+To use identity-based connections in the WebJobs SDK, make sure you are using the latest versions of WebJobs packages in your project. You should also ensure you have a reference to [Microsoft.Azure.WebJobs.Host.Storage](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Host.Storage). The following is an example of what your project file might look like after making these updates:

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <OutputType>Exe</OutputType>

+ <TargetFramework>net48</TargetFramework>

+ <IsWebJobProject>true</IsWebJobProject>

+ <WebJobName>$(AssemblyName)</WebJobName>

+ <WebJobType>Continuous</WebJobType>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.Azure.WebJobs" Version="3.0.41" />

+ <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Storage.Queues" Version="5.3.1" />

+ <PackageReference Include="Microsoft.Azure.WebJobs.Host.Storage" Version="5.0.1" />

+ <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="2.1.1" />

+ </ItemGroup>

+ <ItemGroup>

+ <None Update="appsettings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ </ItemGroup>

+</Project>

+```

+When setting up WebJobs within your HostBuilder, make sure to include a call to `AddAzureStorageCoreServices`, as this is what allows `AzureWebJobsStorage` and other Storage triggers and bindings to use identity:

+When your code is run locally, this will default to using your developer identity per the behavior described for [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential).

+Clone the [https://github.com/Azure-Samples/azure-cache-redis-samples](https://github.com/Azure-Samples/azure-cache-redis-samples) GitHub repo and navigate to the `quickstart/aspnet-core` directory to view the completed source code for the steps ahead.

+The `quickstart/aspnet-core` directory is also configured as an [Azure Developer CLI (`azd`)](/azure/developer/azure-developer-cli/overview) template. Use the open-source `azd` tool to streamline the provisioning and deployment from a local environment to Azure. Optionally, run the `azd up` command to automatically provision an Azure Cache for Redis instance, and to configure the local sample app to connect to it:

+```azdeveloper

+azd up

+```

+### Explore the eShop sample

+## Add a local secret for the host name

+In your command window, execute the following command to store a new secret named *RedisHostName*, after replacing the placeholders, including angle brackets, for your cache name and primary access key:

+dotnet user-secrets set RedisHostName "<cache-name>.redis.cache.windows.net"

+The `RedisConnection.cs` class includes the `StackExchange.Redis` and `Azure.Identity` namespaces at the top of the file to include essential types to connect to Azure Cache for Redis.

+using Azure.Identity;

+This property cannot be set for apps running on the Linux Consumption SKU, and it cannot be set for apps running on version 1.x of Azure Functions. If you are using version 1.x, you must first [migrate to version 4.x](./migrate-version-1-version-4.md).

+If you don't need these resources, you can delete them by running the following command:

+Function apps can serve administrative endpoints under the `/admin` route that can be used for operations such as obtaining host status information and performing test invocations. When exposed, requests against these endpoints must include the app's master key. Administrative operations are also available through the [Azure Resource Manager `Microsoft.Web/sites` API](/rest/api/appservice/web-apps), which offers Azure RBAC. You can disable the `/admin` endpoints by setting the `functionsRuntimeAdminIsolationEnabled` site property to `true`. This property cannot be set for apps running on the Linux Consumption SKU, and it cannot be set for apps running on version 1.x of Azure Functions. If you are using version 1.x, you must first [migrate to version 4.x](./migrate-version-1-version-4.md).

+> [!NOTE]

+> Multiline support that uses an [ISO 8601](https://wikipedia.org/wiki/ISO_8601) time stamp to delimited events is expected mid-October 2024

+> [!NOTE]

+> Multiline support that uses an [ISO 8601](https://wikipedia.org/wiki/ISO_8601) time stamp to delimited events is expected mid-October 2024

+> [!NOTE]

+> This feature is currently in public preview. For additional information, please read the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms).

+- This article describes how to connect your cluster to an existing Azure Monitor Private Link Scope (AMPLS). Create an AMPLS following the guidance in [Configure your private link](../logs/private-link-configure.md).

+ - Azure CLI version 2.61.0 or higher.

+| <a id='BCP001' />BCP001 | Error | The following token isn't recognized: "{token}". |

+| <a id='BCP002' />BCP002 | Error | The multi-line comment at this location isn't terminated. Terminate it with the */ character sequence. |

+| <a id='BCP003' />BCP003 | Error | The string at this location isn't terminated. Terminate the string with a single quote character. |

+| <a id='BCP004' />BCP004 | Error | The string at this location isn't terminated due to an unexpected new line character. |

+| <a id='BCP005' />BCP005 | Error | The string at this location isn't terminated. Complete the escape sequence and terminate the string with a single unescaped quote character. |

+| <a id='BCP006' />BCP006 | Error | The specified escape sequence isn't recognized. Only the following escape sequences are allowed: {ToQuotedString(escapeSequences)}. |

+| <a id='BCP007' />BCP007 | Error | This declaration type isn't recognized. Specify a metadata, parameter, variable, resource, or output declaration. |

+| <a id='BCP008' />BCP008 | Error | Expected the "=" token, or a newline at this location. |

+| <a id='BCP009' />BCP009 | Error | Expected a literal value, an array, an object, a parenthesized expression, or a function call at this location. |

+| <a id='BCP010' />BCP010 | Error | Expected a valid 64-bit signed integer. |

+| <a id='BCP011' />BCP011 | Error | The type of the specified value is incorrect. Specify a string, boolean, or integer literal. |

+| <a id='BCP012' />BCP012 | Error | Expected the "{keyword}" keyword at this location. |

+| <a id='BCP013' />BCP013 | Error | Expected a parameter identifier at this location. |

+| <a id='BCP015' />BCP015 | Error | Expected a variable identifier at this location. |

+| <a id='BCP016' />BCP016 | Error | Expected an output identifier at this location. |

+| <a id='BCP017' />BCP017 | Error | Expected a resource identifier at this location. |

+| <a id='BCP019' />BCP019 | Error | Expected a new line character at this location. |

+| <a id='BCP020' />BCP020 | Error | Expected a function or property name at this location. |

+| <a id='BCP021' />BCP021 | Error | Expected a numeric literal at this location. |

+| <a id='BCP022' />BCP022 | Error | Expected a property name at this location. |

+| <a id='BCP023' />BCP023 | Error | Expected a variable or function name at this location. |

+| <a id='BCP024' />BCP024 | Error | The identifier exceeds the limit of {LanguageConstants.MaxIdentifierLength}. Reduce the length of the identifier. |

+| <a id='BCP025' />BCP025 | Error | The property "{property}" is declared multiple times in this object. Remove or rename the duplicate properties. |

+| <a id='BCP026' />BCP026 | Error | The output expects a value of type "{expectedType}" but the provided value is of type "{actualType}". |

+| <a id='BCP028' />BCP028 | Error | Identifier "{identifier}" is declared multiple times. Remove or rename the duplicates. |

+| <a id='BCP029' />BCP029 | Error | The resource type isn't valid. Specify a valid resource type of format "\<types>@\<apiVersion>". |

+| <a id='BCP030' />BCP030 | Error | The output type isn't valid. Specify one of the following types: {ToQuotedString(validTypes)}. |

+| <a id='BCP031' />BCP031 | Error | The parameter type isn't valid. Specify one of the following types: {ToQuotedString(validTypes)}. |

+| <a id='BCP032' />BCP032 | Error | The value must be a compile-time constant. |

+| <a id='BCP034' />BCP034 | Error/Warning | The enclosing array expected an item of type "{expectedType}", but the provided item was of type "{actualType}". |

+| <a id='BCP041' />BCP041 | Error | Values of type "{valueType}" can't be assigned to a variable. |

+| <a id='BCP043' />BCP043 | Error | This isn't a valid expression. |

+| <a id='BCP044' />BCP044 | Error | Can't apply operator "{operatorName}" to operand of type "{type}". |

+| <a id='BCP045' />BCP045 | Error | Can't apply operator "{operatorName}" to operands of type "{type1}" and "{type2}".{(additionalInfo is null? string.Empty : " " + additionalInfo)} |

+| <a id='BCP046' />BCP046 | Error | Expected a value of type "{type}". |

+| <a id='BCP047' />BCP047 | Error | String interpolation is unsupported for specifying the resource type. |

+| <a id='BCP048' />BCP048 | Error | Can't resolve function overload. For details, see the documentation. |

+| <a id='BCP049' />BCP049 | Error | The array index must be of type "{LanguageConstants.String}" or "{LanguageConstants.Int}" but the provided index was of type "{wrongType}". |

+| <a id='BCP050' />BCP050 | Error | The specified path is empty. |

+| <a id='BCP051' />BCP051 | Error | The specified path begins with "/". Files must be referenced using relative paths. |

+| <a id='BCP052' />[BCP052](./diagnostics/bcp052.md) | Error/Warning | The type \<type-name> doesn't contain property \<property-name>. |

+| <a id='BCP054' />BCP054 | Error | The type "{type}" doesn't contain any properties. |

+| <a id='BCP055' />[BCP055](./diagnostics/bcp055.md) | Error | Can't access properties of type \<type-name>. A \<type-name> type is required. |

+| <a id='BCP056' />BCP056 | Error | The reference to name "{name}" is ambiguous because it exists in namespaces {ToQuotedString(namespaces)}. The reference must be fully qualified. |

+| <a id='BCP059' />BCP059 | Error | The name "{name}" isn't a function. |

+| <a id='BCP060' />BCP060 | Error | The "variables" function isn't supported. Directly reference variables by their symbolic names. |

+| <a id='BCP061' />BCP061 | Error | The "parameters" function isn't supported. Directly reference parameters by their symbolic names. |

+| <a id='BCP063' />BCP063 | Error | The name "{name}" isn't a parameter, variable, resource, or module. |

+| <a id='BCP064' />BCP064 | Error | Found unexpected tokens in interpolated expression. |

+| <a id='BCP065' />BCP065 | Error | Function "{functionName}" isn't valid at this location. It can only be used as a parameter default value. |

+| <a id='BCP066' />BCP066 | Error | Function "{functionName}" isn't valid at this location. It can only be used in resource declarations. |

+| <a id='BCP067' />BCP067 | Error | Can't call functions on type "{wrongType}". An "{LanguageConstants.Object}" type is required. |

+| <a id='BCP068' />BCP068 | Error | Expected a resource type string. Specify a valid resource type of format "\<types>@\<apiVersion>". |

+| <a id='BCP069' />BCP069 | Error | The function "{function}" isn't supported. Use the "{@operator}" operator instead. |

+| <a id='BCP070' />BCP070 | Error | Argument of type "{argumentType}" isn't assignable to parameter of type "{parameterType}". |

+| <a id='BCP071' />BCP071 | Error | Expected {expected}, but got {argumentCount}. |

+| <a id='BCP074' />BCP074 | Error | Indexing over arrays requires an index of type "{LanguageConstants.Int}" but the provided index was of type "{wrongType}". |

+| <a id='BCP075' />BCP075 | Error | Indexing over objects requires an index of type "{LanguageConstants.String}" but the provided index was of type "{wrongType}". |

+| <a id='BCP076' />BCP076 | Error | Can't index over expression of type "{wrongType}". Arrays or objects are required. |

+| <a id='BCP079' />BCP079 | Error | This expression is referencing its own declaration, which isn't allowed. |

+| <a id='BCP080' />BCP080 | Error | The expression is involved in a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| <a id='BCP081' />BCP081 | Warning | Resource type "{resourceTypeReference.FormatName()}" doesn't have types available. Bicep is unable to validate resource properties prior to deployment, but this won't block the resource from being deployed. |

+| <a id='BCP082' />BCP082 | Error | The name "{name}" doesn't exist in the current context. Did you mean "{suggestedName}"? |

+| <a id='BCP084' />BCP084 | Error | The symbolic name "{name}" is reserved. Use a different symbolic name. Reserved namespaces are {ToQuotedString(namespaces.OrderBy(ns => ns))}. |

+| <a id='BCP085' />BCP085 | Error | The specified file path contains one or more invalid path characters. The following aren't permitted: {ToQuotedString(forbiddenChars.OrderBy(x => x).Select(x => x.ToString()))}. |

+| <a id='BCP086' />BCP086 | Error | The specified file path ends with an invalid character. The following aren't permitted: {ToQuotedString(forbiddenPathTerminatorChars.OrderBy(x => x).Select(x => x.ToString()))}. |

+| <a id='BCP087' />BCP087 | Error | Array and object literals aren't allowed here. |

+| <a id='BCP090' />BCP090 | Error | This module declaration is missing a file path reference. |

+| <a id='BCP091' />BCP091 | Error | An error occurred reading file. {failureMessage} |

+| <a id='BCP092' />BCP092 | Error | String interpolation isn't supported in file paths. |

+| <a id='BCP093' />BCP093 | Error | File path "{filePath}" couldn't be resolved relative to "{parentPath}". |

+| <a id='BCP094' />BCP094 | Error | This module references itself, which isn't allowed. |

+| <a id='BCP095' />BCP095 | Error | The file is involved in a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| <a id='BCP096' />BCP096 | Error | Expected a module identifier at this location. |

+| <a id='BCP097' />BCP097 | Error | Expected a module path string. This should be a relative path to another Bicep file, e.g. 'myModule.bicep' or '../parent/myModule.bicep' |

+| <a id='BCP098' />BCP098 | Error | The specified file path contains a "\" character. Use "/" instead as the directory separator character. |

+| <a id='BCP099' />BCP099 | Error | The "{LanguageConstants.ParameterAllowedPropertyName}" array must contain one or more items. |

+| <a id='BCP100' />BCP100 | Error | The function "if" isn't supported. Use the "?:\" (ternary conditional) operator instead, e.g. condition ? ValueIfTrue : ValueIfFalse |

+| <a id='BCP101' />BCP101 | Error | The "createArray" function isn't supported. Construct an array literal using []. |

