrator needs to grant your endpoint the **Cognitive Services OpenAI User** role on the Azure AI Services resource that you're using. This role lets your endpoint call the Azure OpenAI service.

-> [!div class="nextstepaction"]

-> [Learn more about prompt flow](../how-to/prompt-flow.md)

-1. Deploy and test a chat model without your data

-1. Add your data

-1. Test the model with your data

-1. Deploy your web app

-In this tutorial, your web app is deployed to the same resource group as your AI Studio hub. Later you configure authentication for the web app in the Azure portal.

-1. You should now be in the Azure portal, viewing the contents of the resource group where you deployed the hub. Keep this page open in a browser tab - you return to it later.

-1. In your web app, you can ask the same question as before ("How much are the TrailWalker hiking shoes"), and this time it uses information from your data to construct the response. You can expand the **references** button to see the data that was used.

-## Next steps

-previously in the [AI Studio](https://ai.azure.com) chat playground, you [added your data](#add-your-data-and-try-the-chat-model-again) to create one search index that contained product data for the Contoso copilot. So far, users can only inquire about products with questions such as "How much do the TrailWalker hiking shoes cost?". But they can't get answers to questions such as "How many TrailWalker hiking shoes did Daniel Wilson buy?" To enable this scenario, we add another index with customer information to the flow.

-| [Limit Azure OpenAI Service token usage](azure-openai-token-limit-policy.md) | Prevents Azure OpenAI API usage spikes by limiting language model tokens per calculated key. | Yes | Yes | No | No |

-| [Get cached responses of Azure OpenAI API requests](azure-openai-semantic-cache-lookup-policy.md) | Performs cache lookup using semantic search and returns a valid cached response when available. | Yes | Yes | Yes | Yes |

-| [Emit Azure OpenAI token metrics](azure-openai-emit-token-metric-policy.md) | Sends metrics to Application Insights for consumption of language model tokens through Azure OpenAI service APIs. | Yes | Yes | No | No |

-## Create a backend for Embeddings API

-Configure a [backend](backends.md) resource for the Embeddings API deployment with the following settings:

-* **Runtime URL** - The URL of the Embeddings API deployment in the Azure OpenAI Service, similar to:

- * Twitter: `twitterConsumerSecret`

- # For Azure Functions, Twitter example

- * Twitter: `twitterConsumerSecretSettingName`

-The portal configuration doesn't offer a turn-key way to present multiple sign-in providers to your users (such as both Facebook and Twitter). However, it isn't difficult to add the functionality to your app. The steps are outlined as follows:

-<a href="/.auth/login/twitter">Log in with Twitter</a>

-| Twitter | `X-MS-TOKEN-TWITTER-ACCESS-TOKEN` <br/> `X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET` |

-description: Learn how to configure Twitter authentication as an identity provider for your App Service or Azure Functions app.

-# Configure your App Service or Azure Functions app to use Twitter login

-This article shows how to configure Azure App Service or Azure Functions to use Twitter as an authentication provider.

-To complete the procedure in this article, you need a Twitter account that has a verified email address and phone number. To create a new Twitter account, go to [twitter.com].

-## <a name="register"> </a>Register your application with Twitter

-1. Sign in to the [Azure portal] and go to your application. Copy your **URL**. You'll use it to configure your Twitter app.

-1. Go to the [Twitter Developers] website, sign in with your Twitter account credentials, and select **Create an app**.

-1. Enter the **App name** and the **Application description** for your new app. Paste your application's **URL** into the **Website URL** field. In the **Callback URLs** section, enter the HTTPS URL of your App Service app and append the path `/.auth/login/twitter/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/twitter/callback`.

-## <a name="secrets"> </a>Add Twitter information to your application

-You're now ready to use Twitter for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.

-[Twitter Developers]: https://go.microsoft.com/fwlink/p/?LinkId=268300

-[twitter.com]: https://go.microsoft.com/fwlink/p/?LinkID=268287

-> [!NOTE]

-> Due to a known bug, for ELB App Service Environment migrations, the inbound IP address may change again once the [migration step](#8-migrate-to-app-service-environment-v3-and-check-status) is complete. This bug is being addressed and will be fixed as soon as possible. Open a support case to receive the correct IP address upfront or if you have any questions or concerns about this issue.

->

-> [!NOTE]

-> Due to a known bug, for ELB App Service Environment migrations, the inbound IP address may change once the [migration step](#8-migrate-to-app-service-environment-v3) is complete. Check your App Service Environment v3's IP addresses and make any needed updates if there have been changes since the IP generation step. Open a support case if you have any questions or concerns about this issue or need help with the confirming the new IPs.

->

-> [!NOTE]

-> Due to a known bug, for ELB App Service Environment migrations, the inbound IP address may change again once the migration step is complete. This bug is being addressed and will be fixed as soon as possible. Open a support case to receive the correct IP address upfront or if you have any questions or concerns about this issue.

->

-> [!NOTE]

-> Due to a known bug, for ELB App Service Environment migrations, the inbound IP address may change once the migration step is complete. Check your App Service Environment v3's IP addresses and make any needed updates if there have been changes since the IP generation step. Open a support case if you have any questions or concerns about this issue or need help confirming the new IPs.

->

-The new outbound IPs are created and given to you before you start the actual migration. The new default outbound to the internet public addresses are given so you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs before completing the migration. **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.** You might experience downtime during and after the migration step if you have dependencies on the outbound IPs and fail to make all necessary updates. This is because once the migration starts, even though traffic still goes to your App Service Environment v2 front ends, your underlying compute is your new App Service Environment v3 in the new subnet.

-There's a new version of App Service Environment that is easier to use and runs on more powerful infrastructure. To learn more about the new version, start with the [Introduction to the App Service Environment](overview.md). If you're currently using App Service Environment v1 or v2, please follow the steps in [this article](upgrade-to-asev3.md) to migrate to the new version.

-| [Twitter](https://developer.twitter.com/en/docs/basics/authentication) | `/.auth/login/twitter` | [App Service Twitter login](configure-authentication-provider-twitter.md) |

-zip default.zip *.*

-az webapp create --resource-group $groupName --plan $appName --name $appName --runtime "node|14-lts"

-az webapp deployment source config-zip --resource-group $groupName --name $appName --src ./default.zip

-* Create a web app for Node.js 14 LTS

-## <a name="diagnostic-logging"></a>Types of Diagnostic logs

-You can use different types of logs in Azure to manage and troubleshoot application gateways. You can learn more about these types below:

-* **Activity log**: You can use [Azure activity logs](../azure-monitor/essentials/activity-log.md) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.

-* **Access log**: You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.

-* **Performance log**: You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, total requests served, failed request count, and healthy and unhealthy backend instance count. A performance log is collected every 60 seconds. The Performance log is available only for the v1 SKU. For the v2 SKU, use [Metrics](application-gateway-metrics.md) for performance data.

-* **Firewall log**: You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall. Firewall logs are collected every 60 seconds.

-## Storage locations

-You have the following options to store the logs in your preferred location.

-**Log Analytic workspace**: This option allows you to readily use the predefined queries, visualizations, and set alerts based on specific log conditions. The tables used by resource logs in log analytics workspace depend on what type of collection the resource is using:

-

-* **Azure diagnostics**: Data is written to the [Azure Diagnostics table](/azure/azure-monitor/reference/tables/azurediagnostics). Azure Diagnostics table is shared between multiple resource type, with each of them adding their own custom fields. When number of custom fields ingested to Azure Diagnostics table exceeds 500, new fields aren't added as top level but added to "AdditionalFields" field as dynamic key value pairs.

-* **Resource-specific(recommended)**: Data is written to dedicated tables for each category of the resource. In resource specific mode, each log category selected in the diagnostic setting is assigned its own table within the chosen workspace. This has several benefits, including:

- - Easier data manipulation in log queries

- - Improved discoverability of schemas and their structures

- - Enhanced performance in terms of ingestion latency and query times

- - The ability to assign [Azure role-based access control rights to specific tables](../azure-monitor/logs/manage-access.md?tabs=portal#set-table-level-read-access)

- For Application Gateway, resource specific mode creates three tables:

- * [AGWAccessLogs](/azure/azure-monitor/reference/tables/agwaccesslogs)

- * [AGWPerformanceLogs](/azure/azure-monitor/reference/tables/agwperformancelogs)

- * [AGWFirewallLogs](/azure/azure-monitor/reference/tables/agwfirewalllogs)

-> [!NOTE]

-> The resource specific option is currently available in all **clouds**.<br>

-> Existing users can continue using Azure Diagnostics, or can opt for dedicated tables by switching the toggle in Diagnostic settings to **Resource specific**, or to **Dedicated** in API destination. Dual mode isn't possible. The data in all the logs can either flow to Azure Diagnostics, or to dedicated tables. However, you can have multiple diagnostic settings where one data flow is to azure diagnostic and another is using resource specific at the same time.

- **Selecting the destination table in Log analytics :** All Azure services eventually use the resource-specific tables. As part of this transition, you can select Azure diagnostic or resource specific table in the diagnostic setting using a toggle button. The toggle is set to **Resource specific** by default and in this mode, logs for new selected categories are sent to dedicated tables in Log Analytics, while existing streams remain unchanged. See the following example.

- [](./media/application-gateway-diagnostics/resource-specific.png#lightbox)

-

-**Workspace Transformations:** Opting for the Resource specific option allows you to filter and modify your data before itΓÇÖs ingested with [workspace transformations](../azure-monitor/essentials/data-collection-transformations-workspace.md). This provides granular control, allowing you to focus on the most relevant information from the logs there by reducing data costs and enhancing security.

-For detailed instructions on setting up workspace transformations, please refer:[Tutorial: Add a workspace transformation to Azure Monitor Logs by using the Azure portal](../azure-monitor/logs/tutorial-workspace-transformations-portal.md).

- ### Examples of optimizing access logs using Workspace Transformations

-

- > Within the Logs blade, selecting the **Try New Log Analytics** option gives greater control over the columns displayed in your user interface.

-1. Assess current data retention: Determine the duration for which data is presently retained in the Azure diagnostics table (for example: assume the diagnostics table retains data for 15 days).

-2. Establish resource-specific retention: Implement a new Diagnostic setting with resource specific table.

-3. Parallel data collection: For a temporary period, collect data concurrently in both the Azure Diagnostics and the resource-specific settings.

-4. Confirm data accuracy: Verify that data collection is accurate and consistent in both settings.

-5. Remove Azure diagnostics setting: Remove the Azure Diagnostic setting to prevent duplicate data collection.

-2. To start collecting data, select **Turn on diagnostics**.

-3. The **Diagnostics settings** page provides the settings for the diagnostic logs. In this example, Log Analytics stores the logs. You can also use event hubs and a storage account to save the diagnostic logs.

-5. Type a name for the settings, confirm the settings, and select **Save**.

-## Activity log

-Azure generates the activity log by default. The logs are preserved for 90 days in the Azure event logs store. Learn more about these logs by reading the [View events and activity log](../azure-monitor/essentials/activity-log.md) article.

-## Access log

-The access log is generated only if you've enabled it on each Application Gateway instance, as detailed in the preceding steps. The data is stored in the storage account that you specified when you enabled the logging. Each access of Application Gateway is logged in JSON format as shown below.

-### For Application Gateway and WAF v2 SKU

-> [!NOTE]

-> * For TLS/TCP proxy related information, visit [data reference](monitor-application-gateway-reference.md#tlstcp-proxy-logs).

-> * Some columns from the shared AzureDiagnostics table are still being ported to the dedicated tables. Therefore, the columns with Mutual Authentication details are currently available only through the [AzureDiagnostics table](#storage-locations).

-> * Access logs with clientIP value 127.0.0.1 originate from an internal security process running on the application gateway instances. You can safely ignore these log entries.

-|Value |Description |

-|||

-|instanceId | Application Gateway instance that served the request. |

-|clientIP | IP of the immediate client of Application Gateway. If another proxy fronts your application gateway, this displays the IP of that fronting proxy. |

-|httpMethod | HTTP method used by the request. |

-|requestUri | URI of the received request. |

-|UserAgent | User agent from the HTTP request header. |

-|httpStatus | HTTP status code returned to the client from Application Gateway. |

-|httpVersion | HTTP version of the request. |

-|receivedBytes | Size of packet received, in bytes. |

-|sentBytes| Size of packet sent, in bytes.|

-|clientResponseTime| Time difference (in seconds) between the first byte and the last byte application gateway sent to the client. Helpful in gauging Application Gateway's processing time for responses or slow clients. |

-|timeTaken| Length of time (in **seconds**) that it takes for the first byte of a client request to be processed and its last-byte sent in the response to the client. It's important to note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network. |

-|WAFEvaluationTime| Length of time (in **seconds**) that it takes for the request to be processed by the WAF. |

-|WAFMode| Value can be either Detection or Prevention |

-|transactionId| Unique identifier to correlate the request received from the client |

-|sslEnabled| Whether communication to the backend pools used TLS. Valid values are on and off.|

-|sslCipher| Cipher suite being used for TLS communication (if TLS is enabled).|

-|sslProtocol| SSL/TLS protocol being used (if TLS is enabled).|

-|sslClientVerify | Shows the result of client certificate verification as SUCCESS or FAILED. Failed status will include error information.|

-|sslClientCertificateFingerprint|The SHA1 thumbprint of the client certificate for an established TLS connection.|

-|sslClientCertificateIssuerName|The issuer DN string of the client certificate for an established TLS connection.|

-|serverRouted| The backend server that application gateway routes the request to.|

-|serverStatus| HTTP status code of the backend server.|

-|serverResponseLatency| Latency of the response (in **seconds**) from the backend server.|

-|host| Address listed in the host header of the request. If rewritten using header rewrite, this field contains the updated host name|

-|originalRequestUriWithArgs| This field contains the original request URL |

-|upstreamSourcePort| The source port used by Application Gateway when initiating a connection to the backend target|

-|originalHost| This field contains the original request host name|

-|error_info|The reason for the 4xx and 5xx error. Displays an error code for a failed request. More details in [Error code information.](./application-gateway-diagnostics.md#error-code-information) |

-|contentType|The type of content or data that is being processed or delivered by the application gateway

-```json

-{

- "timeStamp": "2021-10-14T22:17:11+00:00",

- "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",

- "listenerName": "HTTP-Listener",

- "ruleName": "Storage-Static-Rule",

- "backendPoolName": "StaticStorageAccount",

- "backendSettingName": "StorageStatic-HTTPS-Setting",

- "operationName": "ApplicationGatewayAccess",

- "category": "ApplicationGatewayAccessLog",

- "properties": {

- "instanceId": "appgw_2",

- "clientIP": "185.42.129.24",

- "clientPort": 45057,

- "httpMethod": "GET",

- "originalRequestUriWithArgs": "\/",

- "requestUri": "\/",

- "requestQuery": "",

- "userAgent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36",

- "httpStatus": 200,

- "httpVersion": "HTTP\/1.1",

- "receivedBytes": 184,

- "sentBytes": 466,

- "clientResponseTime": 0,

- "timeTaken": 0.034,

- "WAFEvaluationTime": "0.000",

- "WAFMode": "Detection",

- "transactionId": "592d1649f75a8d480a3c4dc6a975309d",

- "sslEnabled": "on",

- "sslCipher": "ECDHE-RSA-AES256-GCM-SHA384",

- "sslProtocol": "TLSv1.2",

- "sslClientVerify": "NONE",

- "sslClientCertificateFingerprint": "",

- "sslClientCertificateIssuerName": "",

- "serverRouted": "52.239.221.65:443",

- "serverStatus": "200",

- "serverResponseLatency": "0.028",

- "upstreamSourcePort": "21564",

- "originalHost": "20.110.30.194",

- "host": "20.110.30.194",

- "error_info":"ERRORINFO_NO_ERROR",

- "contentType":"application/json"

- }

-}

-```

-### For Application Gateway Standard and WAF SKU (v1)

-|Value |Description |

-|||

-|instanceId | Application Gateway instance that served the request. |

-|clientIP | Originating IP for the request. |

-|clientPort | Originating port for the request. |

-|httpMethod | HTTP method used by the request. |

-|requestUri | URI of the received request. |

-|RequestQuery | **Server-Routed**: Backend pool instance that was sent the request.</br>**X-AzureApplicationGateway-LOG-ID**: Correlation ID used for the request. It can be used to troubleshoot traffic issues on the backend servers. </br>**SERVER-STATUS**: HTTP response code that Application Gateway received from the back end. |

-|UserAgent | User agent from the HTTP request header. |

-|httpStatus | HTTP status code returned to the client from Application Gateway. |

-|httpVersion | HTTP version of the request. |

-|receivedBytes | Size of packet received, in bytes. |

-|sentBytes| Size of packet sent, in bytes.|

-|timeTaken| Length of time (in milliseconds) that it takes for a request to be processed and its response to be sent. This is calculated as the interval from the time when Application Gateway receives the first byte of an HTTP request to the time when the response send operation finishes. It's important to note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network. |

-|sslEnabled| Whether communication to the backend pools used TLS/SSL. Valid values are on and off.|

-|host| The hostname for which the request has been sent to the backend server. If backend hostname is being overridden, this name reflects that.|

-|originalHost| The hostname for which the request was received by the Application Gateway from the client.|

-```json

-{

- "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/PEERINGTEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",

- "operationName": "ApplicationGatewayAccess",

- "time": "2017-04-26T19:27:38Z",

- "category": "ApplicationGatewayAccessLog",

- "properties": {

- "instanceId": "ApplicationGatewayRole_IN_0",

- "clientIP": "191.96.249.97",

- "clientPort": 46886,

- "httpMethod": "GET",

- "requestUri": "/phpmyadmin/scripts/setup.php",

- "requestQuery": "X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4&X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1&SERVER-STATUS=404",

- "userAgent": "-",

- "httpStatus": 404,

- "httpVersion": "HTTP/1.0",

- "receivedBytes": 65,

- "sentBytes": 553,

- "timeTaken": 205,

- "sslEnabled": "off",

- "host": "www.contoso.com",

- "originalHost": "www.contoso.com"

- }

-}

-```

-### Error code Information

-If the application gateway can't complete the request, it stores one of the following reason codes in the error_info field of the access log.

-|4XX Errors | (The 4xx error codes indicate that there was an issue with the client's request, and the Application Gateway can't fulfill it.) |

-|||

-| ERRORINFO_INVALID_METHOD| The client has sent a request which is non-RFC compliant. Possible reasons: client using HTTP method not supported by server, misspelled method, incompatible HTTP protocol version etc.|

- | ERRORINFO_INVALID_REQUEST | The server can't fulfill the request because of incorrect syntax.|

- | ERRORINFO_INVALID_VERSION| The application gateway received a request with an invalid or unsupported HTTP version.|

- | ERRORINFO_INVALID_09_METHOD| The client sent request with HTTP Protocol version 0.9.|

- | ERRORINFO_INVALID_HOST |The value provided in the "Host" header is either missing, improperly formatted, or doesn't match the expected host value. For example, when there's no Basic listener, and none of the hostnames of Multisite listeners match with the host.|

- | ERRORINFO_INVALID_CONTENT_LENGTH | The length of the content specified by the client in the content-Length header doesn't match the actual length of the content in the request.|

- | ERRORINFO_INVALID_METHOD_TRACE | The client sent HTTP TRACE method, which isn't supported by the application gateway.|

- | ERRORINFO_CLIENT_CLOSED_REQUEST | The client closed the connection with the application gateway before the idle timeout period elapsed. Check whether the client timeout period is greater than the [idle timeout period](./application-gateway-faq.yml#what-are-the-settings-for-keep-alive-timeout-and-tcp-idle-timeout) for the application gateway.|

- | ERRORINFO_REQUEST_URI_INVALID |Indicates issue with the Uniform Resource Identifier (URI) provided in the client's request. |

- | ERRORINFO_HTTP_NO_HOST_HEADER | Client sent a request without Host header. |

- | ERRORINFO_HTTP_TO_HTTPS_PORT |The client sent a plain HTTP request to an HTTPS port. |

- | ERRORINFO_HTTPS_NO_CERT | Indicates client isn't sending a valid and properly configured TLS certificate during Mutual TLS authentication. |

-|5XX Errors | Description |

-|||

- | ERRORINFO_UPSTREAM_NO_LIVE | The application gateway is unable to find any active or reachable backend servers to handle incoming requests |

- | ERRORINFO_UPSTREAM_CLOSED_CONNECTION | The backend server closed the connection unexpectedly or before the request was fully processed. This could happen due to backend server reaching its limits, crashing etc.|

- | ERRORINFO_UPSTREAM_TIMED_OUT | The established TCP connection with the server was closed as the connection took longer than the configured timeout value. |

-## Performance log

-The performance log is generated only if you have enabled it on each Application Gateway instance, as detailed in the preceding steps. The data is stored in the storage account that you specified when you enabled the logging. The performance log data is generated in 1-minute intervals. It's available only for the v1 SKU. For the v2 SKU, use [Metrics](application-gateway-metrics.md) for performance data. The following data is logged:

-|Value |Description |

-|||

-|instanceId | Application Gateway instance for which performance data is being generated. For a multiple-instance application gateway, there's one row per instance. |

-|healthyHostCount | Number of healthy hosts in the backend pool. |

-|unHealthyHostCount | Number of unhealthy hosts in the backend pool. |

-|requestCount | Number of requests served. |

-|latency | Average latency (in milliseconds) of requests from the instance to the back end that serves the requests. |

-|failedRequestCount| Number of failed requests.|

-|throughput| Average throughput since the last log, measured in bytes per second.|

-```json

-{

- "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",

- "operationName": "ApplicationGatewayPerformance",

- "time": "2016-04-09T00:00:00Z",

- "category": "ApplicationGatewayPerformanceLog",

- "properties":

- {

- "instanceId":"ApplicationGatewayRole_IN_1",

- "healthyHostCount":"4",

- "unHealthyHostCount":"0",

- "requestCount":"185",

- "latency":"0",

- "failedRequestCount":"0",

- "throughput":"119427"

- }

-}

-```

-> [!NOTE]

-> Latency is calculated from the time when the first byte of the HTTP request is received to the time when the last byte of the HTTP response is sent. It's the sum of the Application Gateway processing time plus the network cost to the back end, plus the time that the back end takes to process the request.

-## Firewall log

-The firewall log is generated only if you have enabled it for each application gateway, as detailed in the preceding steps. This log also requires that the web application firewall is configured on an application gateway. The data is stored in the storage account that you specified when you enabled the logging. The following data is logged:

-|Value |Description |

-|||

-|instanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there's one row per instance. |

-|clientIp | Originating IP for the request. |

-|clientPort | Originating port for the request. |

-|requestUri | URL of the received request. |

-|ruleSetType | Rule set type. The available value is OWASP. |

-|ruleSetVersion | Rule set version used. Available values are 2.2.9 and 3.0. |

-|ruleId | Rule ID of the triggering event. |

-|message | User-friendly message for the triggering event. More details are provided in the details section. |

-|action | Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules, depending on if the WAF is in detection or prevention mode). |

-|site | Site for which the log was generated. Currently, only Global is listed because rules are global.|

-|details | Details of the triggering event. |

-|details.message | Description of the rule. |

-|details.data | Specific data found in request that matched the rule. |

-|details.file | Configuration file that contained the rule. |

-|details.line | Line number in the configuration file that triggered the event. |

-|hostname | Hostname or IP address of the Application Gateway. |

-|transactionId | Unique ID for a given transaction which helps group multiple rule violations that occurred within the same request. |

-```json

-{

- "timeStamp": "2021-10-14T22:17:11+00:00",

- "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",

- "operationName": "ApplicationGatewayFirewall",

- "category": "ApplicationGatewayFirewallLog",

- "properties": {

- "instanceId": "appgw_2",

- "clientIp": "185.42.129.24",

- "clientPort": "",

- "requestUri": "\/",

- "ruleSetType": "OWASP_CRS",

- "ruleSetVersion": "3.0.0",

- "ruleId": "920350",

- "message": "Host header is a numeric IP address",

- "action": "Matched",

- "site": "Global",

- "details": {

- "message": "Warning. Pattern match \\\"^[\\\\d.:]+$\\\" at REQUEST_HEADERS:Host .... ",

- "data": "20.110.30.194:80",

- "file": "rules\/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",

- "line": "791"

- },

- "hostname": "20.110.30.194:80",

- "transactionId": "592d1649f75a8d480a3c4dc6a975309d",

- "policyId": "default",

- "policyScope": "Global",

- "policyScopeName": "Global"

- }

-}

-```

-## View and analyze the activity log

-You can view and analyze activity log data by using any of the following methods:

-* **Azure tools**: Retrieve information from the activity log through Azure PowerShell, the Azure CLI, the Azure REST API, or the Azure portal. Step-by-step instructions for each method are detailed in the [Activity operations with Resource Manager](../azure-monitor/essentials/activity-log.md) article.

-* **Power BI**: If you don't already have a [Power BI](https://powerbi.microsoft.com/pricing) account, you can try it for free. By using the [Power BI template apps](/power-bi/service-template-apps-overview), you can analyze your data.

-[Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics) can collect the counter and event log files from your Blob storage account. It includes visualizations and powerful search capabilities to analyze your logs.

->

->

-### Analyzing Access logs through GoAccess

-We have published a Resource Manager template that installs and runs the popular [GoAccess](https://goaccess.io/) log analyzer for Application Gateway Access Logs. GoAccess provides valuable HTTP traffic statistics such as Unique Visitors, Requested Files, Hosts, Operating Systems, Browsers, HTTP Status codes and more. For more details, please see the [Readme file in the Resource Manager template folder in GitHub](https://github.com/Azure/azure-quickstart-templates/tree/master/demos/application-gateway-logviewer-goaccess).

-Application Gateway provides several builtΓÇæin timing metrics related to the request and response, which are all measured in milliseconds.

-> If there are more than one listener in the Application Gateway, then always filter by *Listener* dimension while comparing different latency metrics in order to get meaningful inference.

- *Aggregation type:Avg/Max*

- Time spent establishing a connection with the backend application.

- This includes the network latency as well as the time taken by the backend serverΓÇÖs TCP stack to establish new connections. For TLS, it also includes the time spent on handshake.

- *Aggregation type:Avg/Max*

- Time interval between start of establishing a connection to backend server and receiving the first byte of the response header.

- This approximates the sum of *Backend connect time*, time taken by the request to reach the backend from Application Gateway, time taken by backend application to respond (the time the server took to generate content, potentially fetch database queries), and the time taken by first byte of the response to reach the Application Gateway from the backend.

- *Aggregation type:Avg/Max*

- Time interval between start of establishing a connection to backend server and receiving the last byte of the response body.

- This approximates the sum of *Backend first byte response time* and data transfer time (this number may vary greatly depending on the size of objects requested and the latency of the server network).

- *Aggregation type:Avg/Max*

- This metric captures either the Average/Max time taken for a request to be received, processed and its response to be sent.

- This is the interval from the time when Application Gateway receives the first byte of the HTTP request to the time when the last response byte has been sent to the client. This includes the processing time taken by Application Gateway, the *Backend last byte response time*, and the time taken by Application Gateway to send all the response.

- *Aggregation type:Avg/Max*

- This metric captures the Average/Max round trip time between clients and Application Gateway.

-These metrics can be used to determine whether the observed slowdown is due to the client network, Application Gateway performance, the backend network and backend server TCP stack saturation, backend application performance, or large file size.

-For example, If thereΓÇÖs a spike in *Backend first byte response time* trend but the *Backend connect time* trend is stable, then it can be inferred that the Application gateway to backend latency and the time taken to establish the connection is stable, and the spike is caused due to an increase in the response time of backend application. On the other hand, if the spike in *Backend first byte response time* is associated with a corresponding spike in *Backend connect time*, then it can be deduced that either the network between Application Gateway and backend server or the backend server TCP stack has saturated.

-If you notice a spike in *Backend last byte response time* but the *Backend first byte response time* is stable, then it can be deduced that the spike is because of a larger file being requested.