+| <a id='BCP102' />BCP102 | Error | The "createObject" function isn't supported. Construct an object literal using {}. |

+| <a id='BCP103' />BCP103 | Error | The following token isn't recognized: "{token}". Strings are defined using single quotes in Bicep. |

+| <a id='BCP104' />BCP104 | Error | The referenced module has errors. |

+| <a id='BCP105' />BCP105 | Error | Unable to load file from URI "{fileUri}". |

+| <a id='BCP106' />BCP106 | Error | Expected a new line character at this location. Commas aren't used as separator delimiters. |

+| <a id='BCP107' />BCP107 | Error | The function "{name}" doesn't exist in namespace "{namespaceType.Name}". |

+| <a id='BCP108' />BCP108 | Error | The function "{name}" doesn't exist in namespace "{namespaceType.Name}". Did you mean "{suggestedName}"? |

+| <a id='BCP109' />BCP109 | Error | The type "{type}" doesn't contain function "{name}". |

+| <a id='BCP110' />BCP110 | Error | The type "{type}" doesn't contain function "{name}". Did you mean "{suggestedName}"? |

+| <a id='BCP111' />BCP111 | Error | The specified file path contains invalid control code characters. |

+| <a id='BCP112' />BCP112 | Error | The "{LanguageConstants.TargetScopeKeyword}" can't be declared multiple times in one file. |

+| <a id='BCP113' />BCP113 | Warning | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeTenant}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include tenant: tenant(), named management group: managementGroup(\<name>), named subscription: subscription(\<subId>), or named resource group in a named subscription: resourceGroup(\<subId>, \<name>). |

+| <a id='BCP114' />BCP114 | Warning | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeManagementGroup}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current management group: managementGroup(), named management group: managementGroup(\<name>), named subscription: subscription(\<subId>), tenant: tenant(), or named resource group in a named subscription: resourceGroup(\<subId>, \<name>). |

+| <a id='BCP115' />BCP115 | Warning | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeSubscription}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current subscription: subscription(), named subscription: subscription(\<subId>), named resource group in same subscription: resourceGroup(\<name>), named resource group in different subscription: resourceGroup(\<subId>, \<name>), or tenant: tenant(). |

+| <a id='BCP116' />BCP116 | Warning | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeResourceGroup}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current resource group: resourceGroup(), named resource group in same subscription: resourceGroup(\<name>), named resource group in a different subscription: resourceGroup(\<subId>, \<name>), current subscription: subscription(), named subscription: subscription(\<subId>) or tenant: tenant(). |

+| <a id='BCP117' />BCP117 | Error | An empty indexer isn't allowed. Specify a valid expression. |

+| <a id='BCP118' />BCP118 | Error | Expected the "{" character, the "[" character, or the "if" keyword at this location. |

+| <a id='BCP119' />BCP119 | Warning | Unsupported scope for extension resource deployment. Expected a resource reference. |

+| <a id='BCP120' />BCP120 | Error | This expression is being used in an assignment to the "{propertyName}" property of the "{objectTypeName}" type, which requires a value that can be calculated at the start of the deployment. |

+| <a id='BCP121' />BCP121 | Error | Resources: {ToQuotedString(resourceNames)} are defined with this same name in a file. Rename them or split into different modules. |

+| <a id='BCP122' />BCP122 | Error | Modules: {ToQuotedString(moduleNames)} are defined with this same name and this same scope in a file. Rename them or split into different modules. |

+| <a id='BCP123' />BCP123 | Error | Expected a namespace or decorator name at this location. |

+| <a id='BCP124' />BCP124 | Error | The decorator "{decoratorName}" can only be attached to targets of type "{attachableType}", but the target has type "{targetType}". |

+| <a id='BCP125' />BCP125 | Error | Function "{functionName}" can't be used as a parameter decorator. |

+| <a id='BCP126' />BCP126 | Error | Function "{functionName}" can't be used as a variable decorator. |

+| <a id='BCP127' />BCP127 | Error | Function "{functionName}" can't be used as a resource decorator. |

+| <a id='BCP128' />BCP128 | Error | Function "{functionName}" can't be used as a module decorator. |

+| <a id='BCP129' />BCP129 | Error | Function "{functionName}" can't be used as an output decorator. |

+| <a id='BCP130' />BCP130 | Error | Decorators aren't allowed here. |

+| <a id='BCP132' />BCP132 | Error | Expected a declaration after the decorator. |

+| <a id='BCP133' />BCP133 | Error | The unicode escape sequence isn't valid. Valid unicode escape sequences range from \\u{0} to \\u{10FFFF}. |

+| <a id='BCP134' />BCP134 | Warning | Scope {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(suppliedScope))} isn't valid for this module. Permitted scopes: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(supportedScopes))}. |

+| <a id='BCP135' />BCP135 | Warning | Scope {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(suppliedScope))} isn't valid for this resource type. Permitted scopes: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(supportedScopes))}. |

+| <a id='BCP136' />BCP136 | Error | Expected a loop item variable identifier at this location. |

+| <a id='BCP137' />BCP137 | Error | Loop expected an expression of type "{LanguageConstants.Array}" but the provided value is of type "{actualType}". |

+| <a id='BCP138' />BCP138 | Error | For-expressions aren't supported in this context. For-expressions may be used as values of resource, module, variable, and output declarations, or values of resource and module properties. |

+| <a id='BCP139' />BCP139 | Warning | A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope. |

+| <a id='BCP140' />BCP140 | Error | The multi-line string at this location isn't terminated. Terminate it with "'''. |

+| <a id='BCP141' />BCP141 | Error | The expression can't be used as a decorator as it isn't callable. |

+| <a id='BCP142' />BCP142 | Error | Property value for-expressions can't be nested. |

+| <a id='BCP143' />BCP143 | Error | For-expressions can't be used with properties whose names are also expressions. |

+| <a id='BCP144' />BCP144 | Error | Directly referencing a resource or module collection isn't currently supported here. Apply an array indexer to the expression. |

+| <a id='BCP145' />BCP145 | Error | Output "{identifier}" is declared multiple times. Remove or rename the duplicates. |

+| <a id='BCP147' />BCP147 | Error | Expected a parameter declaration after the decorator. |

+| <a id='BCP148' />BCP148 | Error | Expected a variable declaration after the decorator. |

+| <a id='BCP149' />BCP149 | Error | Expected a resource declaration after the decorator. |

+| <a id='BCP150' />BCP150 | Error | Expected a module declaration after the decorator. |

+| <a id='BCP151' />BCP151 | Error | Expected an output declaration after the decorator. |

+| <a id='BCP152' />BCP152 | Error | Function "{functionName}" can't be used as a decorator. |

+| <a id='BCP153' />BCP153 | Error | Expected a resource or module declaration after the decorator. |

+| <a id='BCP154' />BCP154 | Error | Expected a batch size of at least {limit} but the specified value was "{value}". |

+| <a id='BCP155' />BCP155 | Error | The decorator "{decoratorName}" can only be attached to resource or module collections. |

+| <a id='BCP156' />BCP156 | Error | The resource type segment "{typeSegment}" is invalid. Nested resources must specify a single type segment, and optionally can specify an API version using the format "\<type>@\<apiVersion>". |

+| <a id='BCP157' />BCP157 | Error | The resource type can't be determined due to an error in the containing resource. |

+| <a id='BCP158' />BCP158 | Error | Can't access nested resources of type "{wrongType}". A resource type is required. |

+| <a id='BCP159' />BCP159 | Error | The resource "{resourceName}" doesn't contain a nested resource named "{identifierName}". Known nested resources are: {ToQuotedString(nestedResourceNames)}. |

+| <a id='BCP160' />BCP160 | Error | A nested resource can't appear inside of a resource with a for-expression. |

+| <a id='BCP162' />BCP162 | Error | Expected a loop item variable identifier or "(" at this location. |

+| <a id='BCP164' />BCP164 | Error | A child resource's scope is computed based on the scope of its ancestor resource. This means that using the "scope" property on a child resource is unsupported. |

+| <a id='BCP165' />BCP165 | Error | A resource's computed scope must match that of the Bicep file for it to be deployable. This resource's scope is computed from the "scope" property value assigned to ancestor resource "{ancestorIdentifier}". You must use modules to deploy resources to a different scope. |

+| <a id='BCP166' />BCP166 | Error | Duplicate "{decoratorName}" decorator. |

+| <a id='BCP167' />BCP167 | Error | Expected the "{" character or the "if" keyword at this location. |

+| <a id='BCP168' />BCP168 | Error | Length must not be a negative value. |

+| <a id='BCP169' />BCP169 | Error | Expected resource name to contain {expectedSlashCount} "/" character(s). The number of name segments must match the number of segments in the resource type. |

+| <a id='BCP170' />BCP170 | Error | Expected resource name to not contain any "/" characters. Child resources with a parent resource reference (via the parent property or via nesting) must not contain a fully-qualified name. |

+| <a id='BCP171' />BCP171 | Error | Resource type "{resourceType}" isn't a valid child resource of parent "{parentResourceType}". |

+| <a id='BCP172' />BCP172 | Error | The resource type can't be validated due to an error in parent resource "{resourceName}". |

+| <a id='BCP173' />BCP173 | Error | The property "{property}" can't be used in an existing resource declaration. |

+| <a id='BCP174' />BCP174 | Warning | Type validation isn't available for resource types declared containing a "/providers/" segment. Instead use the "scope" property. |

+| <a id='BCP176' />BCP176 | Error | Values of the "any" type aren't allowed here. |

+| <a id='BCP177' />BCP177 | Error | This expression is being used in the if-condition expression, which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| <a id='BCP178' />BCP178 | Error | This expression is being used in the for-expression, which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| <a id='BCP179' />BCP179 | Warning | Unique resource or deployment name is required when looping. The loop item variable "{itemVariableName}" or the index variable "{indexVariableName}" must be referenced in at least one of the value expressions of the following properties in the loop body: {ToQuotedString(expectedVariantProperties)} |

+| <a id='BCP180' />BCP180 | Error | Function "{functionName}" isn't valid at this location. It can only be used when directly assigning to a module parameter with a secure decorator. |

+| <a id='BCP181' />BCP181 | Error | This expression is being used in an argument of the function "{functionName}", which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| <a id='BCP182' />BCP182 | Error | This expression is being used in the for-body of the variable "{variableName}", which requires values that can be calculated at the start of the deployment.{variableDependencyChainClause}{violatingPropertyNameClause}{accessiblePropertiesClause} |

+| <a id='BCP183' />BCP183 | Error | The value of the module "params" property must be an object literal. |

+| <a id='BCP184' />BCP184 | Error | File '{filePath}' exceeded maximum size of {maxSize} {unit}. |

+| <a id='BCP185' />BCP185 | Warning | Encoding mismatch. File was loaded with '{detectedEncoding}' encoding. |

+| <a id='BCP186' />BCP186 | Error | Unable to parse literal JSON value. Ensure that it's well-formed. |

+| <a id='BCP187' />BCP187 | Warning | The property "{property}" doesn't exist in the resource or type definition, although it might still be valid.{TypeInaccuracyClause} |

+| <a id='BCP188' />BCP188 | Error | The referenced ARM template has errors. See [https://aka.ms/arm-template](https://aka.ms/arm-template) for information on how to diagnose and fix the template. |

+| <a id='BCP189' />BCP189 | Error | (allowedSchemes.Contains(ArtifactReferenceSchemes.Local, StringComparer.Ordinal), allowedSchemes.Any(scheme => !string.Equals(scheme, ArtifactReferenceSchemes.Local, StringComparison.Ordinal))) switch { (false, false) => "Module references aren't supported in this context.", (false, true) => $"The specified module reference scheme \"{badScheme}\" isn't recognized. Specify a module reference using one of the following schemes: {FormatSchemes()}", (true, false) => $"The specified module reference scheme \"{badScheme}\" isn't recognized. Specify a path to a local module file.", (true, true) => $"The specified module reference scheme \"{badScheme}\" isn't recognized. Specify a path to a local module file or a module reference using one of the following schemes: {FormatSchemes()}"} |

+| <a id='BCP190' />BCP190 | Error | The artifact with reference "{artifactRef}" hasn't been restored. |

+| <a id='BCP191' />BCP191 | Error | Unable to restore the artifact with reference "{artifactRef}". |

+| <a id='BCP193' />BCP193 | Error | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} Specify a reference in the format of "{ArtifactReferenceSchemes.Oci}:\<artifact-uri>:\<tag>", or "{ArtifactReferenceSchemes.Oci}/\<module-alias>:\<module-name-or-path>:\<tag>". |

+| <a id='BCP194' />BCP194 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, badRef)} Specify a reference in the format of "{ArtifactReferenceSchemes.TemplateSpecs}:\<subscription-ID>/\<resource-group-name>/\<template-spec-name>:\<version>", or "{ArtifactReferenceSchemes.TemplateSpecs}/\<module-alias>:\<template-spec-name>:\<version>". |

+| <a id='BCP195' />BCP195 | Error | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} The artifact path segment "{badSegment}" isn't valid. Each artifact name path segment must be a lowercase alphanumeric string optionally separated by a ".", "_", or \"-\"." |

+| <a id='BCP196' />BCP196 | Error | The module tag or digest is missing. |

+| <a id='BCP197' />BCP197 | Error | The tag "{badTag}" exceeds the maximum length of {maxLength} characters. |

+| <a id='BCP198' />BCP198 | Error | The tag "{badTag}" isn't valid. Valid characters are alphanumeric, ".", "_", or "-" but the tag can't begin with ".", "_", or "-". |

+| <a id='BCP199' />BCP199 | Error | Module path "{badRepository}" exceeds the maximum length of {maxLength} characters. |

+| <a id='BCP200' />BCP200 | Error | The registry "{badRegistry}" exceeds the maximum length of {maxLength} characters. |