-For Application Gateway, the following metrics are available:

- Count of bytes received by the Application Gateway from the clients. (Reported based on the request "content size" only. It doesn't account for TLS negotiations overhead, TCP/IP packet headers, or retransmissions, and hence doesn't represent the complete bandwidth utilization.)

- Count of bytes sent by the Application Gateway to the clients. (Reported based on the response "content size" only. It doesn't account for TCP/IP packet headers or retransmissions, and hence doesn't represent the complete bandwidth utilization.)

- Count of TLS and non-TLS requests initiated by the client that established connection with the Application Gateway. To view TLS protocol distribution, filter by the dimension TLS Protocol. This metric includes requests served by the gateway, such as redirects.

- Count of capacity units consumed to load balance the traffic. There are three determinants to capacity unit - compute unit, persistent connections and throughput. Each capacity unit is composed of at most: 1 compute unit, or 2500 persistent connections, or 2.22-Mbps throughput.

- Count of processor capacity consumed. Factors affecting compute unit are TLS connections/sec, URL Rewrite computations, and WAF rule processing.

- The total number of concurrent connections active from clients to the Application Gateway

-

- With the v2 SKU, the pricing model is driven by consumption. Capacity units measure consumption-based cost that is charged in addition to the fixed cost. *Estimated Billed Capacity units* indicate the number of capacity units using which the billing is estimated. This is calculated as the greater value between *Current capacity units* (capacity units required to load balance the traffic) and *Fixed billable capacity units* (minimum capacity units kept provisioned).

- Number of requests that Application Gateway has served with 5xx server error codes. This includes the 5xx codes that are generated from the Application Gateway as well as the 5xx codes that are generated from the backend. The request count can be further filtered to show count per each/specific backend pool-http setting combination.

-

- The minimum number of capacity units kept provisioned as per the *Minimum scale units* setting (one instance translates to 10 capacity units) in the Application Gateway configuration.

-

- The average number of new TCP connections per second established from clients to the Application Gateway and from the Application Gateway to the backend members.

- HTTP response status returned by Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.

- Number of bytes per second the Application Gateway has served. (Reported based on the "content size" only. It doesn't account for TLS negotiations overhead, TCP/IP packet headers, or retransmissions, and hence doesn't represent the complete bandwidth utilization.)

- Count of successful requests that Application Gateway has served by the backend pool targets. Pages served directly by the gateway, such as redirects, are not counted and should be found in the Client TLS protocol metric. Total requests count metric can be further filtered to show count per each/specific backend pool-http setting combination.

-### Backend metrics

-For Application Gateway, the following metrics are available:

- Count of HTTP response status codes returned by the backends. This doesn't include any response codes generated by the Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.

- The number of backends that are determined healthy by the health probe. You can filter on a per backend pool basis to show the number of healthy hosts in a specific backend pool.

- The number of backends that are determined unhealthy by the health probe. You can filter on a per backend pool basis to show the number of unhealthy hosts in a specific backend pool.

-

- The average number of requests received by each healthy member in a backend pool in a minute. You must specify the backend pool using the *BackendPool HttpSettings* dimension.

-

-### Web Application Firewall (WAF) metrics

-For information on WAF Monitoring, see [WAF v2 Metrics](../../articles/web-application-firewall/ag/application-gateway-waf-metrics.md#application-gateway-waf-v2-metrics)

-## Metrics supported by Application Gateway V1 SKU

-### Application Gateway metrics

-For Application Gateway, the following metrics are available:

- Displays the utilization of the CPUs allocated to the Application Gateway. Under normal conditions, CPU usage should not regularly exceed 90%, as this may cause latency in the websites hosted behind the Application Gateway and disrupt the client experience. You can indirectly control or improve CPU utilization by modifying the configuration of the Application Gateway by increasing the instance count or by moving to a larger SKU size, or doing both.

- Count of current connections established with Application Gateway

- Number of requests that failed due to connection issues. This count includes requests that failed due to exceeding the "Request time-out" HTTP setting and requests that failed due to connection issues between Application gateway and backend. This count doesn't include failures due to no healthy backend being available. 4xx and 5xx responses from the backend are also not considered as part of this metric.

- HTTP response status returned by Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.

- Number of bytes per second the Application Gateway has served

- Count of successful requests that Application Gateway has served. The request count can be further filtered to show count per each/specific backend pool-http setting combination.

-For Application Gateway, the following metrics are available:

- The number of backends that are determined healthy by the health probe. You can filter on a per backend pool basis to show the number of healthy hosts in a specific backend pool.

- The number of backends that are determined unhealthy by the health probe. You can filter on a per backend pool basis to show the number of unhealthy hosts in a specific backend pool.

-For information on WAF Monitoring, see [WAF v1 Metrics](../../articles/web-application-firewall/ag/application-gateway-waf-metrics.md#application-gateway-waf-v1-metrics)

-## Configure alerts using ARM templates

-You can use ARM templates to quickly configure important alerts for Application Gateway. Before you begin, consider the following details:

- :::image type="content" source="media/configure-alerts-with-templates/alert-pricing.png" alt-text="Image showing application gateway pricing details":::

->[!TIP]

-> You can manually form the ResourceID for your Action Group by following these steps.

-> 1. Select Azure Monitor in your Azure portal.

-> 1. Open the Alerts page and select Action Groups.

-> 1. Select the action group to view its details.

-> 1. Use the Resource Group Name, Action Group Name and Subscription Info here to form the ResourceID for the action group as shown here: <br>

-> `/subscriptions/<subscription-id-from-your-account>/resourcegroups/<resource-group-name>/providers/microsoft.insights/actiongroups/<action-group-name>`

-## ARM templates

-The following ARM templates are available to configure Azure Monitor alerts for Application Gateway.

-### Alert for Backend Response Status as 5xx

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fdemos%2Fag-alert-backend-5xx%2Fazuredeploy.json)

-This notification is based on Metrics signal.

-### Alert for average Unhealthy Host Count

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fdemos%2Fag-alert-unhealthy-host%2Fazuredeploy.json)

-This notification is based on Metrics signal.

-### Alert for Backend Last Byte Response Time

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fdemos%2Fag-alert-backend-lastbyte-resp%2Fazuredeploy.json)

-This notification is based on Metrics signal.

-### Alert for Key Vault integration issues

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fdemos%2Fag-alert-keyvault-advisor%2Fazuredeploy.json)

-This notification is based on its Azure Advisor recommendation.

-## Next steps

-<!-- Add additional links. You can change the wording of these and add more if useful. -->

-description: This article provides information on how to configure Application Gateway Standard v2 with a private frontend IP address

-Azure Application Gateway Standard v2 can be configured with an Internet-facing VIP or with an internal endpoint that isn't exposed to the Internet. An internal endpoint uses a private IP address for the frontend, which is also known as an *internal load balancer (ILB) endpoint*.

-This article guides you through the steps to configure a Standard v2 Application Gateway with an ILB using the Azure portal.

-5. For **Tier**, select **Standard V2**.

-12. For **Add backend pool without targets**, select **Yes**. You'll add the targets later.

-The backend pool is used to route requests to the backend servers that serve the request. The backend can be composed of NICs, virtual machine scale sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you use virtual machines as the target backend. You can either use existing virtual machines or create new ones. In this example, you create two virtual machines that Azure uses as backend servers for the application gateway.

-To do this, you:

-description: Important reference material needed when you monitor Application Gateway

-<!-- VERSION 2.2

-Template for monitoring data reference article for Azure services. This article is support for the main "Monitoring [servicename]" article for the service. -->

-# Monitoring Azure Application Gateway data reference

-See [Monitoring Azure Application Gateway](monitor-application-gateway.md) for details on collecting and analyzing monitoring data for Azure Application Gateway.

-## Application Gateway v2 metrics

-Resource Provider and Type: [Microsoft.Network/applicationGateways](../azure-monitor/essentials/metrics-supported.md#microsoftnetworkapplicationgateways)

-### Timing metrics

-Application Gateway provides several builtΓÇæin timing metrics related to the request and response, which are all measured in milliseconds.

-> [!NOTE]

->

-> If the Application Gateway has more than one listener, then always filter by the *Listener* dimension while comparing different latency metrics to get more meaningful inference.

-| Metric | Unit | Description|

-|:-|:--|:|

-|**Backend connect time**|Milliseconds|Time spent establishing a connection with the backend application.<br><br>This includes the network latency and the time taken by the backend serverΓÇÖs TCP stack to establish new connections. For TLS, it also includes the time spent on handshake.|

-|**Backend first byte response time**|Milliseconds|Time interval between start of establishing a connection to backend server and receiving the first byte of the response header.<br><br>This approximates the sum of Backend connect time, time taken by the request to reach the backend from Application Gateway, time taken by backend application to respond (the time the server took to generate content, potentially fetch database queries), and the time taken by first byte of the response to reach the Application Gateway from the backend.|

-|**Backend last byte response time**|Milliseconds|Time interval between start of establishing a connection to backend server and receiving the last byte of the response body.<br><br>This approximates the sum of backend first byte response time and data transfer time. This number may vary greatly depending on the size of objects requested and the latency of the server network.|

-|**Application gateway total time**|Milliseconds|Average time that it takes for a request to be received, processed and its response to be sent.<br><br>This is the interval from the time when Application Gateway receives the first byte of the HTTP request to the time when the last response byte has been sent to the client. This includes the processing time taken by Application Gateway, the Backend last byte response time, the time taken by Application Gateway to send all the response, and the Client RTT.|

-|**Client RTT**|Milliseconds|Average round-trip time between clients and Application Gateway.|

-These metrics can be used to determine whether the observed slowdown is due to the client network, Application Gateway performance, the backend network and backend server TCP stack saturation, backend application performance, or large file size.

-For example, if thereΓÇÖs a spike in *Backend first byte response time* trend but the *Backend connect time* trend is stable, then it can be inferred that the Application gateway to backend latency and the time taken to establish the connection is stable, and the spike is caused due to an increase in the response time of backend application. On the other hand, if the spike in *Backend first byte response time* is associated with a corresponding spike in *Backend connect time*, then it can be deduced that either the network between Application Gateway and backend server or the backend server TCP stack has saturated.

-If you notice a spike in *Backend last byte response time* but the *Backend first byte response time* is stable, then it can be deduced that the spike is because of a larger file being requested.

-Similarly, if the *Application gateway total time* has a spike but the *Backend last byte response time* is stable, then it can either be a sign of performance bottleneck at the Application Gateway or a bottleneck in the network between client and Application Gateway. Additionally, if the *client RTT* also has a corresponding spike, then it indicates that the degradation is because of the network between client and Application Gateway.

-### Application Gateway metrics

-| Metric | Unit | Description|

-|:-|:--|:|

-|**Bytes received**|Bytes|Count of bytes received by the Application Gateway from the clients. (This metric accounts for only the Request content size observed by the Application Gateway. It doesn't include data transfers such as TLS header negotiations, TCP/IP packet headers, or retransmissions.)|

-|**Bytes sent**|Bytes|Count of bytes sent by the Application Gateway to the clients. (This metric accounts for only the Response Content size served by the Application Gateway. It doesn't include data transfers such as TCP/IP packet headers or retransmissions.)|

-|**Client TLS protocol**|Count|Count of TLS and non-TLS requests initiated by the client that established connection with the Application Gateway. To view TLS protocol distribution, filter by the TLS Protocol dimension.|

-|**Current capacity units**|Count|Count of capacity units consumed to load balance the traffic. There are three determinants to capacity unit - compute unit, persistent connections, and throughput. Each capacity unit is composed of at most: one compute unit, or 2500 persistent connections, or 2.22-Mbps throughput.|

-|**Current compute units**|Count|Count of processor capacity consumed. Factors affecting compute unit are TLS connections/sec, URL Rewrite computations, and WAF rule processing.|

-|**Current connections**|Count|The total number of concurrent connections active from clients to the Application Gateway.|

-|**Estimated Billed Capacity units**|Count|With the v2 SKU, the pricing model is driven by consumption. Capacity units measure consumption-based cost that is charged in addition to the fixed cost. *Estimated Billed Capacity units indicate the number of capacity units using which the billing is estimated. This is calculated as the greater value between *Current capacity units* (capacity units required to load balance the traffic) and *Fixed billable capacity units* (minimum capacity units kept provisioned).|

-|**Failed Requests**|Count|Number of requests that Application Gateway has served with 5xx server error codes. This includes the 5xx codes that are generated from the Application Gateway and the 5xx codes that are generated from the backend. The request count can be further filtered to show count per each/specific backend pool-http setting combination.|

-|**Fixed Billable Capacity Units**|Count|The minimum number of capacity units kept provisioned as per the *Minimum scale units* setting (one instance translates to 10 capacity units) in the Application Gateway configuration.|

-|**New connections per second**|Count|The average number of new TCP connections per second established from clients to the Application Gateway and from the Application Gateway to the backend members.|

-|**Response Status**|Status code|HTTP response status returned by Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.|

-|**Throughput**|Bytes/sec|Number of bytes per second the Application Gateway has served. (This metric accounts for only the Content size served by the Application Gateway. It doesn't include data transfers such as TLS header negotiations, TCP/IP packet headers, or retransmissions.)|

-|**Total Requests**|Count|Count of successful requests that Application Gateway has served. The request count can be further filtered to show count per each/specific backend pool-http setting combination.|

-### Backend metrics

-| Metric | Unit | Description|

-|:-|:--|:|

-|**Backend response status**|Count|Count of HTTP response status codes returned by the backends. This doesn't include any response codes generated by the Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.|

-|**Healthy host count**|Count|The number of backends that are determined healthy by the health probe. You can filter on a per backend pool basis to show the number of healthy hosts in a specific backend pool.|

-|**Unhealthy host count**|Count|The number of backends that are determined unhealthy by the health probe. You can filter on a per backend pool basis to show the number of unhealthy hosts in a specific backend pool.|

-|**Requests per minute per Healthy Host**|Count|The average number of requests received by each healthy member in a backend pool in a minute. Specify the backend pool using the *BackendPool HttpSettings* dimension.|

-### Backend health API

-See [Application Gateways - Backend Health](/rest/api/application-gateway/application-gateways/backend-health?tabs=HTTP) for details of the API call to retrieve the backend health of an application gateway.