+| <a id='BCP201' />BCP201 | Error | Expected a provider specification string of with a valid format at this location. Valid formats are "br:\<providerRegistryHost>/\<providerRepositoryPath>@\<providerVersion>" or "br/\<providerAlias>:\<providerName>@\<providerVersion>". |

+| <a id='BCP202' />BCP202 | Error | Expected a provider alias name at this location. |

+| <a id='BCP203' />BCP203 | Error | Using provider statements requires enabling EXPERIMENTAL feature "Extensibility". |

+| <a id='BCP204' />BCP204 | Error | Provider namespace "{identifier}" isn't recognized. |

+| <a id='BCP205' />BCP205 | Error | Provider namespace "{identifier}" doesn't support configuration. |

+| <a id='BCP206' />BCP206 | Error | Provider namespace "{identifier}" requires configuration, but none was provided. |

+| <a id='BCP207' />BCP207 | Error | Namespace "{identifier}" is declared multiple times. Remove the duplicates. |

+| <a id='BCP208' />BCP208 | Error | The specified namespace "{badNamespace}" isn't recognized. Specify a resource reference using one of the following namespaces: {ToQuotedString(allowedNamespaces)}. |

+| <a id='BCP209' />BCP209 | Error | Failed to find resource type "{resourceType}" in namespace "{@namespace}". |

+| <a id='BCP210' />BCP210 | Error | Resource type belonging to namespace "{childNamespace}" can't have a parent resource type belonging to different namespace "{parentNamespace}". |

+| <a id='BCP211' />BCP211 | Error | The module alias name "{aliasName}" is invalid. Valid characters are alphanumeric, "_", or "-". |

+| <a id='BCP212' />BCP212 | Error | The Template Spec module alias name "{aliasName}" doesn't exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| <a id='BCP213' />BCP213 | Error | The OCI artifact module alias name "{aliasName}" doesn't exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| <a id='BCP214' />BCP214 | Error | The Template Spec module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "subscription" property can't be null or undefined. |

+| <a id='BCP215' />BCP215 | Error | The Template Spec module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "resourceGroup" property can't be null or undefined. |

+| <a id='BCP216' />BCP216 | Error | The OCI artifact module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "registry" property can't be null or undefined. |

+| <a id='BCP217' />BCP217 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The subscription ID "{subscriptionId}" isn't a GUID. |

+| <a id='BCP218' />BCP218 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The resource group name "{resourceGroupName}" exceeds the maximum length of {maximumLength} characters. |

+| <a id='BCP219' />BCP219 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The resource group name "{resourceGroupName}" is invalid. Valid characters are alphanumeric, unicode characters, ".", "_", "-", "(", or ")", but the resource group name can't end with ".". |

+| <a id='BCP220' />BCP220 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec name "{templateSpecName}" exceeds the maximum length of {maximumLength} characters. |

+| <a id='BCP221' />BCP221 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec name "{templateSpecName}" is invalid. Valid characters are alphanumeric, ".", "_", "-", "(", or ")", but the Template Spec name can't end with ".". |

+| <a id='BCP222' />BCP222 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec version "{templateSpecVersion}" exceeds the maximum length of {maximumLength} characters. |

+| <a id='BCP223' />BCP223 | Error | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec version "{templateSpecVersion}" is invalid. Valid characters are alphanumeric, ".", "_", "-", "(", or ")", but the Template Spec version can't end with ".". |

+| <a id='BCP224' />BCP224 | Error | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} The digest "{badDigest}" isn't valid. The valid format is a string "sha256:" followed by exactly 64 lowercase hexadecimal digits. |

+| <a id='BCP225' />BCP225 | Warning | The discriminator property "{propertyName}" value can't be determined at compilation time. Type checking for this object is disabled. |

+| <a id='BCP226' />BCP226 | Error | Expected at least one diagnostic code at this location. Valid format is "#disable-next-line diagnosticCode1 diagnosticCode2 ...". |

+| <a id='BCP227' />BCP227 | Error | The type "{resourceType}" can't be used as a parameter or output type. Extensibility types are currently not supported as parameters or outputs. |

+| <a id='BCP229' />BCP229 | Error | The parameter "{parameterName}" can't be used as a resource scope or parent. Resources passed as parameters can't be used as a scope or parent of a resource. |

+| <a id='BCP230' />BCP230 | Warning | The referenced module uses resource type "{resourceTypeReference.FormatName()}" which doesn't have types available. Bicep is unable to validate resource properties prior to deployment, but this won't block the resource from being deployed. |

+| <a id='BCP231' />BCP231 | Error | Using resource-typed parameters and outputs requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ResourceTypedParamsAndOutputs)}". |

+| <a id='BCP232' />BCP232 | Error | Unable to delete the module with reference "{moduleRef}" from cache. |

+| <a id='BCP233' />BCP233 | Error | Unable to delete the module with reference "{moduleRef}" from cache: {message} |

+| <a id='BCP234' />BCP234 | Warning | The ARM function "{armFunctionName}" failed when invoked on the value [{literalValue}]: {message} |

+| <a id='BCP235' />BCP235 | Error | Specified JSONPath doesn't exist in the given file or is invalid. |

+| <a id='BCP236' />BCP236 | Error | Expected a new line or comma character at this location. |

+| <a id='BCP237' />BCP237 | Error | Expected a comma character at this location. |

+| <a id='BCP238' />BCP238 | Error | Unexpected new line character after a comma. |

+| <a id='BCP239' />BCP239 | Error | Identifier "{name}" is a reserved Bicep symbol name and can't be used in this context. |

+| <a id='BCP240' />BCP240 | Error | The "parent" property only permits direct references to resources. Expressions aren't supported. |

+| <a id='BCP241' />BCP241 | Warning | The "{functionName}" function is deprecated and will be removed in a future release of Bicep. Add a comment to https://github.com/Azure/bicep/issues/2017 if you believe this will impact your workflow. |

+| <a id='BCP242' />BCP242 | Error | Lambda functions may only be specified directly as function arguments. |

+| <a id='BCP243' />BCP243 | Error | Parentheses must contain exactly one expression. |

+| <a id='BCP244' />BCP244 | Error | {minArgCount == maxArgCount ? $"Expected lambda expression of type "{lambdaType}" with {minArgCount} arguments but received {actualArgCount} arguments." : $"Expected lambda expression of type "{lambdaType}" with between {minArgCount} and {maxArgCount} arguments but received {actualArgCount} arguments."} |

+| <a id='BCP245' />BCP245 | Warning | Resource type "{resourceTypeReference.FormatName()}" can only be used with the 'existing' keyword. |

+| <a id='BCP246' />BCP246 | Warning | Resource type "{resourceTypeReference.FormatName()}" can only be used with the 'existing' keyword at the requested scope. Permitted scopes for deployment: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(writableScopes))}. |

+| <a id='BCP247' />BCP247 | Error | Using lambda variables inside resource or module array access isn't currently supported. Found the following lambda variable(s) being accessed: {ToQuotedString(variableNames)}. |

+| <a id='BCP248' />BCP248 | Error | Using lambda variables inside the "{functionName}" function isn't currently supported. Found the following lambda variable(s) being accessed: {ToQuotedString(variableNames)}. |

+| <a id='BCP249' />BCP249 | Error | Expected loop variable block to consist of exactly 2 elements (item variable and index variable), but found {actualCount}. |

+| <a id='BCP250' />BCP250 | Error | Parameter "{identifier}" is assigned multiple times. Remove or rename the duplicates. |

+| <a id='BCP256' />BCP256 | Error | The using declaration is missing a Bicep template file path reference. |

+| <a id='BCP257' />BCP257 | Error | Expected a Bicep file path string. This should be a relative path to another Bicep file, e.g. 'myModule.bicep' or '../parent/myModule.bicep' |

+| <a id='BCP258' />BCP258 | Warning | The following parameters are declared in the Bicep file but are missing an assignment in the params file: {ToQuotedString(identifiers)}. |

+| <a id='BCP259' />BCP259 | Error | The parameter "{identifier}" is assigned in the params file without being declared in the Bicep file. |

+| <a id='BCP260' />BCP260 | Error | The parameter "{identifier}" expects a value of type "{expectedType}" but the provided value is of type "{actualType}". |

+| <a id='BCP261' />BCP261 | Error | A using declaration must be present in this parameters file. |

+| <a id='BCP262' />BCP262 | Error | More than one using declaration is present. |

+| <a id='BCP263' />BCP263 | Error | The file specified in the using declaration path doesn't exist. |

+| <a id='BCP264' />BCP264 | Error | Resource type "{resourceTypeName}" is declared in multiple imported namespaces ({ToQuotedStringWithCaseInsensitiveOrdering(namespaces)}), and must be fully-qualified. |

+| <a id='BCP265' />BCP265 | Error | The name "{name}" isn't a function. Did you mean "{knownFunctionNamespace}.{knownFunctionName}"? |

+| <a id='BCP266' />BCP266 | Error | Expected a metadata identifier at this location. |

+| <a id='BCP267' />BCP267 | Error | Expected a metadata declaration after the decorator. |

+| <a id='BCP268' />BCP268 | Error | Invalid identifier: "{name}". Metadata identifiers starting with '_' are reserved. Use a different identifier. |

+| <a id='BCP269' />BCP269 | Error | Function "{functionName}" can't be used as a metadata decorator. |

+| <a id='BCP271' />BCP271 | Error | Failed to parse the contents of the Bicep configuration file "{configurationPath}" as valid JSON: {parsingErrorMessage.TrimEnd('.')}. |

+| <a id='BCP272' />BCP272 | Error | Couldn't load the Bicep configuration file "{configurationPath}": {loadErrorMessage.TrimEnd('.')}. |

+| <a id='BCP273' />BCP273 | Error | Failed to parse the contents of the Bicep configuration file "{configurationPath}" as valid JSON: {parsingErrorMessage.TrimEnd('.')}. |

+| <a id='BCP274' />BCP274 | Warning | Error scanning "{directoryPath}" for Bicep configuration: {scanErrorMessage.TrimEnd('.')}. |

+| <a id='BCP275' />BCP275 | Error | Unable to open file at path "{directoryPath}". Found a directory instead. |

+| <a id='BCP276' />BCP276 | Error | A using declaration can only reference a Bicep file. |

+| <a id='BCP277' />BCP277 | Error | A module declaration can only reference a Bicep file, an ARM template, a registry reference, or a template spec reference. |

+| <a id='BCP278' />BCP278 | Error | This parameters file references itself, which isn't allowed. |

+| <a id='BCP279' />BCP279 | Error | Expected a type at this location. Specify a valid type expression or one of the following types: {ToQuotedString(LanguageConstants.DeclarationTypes.Keys)}. |

+| <a id='BCP285' />BCP285 | Error | The type expression couldn't be reduced to a literal value. |

+| <a id='BCP286' />BCP286 | Error | This union member is invalid because it can't be assigned to the '{keystoneType}' type. |

+| <a id='BCP287' />BCP287 | Error | '{symbolName}' refers to a value but is being used as a type here. |

+| <a id='BCP289' />BCP289 | Error | The type definition isn't valid. |

+| <a id='BCP290' />BCP290 | Error | Expected a parameter or type declaration after the decorator. |

+| <a id='BCP291' />BCP291 | Error | Expected a parameter or output declaration after the decorator. |

+| <a id='BCP292' />BCP292 | Error | Expected a parameter, output, or type declaration after the decorator. |

+| <a id='BCP293' />BCP293 | Error | All members of a union type declaration must be literal values. |

+| <a id='BCP295' />BCP295 | Error | The '{decoratorName}' decorator may not be used on targets of a union or literal type. The allowed values for this parameter or type definition will be derived from the union or literal type automatically. |

+| <a id='BCP296' />BCP296 | Error | Property names on types must be compile-time constant values. |

+| <a id='BCP297' />BCP297 | Error | Function "{functionName}" can't be used as a type decorator. |

+| <a id='BCP298' />BCP298 | Error | This type definition includes itself as a required component, which creates a constraint that can't be fulfilled. |

+| <a id='BCP299' />BCP299 | Error | This type definition includes itself as a required component via a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| <a id='BCP300' />BCP300 | Error | Expected a type literal at this location. Specify a concrete value or a reference to a literal type. |

+| <a id='BCP301' />BCP301 | Error | The type name "{reservedName}" is reserved and may not be attached to a user-defined type. |

+| <a id='BCP303' />BCP303 | Error | String interpolation is unsupported for specifying the provider. |

+| <a id='BCP304' />BCP304 | Error | Invalid provider specifier string. Specify a valid provider of format "\<providerName>@\<providerVersion>". |

+| <a id='BCP305' />BCP305 | Error | Expected the "with" keyword, "as" keyword, or a new line character at this location. |

+| <a id='BCP306' />BCP306 | Error | The name "{name}" refers to a namespace, not to a type. |

+| <a id='BCP307' />BCP307 | Error | The expression can't be evaluated, because the identifier properties of the referenced existing resource including {ToQuotedString(runtimePropertyNames.OrderBy(x => x))} can't be calculated at the start of the deployment. In this situation, {accessiblePropertyNamesClause}{accessibleFunctionNamesClause}. |

+| <a id='BCP308' />BCP308 | Error | The decorator "{decoratorName}" may not be used on statements whose declared type is a reference to a user-defined type. |

+| <a id='BCP309' />BCP309 | Error | Values of type "{flattenInputType.Name}" can't be flattened because "{incompatibleType.Name}" isn't an array type. |

+| <a id='BCP311' />BCP311 | Error | The provided index value of "{indexSought}" isn't valid for type "{typeName}". Indexes for this type must be between 0 and {tupleLength - 1}. |

+| <a id='BCP315' />BCP315 | Error | An object type may have at most one additional properties declaration. |

+| <a id='BCP316' />BCP316 | Error | The "{LanguageConstants.ParameterSealedPropertyName}" decorator may not be used on object types with an explicit additional properties type declaration. |

+| <a id='BCP317' />BCP317 | Error | Expected an identifier, a string, or an asterisk at this location. |

+| <a id='BCP318' />BCP318 | Warning | The value of type "{possiblyNullType}" may be null at the start of the deployment, which would cause this access expression (and the overall deployment with it) to fail. If you don't know whether the value will be null and the template would handle a null value for the overall expression, use a `.?` (safe dereference) operator to short-circuit the access expression if the base expression's value is null: {accessExpression.AsSafeAccess().ToString()}. If you know the value won't be null, use a non-null assertion operator to inform the compiler that the value won't be null: {SyntaxFactory.AsNonNullable(expression).ToString()}. |

+| <a id='BCP319' />BCP319 | Error | The type at "{errorSource}" couldn't be resolved by the ARM JSON template engine. Original error message: "{message}" |

+| <a id='BCP320' />BCP320 | Error | The properties of module output resources can't be accessed directly. To use the properties of this resource, pass it as a resource-typed parameter to another module and access the parameter's properties therein. |

+| <a id='BCP321' />BCP321 | Warning | Expected a value of type "{expectedType}" but the provided value is of type "{actualType}". If you know the value won't be null, use a non-null assertion operator to inform the compiler that the value won't be null: {SyntaxFactory.AsNonNullable(expression).ToString()}. |

+| <a id='BCP322' />BCP322 | Error | The `.?` (safe dereference) operator may not be used on instance function invocations. |

+| <a id='BCP323' />BCP323 | Error | The `[?]` (safe dereference) operator may not be used on resource or module collections. |

+| <a id='BCP325' />BCP325 | Error | Expected a type identifier at this location. |

+| <a id='BCP326' />BCP326 | Error | Nullable-typed parameters may not be assigned default values. They have an implicit default of 'null' that can't be overridden. |

+| <a id='BCP329' />BCP329 | Warning | The provided value can be as small as {sourceMin} and may be too small to assign to a target with a configured minimum of {targetMin}. |

+| <a id='BCP330' />BCP330 | Warning | The provided value can be as large as {sourceMax} and may be too large to assign to a target with a configured maximum of {targetMax}. |

+| <a id='BCP331' />BCP331 | Error | A type's "{minDecoratorName}" must be less than or equal to its "{maxDecoratorName}", but a minimum of {minValue} and a maximum of {maxValue} were specified. |

+| <a id='BCP334' />BCP334 | Warning | The provided value can have a length as small as {sourceMinLength} and may be too short to assign to a target with a configured minimum length of {targetMinLength}. |

+| <a id='BCP335' />BCP335 | Warning | The provided value can have a length as large as {sourceMaxLength} and may be too long to assign to a target with a configured maximum length of {targetMaxLength}. |

+| <a id='BCP337' />BCP337 | Error | This declaration type isn't valid for a Bicep Parameters file. Specify a "{LanguageConstants.UsingKeyword}", "{LanguageConstants.ParameterKeyword}" or "{LanguageConstants.VariableKeyword}" declaration. |

+| <a id='BCP339' />BCP339 | Error | The provided array index value of "{indexSought}" isn't valid. Array index should be greater than or equal to 0. |

+| <a id='BCP340' />BCP340 | Error | Unable to parse literal YAML value. Ensure that it's well-formed. |

+| <a id='BCP341' />BCP341 | Error | This expression is being used inside a function declaration, which requires a value that can be calculated at the start of the deployment. {variableDependencyChainClause}{accessiblePropertiesClause} |

+| <a id='BCP342' />BCP342 | Error | User-defined types aren't supported in user-defined function parameters or outputs. |

+| <a id='BCP344' />BCP344 | Error | Expected an assert identifier at this location. |

+| <a id='BCP345' />BCP345 | Error | A test declaration can only reference a Bicep File |

+| <a id='BCP346' />BCP346 | Error | Expected a test identifier at this location. |

+| <a id='BCP347' />BCP347 | Error | Expected a test path string at this location. |

+| <a id='BCP348' />BCP348 | Error | Using a test declaration statement requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.TestFramework)}". |

+| <a id='BCP349' />BCP349 | Error | Using an assert declaration requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.Assertions)}". |

+| <a id='BCP350' />BCP350 | Error | Value of type "{valueType}" can't be assigned to an assert. Asserts can take values of type 'bool' only. |

+| <a id='BCP351' />BCP351 | Error | Function "{functionName}" isn't valid at this location. It can only be used when directly assigning to a parameter. |

+| <a id='BCP352' />BCP352 | Error | Failed to evaluate variable "{name}": {message} |

+| <a id='BCP353' />BCP353 | Error | The {itemTypePluralName} {ToQuotedString(itemNames)} differ only in casing. The ARM deployments engine isn't case sensitive and won't be able to distinguish between them. |

+| <a id='BCP354' />BCP354 | Error | Expected left brace ('{') or asterisk ('*') character at this location. |

+| <a id='BCP355' />BCP355 | Error | Expected the name of an exported symbol at this location. |

+| <a id='BCP356' />BCP356 | Error | Expected a valid namespace identifier at this location. |

+| <a id='BCP358' />BCP358 | Error | This declaration is missing a template file path reference. |

+| <a id='BCP360' />BCP360 | Error | The '{symbolName}' symbol wasn't found in (or wasn't exported by) the imported template. |

+| <a id='BCP361' />BCP361 | Error | The "@export()" decorator must target a top-level statement. |

+| <a id='BCP362' />BCP362 | Error | This symbol is imported multiple times under the names {string.Join(", ", importedAs.Select(identifier => $"'{identifier}'"))}. |

+| <a id='BCP363' />BCP363 | Error | The "{LanguageConstants.TypeDiscriminatorDecoratorName}" decorator can only be applied to object-only union types with unique member types. |

+| <a id='BCP364' />BCP364 | Error | The property "{discriminatorPropertyName}" must be a required string literal on all union member types. |

+| <a id='BCP365' />BCP365 | Error | The value "{discriminatorPropertyValue}" for discriminator property "{discriminatorPropertyName}" is duplicated across multiple union member types. The value must be unique across all union member types. |

+| <a id='BCP366' />BCP366 | Error | The discriminator property name must be "{acceptablePropertyName}" on all union member types. |

+| <a id='BCP367' />BCP367 | Error | The "{featureName}" feature is temporarily disabled. |

+| <a id='BCP368' />BCP368 | Error | The value of the "{targetName}" parameter can't be known until the template deployment has started because it uses a reference to a secret value in Azure Key Vault. Expressions that refer to the "{targetName}" parameter may be used in {LanguageConstants.LanguageFileExtension} files but not in {LanguageConstants.ParamsFileExtension} files. |

+| <a id='BCP369' />BCP369 | Error | The value of the "{targetName}" parameter can't be known until the template deployment has started because it uses the default value defined in the template. Expressions that refer to the "{targetName}" parameter may be used in {LanguageConstants.LanguageFileExtension} files but not in {LanguageConstants.ParamsFileExtension} files. |

+| <a id='BCP372' />BCP372 | Error | The "@export()" decorator may not be applied to variables that refer to parameters, modules, or resource, either directly or indirectly. The target of this decorator contains direct or transitive references to the following unexportable symbols: {ToQuotedString(nonExportableSymbols)}. |

+| <a id='BCP373' />BCP373 | Error | Unable to import the symbol named "{name}": {message} |

+| <a id='BCP374' />BCP374 | Error | The imported model can't be loaded with a wildcard because it contains the following duplicated exports: {ToQuotedString(ambiguousExportNames)}. |

+| <a id='BCP375' />BCP375 | Error | An import list item that identifies its target with a quoted string must include an 'as \<alias>' clause. |

+| <a id='BCP376' />BCP376 | Error | The "{name}" symbol can't be imported because imports of kind {exportMetadataKind} aren't supported in files of kind {sourceFileKind}. |

+| <a id='BCP377' />BCP377 | Error | The provider alias name "{aliasName}" is invalid. Valid characters are alphanumeric, "_", or "-". |

+| <a id='BCP378' />BCP378 | Error | The OCI artifact provider alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "registry" property can't be null or undefined. |

+| <a id='BCP379' />BCP379 | Error | The OCI artifact provider alias name "{aliasName}" doesn't exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| <a id='BCP380' />BCP380 | Error | Artifacts of type: "{artifactType}" aren't supported. |

+| <a id='BCP381' />BCP381 | Warning | Declaring provider namespaces with the "import" keyword has been deprecated. Use the "provider" keyword instead. |

+| <a id='BCP383' />BCP383 | Error | The "{typeName}" type isn't parameterizable. |

+| <a id='BCP384' />BCP384 | Error | The "{typeName}" type requires {requiredArgumentCount} argument(s). |

+| <a id='BCP385' />BCP385 | Error | Using resource-derived types requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ResourceDerivedTypes)}". |

+| <a id='BCP386' />BCP386 | Error | The decorator "{decoratorName}" may not be used on statements whose declared type is a reference to a resource-derived type. |

+| <a id='BCP387' />BCP387 | Error | Indexing into a type requires an integer greater than or equal to 0. |

+| <a id='BCP388' />BCP388 | Error | Can't access elements of type "{wrongType}" by index. A tuple type is required. |

+| <a id='BCP389' />BCP389 | Error | The type "{wrongType}" doesn't declare an additional properties type. |

+| <a id='BCP390' />BCP390 | Error | The array item type access operator ('[*]') can only be used with typed arrays. |

+| <a id='BCP391' />BCP391 | Error | Type member access is only supported on a reference to a named type. |

+| <a id='BCP392' />BCP392 | Warning | The supplied resource type identifier "{resourceTypeIdentifier}" wasn't recognized as a valid resource type name. |

+| <a id='BCP393' />BCP393 | Warning | The type pointer segment "{unrecognizedSegment}" wasn't recognized. Supported pointer segments are: "properties", "items", "prefixItems", and "additionalProperties". |

+| <a id='BCP394' />BCP394 | Error | Resource-derived type expressions must dereference a property within the resource body. Using the entire resource body type isn't permitted. |

+| <a id='BCP395' />BCP395 | Error | Declaring provider namespaces using the '\<providerName>@\<version>' expression has been deprecated. Use an identifier instead. |

+| <a id='BCP396' />BCP396 | Error | The referenced provider types artifact has been published with malformed content. |

+| <a id='BCP397' />BCP397 | Error | Provider {name} is incorrectly configured in the {BuildBicepConfigurationClause(configFileUri)}. It's referenced in the "{RootConfiguration.ImplicitProvidersConfigurationKey}" section, but is missing corresponding configuration in the "{RootConfiguration.ProvidersConfigurationKey}" section. |

+| <a id='BCP398' />BCP398 | Error | Provider {name} is incorrectly configured in the {BuildBicepConfigurationClause(configFileUri)}. It's configured as built-in in the "{RootConfiguration.ProvidersConfigurationKey}" section, but no built-in provider exists. |

+| <a id='BCP399' />BCP399 | Error | Fetching az types from the registry requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.DynamicTypeLoading)}". |

+| <a id='BCP400' />BCP400 | Error | Fetching types from the registry requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ProviderRegistry)}". |

+| <a id='BCP402' />BCP402 | Error | The spread operator "{spread.Ellipsis.Text}" can only be used in this context for an expression assignable to type "{requiredType}". |

+| <a id='BCP403' />BCP403 | Error/Warning | The enclosing array expects elements of type "{expectedType}", but the array being spread contains elements of incompatible type "{actualType}". |

+| <a id='BCP404' />BCP404 | Error | The "{LanguageConstants.ExtendsKeyword}" declaration is missing a bicepparam file path reference. |

+| <a id='BCP405' />BCP405 | Error | More than one "{LanguageConstants.ExtendsKeyword}" declaration are present. |

+| <a id='BCP406' />BCP406 | Error | The "{LanguageConstants.ExtendsKeyword}" keyword isn't supported. |

+Learn how to create user-defined data types in Bicep. For system-defined data types, see [Data types](./data-types.md).

+You can use the `type` statement to create user-defined data types. In addition, you can also use type expressions in some places to define custom types.

+The [`@allowed`](./parameters.md#decorators) decorator is only permitted on [`param` statements](./parameters.md). To declare a type with a set of predefined values in a `type`, use [union type syntax](./data-types.md#union-types).

+- You can declare array types by appending `[]` to any valid type expression:

+ Each property in an object consists of a key and a value, separated by a colon `:`. The key can be any string, with nonidentifier values enclosed in quotes, and the value can be any type of expression.

+ Decorators can be used on properties. `*` can be used to make all values require a constraint. Additional properties can still be defined when using `*`. This example creates an object that requires a key of type `int` named _id_, and that all other entries in the object must be a string value at least 10 characters long.

+ Object types can use direct or indirect recursion so long as at least leg of the path to the recursion point is optional. For example, the `myObjectType` definition in the following example is valid because the directly recursive `recursiveProp` property is optional:

+- Unions can include any number of literal-typed expressions. Union types are translated into the [allowed-value constraint](./parameters.md#decorators) in Bicep, so only literals are permitted as members.

+## Elevate error level

+By default, declaring an object type in Bicep allows it to accept additional properties of any type. For example, the following Bicep is valid but raises a warning of [BCP089] - `The property "otionalProperty" is not allowed on objects of type "{ property: string, optionalProperty: null | string }". Did you mean "optionalProperty"?`:

+```bicep

+type anObject = {

+ property: string

+ optionalProperty: string?

+}

+

+param aParameter anObject = {

+ property: 'value'

+ otionalProperty: 'value'

+}

+```

+The warning informs you that the _anObject_ type doesn't include a property named _otionalProperty_. While no errors occur during deployment, the Bicep compiler assumes _otionalProperty_ is a typo, that you intended to use _optionalProperty_ but misspelled it, and alert you to the inconsistency.