-Sample Request:

-``output

-POST

-https://management.azure.com/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Network/

-applicationGateways/appgw/backendhealth?api-version=2021-08-01

-After

-``

-After sending this POST request, you should see an HTTP 202 Accepted response. In the response headers, find the Location header and send a new GET request using that URL.

-``output

-GET

-https://management.azure.com/subscriptions/subid/providers/Microsoft.Network/locations/region-name/operationResults/GUID?api-version=2021-08-01

-``

-### Application Gateway TLS/TCP proxy monitoring

-#### TLS/TCP proxy metrics

-With layer 4 proxy feature now available with Application Gateway, there are some Common metrics (apply to both layer 7 as well as layer 4), and some layer 4 specific metrics. The following table describes all the metrics are the applicable for layer 4 usage.

-| Metric | Description | Type | Dimension |

-|:--|:|:-|:-|

-| Current Connections | The number of active connections: reading, writing, or waiting. The count of current connections established with Application Gateway. | Common metric | None |

-| New Connections per second | The average number of connections handled per second during that minute. | Common metric | None |

-| Throughput | The rate of data flow (inBytes+ outBytes) during that minute. | Common metric | None |

-| Healthy host count | The number of healthy backend hosts. | Common metric | BackendSettingsPool |

-| Unhealthy host | The number of unhealthy backend hosts. | Common metric | BackendSettingsPool |

-| ClientRTT | Average round trip time between clients and Application Gateway. | Common metric | Listener |

-| Backend Connect Time | Time spent establishing a connection with a backend server. | Common metric | Listener, BackendServer, BackendPool, BackendSetting |

-| Backend First Byte Response Time | Time interval between start of establishing a connection to backend server and receiving the first byte of data (approximating processing time of backend server). | Common metric | Listener, BackendServer, BackendPool, BackendHttpSetting`*` |

-| Backend Session Duration | The total time of a backend connection. The average time duration from the start of a new connection to its termination. | L4-specific | Listener, BackendServer, BackendPool, BackendHttpSetting`*` |

-| Connection Lifetime | The total time of a client connection to application gateway. The average time duration from the start of a new connection to its termination in milliseconds. | L4-specific | Listener |

-`*` BackendHttpSetting dimension includes both layer 7 and layer 4 backend settings.

-#### TLS/TCP proxy logs

-Application GatewayΓÇÖs Layer 4 proxy provides log data through access logs. These logs are only generated and published if they are configured in the diagnostic settings of your gateway. Also see: [Supported categories for Azure Monitor resource logs](/azure/azure-monitor/essentials/resource-logs-categories#microsoftnetworkapplicationgateways).

-> [!NOTE]

-> The columns with Mutual Authentication details for a TLS listener are currently available only through the [AzureDiagnostics table](application-gateway-diagnostics.md#storage-locations).

-| Category | Resource log category |

-|:--|:-|

-| ResourceGroup | The resource group to which the application gateway resource belongs. |

-| SubscriptionId |The subscription ID of the application gateway resource. |

-| ResourceProvider |This will be MICROSOFT.NETWORK for application gateway. |

-| Resource |The name of the application gateway resource. |

-| ResourceType |This will be APPLICATIONGATEWAYS. |

-| ruleName |The name of the routing rule that served the connection request. |

-| instanceId |Application Gateway instance that served the request. |

-| clientIP |Originating IP for the request. |

-| receivedBytes |Data received from client to gateway, in bytes. |

-| sentBytes |Data sent from gateway to client, in bytes. |

-| listenerName |The name of the listener that established the frontend connection with client. |

-| backendSettingName |The name of the backend setting used for the backend connection. |

-| backendPoolName |The name of the backend pool from which a target server was selected to establish the backend connection. |

-| protocol |TCP (Irrespective of it being TCP or TLS, the protocol value will always be TCP). |

-| sessionTime |session duration, in seconds (this is for the client->appgw session) |

-| upstreamSentBytes |Data sent to backend server, in bytes. |

-| upstreamReceivedBytes |Data received from backend server, in bytes. |

-| upstreamSessionTime |session duration, in seconds (this is for the appgw->backend session) |

-| sslCipher |Cipher suite being used for TLS communication (for TLS protocol listeners). |

-| sslProtocol |SSL/TLS protocol being used (for TLS protocol listeners). |

-| serverRouted |The backend server IP and port number to which the traffic was routed. |

-| serverStatus |200 - session completed successfully. 400 - client data could not be parsed. 500 - internal server error. 502 - bad gateway. For example, when an upstream server could not be reached. 503 - service unavailable. For example, if access is limited by the number of connections. |

-| ResourceId |Application Gateway resource URI |

-### TLS/TCP proxy backend health

-Application GatewayΓÇÖs layer 4 proxy provides the capability to monitor the health of individual members of the backend pools through the portal and REST API.

-

-## Application Gateway v1 metrics

-### Application Gateway metrics

-| Metric | Unit | Description|

-|:-|:--|:|

-|**CPU Utilization**|Percent|Displays the CPU usage allocated to the Application Gateway. Under normal conditions, CPU usage should not regularly exceed 90%, as this may cause latency in the websites hosted behind the Application Gateway and disrupt the client experience. You can indirectly control or improve CPU usage by modifying the configuration of the Application Gateway by increasing the instance count or by moving to a larger SKU size, or doing both.|

-|**Current connections**|Count|Count of current connections established with Application Gateway.|

-|**Failed Requests**|Count|Number of requests that failed because of connection issues. This count includes requests that failed due to exceeding the *Request time-out* HTTP setting and requests that failed due to connection issues between Application Gateway and the backend. This count doesn't include failures due to no healthy backend being available. 4xx and 5xx responses from the backend are also not considered as part of this metric.|

-|**Response Status**|Status code|HTTP response status returned by Application Gateway. The response status code distribution can be further categorized to show responses in 2xx, 3xx, 4xx, and 5xx categories.|

-|**Throughput**|Bytes/sec|Number of bytes per second the Application Gateway has served.|

-|**Total Requests**|Count|Count of successful requests that Application Gateway has served. The request count can be further filtered to show count per each/specific backend pool-http setting combination.|

-|**Web Application Firewall Blocked Requests Count**|Count|Number of requests blocked by WAF.|

-|**Web Application Firewall Blocked Requests Distribution**|Count|Number of requests blocked by WAF filtered to show count per each/specific WAF rule group or WAF rule ID combination.|

-|**Web Application Firewall Total Rule Distribution**|Count|Number of requests received per each specific WAF rule group or WAF rule ID combination.|

-<!-- Keep this text as-is -->

-For more information, see a list of [all platform metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).

-## Metrics Dimensions

-<!-- REQUIRED. Please keep headings in this order -->

-<!-- If you have metrics with dimensions, outline it here. If you have no dimensions, say so. Questions email azmondocs@microsoft.com -->

-For more information on what metrics dimensions are, see [Multi-dimensional metrics](../azure-monitor/essentials/data-platform-metrics.md#multi-dimensional-metrics).

-<!-- See https://learn.microsoft.com/azure/storage/common/monitor-storage-reference#metrics-dimensions for an example. Part is copied below. -->

-Azure Application Gateway supports dimensions for some of the metrics in Azure Monitor. Each metric includes a description that explains the available dimensions specifically for that metric.

-## Resource logs

-<!-- REQUIRED. Please keep headings in this order -->

-This section lists the types of resource logs you can collect for Azure Application Gateway.

-<!-- List all the resource log types you can have and what they are for -->

-For reference, see a list of [all resource logs category types supported in Azure Monitor](../azure-monitor/essentials/resource-logs-schema.md).

-> The Performance log is available only for the v1 SKU. For the v2 SKU, use [Application Gateway v2 metrics](#application-gateway-v2-metrics) for performance data.

-For more information, see [Backend health and diagnostic logs for Application Gateway](application-gateway-diagnostics.md#access-log).

-<!-- OPTION 2 - Link to the resource logs as above, but work in extra information not found in the automated metric-supported reference article. NOTE: YOU MUST MANUALLY MAINTAIN THIS SECTION to make sure it stays in sync with the resource-log-categories link. You can group these sections however you want provided you include the proper links back to resource-log-categories article.

-<!-- Example format. Add extra information -->

-## Application Gateway

-Resource Provider and Type: [Microsoft.Network/applicationGateways](../azure-monitor/essentials/resource-logs-categories.md#microsoftnetworkapplicationgateways)

-| Category | Display Name | Information|

-|:|:-||

-| **Activitylog** | Activity log | Activity log entries are collected by default. You can use [Azure activity logs](../azure-monitor/essentials/activity-log.md) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. |

-|**ApplicationGatewayAccessLog**|Access log| You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP address, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.|

-| **ApplicationGatewayPerformanceLog**|Performance log|You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, total requests served, failed request count, and healthy and unhealthy backend instance count. A performance log is collected every 60 seconds. The Performance log is available only for the v1 SKU. For the v2 SKU, use [Application Gateway v2 metrics](#application-gateway-v2-metrics) for performance data.|

-|**ApplicationGatewayFirewallLog**|Firewall log|You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall. Firewall logs are collected every 60 seconds.|

-## Azure Monitor Logs tables

-<!-- REQUIRED. Please keep heading in this order -->

-This section refers to all of the Azure Monitor Logs Kusto tables relevant to Azure Application Gateway and available for query by Log Analytics.

-<!-- OPTION 1 - Minimum - Link to relevant bookmarks in https://learn.microsoft.com/azure/azure-monitor/reference/tables/tables-resourcetype where your service tables are listed. These files are auto generated from the REST API. If this article is missing tables that you and the PM know are available, both of you contact azmondocs@microsoft.com.

-<!-- Example format. There should be AT LEAST one Resource Provider/Resource Type here. -->

-|Resource Type | Notes |

-|-|--|

-| [Application Gateway](/azure/azure-monitor/reference/tables/tables-resourcetype#application-gateways) |Includes AzureActivity, AzureDiagnostics, and AzureMetrics |

-For a reference of all Azure Monitor Logs / Log Analytics tables, see the [Azure Monitor Log Table Reference](/azure/azure-monitor/reference/tables/tables-resourcetype).

-### Diagnostics tables

-<!-- REQUIRED. Please keep heading in this order -->

-<!-- If your service uses the AzureDiagnostics table in Azure Monitor Logs / Log Analytics, list what fields you use and what they are for. Azure Diagnostics is over 500 columns wide with all services using the fields that are consistent across Azure Monitor and then adding extra ones just for themselves. If it uses service specific diagnostic table, refers to that table. If it uses both, put both types of information in. Most services in the future have their own specific table. If you have questions, contact azmondocs@microsoft.com -->

-**Azure Diagnostics**

-|: |:|

-requestUri_s | The URI of the client request.|

-Message | Informational messages such as "SQL Injection Attack"|

-userAgent_s | User agent details of the client request|

-ruleName_s | Request routing rule that is used to serve this request|

-httpMethod_s | HTTP method of the client request|

-instanceId_s | The Appgw instance to which the client request is routed to for evaluation|

-httpVersion_s | HTTP version of the client request|

-clientIP_s | IP from which is request is made|

-host_s | Host header of the client request|

-requestQuery_s | Query string as part of the client request|

-sslEnabled_s | Does the client request have SSL enabled|

-## See Also

-<!-- replace below with the proper link to your main monitoring service article -->

-description: Start here to learn how to monitor Azure Application Gateway

-<!-- VERSION 2.2

-Template for the main monitoring article for Azure services.

-Keep the required sections and add/modify any content for any information specific to your service.

-This article should be in your TOC with the name *monitor-[Azure Application Gateway].md* and the TOC title "Monitor Azure Application Gateway".

-Put accompanying reference information into an article in the Reference section of your TOC with the name *monitor-[service-name]-reference.md* and the TOC title "Monitoring data".

-Keep the headings in this order.

-# Monitoring Azure Application Gateway

-<!-- REQUIRED. Please keep headings in this order -->

-<!-- Most services can use this section unchanged. Add to it if there are any unique charges if your service has significant monitoring beyond Azure Monitor. -->

-When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation.

-This article describes the monitoring data generated by Azure Application Gateway. Azure Application Gateway uses [Azure Monitor](../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).

-<!-- Optional diagram showing monitoring for your service. If you need help creating one, contact robb@microsoft.com -->

-## Monitoring overview page in Azure portal

-<!-- OPTIONAL. Please keep headings in this order -->

-<!-- Most services can use this section unchanged. Edit it if there are any unique charges if your service has significant monitoring beyond Azure Monitor. -->

-This list is just a subset of the metrics available for Application Gateway. For more information, see [Monitoring Azure Application Gateway data reference](monitor-application-gateway-reference.md).

-## Azure Monitor Network Insights

-Some services in Azure have a special focused prebuilt monitoring dashboard in the Azure portal that provides a starting point for monitoring your service. These special dashboards are called "insights".

-<!-- Give a quick outline of what your "insight page" provides and refer to another article that gives details -->

-Azure Monitor Network Insights provides a comprehensive view of health and metrics for all deployed network resources (including Application Gateway), without requiring any configuration. For more information, see [Azure Monitor Network Insights](../network-watcher/network-insights-overview.md).

-## Monitoring data

-<!-- REQUIRED. Please keep headings in this order -->

-Azure Application Gateway collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data).

-See [Monitoring Azure Application Gateway data reference](monitor-application-gateway-reference.md) for detailed information on the metrics and logs metrics created by Azure Application Gateway.

-<!-- If your service has additional non-Azure Monitor monitoring data then outline and refer to that here. Also include that information in the data reference as appropriate. -->

-## Collection and routing

-<!-- REQUIRED. Please keep headings in this order -->

-Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.

-Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.

-<!-- Include any additional information on collecting logs. The number of things that diagnostics settings control is expanding -->

-See [Create diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Application Gateway are listed in [Azure Application Gateway monitoring data reference](monitor-application-gateway-reference.md#resource-logs).

-<!-- OPTIONAL: Add specific examples of configuration for this service. For example, CLI and PowerShell commands for creating diagnostic setting. Ideally, customers should set up a policy to automatically turn on collection for services. Azure monitor has Resource Manager template examples you can point to. See https://learn.microsoft.com/azure/azure-monitor/samples/resource-manager-diagnostic-settings. Contact azmondocs@microsoft.com if you have questions. -->

-The metrics and logs you can collect are discussed in the following sections.

-## Analyzing metrics

-<!-- REQUIRED. Please keep headings in this order

-If you don't support metrics, say so. Some services might be only onboarded to logs -->

-You can analyze metrics for Azure Application Gateway with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Analyze metrics with Azure Monitor metrics explorer](../azure-monitor/essentials/analyze-metrics.md) for details on using this tool.

-<!-- Point to the list of metrics available in your monitor-service-reference article. -->

-For a list of the platform metrics collected for Azure Application Gateway, see [Monitoring Application Gateway data reference](monitor-application-gateway-reference.md).

-For reference, you can see a list of [all resource metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).

-<!-- Optional: Call out additional information to help your customers. For example, you can include additional information here about how to use metrics explorer specifically for your service. Remember that the UI is subject to change quite often so you need to maintain these screenshots yourself if you add them in. -->

-## Analyzing logs

-<!-- REQUIRED. Please keep headings in this order

-If you don't support resource logs, say so. Some services might be only onboarded to metrics and the activity log. -->

-All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Common and service-specific schema for Azure Resource Logs](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema).

-The [Activity log](../azure-monitor/essentials/activity-log.md) is a platform login Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

-For a list of the types of resource logs collected for Azure Application Gateway, see [Monitoring Azure Application Gateway data reference](monitor-application-gateway-reference.md#resource-logs).

-For a list of the tables used by Azure Monitor Logs and queryable by Log Analytics, see [Monitoring Azure Application Gateway data reference](monitor-application-gateway-reference.md#azure-monitor-logs-tables).

-<!-- Optional: Call out additional information to help your customers. For example, you can include additional information here about log usage or what logs are most important. Remember that the UI is subject to change quite often so you need to maintain these screenshots yourself if you add them in. -->

-### Sample Kusto queries

-<!-- REQUIRED if you support logs. Please keep headings in this order -->

-<!-- Add sample Log Analytics Kusto queries for your service. -->

-> [!IMPORTANT]

-> When you select **Logs** from the Application Gateway menu, Log Analytics is opened with the query scope set to the current Application Gateway. This means that log queries only include data from that resource. If you want to run a query that includes data from other Application Gateways or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](/azure/azure-monitor/log-query/scope/) for details.

-<!-- REQUIRED: Include queries that are helpful for figuring out the health and state of your service. Ideally, use some of these queries in the alerts section. It's possible that some of your queries might be in the Log Analytics UI (sample or example queries). Check if so. -->

-You can use the following queries to help you monitor your Application Gateway resource.

-<!-- Put in a code section here. -->

-```Kusto

-## Alerts

-<!-- SUGGESTED: Include useful alerts on metrics, logs, log conditions or activity log. Ask your PMs if you don't know.

-This information is the BIGGEST request we get in Azure Monitor so do not avoid it long term. People don't know what to monitor for best results. Be prescriptive

-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](../azure-monitor/alerts/alerts-metric-overview.md), [logs](../azure-monitor/alerts/alerts-unified-log.md), and the [activity log](../azure-monitor/alerts/activity-log-alerts.md). Different types of alerts have benefits and drawbacks

-<!-- only include next line if applications run on your service and work with App Insights. -->

-If you're creating or running an application that uses Application Gateway, [Azure Monitor Application Insights](../azure-monitor/app/app-insights-overview.md) can offer additional types of alerts.

-<!-- end -->

-The following tables list common and recommended alert rules for Application Gateway.

-<!-- Fill in the table with metric and log alerts that would be valuable for your service. Change the format as necessary to make it more readable -->

-**Application Gateway v1**

-|Metric|CPU utilization crosses 80%|Under normal conditions, CPU usage shouldn't regularly exceed 90%. This can cause latency in the websites hosted behind the Application Gateway and disrupt the client experience.|

-|Metric|Unhealthy host count crosses threshold|Indicates the number of backend servers that Application Gateway is unable to probe successfully. This catches issues where the Application Gateway instances are unable to connect to the backend. Alert if this number goes above 20% of backend capacity.|

-|Metric|Failed requests crosses threshold|When failed requests metric crosses a threshold. You should observe the gateway in production to determine static threshold or use dynamic threshold for the alert.|

-**Application Gateway v2**

-|Metric|Compute Unit utilization crosses 75% of average usage|Compute unit is the measure of compute utilization of your Application Gateway. Check your average compute unit usage in the last one month and set alert if it crosses 75% of it.|

-|Metric|Capacity Unit utilization crosses 75% of peak usage|Capacity units represent overall gateway utilization in terms of throughput, compute, and connection count. Check your maximum capacity unit usage in the last one month and set alert if it crosses 75% of it.|

-|Metric|Unhealthy host count crosses threshold|Indicates number of backend servers that application gateway is unable to probe successfully. This catches issues where Application gateway instances are unable to connect to the backend. Alert if this number goes above 20% of backend capacity.|

-|Metric|Failed requests crosses threshold|When Failed requests metric crosses threshold. You should observe the gateway in production to determine static threshold or use dynamic threshold for the alert.|

-|Metric|Backend last byte response time crosses threshold|Indicates the time interval between start of establishing a connection to backend server and receiving the last byte of the response body. Create an alert if the backend response latency is more that certain threshold from usual.|

-|Metric|Application Gateway total time crosses threshold|This is the interval from the time when Application Gateway receives the first byte of the HTTP request to the time when the last response byte has been sent to the client. Should create an alert if the backend response latency is more that certain threshold from usual.|

-## Next steps

-<!-- Add additional links. You can change the wording of these and add more if useful. -->

-To verify OCSP revocation status has been evaluated for the client request, [access logs](./application-gateway-diagnostics.md#access-log) will contain a property called "sslClientVerify", with the status of the OCSP response.

-For more information on all the fields in the access logs, see [here](application-gateway-diagnostics.md#for-application-gateway-and-waf-v2-sku).

-> This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

-By enabling Azure Automation State Configuration, you can manage and monitor the configurations of your Windows and Linux servers using Desired State Configuration (DSC). Configurations that drift from a desired configuration can be identified or auto-corrected. This quickstart steps through enabling an Azure Linux VM and deploying a LAMP stack using Azure Automation State Configuration.

-* An Azure Resource Manager virtual machine running Red Hat Enterprise Linux, or Oracle Linux. For instructions on creating a VM, see [Create your first Linux virtual machine in the Azure portal](../../virtual-machines/linux/quick-create-portal.md)

-

-

-1. Select the node configuration `LAMPServer.localhost` and click **OK**. State Configuration now assigns the compiled configuration to the node, and the node status changes to `Pending`. On the next periodic check, the node retrieves the configuration, applies it, and reports status. It can take up to 30 minutes for the node to retrieve the configuration, depending on the node settings.

-1. To force an immediate check, you can run the following command locally on the Linux virtual machine:

- `sudo /opt/microsoft/dsc/Scripts/PerformRequiredConfigurationChecks.py`

-

-In this quickstart, you enabled an Azure Linux VM for State Configuration, created a configuration for a LAMP stack, and deployed the configuration to the VM. To learn how you can use Azure Automation State Configuration to enable continuous deployment, continue to the article:

-Within each of the version folders, copy your PowerShell .psm1, .psd1, or PowerShell module **.dll** files that make up a module into the respective version folder. Zip up the module folder so that Azure Automation can import it as a single .zip file. While Automation only shows the highest version of the module imported, if the module package contains side-by-side versions of the module, they are all available for use in your runbooks or DSC configurations.

-This article applies to API version 1.0.

-For additional options, see the "Filtering" section later in this article.

-|`label=%00`|Matches KV without label|

-In the case of a filter validation error, the response is HTTP `400` with error details:

-If the item is locked, you'll receive the following response:

-api-version: 1.0

-api-version: 1.0

-|Key Filter|Effect|

-This API (version 1.0) provides lock and unlock semantics for the key-value resource. It supports the following operations:

-This article applies to API version 1.0.

-|`label` is omitted or `label=`|Matches entry without label|

-A snapshot is a resource identified uniquely by its name. See details for each operation.

-This article applies to API version 2022-11-01-preview.

-or

-For additional options, see the "Filtering" section later in this article.

-If a reserved character is part of the value, then it must be escaped by using `\{Reserved Character}`. Non-reserved characters can also be escaped.

-In the case of a filter validation error, the response is HTTP `400` with error details:

-| name | yes | n/a | Length <br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 256 |

-| filters | yes | n/a | Count <br/> &nbsp;&nbsp;&nbsp;&nbsp; minimum: 1<br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 3 |

-| filters[\<index\>].label | no | null | Multi-match label filters (E.g.: "*", "comma,separated") aren't supported with 'key' composition type. |

-| retention_period | no | Standard tier <br/>&nbsp;&nbsp;&nbsp;&nbsp; 2592000 (30 days) <br/> Free tier <br/> &nbsp;&nbsp;&nbsp;&nbsp; 604800 (7 days) | Standard tier <br/> &nbsp;&nbsp;&nbsp;&nbsp; minimum: 3600 (1 hour) <br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 7776000 (90 days) <br/> Free tier <br/> &nbsp;&nbsp;&nbsp;&nbsp; minimum: 3600 (1 hour) <br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 604800 (7 days) |

-The status of the newly created snapshot will be "provisioning".

-Once the snapshot is fully provisioned, the status will update to "ready".

-If the snapshot already exists, you'll receive the following response:

-If any error occurs during the provisioning of the snapshot, the `error` property will contain details describing the error.

-An archived snapshot will be assigned an expiration date, based off the retention period established at the time of its creation.

-Once the snapshot is recovered the snapshot's expiration date is removed.

-or

-> The [Flux v2.3.0 release](https://fluxcd.io/blog/2024/05/flux-v2.3.0/) includes API changes to the HelmRelease and HelmChart APIs, with deprecated fields removed. An upcoming minor version update of Microsoft's Flux extension will include these changes, consistent with the upstream OSS Flux project.

-> To avoid issues due to breaking changes, we recommend updating your deployments by July 29, 2024, so that they stop using the fields that will be removed and use the replacement fields instead. These new fields are already available in the current version of the APIs.

-> Many Arc-enabled Kubernetes features and scenarios are supported on ARM64 nodes, such as [cluster connect](cluster-connect.md) and [viewing Kubernetes resources in the Azure portal](kubernetes-resource-view.md). However, if using Azure CLI to enable these scenarios, [Azure CLI must be installed](/cli/azure/install-azure-cli) and run from an AMD64 machine.

->

-+ In setting names, double-underscore (`__`) and semicolon (`:`) are considered reserved values. Double-underscores are interpreted as hierarchical delimiters on both Windows and Linux, and colons are interpreted in the same way only on Linux. For example, the setting `AzureFunctionsWebHost__hostid=somehost_123456` would be interpreted as the following JSON object:

-This tutorial shows you how to create a workflow to analyze Twitter activity. As tweets are evaluated, the workflow sends notifications when positive sentiments are detected.

-> * Create a logic app that connects to Twitter.

-* An active [Twitter](https://twitter.com/) account.

-Next, create a logic app that integrates with Azure Functions, Twitter, and the Azure AI services API.

-## Connect to Twitter

-Create a connection to Twitter so your app can poll for new tweets.

-1. Search for **Twitter** in the top search box.

-1. Select the **Twitter** icon.

- | Connection name | **MyTwitterConnection** |

-1. Follow the prompts in the pop-up window to complete signing in to Twitter.

- | Search text | **#my-twitter-tutorial** |

- | How often do you want to check for items? | **1** in the textbox, and <br> **Hour** in the dropdown. You may enter different values but be sure to review the current [limitations](/connectors/twitterconnector/#limits) of the Twitter connector. |

-1. From your Twitter account, tweet the following text: **I'm enjoying #my-twitter-tutorial**.

-Optionally, you may want to return to your Twitter account and delete any test tweets from your feed.

-<!

-<br/>

-> [!VIDEO https://codepen.io/azuremaps/embed/dyPMRWo?height=500&theme-id=default&default-tab=js,result&editable=true]

-<!-

-<br/>

-> [!VIDEO https://codepen.io/azuremaps/embed/XWJdeja?height=500&theme-id=default&default-tab=result]

-<!-

-<br/>

-> [!VIDEO https://codepen.io/azuremaps/embed/eYmZGNv?height=500&theme-id=default&default-tab=js,result&editable=true]

-<!-

-> [!VIDEO https://codepen.io/azuremaps/embed/RwNaZXe?height=500&theme-id=default&default-tab=js,result&editable=true]

-custom.ms: subject-rbac-steps

- >[!IMPORTANT]

- >The [Get Minute Forecast API] requires a Gen1 (S1) or Gen2 pricing tier.

-This tutorial uses the [Postman] application, but you may choose a different API development environment.

-1. Open the Postman app. Select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-3. Select the blue **Send** button. The response body contains current weather information.