+To escalate these warnings to errors, apply the `@sealed()` decorator to the object type:

+```bicep

+@sealed()

+type anObject = {

+ property: string

+ optionalProperty?: string

+}

+```

+You get the same results by applying the `@sealed()` decorator to the `param` declaration:

+```bicep

+type anObject = {

+ property: string

+ optionalProperty: string?

+}

+

+@sealed()

+param aParameter anObject = {

+ property: 'value'

+ otionalProperty: 'value'

+}

+```

+The ARM deployment engine also checks sealed types for additional properties. Providing any extra properties for sealed parameters results in a validation error, causing the deployment to fail. For example:

+```bicep

+@sealed()

+type anObject = {

+ property: string

+}

+param aParameter anObject = {

+ property: 'value'

+ optionalProperty: 'value'

+}

+```

+> | mongoClusters | Yes | No |

+Azure VMware Solution private clouds require a minimum `/22` CIDR network address block for subnets. This network complements your on-premises networks, so the address block shouldn't overlap with address blocks used in other virtual networks in your subscription and on-premises networks. Management, vMotion, and Replication networks are provisioned automatically within this address block.

+> Replication network is not applicable to AV64 nodes and is slated for general deprecation at a future date.

+- Use [Azure Resource Manager templates (ARM templates)](../azure-resource-manager/templates/overview.md) to deploy confidential VMs on AMD processors.

+Also, in Standard workflows, some [built-in connectors with specific attributes are informally known as *service providers*](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Microsoft Entra ID, or a managed identity. All built-in connectors run in the same process as the Azure Logic Apps runtime. For more information, review [Single-tenant versus multitenant in Azure Logic Apps](../logic-apps/single-tenant-overview-compare.md).

+In Azure Logic Apps, connectors are either *built in* or *managed*. Some connectors have both versions. The available versions depend on whether you create a *Consumption* logic app workflow that runs in multitenant Azure Logic Apps or a *Standard* logic app workflow that runs in single-tenant Azure Logic Apps. For more information about logic app resource types, see [Resource types and host environment differences](../logic-apps/logic-apps-overview.md#resource-environment-differences).

+In Consumption workflows for multitenant Azure Logic Apps, you can call Swagger-based or SOAP-based APIs that aren't available as out-of-the-box connectors. You can also run custom code by creating custom API Apps. For more information, see the following documentation:

+> [!IMPORTANT]

+>

+> On August 31, 2024, the ISE resource retires, due to its dependency on Azure Cloud Services (classic),

+> which retires at the same time. Before the retirement date, export any logic apps from your ISE to Standard

+> logic apps to avoid service disruption. Standard logic app workflows run in single-tenant Azure Logic Apps

+> and provide the same capabilities plus more. For example, Standard workflows support using private endpoints

+> for inbound traffic so that your workflows can communicate privately and securely with virtual networks.

+> Standard workflows also support virtual network integration for outbound traffic. For more information,

+> review [Secure traffic between virtual networks and single-tenant Azure Logic Apps using private endpoints](/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint).

+If you use a dedicated [integration service environment (ISE)](../logic-apps/connect-virtual-network-vnet-isolated-environment-overview.md) where workflows can directly access to resources in an Azure virtual network, you can build, deploy, and run your workflows on dedicated resources.

+ <br><br>**CORE**

+ <br><br>Built-in connectors with this label run in the same ISE as your workflows.

+ <br><br>**ISE**

+ <br><br>Managed connectors with this label run in the same ISE as your workflows.

+ <br><br>If you have an on-premises system that's connected to an Azure virtual network, an ISE lets your workflows directly access that system without using the [on-premises data gateway](../logic-apps/logic-apps-gateway-connection.md). Instead, you can either use that system's **ISE** connector if available, an HTTP action, or a [custom connector](#custom-connectors-and-apis).

+ <br><br>For on-premises systems that don't have **ISE** connectors, use the on-premises data gateway. To find available ISE connectors, review [ISE connectors](#ise-and-connectors).

+ 

+ <br><br>No label

+ <br><br>All other connectors without a label, which you can continue to use, run in the global, multitenant Logic Apps service.

+For example, a Standard workflow can use both managed connectors and built-in connectors for Azure Blob, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, and SQL Server, while a Consumption workflow doesn't have the built-in versions. A Consumption workflow can use built-in connectors for Azure API Management, Azure App Services, and Batch, while a Standard workflow doesn't have these built-in connectors. For more information, review [Built-in connectors in Azure Logic Apps](built-in.md) and [Single-tenant versus multitenant in Azure Logic Apps](../logic-apps/single-tenant-overview-compare.md).

+# Import certificates from Azure Key Vault to Azure Container Apps

+You can set up Azure Key Vault to centrally manage your container app's TLS/SSL certificates and handle updates, renewals, and monitoring.

+An Azure Key Vault resource is required to store your certificate. See [Import a certificate in Azure Key Vault](/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal) or [Configure certificate auto-rotation in Key Vault](/azure/key-vault/certificates/tutorial-rotate-certificates) to create a Key Vault and add a certificate.

+## Enable managed identity for Container Apps environment

+Azure Container Apps uses an environment level managed identity to access your Key Vault and import your certificate. To enable system-assigned managed identity, follow these steps:

+1. Open the [Azure portal](https://portal.azure.com) and find your Azure Container Apps environment where you want to import a certificate.

+ | Role | Select **Key Vault Secrets User**. |

+## Import certificate from Key Vault

+1. Open the Azure portal and go to your Azure Container Apps environment.

+1. From *Settings*, select **Certificates**.

+1. Select the **Bring your own certificates (.pfx)** tab.

+1. Select **Add certificate**.

+1. In the *Add certificate* panel, in *Source*, select **Import from Key Vault**.

+1. Select **Select key vault certificate** and select the following values:

+ | Property | Value |

+ |--|--|

+ | Subscription | Select your Azure subscription. |

+ | Key vault | Select your vault. |

+ | Certificate | Select your certificate. |

+ > [!NOTE]

+ > If you see an error, *"The operation "List" is not enabled in this key vault's access policy."*, you need to configure an access policy in your Key Vault to allow your user account to list certificates. For more information, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?tabs=azure-portal).

+1. Select **Select**.

+1. In the *Add certificate* panel, in *Managed identity*, select **System assigned**. If you're using a user-assigned managed identity, select your user-assigned managed identity.

+1. Select **Add**.

+> [!NOTE]

+> If you receive an error message, verify that the managed identity is assigned the **Key Vault Secrets User** role on the Key Vault.

+## Configure a custom domain

+After configuring your certificate, you can use it to secure your custom domain. Follow the steps in [Add a custom domain](custom-domains-certificates.md#add-a-custom-domain-and-certificate) and select the certificate you imported from Key Vault.

+## Rotate certificates

+When you rotate your certificate in Key Vault, Azure Container Apps automatically updates the certificate in your environment. It takes up to 12 hours for the new certificate to be applied.

+> [Certificates in Azure Container Apps](certificates-overview.md)

+If the **Add Savings Plan** option is disabled in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts), then no user can purchase the Savings Plan. Go to the **Policies** menu to change settings to purchase the Savings Plan.

+|**1.**|VM creation | If you have a Marketplace image created with Azure Stack Edge earlier than 2403 and then create a VM from the existing Marketplace image, your VM creation fails because Azure Stack Edge 2407 changed the download path for the Marketplace image. | Delete the Marketplace image and then create a new image from Azure portal. For detailed steps, see [Troubleshoot VM creation issues](azure-stack-edge-gpu-troubleshoot-virtual-machine-provisioning.md#vm-creation-fails). |

+|**26.**|Azure IoT Edge |The managed Azure IoT Edge solution on Azure Stack Edge is running on an older, obsolete IoT Edge runtime that is at end of life. For more information, see [IoT Edge v1.1 end of life: What does that mean for me?](https://techcommunity.microsoft.com/t5/internet-of-things-blog/iot-edge-v1-1-eol-what-does-that-mean-for-me/ba-p/3662137). Although the solution doesn't stop working past end of life, there are no plans to update it. |To run the latest version of Azure IoT Edge [LTSs](../iot-edge/version-history.md#version-history) with the latest updates and features on their Azure Stack Edge, we **recommend** that you deploy a [customer self-managed IoT Edge solution](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md) that runs on a Linux VM. For more information, see [Move workloads from managed IoT Edge on Azure Stack Edge to an IoT Edge solution on a Linux VM](azure-stack-edge-move-to-self-service-iot-edge.md). |

+GPU-accelerated workloads on an Azure Stack Edge Pro GPU device require a GPU VM (virtual machine). This article provides an overview of GPU VMs, including supported OSs, GPU drivers, and VM sizes. Deployment options for GPU VMs used with Kubernetes clusters also are discussed.

+If your device has a Kubernetes cluster configured, be sure to review [deployment considerations for Kubernetes clusters](#gpu-vms-and-kubernetes) before you deploy GPU VMs.

+This extension supports the following operating systems (OSs). Other versions may work but haven't been tested in-house on GPU VMs running on Azure Stack Edge devices.

+This extension supports the following OS distro, depending on the driver support for specific OS version. Other versions may work but haven't been tested in-house on GPU VMs running on Azure Stack Edge devices.

+> [!NOTE]

+> Ubuntu 18.04 LTS GPU extension has been deprecated. The GPU extension is no longer supported on Ubuntu 18.04 GPU VMs running on Azure Stack Edge devices. If you plan to utilize the Ubuntu version 18.04 LTS distro, see steps for manual GPU driver installation at [CUDA Toolkit 12.1 Update 1 Downloads](https://developer.nvidia.com/cuda-12-1-1-download-archive?target_os=Linux&target_arch=x86_64&Distribution=Ubuntu&target_version=18.04&target_type=deb_local). You may need to download the CUDA signing key before the installation. For an example of installing the signing key, see [Troubleshoot GPU extension issues for GPU VMs on Azure Stack Edge Pro GPU](azure-stack-edge-gpu-troubleshoot-virtual-machine-gpu-extension-installation.md#in-versions-lower-than-2205-linux-gpu-extension-installs-old-signing-keys-signature-andor-required-key-missing).

+- **Create a GPU VM followed by Kubernetes configuration on your device**: In this scenario, the GPU VM creation and Kubernetes configuration will both be successful. Kubernetes won't have access to the GPU in this case.

+- **Configure Kubernetes on your device followed by creation of a GPU VM**: In this scenario, the Kubernetes claims the GPU on your device and the VM creation will fail as there are no GPU resources available.

+- **Create two GPU VMs followed by Kubernetes configuration on your device**: In this scenario, the two GPU VMs claim the two GPUs on the device and the Kubernetes is configured successfully with no GPUs.

+- **Configure Kubernetes on your device followed by creation of a GPU VM**: In this scenario, the Kubernetes claims both the GPUs on your device and the VM creation will fail as no GPU resources are available.

+To diagnose any VM provisioning failure, review guest logs for the failed virtual machine. For steps to collect VM guest logs and include them in a Support package, see [Collect guest logs for VMs on Azure Stack Edge Pro](azure-stack-edge-gpu-collect-virtual-machine-guest-logs.md).

+- For a Linux VM deployed using a custom VM image, the Provisioning flags in the /etc/waagent.conf file aren't correct. (Linux VMs only) [Learn more](#provisioning-flags-set-incorrectly-linux-vms)

+**Suggested solution:** Use a static IP address that isn't in use, or use a dynamic IP address provided by the DHCP server.

+**Error description:** If the default gateway and DNS server can't be reached during VM deployment, VM provisioning times out and the VM deployment fails.

+**Error description:** `cloud init` didn't run, or there were issues while `cloud init` was running. `cloud-init` is used to customize a Linux VM when the VM boots for the first time. For more information, see [cloud-init support for virtual machines in Azure](../virtual-machines/linux/using-cloud-init.md).

+ The command should return the cloud init version number. If the image isn't `cloud init`-based, the command won't return version information.

+ If the data source isn't set to Azure, you may need to revise your `cloud init` script. For more information, see [Diving deeper into cloud-init](../virtual-machines/linux/cloud-init-deep-dive.md).

+**Error description:** The primary network interface attached to a single root I/O virtualization (SRIOV) interface-enabled virtual switch caused network traffic to bypass the Hyper-V, so the host couldn't receive DHCP requests from the VM, resulting in a provisioning timeout.

+- On an Azure Stack Edge Pro 1 device, virtual switches created on Port 1 to Port 4 don't enable accelerated networking. On Port 5 or Port 6, virtual switches enable accelerated networking by default.

+- On an Azure Stack Edge Pro 2 device, virtual switches created on Port 1 or Port 2 don't enable accelerated networking. On Port 3 or Port 4, virtual switches enable accelerated networking by default.

+1. If a network interface wasn't created successfully, you see the following error.

+### VM creation fails

+**Error description:** If you have a Marketplace image created with Azure Stack Edge earlier than 2403 and then create a VM from the existing Marketplace image, your VM creation fails because Azure Stack Edge 2407 changed the download path for the Marketplace image.

+**Suggested solution:** Use the following steps to delete the existing Marketplace image and then create a new Marketplace image from Azure portal.

+1. From Azure portal, delete the existing Marketplace image.

+ 1. List the ingestion and the BlobDownload ingestion job for the Marketplace image. Use these steps to [Connect to Azure Resource Manager](azure-stack-edge-gpu-connect-resource-manager.md?tabs=Az).