- "results": [

- "dateTime": "2020-10-19T20:39:00+00:00",

- "phrase": "Cloudy",

- "iconCode": 7,

- "hasPrecipitation": false,

- "isDayTime": true,

- "temperature": {

- "value": 12.4,

- },

- "realFeelTemperature": {

- "value": 13.7,

- "realFeelTemperatureShade": {

- "value": 13.7,

- },

- "relativeHumidity": 87,

- "dewPoint": {

- "value": 10.3,

- "wind": {

- "direction": {

- "degrees": 23.0,

- "localizedDescription": "NNE"

- },

- "speed": {

- "value": 4.5,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "windGust": {

- "speed": {

- "value": 9.0,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "uvIndex": 1,

- "uvIndexPhrase": "Low",

- "visibility": {

- "value": 9.7,

- "unit": "km",

- "unitType": 6

- },

- "obstructionsToVisibility": "",

- "cloudCover": 100,

- "ceiling": {

- "value": 1494.0,

- "unit": "m",

- "unitType": 5

- },

- "pressure": {

- "value": 1021.2,

- "unit": "mb",

- "unitType": 14

- },

- "pressureTendency": {

- "localizedDescription": "Steady",

- "code": "S"

- },

- "past24HourTemperatureDeparture": {

- "value": -2.1,

- "unit": "C",

- "unitType": 17

- },

- "apparentTemperature": {

- "value": 15.0,

- },

- "windChillTemperature": {

- "value": 12.2,

- },

- "wetBulbTemperature": {

- "value": 11.3,

- "unit": "C",

- "unitType": 17

- },

- "precipitationSummary": {

- "pastHour": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "past3Hours": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "past6Hours": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "past9Hours": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "past12Hours": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "past18Hours": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "past24Hours": {

- "value": 0.4,

- "unit": "mm",

- "unitType": 3

- }

- },

- "temperatureSummary": {

- "past6Hours": {

- "minimum": {

- "value": 12.2,

- "unit": "C",

- "unitType": 17

- },

- "maximum": {

- "value": 14.0,

- "unit": "C",

- "unitType": 17

- }

- },

- "past12Hours": {

- "minimum": {

- "value": 12.2,

- "unit": "C",

- "unitType": 17

- },

- "maximum": {

- "value": 14.0,

- "unit": "C",

- "unitType": 17

- }

- },

- "past24Hours": {

- "minimum": {

- "value": 12.2,

- "unit": "C",

- "unitType": 17

- },

- "maximum": {

- "value": 15.6,

- "unit": "C",

- "unitType": 17

- }

- }

- ]

-Azure Maps [Get Severe Weather Alerts API] returns the severe weather alerts that are available worldwide from both official Government Meteorological Agencies and leading global to regional weather alert providers. The service returns details like alert type, category, level. The service also returns detailed descriptions about the active severe alerts for the requested location, such as hurricanes, thunderstorms, lightning, heat waves or forest fires. As an example, logistics managers can visualize severe weather conditions on a map, along with business locations and planned routes, and coordinate further with drivers and local workers.

->[!NOTE]

->This example retrieves severe weather alerts at the time of this writing. It is likely that there are no longer any severe weather alerts at the requested location. To retrieve actual severe alert data when running this example, you'll need to retrieve data at a different coordinate location.

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-3. Select the blue **Send** button. If there are no severe weather alerts, the response body contains an empty `results[]` array. If there are severe weather alerts, the response body contains something like the following JSON response:

- "summary": "Red Flag Warning in effect until 7:00 PM MDT. Source: U.S. National Weather Service",

-The [Get Daily Forecast API] returns detailed daily weather forecast such as temperature and wind. The request can specify how many days to return: 1, 5, 10, 15, 25, or 45 days for a given coordinate location. The response includes details such as temperature, wind, precipitation, air quality, and UV index. In this example, we request for five days by setting `duration=5`.

->[!IMPORTANT]

->In the S0 pricing tier, you can request daily forecast for the next 1, 5, 10, and 15 days. In either Gen1 (S1) or Gen2 pricing tier, you can request daily forecast for the next 25 days, and 45 days.

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-3. Select the blue **Send** button. The response body contains the five-day weather forecast data. For the sake of brevity, the following JSON response shows the forecast for the first day.

- "summary": {

- "startDate": "2020-10-18T17:00:00+00:00",

- "endDate": "2020-10-19T23:00:00+00:00",

- "severity": 2,

- "phrase": "Snow, mixed with rain at times continuing through Monday evening and a storm total of 3-6 cm",

- "category": "snow/rain"

- },

- "forecasts": [

- "date": "2020-10-19T04:00:00+00:00",

- "temperature": {

- "minimum": {

- "value": -1.1,

- "unit": "C",

- "unitType": 17

- },

- "maximum": {

- "value": 1.3,

- "unit": "C",

- "unitType": 17

- }

- "realFeelTemperature": {

- "minimum": {

- "value": -6.0,

- "unit": "C",

- "unitType": 17

- },

- "maximum": {

- "value": 0.5,

- "unit": "C",

- "unitType": 17

- }

- "realFeelTemperatureShade": {

- "minimum": {

- "value": -6.0,

- "unit": "C",

- "unitType": 17

- },

- "maximum": {

- "value": 0.7,

- "unit": "C",

- "unitType": 17

- }

- "hoursOfSun": 1.8,

- "degreeDaySummary": {

- "heating": {

- "value": 18.0,

- "unit": "C",

- "unitType": 17

- },

- "cooling": {

- "value": 0.0,

- "unit": "C",

- "unitType": 17

- }

- "airAndPollen": [

- {

- "name": "AirQuality",

- "value": 23,

- "category": "Good",

- "categoryValue": 1,

- "type": "Ozone"

- },

- {

- "name": "Grass",

- "value": 0,

- "category": "Low",

- "categoryValue": 1

- },

- {

- "name": "Mold",

- "value": 0,

- "category": "Low",

- "categoryValue": 1

- },

- {

- "name": "Ragweed",

- "value": 0,

- "category": "Low",

- "categoryValue": 1

- },

- {

- "name": "Tree",

- "value": 0,

- "category": "Low",

- "categoryValue": 1

- },

- {

- "name": "UVIndex",

- "value": 0,

- "category": "Low",

- "categoryValue": 1

- }

- ],

- "day": {

- "iconCode": 22,

- "iconPhrase": "Snow",

- "hasPrecipitation": true,

- "precipitationType": "Mixed",

- "precipitationIntensity": "Light",

- "shortPhrase": "Chilly with snow, 2-4 cm",

- "longPhrase": "Chilly with snow, accumulating an additional 2-4 cm",

- "precipitationProbability": 90,

- "thunderstormProbability": 0,

- "rainProbability": 54,

- "snowProbability": 85,

- "iceProbability": 8,

- "wind": {

- "direction": {

- "degrees": 36.0,

- "localizedDescription": "NE"

- },

- "speed": {

- "value": 9.3,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "windGust": {

- "direction": {

- "degrees": 70.0,

- "localizedDescription": "ENE"

- },

- "speed": {

- "value": 25.9,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "totalLiquid": {

- "value": 4.3,

- "unit": "mm",

- "unitType": 3

- },

- "rain": {

- "value": 0.5,

- "unit": "mm",

- "unitType": 3

- },

- "snow": {

- "value": 2.72,

- "unit": "cm",

- "unitType": 4

- },

- "ice": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "hoursOfPrecipitation": 9.0,

- "hoursOfRain": 1.0,

- "hoursOfSnow": 9.0,

- "hoursOfIce": 0.0,

- "cloudCover": 96

- },

- "night": {

- "iconCode": 29,

- "iconPhrase": "Rain and snow",

- "hasPrecipitation": true,

- "precipitationType": "Mixed",

- "precipitationIntensity": "Light",

- "shortPhrase": "Showers of rain and snow",

- "longPhrase": "A couple of showers of rain or snow this evening; otherwise, cloudy; storm total snowfall 1-3 cm",

- "precipitationProbability": 65,

- "thunderstormProbability": 0,

- "rainProbability": 60,

- "snowProbability": 54,

- "iceProbability": 4,

- "wind": {

- "direction": {

- "degrees": 16.0,

- "localizedDescription": "NNE"

- },

- "speed": {

- "value": 16.7,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "windGust": {

- "direction": {

- "degrees": 1.0,

- "localizedDescription": "N"

- },

- "speed": {

- "value": 35.2,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "totalLiquid": {

- "value": 4.3,

- "unit": "mm",

- "unitType": 3

- },

- "rain": {

- "value": 3.0,

- "unit": "mm",

- "unitType": 3

- },

- "snow": {

- "value": 0.79,

- "unit": "cm",

- "unitType": 4

- },

- "ice": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- },

- "hoursOfPrecipitation": 4.0,

- "hoursOfRain": 1.0,

- "hoursOfSnow": 3.0,

- "hoursOfIce": 0.0,

- "cloudCover": 94

- },

- "sources": [

- "AccuWeather"

- ]

- },...

- ]

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-3. Select the blue **Send** button. The response body contains weather forecast data for the next 12 hours. For the sake of brevity, the following JSON response shows the forecast for the first hour.

- "forecasts": [

- "date": "2020-10-19T21:00:00+00:00",

- "iconCode": 12,

- "iconPhrase": "Showers",

- "hasPrecipitation": true,

- "precipitationType": "Rain",

- "precipitationIntensity": "Light",

- "isDaylight": true,

- "temperature": {

- "value": 14.7,

- "unit": "C",

- "unitType": 17

- },

- "realFeelTemperature": {

- "value": 13.3,

- "unit": "C",

- "unitType": 17

- },

- "wetBulbTemperature": {

- "value": 12.0,

- "unit": "C",

- "unitType": 17

- },

- "dewPoint": {

- "value": 9.5,

- "unit": "C",

- "unitType": 17

- },

- "wind": {

- "direction": {

- "degrees": 242.0,

- "localizedDescription": "WSW"

- },

- "speed": {

- "value": 9.3,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "windGust": {

- "speed": {

- "value": 14.8,

- "unit": "km/h",

- "unitType": 7

- }

- },

- "relativeHumidity": 71,

- "visibility": {

- "value": 9.7,

- "unit": "km",

- "unitType": 6

- },

- "cloudCover": 100,

- "ceiling": {

- "value": 1128.0,

- "unit": "m",

- "unitType": 5

- },

- "uvIndex": 1,

- "uvIndexPhrase": "Low",

- "precipitationProbability": 51,

- "rainProbability": 51,

- "snowProbability": 0,

- "iceProbability": 0,

- "totalLiquid": {

- "value": 0.3,

- "unit": "mm",

- "unitType": 3

- },

- "rain": {

- "value": 0.3,

- "unit": "mm",

- "unitType": 3

- },

- "snow": {

- "value": 0.0,

- "unit": "cm",

- "unitType": 4

- },

- "ice": {

- "value": 0.0,

- "unit": "mm",

- "unitType": 3

- }...

- ]

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-3. Select the blue **Send** button. The response body contains weather forecast data for the next 120 minutes, in 15-minute intervals.

- "summary": {

- "iconCode": 7

- },

- "intervalSummaries": [

- "startMinute": 0,

- "endMinute": 119,

- "totalMinutes": 120,

- "shortPhrase": "No precip for %MINUTE_VALUE min",

- "briefPhrase": "No precipitation for at least %MINUTE_VALUE min",

- "longPhrase": "No precipitation for at least %MINUTE_VALUE min",

- "iconCode": 7

- ],

- "intervals": [

- "startTime": "2020-10-19T20:51:00+00:00",

- "minute": 0,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T21:06:00+00:00",

- "minute": 15,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T21:21:00+00:00",

- "minute": 30,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T21:36:00+00:00",

- "minute": 45,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T21:51:00+00:00",

- "minute": 60,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T22:06:00+00:00",

- "minute": 75,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T22:21:00+00:00",

- "minute": 90,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- "startTime": "2020-10-19T22:36:00+00:00",

- "minute": 105,

- "dbz": 0.0,

- "shortPhrase": "No Precipitation",

- "iconCode": 7,

- "cloudCover": 100

- ]

-[Postman]: https://www.postman.com/

-This tutorial uses the [Postman] application, but you may choose a different API development environment.

->[!TIP]

->If you have a set of addresses to geocode, you can use [Post Search Address Batch] to send a batch of queries in a single request.

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. In this request, we're searching for a specific address: `400 Braod St, Seattle, WA 98109`. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

-3. Select the blue **Send** button. The response body contains data for a single location.

-4. Next, search an address that has more than one possible locations. In the **Params** section, change the `query` key to `400 Broad, Seattle`. Select the blue **Send** button.

-5. Next, try setting the `query` key to `400 Broa`.

-6. Select the **Send** button. The response includes results from multiple countries/regions. To geobias results to the relevant area for your users, always add as many location details as possible to the request.

-[Fuzzy Search] supports standard single line and free-form searches. We recommend that you use the Azure Maps Search Fuzzy API when you don't know your user input type for a search request. The query input can be a full or partial address. It can also be a Point of Interest (POI) token, like a name of POI, POI category or name of brand. Furthermore, to improve the relevance of your search results, constrain the query results using a coordinate location and radius, or by defining a bounding box.

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

- https://atlas.microsoft.com/search/fuzzy/json?&api-version=1.0&subscription-key={Your-Azure-Maps-Subscription-key}&language=en-US&query=pizza

-3. Select **Send** and review the response body.

- The ambiguous query string for "pizza" returned 10 [point of interest result] (POI) in both the "pizza" and "restaurant" categories. Each result includes details such as street address, latitude and longitude values, view port, and entry points for the location. The results are now varied for this query, and aren't tied to any reference location.

- In the next step, you'll use the `countrySet` parameter to specify only the countries/regions for which your application needs coverage. For a complete list of supported countries/regions, see [Search Coverage].

-4. The default behavior is to search the entire world, potentially returning unnecessary results. Next, search for pizza only in the United States. Add the `countrySet` key to the **Params** section, and set its value to `US`. Setting the `countrySet` key to `US` bounds the results to the United States.

-5. To get an even more targeted search, you can search over the scope of a lat/lon coordinate pair. The following example uses the lat/lon coordinates of the Seattle Space Needle. Since we only want to return results within a 400-meters radius, we add the `radius` parameter. Also, we add the `limit` parameter to limit the results to the five closest pizza places.

-6. Select **Send**. The response includes results for pizza restaurants near the Seattle Space Needle.

-> To geobias results to the relevant area for your users, always add as many location details as possible. For more information, see [Best Practices for Search].

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key. The request should look like the following URL:

- https://atlas.microsoft.com/search/address/reverse/json?api-version=1.0&subscription-key={Your-Azure-Maps-Subscription-key}&language=en-US&query=47.591180,-122.332700&number=1

-3. Select **Send**, and review the response body. You should see one query result. The response includes key address information about Safeco Field.

-4. Next, add the following key/value pairs to the **Params** section:

- | Key | Value | Returns

- |--|||

- | number | 1 |The response may include the side of the street (Left/Right) and also an offset position for the number.|

- | returnMatchType | true| Returns the type of match. For all possible values, see [Reverse Address Search Results].

-5. Select **Send**, and review the response body.

-6. Next, we add the `entityType` key, and set its value to `Municipality`. The `entityType` key overrides the `returnMatchType` key in the previous step. `returnSpeedLimit` and `returnRoadUse` also need removed since you're requesting information about the municipality. For all possible entity types, see [Entity Types].