+

+ Run the following script to list ingestion jobs:

+

+ Specify the subscription ID in the following Uri:

+

+ $uri1 = "https://management.appliance name.DNS domain/subscriptions/sid/providers/Microsoft.AzureBridge/locations/DBELocal/ingestionJobs/?api-version=2022-03-01"

+ ```powershell

+ Function Get-AzCachedAccessToken()

+ {

+ $ErrorActionPreference = 'Stop'

+ $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile

+ $currentAzureContext = Get-AzContext

+ $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)

+ Write-Debug ("Getting access token for tenant" + $currentAzureContext.Subscription.TenantId)

+ $token = $profileClient.AcquireAccessToken($currentAzureContext.Subscription.TenantId)

+ $token.AccessToken

+ }

+ $token = Get-AzCachedAccessToken

+ $headers = @{Authorization = "Bearer $token"; "Content-Type" = "application/json" }

+ $v = Invoke-RestMethod -Method Get -Uri $uri1 -Headers $headers

+ v.value

+ ```

+ 1. Find the ingestion job name = `Marketplace image sku name` and kind = `BlobDownload`.

+ Example: ingestion job name = `Ubuntu-18-04` and kind = `BlobDownload`.

+ 

+1. If the ingestion job is found in Step 1, use the following steps to delete the ingestion job and delete the image. For example, the ingestion job name in the example above is `ubuntu-18-04`. Additionally, `Subscription ID` and `Resource group` name can be found in the example.

+ ```powershell

+ $uri2 = "https://management.<appliance name>.<DNS domain>/subscriptions/sid/resourceGroups/rgname/providers/Microsoft.AzureBridge/locations/dbelocal/ingestionJobs/<ingestion job name>?api-version=2018-06-01"

+ ```

+ ```powershell

+ Invoke-RestMethod -Method DELETE -Uri $uri2 -Headers $headers

+ ```

+1. Follow steps to [Create a new VM image from Azure Marketplace](azure-stack-edge-create-a-vm-from-azure-marketplace.md).

+**Error description:** When VM creation fails because of insufficient memory, you see the following error.

+If you try to deploy a VM on a GPU device that already has Kubernetes enabled, no GPUs are available, and VM provisioning fails with the following error:

+If Kubernetes is enabled before the VM is created, Kubernetes uses all the available GPUs, and you wonΓÇÖt be able to create any GPU-size VMs. You can create as many GPU-size VMs as the number of available GPUs. Your Azure Stack Edge device can be equipped with 1 or 2 GPUs.

+* **Name**: A Microsoft Entra application display name to associate with the registration.

+* **Supported account types**: Select **Accounts in this organizational directory only (Default Directory only - Single tenant)**.

+az ad app create --display-name <app-registration-name> --sign-in-audience AzureADMyOrg --required-resource-accesses "manifest.json"

+You can find the app ID in the output from the `az ad app create` command that you ran [earlier](#run-the-creation-command) (or bring up the information again using [az ad app show](/cli/azure/ad/app#az-ad-app-show)).

+Look for `appId` in the result:

+You can display your tenant ID in the shell using the [az account tenant list](/cli/azure/account/tenant) command.

+>[!NOTE]

+>This command group is experimental and currently under development.

+ 1. In the **New widget** options, enter a **Label** of *Live arm camera*. For the **URL**, you can use the example URL *http://contoso.armstreams.com/${PrimaryTwin.$dtId}*. There's no live camera hosted at the URL for this sample, but the link represents where the video feed might be hosted in a real scenario.

+ > For more information about multitenant versus single-tenant Azure Logic Apps, review [Single-tenant versus multitenant](../logic-apps/single-tenant-overview-compare.md).

+If you're using an existing VM to monitor connectivity, you can install the Network Agent separately for [Linux](../network-watcher/network-watcher-agent-linux.md) and [Windows](../network-watcher/network-watcher-agent-windows.md).

+## What are the available Azure Extended Zones?

+Currently, Los Angeles is the only available Azure Extended Zone.

+## How will I be charged for resources I create in an Azure Extended Zone?

+Currently, you won't be billed for any resources that you create in Los Angles Extended Zone. However, any resources you create in the parent region are subject to charges. For example, if you create a virtual machine in Los Angeles with a network security group in West US, you'll only be billed for the network security group.

+| Service category | Available Azure services and features |

+| **Compute** | Azure Kubernetes Service <br> Azure Virtual Desktop <br> Virtual Machine Scale Sets <br> Virtual machines (general purpose: A, B, D, E, and F series and GPU NVadsA10 v5 series) |

+| **Networking** | DDoS (Standard protection) <br> ExpressRoute <br> Private Link <br> Standard Load Balancer <br> Standard public IP <br> Virtual Network <br> Virtual network peering |

+| **Storage** | Managed disks <br> Premium Page Blobs <br> Premium Block Blobs <br> Premium Files <br> Data Lake Storage Gen2<br> Hierarchical Namespace <br>Data Lake Storage Gen2 Flat Namespace <br> Change Feed <br> Blob Features <br> - SFTP <br> - NFS |

+## Availability

+Currently, Los Angeles is the only available Extended Zone in preview.

+## Pricing

+Currently, resources created in Los Angeles Extended Zone aren't billed. However, any resources you create in the parent region to use with Extended Zone resources are subject to charges. For example, if you create a virtual machine in Los Angeles with a network security group in West US, you'll only be billed for the network security group.

+ Title: Quickstart - Set up in portal

+# Quickstart: Set up IoT Hub Device Provisioning Service with the Azure portal

+In this quickstart, you learn how to set up Azure IoT Hub Device Provisioning Service in the Azure portal. Device Provisioning Service enables zero-touch, just-in-time device provisioning to any IoT hub. The Device Provisioning Service enables customers to provision millions of IoT devices in a secure and scalable manner, without requiring human intervention. Azure IoT Hub Device Provisioning Service supports IoT devices with TPM, symmetric key, and X.509 certificate authentications.

+Before you can provision your devices, you first perform the following steps:

+1. In the Azure portal, select **Create a resource**.

+ | **Resource group** | This field allows you to create a new resource group, or choose an existing one to contain the new instance. Choose the same resource group that contains the IoT hub that you created in the previous steps. By putting all related resources in a group together, you can manage them together. |

+ :::image type="content" source="./media/quick-setup-auto-provision/create-iot-dps-portal.png" alt-text="Screenshot showing the Basics tab of the IoT Hub device provisioning service. Enter basic information about your Device Provisioning Service instance in the portal.":::

+In this section, you add a configuration to the Device Provisioning Service instance. This configuration sets the IoT hub to which the instance provisions IoT devices.

+1. In the **Settings** menu of your Device Provisioning Service instance, select **Linked IoT hubs**.

+1. Select **Add**.

+ :::image type="content" source="./media/quick-setup-auto-provision/link-iot-hub-to-dps-portal.png" alt-text="Screenshot showing how to link an IoT hub to the Device Provisioning Service instance in the portal.":::

+1. Select **Refresh**. You should now see the selected hub under the list of **Linked IoT hubs**.

+1. In the Azure portal, navigate to the resource group that you used in this quickstart.

+1. If you want to delete the resource group and all of the resources it contains, select **Delete resource group**.

+ Otherwise, select your Device Provisioning Service instance and your IoT hub from the list of resources, then select **Delete**.

+ { "name": "stateStoreLogLevel", "value": "Information" },

+ { "name": "defaultLogLevel", "value": "Warning" }

+> | `containers:name` | A name given to your application container |

+> | `containers:image` | The application container you want to deploy |

+This tutorial uses a prebuilt container of the Dapr application. If you would like to modify and build the code yourself, follow these steps:

+- [Single-tenant versus multitenant in Azure Logic Apps](../logic-apps/single-tenant-overview-compare.md)

+ "value": "dotnet"

+ "value": "dotnet"

+- [Single-tenant versus multitenant in Azure Logic Apps](../logic-apps/single-tenant-overview-compare.md)

+Minor differences exist between the Azure Arc and single-tenant Azure Logic Apps experiences for creating, designing, and deploying logic apps. When you use Azure Arc-enabled Logic Apps, the major difference is that your logic apps run in a *custom location*. This location is mapped to an Azure Arc-enabled Kubernetes cluster where you have installed and enabled the Azure App Service platform extensions bundle.

+- [Single-tenant versus multitenant in Azure Logic Apps](../logic-apps/single-tenant-overview-compare.md)

+Although Kubernetes provides more control and flexibility, you also have operational overhead. If you're satisfied that Azure Logic Apps meets your needs, you're encouraged to continue using this service. However, consider using Azure Arc-enabled Logic Apps when you have the following scenarios:

+- You want to use Azure Logic Apps as your integration platform. However, you need fine grained networking with compute control and flexibility. You don't want to use an App Service Environment (ASE).

+- You want to run your logic apps in multi-cloud scenarios and use Azure Logic Apps as your sole integration platform for all your applications wherever they run.

+ **Multitenant Azure Logic Apps (Consumption)**

+ **Single-tenant Azure Logic Apps (Standard)**

+ Fully managed Azure Logic Apps experience

+ Fully managed Azure Logic Apps experience

+ Managed Azure Logic Apps experience with operational control at the Kubernetes level

+Each logic app needs to specify the location that you want to use for deployment, such as an Azure region, for example, "West US". This disaster recovery strategy focuses on setting up your primary logic app to [*failover*](https://en.wikipedia.org/wiki/Failover) onto a standby or backup logic app in an alternate location where Azure Logic Apps is also available. That way, if the primary suffers losses, disruptions, or failures, the secondary can take on the work. This strategy requires that your secondary logic app and dependent resources are already deployed and ready in the alternate location.

+>

+> which are stored in an integration account, both your integration account and logic apps must use the same location.

+* Both logic app instances have the same host type. So, either both instances are deployed to regions in global multitenant Azure, or both instances are deployed to ISEs, which let your logic apps directly access resources in an Azure virtual network. For best practices and more information about paired regions for BCDR, see [Cross-region replication in Azure: Business continuity and disaster recovery](../availability-zones/cross-region-replication-azure.md).

+ > For more advanced scenarios, you can mix both multitenant Azure and an

+ > [differences between how logic apps run in an ISE versus multitenant Azure](../logic-apps/connect-virtual-network-vnet-isolated-environment-overview.md#difference).

+#### Example: Multitenant Azure

+This example shows primary and secondary logic app instances, which are deployed to separate regions in the global multitenant Azure for this scenario. A single [Resource Manager template](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md) defines both logic app instances and the dependent resources required by those logic apps. Separate parameter files specify the configuration values to use for each deployment location:

+If your logic app runs in multitenant Azure and needs access to on-premises resources such as SQL Server databases, you need to install the [on-premises data gateway](../logic-apps/logic-apps-gateway-install.md) on a local computer. You can then create a data gateway resource in the Azure portal so that your logic app can use the gateway when you create a connection to the resource.

+> which runs in the global multitenant Azure, not your ISE. However, this connection

+ * [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md)

+This article introduces how to create, use, and edit parameters for multitenant Consumption logic app workflows and for single-tenant Standard logic app workflows. You'll also learn how to manage environment variables.

+For more information about multitenant and single-tenant Azure Logic Apps, review [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md).

+In multitenant Consumption logic app workflows, after you create and use parameters in the designer, you define and set the environment variables in your Azure Resource Manager template (ARM template) and template parameters files. In this scenario, you have to define and set the parameters *at deployment*, which means that even if you only have to change one variable, you have to redeploy your logic app's ARM template.

+## Related content

+* [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md)

+This article provides an overview about replication tasks powered by Azure Logic Apps and shows how to create an example replication task for Azure Service Bus queues. If you're new to logic apps and workflows, review [What is Azure Logic Apps](logic-apps-overview.md) and [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md).

+ > [!NOTE]

+ >

+ > By default, the language worker runtime value for your Standard logic app is **`dotnet`**.

+ > Previously, **`node`** was the default value. However, **`dotnet`** is now the default value

+ > for all new and existing deployed Standard logic apps, even for apps that had a different value.

+ > This change shouldn't affect your workflow's runtime, and everything should work the same way

+ > as before. For more information, see the [**FUNCTIONS_WORKER_RUNTIME** app setting](edit-app-settings-host-settings.md#reference-local-settings-json).

+ For more information about single-tenant Azure Logic Apps, review [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md#resource-environment-differences).

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+ [!INCLUDE [functions-language-runtime](./includes/functions-language-runtime.md)]

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+* [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md)

+> environments in Logic Apps, review [Single-tenant versus multi-tenant in Azure Logic Apps](single-tenant-overview-compare.md).

+| `FUNCTIONS_WORKER_RUNTIME` | `dotnet` | Sets the language worker runtime to use with your logic app resource and workflows. However, this setting is no longer necessary due to automatically enabled multi-language support. <br><br>**Note**: Previously, this setting's default value was **`node`**. Now, **`dotnet`** is the default value for all new and existing deployed Standard logic apps, even for apps that had a different different value. This change shouldn't affect your workflow's runtime, and everything should work the same way as before.<br><br>For more information, see [FUNCTIONS_WORKER_RUNTIME](../azure-functions/functions-app-settings.md#functions_worker_runtime). |

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+> This article applies to workflows in the single-tenant Azure Logic Apps environment. These workflows exist in the same logic app and in a single tenant that share the same storage. For more information, see [Single-tenant versus multitenant in Azure Logic Appst](single-tenant-overview-compare.md).

+1. In the logic app menu, under **Development tools**, select **Logic app code view**.

+For Consumption logic app workflows in multitenant Azure Logic Apps, throttling happens at the *connection* level.

+For template resource information specific to logic apps, integration accounts, and integration account artifacts, see [Microsoft.Logic resource types](/azure/templates/microsoft.logic/allversions).

+For the Azure Logic Apps REST API, start with the [Azure Logic Apps REST API overview](/rest/api/logic).

+For more information about resource definitions for these Azure Logic Apps objects, see [Microsoft.Logic resource types](/azure/templates/microsoft.logic/allversions):

+| **Consumption** | Integration service environment (ISE) | **AS2 (v2)** and **AS2** managed connectors (Standard class) and **AS2** ISE version, which has different message limits than the Standard class. The **AS2 (v2)** connector provides only actions, but you can use any trigger that works for your scenario. For more information, review the following documentation: <br><br>- [AS2 managed connector reference](/connectors/as2/) <br>- [AS2 (v2) managed connector operations](#as2-v2-operations) <br>- [AS2 message limits](logic-apps-limits-and-config.md#b2b-protocol-limits) |

+After you add the trigger, continue building your workflow by adding one or more actions. The following quickstarts help you build your first Consumption logic app workflow, which runs in global, multitenant Azure Logic Apps:

+* [Quickstart: Create an example Consumption logic app workflow in multitenant Azure Logic Apps - Azure portal](quickstart-create-example-consumption-workflow.md)

+Sometimes, your logic app workflow might need access to secured resources, such as virtual machines (VMs) in an Azure virtual network. To directly access such resources, [create a Standard logic app workflow](create-single-tenant-workflows-azure-portal.md). This type of logic app workflow runs in single-tenant Azure Logic Apps, separately from Consumption logic app workflows in multitenant Azure Logic Apps, and uses dedicated storage and other resources. With this option, you can reduce the impact that other Azure tenants might have on your apps' performance, which is also known as the "noisy neighbors" effect.

+| UK South | 51.140.79.109, 51.140.78.71, 51.140.84.39, 51.140.155.81, 20.108.102.180, 20.90.204.232, 20.108.148.173, 20.254.10.157, 4.159.25.35, 4.159.25.50, 4.250.87.43, 4.158.106.183, 4.250.53.153, 4.159.26.160, 4.159.25.103, 4.159.59.224, 4.158.138.59, 85.210.163.36, 85.210.34.209, 85.210.36.40 |

+| West Central US | 52.161.26.172, 52.161.8.128, 52.161.19.82, 13.78.137.247, 52.161.64.217, 52.161.91.215, 20.165.255.229, 4.255.162.134, 20.165.228.184, 4.255.178.108, 20.165.225.209, 4.255.145.22, 20.165.245.151, 20.165.232.221 |

+| UK South | 51.140.74.14, 51.140.73.85, 51.140.78.44, 51.140.137.190, 51.140.153.135, 51.140.28.225, 51.140.142.28, 51.140.158.24, 20.108.102.142, 20.108.102.123, 20.90.204.228, 20.90.204.188, 20.108.146.132, 20.90.223.4, 20.26.15.70, 20.26.13.151, 4.159.24.241, 4.250.55.134, 4.159.24.255, 4.250.55.217, 172.165.88.82, 4.250.82.111, 4.158.106.101, 4.158.105.106, 4.250.51.127, 4.250.49.230, 4.159.26.128, 172.166.86.30, 4.159.26.151, 4.159.26.77, 4.159.59.140, 4.159.59.13, 85.210.65.206, 85.210.120.102, 4.159.57.40, 85.210.66.97 |

+| West Central US | 52.161.27.190, 52.161.18.218, 52.161.9.108, 13.78.151.161, 13.78.137.179, 13.78.148.140, 13.78.129.20, 13.78.141.75, 13.71.199.128 - 13.71.199.159, 13.78.212.163, 13.77.220.134, 13.78.200.233, 13.77.219.128, 52.150.226.148, 4.255.161.16, 4.255.195.186, 4.255.168.251, 4.255.219.152, 20.165.235.148, 20.165.249.200, 20.165.232.68 |

+Based on your scenario, solution requirements, and desired capabilities, choose whether to create a Consumption or Standard logic app workflow. Based on this choice, the workflow runs in either multitenant Azure Logic Apps, single-tenant Azure Logic Apps, or an App Service Environment (v3). With single-tenant Azure Logic Apps, your workflows can more easily access resources protected by Azure virtual networks. If you create single tenant-based workflows using Azure Arc enabled Logic Apps, you can also run workflows in containers. For more information, see [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md) and [What is Arc enabled Logic Apps](azure-arc-enabled-logic-apps-overview.md)?

+Based on the logic app resource type that you choose, the associated workflow runs in either multitenant Azure Logic Apps or single-tenant Azure Logic Apps. Each has their own capabilities, benefits, and billing models. The Azure portal provides the fastest way to get started creating logic app workflows. However, you can also use other tools such as Visual Studio Code, Visual Studio, Azure PowerShell, and others. For more information, review [What is Azure Logic Apps](logic-apps-overview.md)?

+To get started with Azure Logic Apps, try a [quickstart to create an example Consumption logic app workflow in multitenant Azure Logic Apps using the Azure portal](quickstart-create-example-consumption-workflow.md). Or, try these [steps that create an example serverless app with Azure Logic Apps and Azure Functions in Visual Studio](create-serverless-apps-visual-studio.md).

+* [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md)

+ The logic app opens in the workflow designer.

+ 

+1. Make sure that the workflow designer has focus by selecting the designer's tab or surface so that the Properties window shows the **Integration Account** property for your logic app.

+In Visual Studio, if your logic app exists as a JSON (.json) file within an [Azure Resource Group project](../azure-resource-manager/templates/create-visual-studio-deployment-project.md) that you use to automate deployment, that logic app is set to a location type and a specific location, which is an Azure region.

+To change your logic app's location type or location, you have to open your logic app's workflow definition (.json) file from Solution Explorer by using the workflow designer. You can't change these properties by using Cloud Explorer.

+ 

+1. Make sure that the workflow designer has focus by selecting the designer's tab or surface so that the Properties window shows the **Choose Location Type** and **Location** properties for your logic app. The project's location type is set to either **Region** or **Integration Service Environment**.

+* In Visual Studio, on the workflow designer toolbar, select **Refresh**.

+When you're ready to deploy your logic app updates from Visual Studio to Azure, on the workflow designer toolbar, select **Publish**.

+You can manually trigger a logic app deployed in Azure from Visual Studio. On the workflow designer toolbar, select **Run Trigger**.

+For these scenarios, use the **Data Operations** actions named **Parse a document** and **Chunk text** in your Standard logic app workflow. These actions respectively transform content, such as a PDF document, CSV file, Excel file, and so on, into tokenized string output and then split the string into pieces, based on the number of tokens. You can then reference and use these outputs with subsequent actions in your workflow.

+1. After the action information pane opens, on the **Parameters** tab, for the **Chunking Strategy** property, select **TokenSize** as the chunking method, if not already selected.

+| **Chunking Strategy** | **TokenSize** | String enum | Split the content, based on the number of tokens. <br><br>Default: **TokenSize** | Not applicable |

+| **EncodingModel** | <*encoding-method*> | String enum | The encoding model to use: <br><br>- Default: **cl100k_base (gpt4, gpt-3.5-turbo, gpt-35-turbo)** <br><br>- **r50k_base (gpt-3)** <br><br>- **p50k_base (gpt-3)** <br><br>- **p50k_edit (gpt-3)** <br><br>- **cl200k_base (gpt-4o)** <br><br>For more information, see [OpenAI - Models overview](https://platform.openai.com/docs/models/overview). | Not applicable |

+| **PageOverlapLength** | <*number-of-overlapping-characters*> | Integer | The number of characters from the end of the previous chunk to include in the next chunk. This setting helps you avoid losing important information when splitting content into chunks and preserves continuity and context across chunks. <br><br>Default: **0** - No overlapping characters exist. | Minimum: **0** |

+| 5 | Create content chunks. | **Chunk text** | A **Data Operations** action that splits the token string into pieces, based on the number of tokens per content chunk. |

+This quickstart shows how to create and manage logic app workflows that help you automate tasks and processes that integrate apps, data, systems, and services across organizations and enterprises by using multitenant [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and Visual Studio Code. You can create and edit the underlying workflow definitions, which use JavaScript Object Notation (JSON), for logic apps through a code-based experience. You can also work on existing logic apps that are already deployed to Azure. For more information about multitenant versus single-tenant model, review [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md).

+This quickstart shows how to design, develop, and deploy automated workflows that integrate apps, data, systems, and services across enterprises and organizations by using multitenant [Azure Logic Apps](logic-apps-overview.md) and Visual Studio. Although you can perform these tasks in the Azure portal, Visual Studio lets you add your logic apps to source control, publish different versions, and create Azure Resource Manager templates for different deployment environments. For more information about multitenant versus single-tenant model, review [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md).

+This quickstart shows how to create and manage automated workflows that run in Azure Logic Apps by using the [Azure CLI Logic Apps extension](/cli/azure/logic) (`az logic`). From the command line, you can create a [Consumption logic app](logic-apps-overview.md#resource-environment-differences) in multitenant Azure Logic Apps by using the JSON file for a logic app workflow definition. You can then manage your logic app by running operations such as `list`, `show` (`get`), `update`, and `delete` from the command line.

+This quickstart currently applies only to Consumption logic app workflows that run in multitenant Azure Logic Apps. Azure CLI is currently unavailable for Standard logic app workflows that run in single-tenant Azure Logic Apps. For more information, review [Resource type and host differences in Azure Logic Apps](logic-apps-overview.md#resource-environment-differences).

+You can also include additional [optional parameters](/cli/azure/logic/workflow#az-logic-workflow-create-optional-parameters) to configure your logic app's access controls, endpoints, integration account, state, and resource tags.

+- [Single-tenant versus multitenant in Azure Logic Apps](single-tenant-overview-compare.md)

+When you use a managed network, compute resources managed by Azure Machine Learning can participate in the virtual network. Azure Machine Learning _compute clusters_, _compute instances_, and _managed online endpoints_ are created in the managed network.

+* The examples in this article assume that your code begins with the following Python. This code imports the classes required when creating a workspace with managed virtual network, sets variables for your Azure subscription and resource group, and creates the `ml_client`:

+ workspace_name = "<WORKSPACE_NAME>"

+ ml_client = MLClient(

+ workspace_name=workspace_name,

+ subscription_id=subscription_id,

+ resource_group_name=resource_group,

+ credential=DefaultAzureCredential()

+ )

+Use the following tabs to learn how to configure compute clusters and compute instances in a managed virtual network:

+> When using a managed virtual network, compute clusters and compute instances are automatically created in the managed network. The following steps focus on configuring the compute resources to not use a public IP address.

+ name="mycomputecluster",

+ | **Region** | Yes | **West US** | The Azure datacenter region for storing your app's information. This example deploys the sample logic app to the **West US** region in Azure. |

+* An Azure Machine Learning workspace that uses a private endpoint to communicate using the virtual network.

+* An Azure Storage Account that uses private endpoints to allow storage services such as blob and file to communicate using the virtual network.

+* An Azure Container Registry that uses a private endpoint communicate using the virtual network.

+* Azure Bastion, which allows you to use your browser to securely communicate with the jump box VM inside the virtual network.

+* An Azure Virtual Machine that you can remotely connect to and access resources secured inside the virtual network.

+ :::image type="content" source="./media/tutorial-create-secure-workspace-vnet/create-resource-search-vnet.png" alt-text="Screenshot of the resource search form with virtual network selected.":::

+1. Select __Security__. Select to __Enable Azure Bastion__. [Azure Bastion](../bastion/bastion-overview.md) provides a secure way to access the VM jump box you create inside the virtual network in a later step. Use the following values for the remaining fields:

+ 1. Select the __Default__ subnet and then select the __edit icon__.

+ :::image type="content" source="./media/tutorial-create-secure-workspace-vnet/edit-default-subnet.png" alt-text="Screenshot of selecting the edit icon of default subnet.":::

+ 1. Change the subnet __Name__ to __Training__. Leave the other values at the default settings, then select __Save__ to save the changes.

+ 1. To create a subnet for compute resources used to _score_ your models, select __+ Add subnet__ and set the name and address range:

+ * __Starting address__: 172.16.2.0

+ 1. Select __Add__ to add the subnet.

+1. From the __Networking__ tab, select __Disable public access__ and then select __+ Add private endpoint__.

+ * __Subscription__: The same Azure subscription that contains the previous resources.

+ * __Resource group__: The same Azure resource group that contains the previous resources.

+ * __Location__: The same Azure region that contains the previous resources.

+ Select __Add__ to create the private endpoint.

+1. Once the Storage Account is created, select __Go to resource__:

+ :::image type="content" source="./media/tutorial-create-secure-workspace-vnet/storage-file-private-endpoint-resource.png" alt-text="Screenshot of the resource form when selecting a subresource of 'file'.":::

+1. Select __Next : Virtual Network__, and then use the following values:

+1. Continue through the tabs selecting defaults until you reach __Review + Create__. Verify that the information is correct, and then select __Create__.

+> If you plan to use a [batch endpoint](concept-endpoints.md) or an Azure Machine Learning pipeline that uses a [ParallelRunStep](./tutorial-pipeline-batch-scoring-classification.md), it is also required to configure private endpoints target __queue__ and __table__ sub-resources. ParallelRunStep internally uses queue and table for task scheduling and dispatching.

+1. From the __Networking__ tab, deselect __Enable public access__ and then select __+ create a private endpoint__.

+ * __Subscription__: The same Azure subscription that contains the previous resources.

+ * __Resource group__: The same Azure resource group that contains the previous resources.

+ * __Location__: The same Azure region that contains the previous resources.

+ * __Enable Private DNS integration__: Yes

+ * __Private DNS Zone__: Select the resource group that contains the virtual network and key vault.

+ Select __Add__ to create the private endpoint.

+ * __Subscription__: The same Azure subscription that contains the previous resources.

+ * __Resource group__: The same Azure resource group that contains the previous resources.

+ * __Location__: The same Azure region that contains the previous resources.

+ * __Resource group__: Select the resource group that contains the virtual network and container registry.

+ Select __Add__ to create the private endpoint.

+1. After the container registry is created, select __Go to resource__.