-7. Select **Send**. Compare the results to the results returned in step 5. Because the requested entity type is now `municipality`, the response doesn't include street address information. Also, the returned `geometryId` can be used to request boundary polygon through Azure Maps Get [Search Polygon API].

-1. In the Postman app, select **New** to create the request. In the **Create New** window, select **HTTP Request**. Enter a **Request name** for the request.

-2. Select the **GET** HTTP method in the builder tab and enter the following URL. For this request, and other requests mentioned in this article, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key. The request should look like the following URL:

- https://atlas.microsoft.com/search/address/reverse/crossstreet/json?&api-version=1.0&subscription-key={Your-Azure-Maps-Subscription-key}&language=en-US&query=47.591180,-122.332700

- :::image type="content" source="./media/how-to-search-for-address/search-address-cross.png" alt-text="Search cross street.":::

-

-3. Select **Send**, and review the response body. Notice that the response contains a `crossStreet` value of `South Atlantic Street`.

-[point of interest result]: /rest/api/maps/search/getsearchpoi?view=rest-maps-1.0&preserve-view=true#searchpoiresponse

-[Postman]: https://www.postman.com/

-[Search Coverage]: geocoding-coverage.md

-custom.ms: subject-rbac-steps

-#Customer intent: As an Azure Maps web sdk user, I want to install and use the spatial io module so that I can integrate spatial data with the Azure Maps web sdk.

-# PS> .\MMAUnistallUtilityScript.ps1 GetInventory

-# The above command will generate a csv file with the details of Vm's and Vmss that has MMA extension installed.

-# Remove the MMA by running the script again as shown below:

-# PS> .\MMAUnistallUtilityScript.ps1 UninstallMMAExtension

-function GetVmsWithMMAExtensionInstalled

- $vmList = az vm list --query "[].{ResourceGroup:resourceGroup, VmName:name}" | ConvertFrom-Json

-

- Write-Host "Detected $vmsCount Vm's running in this subscription."

- Write-Progress -Activity "Getting VM Inventory" -PercentComplete $percent

- $extensionName = az vm extension list -g $resourceGroup --vm-name $vmName --query "[?name == 'MicrosoftMonitoringAgent' || name == 'OmsAgentForLinux'].name" | ConvertFrom-Json

- if ($extensionName)

- {

- 'Name' = $vmName

- 'Resource_Group' = $resourceGroup

- 'Resource_Type' = "VM"

- 'Install_Type' = "Extension"

- 'Extension_Name' = $extensionName

-function GetVmssWithMMAExtensionInstalled

- $vmssList = az vmss list --query "[?provisioningState=='Succeeded'].{ResourceGroup:resourceGroup, VmssName:name}" | ConvertFrom-Json

- Write-Host "Detected $vmssCount Vmss running in this subscription."

- Write-Progress -Activity "Getting VMSS Inventory" -PercentComplete $percent

- $extensionName = az vmss extension list -g $resourceGroup --vmss-name $vmssName --query "[?name == 'MicrosoftMonitoringAgent' || name == 'OmsAgentForLinux'].name" | ConvertFrom-Json

- if ($extensionName)

- {

- 'Name' = $vmssName

- 'Resource_Group' = $resourceGroup

- 'Resource_Type' = "VMSS"

- 'Install_Type' = "Extension"

- 'Extension_Name' = $extensionName

- }

- $fileName = "MMAInventory.csv"

- GetVmsWithMMAExtensionInstalled $fileName

- GetVmssWithMMAExtensionInstalled $fileName

-function UninstallMMAExtension

- $fileName = "MMAInventory.csv"

- az vmss extension delete --name $_.Extension_Name --vmss-name $_.Name --resource-group $_.Resource_Group --output none --no-wait

- else

- az vm extension delete --name $_.Extension_Name --vm-name $_.Name --resource-group $_.Resource_Group --output none --no-wait

-$logFileName = "MMAUninstallUtilityScriptLog.log"

- Write-Host "To get the Inventory: Run the script as: PS> .\MMAUnistallUtilityScript.ps1 GetInventory"

- Write-Host "To uninstall MMA from Inventory: Run the script as: PS> .\MMAUnistallUtilityScript.ps1 UninstallMMAExtension"

-|Resource_Group | Resource_Type | Name | Install_Type |Extension_Name |

-||||||

-| Linux-AMA-E2E | VM | Linux-ama-e2e-debian9 | Extension | OmsAgentForLinux |

-|AMA-ADMIN | VM | test2012-r2-da | Extension | MicrosoftMonitorAgent |

-| SUSE Linux Enterprise Server 15 SP4 | Γ£ô² | Γ£ô |

-description: Learn how to enable private link on an Azure Kubernetes Service (AKS) cluster.

-# Enable private link with Container insights

-This article describes how to configure Container insights to use Azure Private Link for your AKS cluster.

-## Prerequisites

-## Cluster using managed identity authentication

-### [CLI](#tab/cli)

-### Prerequisites

-### Existing AKS Cluster

-**Use default Log Analytics workspace**

-```azurecli

-az aks enable-addons --addon monitoring --name <cluster-name> --resource-group <cluster-resource-group-name> --ampls-resource-id "<azure-monitor-private-link-scope-resource-id>"

-```

-Example:

-```azurecli

-az aks enable-addons --addon monitoring --name "my-cluster" --resource-group "my-resource-group" --workspace-resource-id "/subscriptions/my-subscription/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace" --ampls-resource-id "/subscriptions/my-subscription /resourceGroups/my-resource-group/providers/microsoft.insights/privatelinkscopes/my-ampls-resource"

-```

-**Use existing Log Analytics workspace**

-```azurecli

-az aks enable-addons --addon monitoring --name <cluster-name> --resource-group <cluster-resource-group-name> --workspace-resource-id <workspace-resource-id> --ampls-resource-id "<azure-monitor-private-link-scope-resource-id>"

-```

-Example:

-```azurecli

-az aks enable-addons --addon monitoring --name "my-cluster" --resource-group "my-resource-group" --workspace-resource-id "/subscriptions/my-subscription/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace" --ampls-resource-id "/subscriptions/my-subscription /resourceGroups/ my-resource-group/providers/microsoft.insights/privatelinkscopes/my-ampls-resource"

-```

-### New AKS cluster

-```azurecli

-az aks create --resource-group rgName --name clusterName --enable-addons monitoring --workspace-resource-id "workspaceResourceId" --ampls-resource-id "azure-monitor-private-link-scope-resource-id"

-```

-Example:

-```azurecli

-az aks create --resource-group "my-resource-group" --name "my-cluster" --enable-addons monitoring --workspace-resource-id "/subscriptions/my-subscription/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace" --ampls-resource-id "/subscriptions/my-subscription /resourceGroups/ my-resource-group/providers/microsoft.insights/privatelinkscopes/my-ampls-resource"

-```

-### [ARM](#tab/arm)

-The following sections provide links to the template and parameter files for enabling private link with Container insights on an AKS and Arc-enabled clusters.

-Edit the values in the parameter file and deploy the template using any valid method for deploying ARM templates. Retrieve the **resource ID** of the resources from the **JSON** View of their **Overview** page.

- Based on your requirements, you can configure other parameters such `streams`, `enableContainerLogV2`, `enableSyslog`, `syslogLevels`, `syslogFacilities`, `dataCollectionInterval`, `namespaceFilteringModeForDataCollection` and `namespacesForDataCollection`.

-### Prerequisites

-### AKS cluster

-**Template file:** https://aka.ms/aks-enable-monitoring-msi-onboarding-template-file<br>

-**Parameter file:** https://aka.ms/aks-enable-monitoring-msi-onboarding-template-parameter-file

-| Parameter | Description |

-|:|:|

-| `aksResourceId`| Resource ID of the cluster. |

-| `aksResourceLocation` | Azure Region of the cluster. |

-| `workspaceResourceId`| Resource ID of the Log Analytics workspace. |

-| `workspaceRegion` | Region of the Log Analytics workspace. |

-| `resourceTagValues` | Tag values specified for the existing Container insights extension data collection rule (DCR) of the cluster and the name of the DCR. The name will be MSCI-\<clusterName\>-\<clusterRegion\>, and this resource created in an AKS clusters resource group. For first time onboarding, you can set arbitrary tag values. |

-| `useAzureMonitorPrivateLinkScope` | Boolean flag to indicate whether Azure Monitor link scope is used or not. |

-| `azureMonitorPrivateLinkScopeResourceId` | Resource ID of the Azure Monitor Private link scope. This only used if `useAzureMonitorPrivateLinkScope` is set to **true**. |

-### Arc-enabled Kubernetes cluster

-**Template file:** https://aka.ms/arc-k8s-azmon-extension-msi-arm-template<br>

-**Parameter file:** https://aka.ms/arc-k8s-azmon-extension-msi-arm-template-params

-| Parameter | Description |

-|:|:|

-| `clusterResourceId` | Resource ID of the cluster. |

-| `clusterRegion` | Azure Region of the cluster. |

-| `workspaceResourceId` | Resource ID of the Log Analytics workspace. |

-| `workspaceRegion` | Region of the Log Analytics workspace. |

-| `workspaceDomain` | Domain of the Log Analytics workspace:<br>`opinsights.azure.com` for Azure public cloud<br>`opinsights.azure.us` for Azure US Government<br>`opinsights.azure.cn` for Azure China Cloud |

-| `resourceTagValues` | Tag values specified for the existing Container insights extension data collection rule (DCR) of the cluster and the name of the DCR. The name will be MSCI-\<clusterName\>-\<clusterRegion\>, and this resource created in an AKS clusters resource group. For first time onboarding, you can set arbitrary tag values. |

-| `useAzureMonitorPrivateLinkScope` | Boolean flag to indicate whether Azure Monitor link scope is used or not. |

-| `azureMonitorPrivateLinkScopeResourceId` | Resource ID of the Azure Monitor Private link scope. This is only used if `useAzureMonitorPrivateLinkScope` is set to **true**. |

-## Cluster using legacy authentication

-Use the following procedures to enable network isolation by connecting your cluster to the Log Analytics workspace using [Azure Private Link](../logs/private-link-security.md) if your cluster is not using managed identity authentication. This requires a [private AKS cluster](/azure/aks/private-clusters).

-1. Create a private AKS cluster following the guidance in [Create a private Azure Kubernetes Service cluster](/azure/aks/private-clusters).

-2. Disable public Ingestion on your Log Analytics workspace.

- Use the following command to disable public ingestion on an existing workspace.

- ```cli

- az monitor log-analytics workspace update --resource-group <azureLogAnalyticsWorkspaceResourceGroup> --workspace-name <azureLogAnalyticsWorkspaceName> --ingestion-access Disabled

- ```

- Use the following command to create a new workspace with public ingestion disabled.

- ```cli

- az monitor log-analytics workspace create --resource-group <azureLogAnalyticsWorkspaceResourceGroup> --workspace-name <azureLogAnalyticsWorkspaceName> --ingestion-access Disabled

- ```

-3. Configure private link by following the instructions at [Configure your private link](../logs/private-link-configure.md). Set ingestion access to public and then set to private after the private endpoint is created but before monitoring is enabled. The private link resource region must be same as AKS cluster region.

-4. Enable monitoring for the AKS cluster.

- ```cli

- az aks enable-addons -a monitoring --resource-group <AKSClusterResourceGorup> --name <AKSClusterName> --workspace-resource-id <workspace-resource-id>

- ```

-## Next steps

-* If you experience issues while you attempt to onboard the solution, review the [Troubleshooting guide](container-insights-troubleshoot.md).

-* With monitoring enabled to collect health and resource utilization of your AKS cluster and workloads running on them, learn [how to use](container-insights-analyze.md) Container insights.

-> For full instructions on how to configure the DCEs associated with your Azure Monitor workspace to use a Private Link for data ingestion, see [Use a private link for Managed Prometheus data ingestion](../essentials/private-link-data-ingestion.md).

-description: Overview of private link for secure data ingestion to Azure Monitor workspace from virtual networks.

-# Private Link for data ingestion for Managed Prometheus and Azure Monitor workspace

-Private links for data ingestion for Managed Prometheus are configured on the Data Collection Endpoints (DCE) of the workspace that stores the data.

-This article shows you how to configure the DCEs associated with your Azure Monitor workspace to use a Private Link for data ingestion.

-To define your Azure Monitor Private Link scope (AMPLS), see [Azure Monitor private link documentation](../logs/private-link-configure.md), then associate your DCEs with the AMPLS.

-Find the DCEs associated with your Azure Monitor workspace.

-1. Open the Azure Monitor workspaces menu in the Azure portal

-2. Select your workspace

-3. Select Data Collection Endpoints from the workspace menu

-The page displays all of the DCEs that are associated with the Azure Monitor workspace and that enable data ingestion into the workspace. Select the DCE you want to configure with Private Link and then follow the steps to [create an Azure Monitor private link scope](../logs/private-link-configure.md) to complete the process.

-Once this is done, navigate to the DCR resource which was created during managed prometheus enablement from the Azure portal and choose 'Resources' under Configuration menu.

-In the Data collection endpoint dropdown, pick a DCE in the same region as the AKS cluster. If the Azure Monitor Workspace is in the same region as the AKS cluster, you can reuse the DCE created during managed prometheus enablement. If not, create a DCE in the same region as the AKS cluster and pick that in the dropdown.

-> [!NOTE]

-> Please refer to [Connect to a data source privately](../../../articles/managed-grafan) for details on how to configure private link for querying data from your Azure Monitor workspace using Grafana.

->

-> Please refer to [use private endpoints for queries](azure-monitor-workspace-private-endpoint.md) for details on how to configure private link for querying data from your Azure Monitor workspace using workbooks (non-grafana).

-## Private link ingestion from a private AKS cluster

-A private Azure Kubernetes Service cluster can by default, send data to Managed Prometheus and your Azure Monitor workspace over the public network, and to the public Data Collection Endpoint.

-If you choose to use an Azure Firewall to limit the egress from your cluster, you can implement one of the following:

-+ Open a path to the public ingestion endpoint. Update the routing table with the following two endpoints:

- - *.handler.control.monitor.azure.com

- - *.ingest.monitor.azure.com

-+ Enable the Azure Firewall to access the Azure Monitor Private Link scope and Data Collection Endpoint that's used for data ingestion

-## Private link ingestion for remote write

-The following steps show how to set up remote write for a Kubernetes cluster over a private link VNET and an Azure Monitor Private Link scope.

-The following are the steps for setting up remote write for a Kubernetes cluster over a private link VNET and an Azure Monitor Private Link scope.

-We start with your on-premises Kubernetes cluster.

-1. Create your Azure virtual network.

-1. Configure the on-premises cluster to connect to an Azure VNET using a VPN gateway or ExpressRoutes with private-peering.

-1. Create an Azure Monitor Private Link scope.

-1. Connect the Azure Monitor Private Link scope to a private endpoint in the virtual network used by the on-premises cluster. This private endpoint is used to access your Data Collection Endpoint(s).

-1. Navigate to your Azure Monitor workspace in the portal. As part of creating your Azure Monitor workspace a system Data Collection Endpoint is created that you can use to ingest data via remote write.

-1. Choose **Data Collection Endpoints** from the Azure Monitor workspace menu.

-1. By default, the system Data Collection Endpoint has the same name as your Azure Monitor workspace. Select this Data Collection Endpoint.

-1. The Data Collection Endpoint, Network Isolation page displays. From this page, select **Add** and choose the Azure Monitor Private Link scope you created. It takes a few minutes for the settings to propagate. Once completed, data from your private AKS cluster is ingested into your Azure Monitor workspace over the private link.

-## Verify that data is being ingested

-To verify data is being ingested, try one of the following methods:

-

-## Next steps

-Capacity pools must be at least 1 TiB and can be increased or decreased in 1-TiB intervals. Capacity pools contain volumes that range in size from a minimum of 100 GiB to a maximum of 100 TiB for regular volumes and up to 1 PiB for [large volumes](azure-netapp-files-understand-storage-hierarchy.md#large-volumes). Volumes are assigned quotas that are subtracted from the capacity poolΓÇÖs provisioned size. For an active volume, capacity consumption against the quota is based on logical (effective) capacity, being active filesystem data or snapshot data. See [How Azure NetApp Files snapshots work](snapshots-introduction.md) for details.

-| Small-to-large volumes | Easily resize file volumes from 100 GiB up to 100 TiB without downtime. | Scale storage as business needs grow without over-provisioning, avoiding upfront cost.

-| Minimum size of a single regular volume | 100 GiB | No |

-* In Example 2, a volume from an auto QoS capacity pool with the Premium storage tier that is assigned 100 GiB of quota will be assigned a throughput limit of 6.25 MiB/s (0.09765625 TiB * 64 MiB/s). This scenario applies regardless of the capacity pool size or the actual volume consumption.

-Before creating a volume in Azure NetApp Files, you must purchase and set up a pool for provisioned capacity. To set up a capacity pool, you must have a NetApp account. Understanding the storage hierarchy helps you set up and manage your Azure NetApp Files resources.

-The following example shows the relationships of the Azure subscription, NetApp accounts, capacity pools, and volumes.

-Azure NetApp Files allows you to create large volumes up to 1 PiB in size. Large volumes begin at a capacity of 50 TiB and scale up to 1 PiB. Regular Azure NetApp Files volumes are offered between 100 GiB and 102,400 GiB.

-See [Requirements and considerations for Azure NetApp Files backup](backup-requirements-considerations.md) for more considerations about using Azure NetApp Files backup.

- * The **Quota** value must be **at least 20% greater** than the size of the backup from which the restore is triggered (minimum 100 GiB). Once the restore is complete, the volume can be resized depending on the size used.

-The following table describes the request body parameters and group level properties required to create a SAP HANA application volume group.

-This table describes the request body parameters and volume properties for creating a volume in a SAP HANA application volume group.

-| `usageThreshhold` | Size of the volume in bytes. This must be in the 100 GiB to 100-TiB range. For instance, 100 GiB = 107374182400 bytes. | None. You should set volume size depending on the volume type. |

-1. Extract the subscription ID. This automates the extraction of the subscription ID and generate the authorization token:

-| `usageThreshhold` | Size of the volume in bytes. This value must be in the 100 GiB to 100-TiB range. For instance, 100 GiB = 107374182400 bytes. | You should set volume size in bytes. |

- * If you choose **System-assigned**, select the **Save** button. The Azure portal configures the NetApp account automatically with the following process: A system-assigned identity is added to your NetApp account. An access policy is to be created on your Azure Key Vault with key permissions Get, Encrypt, Decrypt.

-All Azure NetApp Files volumes are encrypted using the FIPS 140-2 standard. Learn [how encryption keys managed](#how-are-encryption-keys-managed).

-Also, customer-managed keys using Azure Dedicated HSM is supported on a controlled basis. Support is currently available in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access [with the Azure NetApp Files feedback form](https://aka.ms/ANFFeedback). As capacity becomes available, requests will be approved.

-## August 2024

-[Shared disks](../virtual-machines/disks-shared-enable.md) | Not supported. <br><br> You can exclude shared disk with Enhanced policy and backup the other supported disks in the VM.

-# Authenticate Batch Management solutions with Active Directory

-Applications that call the Azure Batch Management service authenticate with [Microsoft Authentication Library](../active-directory/develop/msal-overview.md) (Microsoft Entra ID). Microsoft Entra ID is Microsoft's multi-tenant cloud based directory and identity management service. Azure itself uses Microsoft Entra ID for the authentication of its customers, service administrators, and organizational users.

-| | Connect to an ongoing call or Room | ✔️ | ✔️ | ✔️ | ✔️ |

-| | Blind Transfer* a 1:1 call to another endpoint | ✔️ | ✔️ | ✔️ | ✔️ |

-| | Blind Transfer* a participant from group call to another endpoint| ✔️ | ✔️ | ✔️ | ✔️ |

-*Transfer or redirect of a VoIP call to a phone number is currently not supported.

-**Connect Call**

-## Connect to a call

-* This workflow uses the Gmail connector with the Twitter connector:

-description: Learn to use the built-in Twitter authentication provider in Azure Container Apps.

-# Enable authentication and authorization in Azure Container Apps with Twitter

-This article shows how to configure Azure Container Apps to use Twitter as an authentication provider.

-To complete the procedure in this article, you need a Twitter account that has a verified email address and phone number. To create a new Twitter account, go to [twitter.com].

-## <a name="twitter-register"> </a>Register your application with Twitter

-1. Sign in to the [Azure portal] and go to your application. Copy your **URL**. You'll use it to configure your Twitter app.

-1. Go to the [Twitter Developers] website, sign in with your Twitter account credentials, and select **Create an app**.

-1. Enter the **App name** and the **Application description** for your new app. Paste your application's **URL** into the **Website URL** field. In the **Callback URLs** section, enter the HTTPS URL of your container app and append the path `/.auth/login/twitter/callback`. For example, `https://<hostname>.azurecontainerapps.io/.auth/login/twitter/callback`.

-## <a name="twitter-secrets"> </a>Add Twitter information to your application

-You're now ready to use Twitter for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration.

-* [Twitter](authentication-twitter.md)

-* You can integrate with multiple providers including Microsoft Entra ID, Facebook, Google, and Twitter.

-| [Twitter](https://developer.twitter.com/en/docs/basics/authentication) | `/.auth/login/twitter` | [Twitter](authentication-twitter.md) |

-The portal configuration doesn't offer a turn-key way to present multiple sign-in providers to your users (such as both Facebook and Twitter). However, it isn't difficult to add the functionality to your app. The steps are outlined as follows:

-<a href="/.auth/login/twitter">Log in with Twitter</a>

-* [Twitter](authentication-twitter.md)

-* The [Azure Container Registry](../container-registry/container-registry-vnet.md) must have [Public Access set to 'All Networks'](../container-registry/container-registry-access-selected-networks.md). To use an Azure container registry with Public Access set to 'Select Networks' or 'None', visit [ACI's article for using Managed-Identity based authentication with ACR](../container-registry/container-registry-authentication-managed-identity.md).

-1. On the **Which API best suits your workload?** page, select the **Create** option within the **Azure Cosmos DB for MongoDB** section. For more information, see [API for MongoDB and it's various models](../choose-model.md).

- :::image type="content" source="media/quickstart-portal/select-resource-type.png" alt-text="Screenshot of the select resource type option page for Azure Cosmos DB for MongoDB.":::

- :::image type="content" source="media/quickstart-portal/select-cluster-option.png" alt-text="Screenshot of the configure cluster option for a new Azure Cosmos DB for MongoDB cluster.":::

-1. Unselect **High availability** option. In the high availability (HA) acknowledgment section, select **I understand**. Finally, select **Save** to persist your changes to the cluster tier.

- :::image type="content" source="media/quickstart-portal/configure-scale.png" alt-text="Screenshot of cluster tier and scale options for a cluster.":::

-

- You can always turn HA on after cluster creation for another layer of protection from failures.

- | MongoDB version | Version of MongoDB to run in your cluster | This value is set to a default of the latest available MongoDB version. |

- :::image type="content" source="media/quickstart-portal/select-delete-resource-group-option.png" alt-text="Screenshot of the delete resource group option in the menu for a specific resource group.":::

-| Location | MCA | Normalized location of the resource, if different resource locations are configured for the same regions. Purchases and Marketplace usage might be shown as blank or `unassigned`. |

-| MeterRegion | All | Name of the datacenter location for services priced based on location. See `Location`. |

-| ResourceLocation┬╣ | All | Datacenter location where the resource is running. See `Location`. |

-5. Specify the storage container and directory path for the export file.

-6. File partitioning is enabled by default. It splits large files into smaller ones.

-7. **Overwrite data** is enabled by default. For daily exports, it replaces the previous day's file with an updated file.

-8. Select **Next** to move to the **Review + create** tab.

-| Cost and usage (actual) | ΓÇó EA<br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise<br> ΓÇó MCA that you buy through a Microsoft partner <br> ΓÇó Microsoft Online Service Program (MOSP), also known as pay-as-you-go (PAYG) <br> ΓÇó Azure internal | ΓÇó EA - Enrollment, department, account, management group, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, Invoice section, subscription, and resource group <br> ΓÇó Microsoft Partner Agreement (MPA) - Customer, subscription, and resource group |

-| Cost and usage (amortized) | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner <br> ΓÇó Microsoft Online Service Program (MOSP), also known as pay-as-you-go (PAYG) <br> ΓÇó Azure internal | ΓÇó EA - Enrollment, department, account, management group, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, Invoice section, subscription, and resource group <br> ΓÇó MPA - Customer, subscription, and resource group |

-1. Why is file partitioning enabled in exports?

-If you're a billing administrator (partner billing administrator or Enterprise Administrator), you might not have the required permission to reactive the subscription. If this situation applies to you, contact the Account Administrator, or subscription Owner and ask them to reactivate the subscription.

-For other subscription types, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to have your subscription reactivated.

-You can't transfer support plans. If you have a support plan, then you should cancel it. Then you can buy a new one for the new agreement. If you cancel an Azure support plan, you're billed for the rest of the month. Cancelling a support plan doesn't result in a prorated refund. For more information about support plans, see [Azure support plans](https://azure.microsoft.com/support/plans/).

-You can assign these roles from the [Azure portal](https://portal.azure.com).

->[!NOTE]

->Currently, the user-assigned managed identity authentication is not supported in data flow.

- }

-To create a cluster, copy the following command to your REST API tool e.g Postman

-description: Learn how to use Apache Hive and Apache Hadoop on HDInsight to transform raw TWitter data into a searchable Hive table.

-# Analyze Twitter data using Apache Hive and Apache Hadoop on HDInsight

-Learn how to use [Apache Hive](https://hive.apache.org/) to process Twitter data. The result is a list of Twitter users who sent the most tweets that contain a certain word.

-Twitter allows you to retrieve the data for each tweet as a JavaScript Object Notation (JSON) document through a REST API. [OAuth](https://oauth.net) is required for authentication to the API.

-### Create a Twitter application

-1. From a web browser, sign in to [https://developer.twitter.com](https://developer.twitter.com). Select the **Sign-up now** link if you don't have a Twitter account.

-The following Python code downloads 10,000 tweets from Twitter and save them to a file named **tweets.txt**.

-1. Edit the code below by replacing `Your consumer secret`, `Your consumer key`, `Your access token`, and `Your access token secret` with the relevant information from your twitter application. Then paste the edited code as the contents of the **gettweets.py** file.

- #Twitter app information

-hdfs dfs -mkdir -p /tutorials/twitter/data

-hdfs dfs -put tweets.txt /tutorials/twitter/data/tweets.txt

- nano twitter.hql

- -- Create it, pointing toward the tweets logged from Twitter

- STORED AS TEXTFILE LOCATION '/tutorials/twitter/data';

- beeline -u 'jdbc:hive2://headnodehost:10001/;transportMode=http' -i twitter.hql

- This command runs the **twitter.hql** file. Once the query completes, you see a `jdbc:hive2//localhost:10001/>` prompt.

-## Fixed issues

-## :::image type="icon" border="false" source="./media/hdinsight-release-notes/clock.svg"::: Coming soon

-### Release date: Jul 05, 2024

-> [!NOTE]

-> This is a Hotfix / maintenance release for Resource Provider. For more information see, [Resource Provider](.//hdinsight-overview-versioning.md#hdinsight-resource-provider)

-### Fixed issues

-* HOBO tags overwrite user tags.

- * HOBO tags overwrite user tags on sub-resources in HDInsight cluster creation.

-### Release date: Jun 19, 2024

-HDInsight release will be available to all regions over several days. This release note is applicable for image number **2406180258**. [How to check the image number?](./view-hindsight-cluster-image-version.md)

-## Fixed issues

-* Security enhancements

- * Improvements on using Tags for clusters in line with the [SFI](https://www.microsoft.com/microsoft-cloud/resources/secure-future-initiative) requirements.

- * Improvements in probes scripts as per the [SFI](https://www.microsoft.com/microsoft-cloud/resources/secure-future-initiative) requirements.