+ * __Name__: A unique name for your workspace.

+1. From the __Networking__ tab, select __Private with Internet Outbound__. In the __Workspace inbound access__ section, select __+ Add__.

+ * __Subscription__: The same Azure subscription that contains the previous resources.

+ * __Resource group__: The same Azure resource group that contains the previous resources.

+ * __Location__: The same Azure region that contains the previous resources.

+1. Once the workspace is created, select __Go to resource__.

+1. From the __Settings__ section on the left, select __Networking__, __Private endpoint connections__, and then select the link in the __Private endpoint__ column:

+1. Once the private endpoint information appears, select __DNS configuration__ from the left of the page. Save the IP address and fully qualified domain name (FQDN) information on this page.

+Azure Machine Learning studio is a web-based application that lets you easily manage your workspace. However, it needs some extra configuration before it can be used with resources secured inside a virtual network. Use the following steps to enable studio:

+1. When using an Azure Storage Account that has a private endpoint, add the service principal for the workspace as a __Reader__ for the storage private endpoints. From the Azure portal, select your storage account and then select __Networking__. Next, select __Private endpoint connections__.

+1. In the [Azure portal](https://portal.azure.com), select __Home__, and then search for __Private link__. Select the __Azure Monitor Private Link Scope__ result and then select __Create__.

+1. Once the Azure Monitor Private Link Scope instance is created, select the instance in the Azure portal. From the __Configure__ section, select __Azure Monitor Resources__ and then select __+ Add__.

+1. Select the same __Subscription__, __Resource Group__, and __Region__ that contains your virtual network. Select __Next: Resource__.

+1. After the private endpoint is created, return to the __Azure Monitor Private Link Scope__ resource in the portal. From the __Configure__ section, select __Access modes__. Select __Private only__ for __Ingestion access mode__ and __Query access mode__, then select __Save__.

+There are several ways that you can connect to the secured workspace. The steps in this article use a __jump box__, which is a virtual machine in the virtual network. You can connect to it using your web browser and Azure Bastion. The following table lists several other ways that you might connect to the secure workspace:

+| [Azure VPN gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) | Connects on-premises networks to the virtual network over a private connection. Connection is made over the public internet. |

+Use the following steps to create an Azure Virtual Machine to use as a jump box. Azure Bastion enables you to connect to the VM desktop through your browser. From the VM desktop, you can then use the browser on the VM to connect to resources inside the virtual network, such as Azure Machine Learning studio. Or you can install development tools on the VM.

+> The following steps create a Windows 11 enterprise VM. Depending on your requirements, you may want to select a different VM image. The Windows 11 (or 10) enterprise image is useful if you need to join the VM to your organization's domain.

+ * __Username__: The username you use to sign in to the VM.

+1. Once the virtual machine is created, select __Go to resource__.

+1. From the top of the page, select __Connect__ and then __Connect via Bastion__.

+1. Provide your authentication information for the virtual machine, and a connection is established in your browser.

+## Create a compute cluster and instance

+A compute instance provides a Jupyter Notebook experience on a shared compute resource attached to your workspace.

+1. From studio, select Compute, Compute clusters, and then + New.

+1. From the Virtual Machine dialog, select Next to accept the default virtual machine configuration.

+1. From the Configure Settings dialog, enter cpu-cluster as the Compute name. Set the Subnet to Training and then select Create to create the cluster.

+ > Compute clusters dynamically scale the nodes in the cluster as needed. We recommend leaving the minimum number of nodes at 0 to reduce costs when the cluster isn't in use.

+1. From __Required settings__, enter a unique __Computer name__ and select __Next__.

+1. Continue selecting __Next__ until you arrive at __Security__ dialog, select the __Virtual network__ and set the __Subnet__ to __Training__. Select __Review + Create__ and then select __Create__.

+1. To update the workspace to use the compute cluster to build Docker images. Replace `docs-ml-rg` with your resource group. Replace `docs-ml-ws` with your workspace. Replace `cpu-cluster` with the compute cluster name:

+ -n docs-ml-ws \

+ -g docs-ml-rg \

+ -i cpu-cluster

+Once created, select the virtual machine in the Azure portal and then use the __Stop__ button. When you're ready to use it again, use the __Start__ button to start it.

+Now that you have a secure workspace and can access studio, learn how to [deploy a model to an online endpoint with network isolation](how-to-secure-online-endpoint.md).

+Now that you have a secure workspace, learn how to [deploy a model](./v1/how-to-deploy-and-where.md).

+You can install the Network Watcher extension when you create a virtual machine or a scale set. You can also separately install, configure, and troubleshoot the Network Watcher extension for [Linux](network-watcher-agent-linux.md) and [Windows](network-watcher-agent-windows.md).

+> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](network-watcher-agent-windows.md).

+> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](network-watcher-agent-linux.md).

+> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](network-watcher-agent-update.md).

+> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](network-watcher-agent-windows.md).

+> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](network-watcher-agent-linux.md).

+> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](network-watcher-agent-update.md).

+> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](network-watcher-agent-windows.md).

+> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](network-watcher-agent-linux.md).

+> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](network-watcher-agent-update.md).

+> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](network-watcher-agent-windows.md).

+> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](network-watcher-agent-linux.md).

+> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](network-watcher-agent-update.md).

+- On-premises agents and firewall settings work as is. No changes are required. Log Analytics agents that are installed on Azure virtual machines need to be replaced with the [Network Watcher extension](network-watcher-agent-windows.md).

+ Title: Manage Network Watcher Agent VM extension - Linux

+description: Learn about the Network Watcher Agent virtual machine extension for Linux virtual machines and how to install and uninstall it.

+#CustomerIntent: As an Azure administrator, I want to install Network Watcher Agent VM extension and manage it so that I can use Network watcher features to diagnose and monitor my Linux virtual machines (VMs).

+# Manage Network Watcher Agent virtual machine extension for Linux

+The Network Watcher Agent virtual machine extension is a requirement for some of Azure Network Watcher features that capture network traffic to diagnose and monitor Azure virtual machines (VMs). For more information, see [What is Azure Network Watcher?](network-watcher-overview.md)

+In this article, you learn how to install and uninstall Network Watcher Agent for Linux. Installation of the agent doesn't disrupt, or require a reboot of the virtual machine. If the virtual machine is deployed by an Azure service, check the documentation of the service to determine whether or not it permits installing extensions in the virtual machine.

+> [!NOTE]

+> Network Watcher Agent extension is not supported on AKS clusters.

+## Prerequisites

+# [**Portal**](#tab/portal)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+# [**PowerShell**](#tab/powershell)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+- Azure Cloud Shell or Azure PowerShell.

+ The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+# [**Azure CLI**](#tab/cli)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+- Azure Cloud Shell or Azure CLI.

+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.

+# [**Resource Manager**](#tab/arm)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+- Azure PowerShell or Azure CLI installed locally to deploy the template.

+ - You can [install Azure PowerShell](/powershell/azure/install-azure-powershell) to run the cmdlets. Use [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet to sign in to Azure.

+ - You can [install Azure CLI](/cli/azure/install-azure-cli) to run the commands. Use [az login](/cli/azure/reference-index#az-login) command to sign in to Azure.

+## Supported operating systems

+Network Watcher Agent extension for Linux can be installed on the following Linux distributions:

+| Distribution | Version |

+|||

+| AlmaLinux | 9.2 |

+| Azure Linux | 2.0 |

+| CentOS ¹ | 6.10 and 7 |

+| Debian | 7 and 8 |

+| OpenSUSE Leap | 42.3+ |

+| Oracle Linux | 6.10 ², 7 and 8+ |

+| Red Hat Enterprise Linux (RHEL) | 6.10 ³, 7, 8 and 9.2 |

+| Rocky Linux | 9.1 |

+| SUSE Linux Enterprise Server (SLES) | 12 and 15 (SP2, SP3, and SP4) |

+| Ubuntu | 16+ |

+¹ CentOS Linux reached its end-of-life (EOL) on June 30, 2024. For more information, see the [CentOS End Of Life guidance](../virtual-machines/workloads/centos/centos-end-of-life.md).

+² [Extended life cycle (ELS) support](https://www.oracle.com/a/ocom/docs/linux/oracle-linux-extended-support-ds.pdf) for Oracle Linux version 6.X ended on [July 1, 2024](https://www.oracle.com/a/ocom/docs/elsp-lifetime-069338.pdf).

+³ [Extended life cycle (ELS) support](https://www.redhat.com/en/resources/els-datasheet) for Red Hat Enterprise Linux 6.X ended on [June 30, 2024]( https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux,OpenShift%20Container%20Platform%204).

+## Extension schema

+The following JSON shows the schema for the Network Watcher Agent extension. The extension doesn't require, or support, any user-supplied settings. The extension relies on its default configuration.

+```json

+{

+ "name": "[concat(parameters('vmName'), '/AzureNetworkWatcherExtension')]",

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

+ ],

+ "properties": {

+ "autoUpgradeMinorVersion": true,

+ "publisher": "Microsoft.Azure.NetworkWatcher",

+ "type": "NetworkWatcherAgentLinux",

+ "typeHandlerVersion": "1.4"

+ }

+}

+```

+## List installed extensions

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can view the installed extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. In the **Extensions** tab, you can see all installed extensions on the virtual machine. If the list is long, you can use the search box to filter the list.

+ :::image type="content" source="./media/network-watcher-agent-linux/list-vm-extensions.png" alt-text="Screenshot that shows how to view installed extensions on a VM in the Azure portal." lightbox="./media/network-watcher-agent-linux/list-vm-extensions.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Get-AzVMExtension](/powershell/module/az.compute/get-azvmextension) cmdlet to list all installed extensions on the virtual machine:

+```azurepowershell-interactive

+# List the installed extensions on the virtual machine.

+Get-AzVMExtension -ResourceGroupName 'myResourceGroup' -VMName 'myVM' | format-table Name, Publisher, ExtensionType, AutoUpgradeMinorVersion, EnableAutomaticUpgrade

+```

+The output of the cmdlet lists the installed extensions:

+```output

+Name Publisher ExtensionType AutoUpgradeMinorVersion EnableAutomaticUpgrade

+- - -- -

+AzureNetworkWatcherExtension Microsoft.Azure.NetworkWatcher NetworkWatcherAgentLinux True True

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension list](/cli/azure/vm/extension#az-vm-extension-list) command to list all installed extensions on the virtual machine:

+```azurecli

+# List the installed extensions on the virtual machine.

+az vm extension list --resource-group 'myResourceGroup' --vm-name 'myVM' --out table

+```

+The output of the command lists the installed extensions:

+```output

+Name ProvisioningState Publisher Version AutoUpgradeMinorVersion

+- - -

+AzureNetworkWatcherExtension Succeeded Microsoft.Azure.NetworkWatcher 1.4 True

+```

+# [**Resource Manager**](#tab/arm)

+N/A

+## Install Network Watcher Agent VM extension

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can install the Network Watcher Agent VM extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. Select **+ Add** and search for **Network Watcher Agent** and install it. If the extension is already installed, you can see it in the list of extensions.

+ :::image type="content" source="./media/network-watcher-agent-linux/vm-extensions.png" alt-text="Screenshot that shows the VM's extensions page in the Azure portal." lightbox="./media/network-watcher-agent-linux/vm-extensions.png":::

+1. In the search box of **Install an Extension**, enter *Network Watcher Agent for Linux*. Select the extension from the list and select **Next**.

+ :::image type="content" source="./media/network-watcher-agent-linux/install-extension-linux.png" alt-text="Screenshot that shows how to install Network Watcher Agent for Linux in the Azure portal." lightbox="./media/network-watcher-agent-linux/install-extension-linux.png":::

+1. Select **Review + create** and then select **Create**.

+# [**PowerShell**](#tab/powershell)

+Use [Set-AzVMExtension](/powershell/module/az.compute/set-azvmextension) cmdlet to install Network Watcher Agent VM extension on the virtual machine:

+```azurepowershell-interactive

+# Install Network Watcher Agent for Linux on the virtual machine.

+Set-AzVMExtension -Name 'AzureNetworkWatcherExtension' -Publisher 'Microsoft.Azure.NetworkWatcher' -ExtensionType 'NetworkWatcherAgentLinux' -EnableAutomaticUpgrade 1 -TypeHandlerVersion '1.4' -ResourceGroupName 'myResourceGroup' -VMName 'myVM'

+```

+Once the installation is successfully completed, you see the following output:

+```output

+RequestId IsSuccessStatusCode StatusCode ReasonPhrase

+ - -

+ True OK

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set) command to install Network Watcher Agent VM extension on the virtual machine:

+```azurecli

+# Install Network Watcher Agent for Windows on the virtual machine.

+az vm extension set --name 'NetworkWatcherAgentLinux' --extension-instance-name 'AzureNetworkWatcherExtension' --publisher 'Microsoft.Azure.NetworkWatcher' --enable-auto-upgrade 'true' --version '1.4' --resource-group 'myResourceGroup' --vm-name 'myVM'

+```

+# [**Resource Manager**](#tab/arm)

+Use the following Azure Resource Manager template (ARM template) to install Network Watcher Agent VM extension on a Linux virtual machine:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vmName": {

+ "type": "string"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "name": "[parameters('vmName')]",

+ "type": "Microsoft.Compute/virtualMachines",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ }

+ },

+ {

+ "name": "[concat(parameters('vmName'), '/AzureNetworkWatcherExtension')]",

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

+ ],

+ "properties": {

+ "autoUpgradeMinorVersion": true,

+ "publisher": "Microsoft.Azure.NetworkWatcher",

+ "type": "NetworkWatcherAgentLinux",

+ "typeHandlerVersion": "1.4"

+ }

+ }

+ ],

+ "outputs": {}

+}

+```

+You can use either Azure PowerShell or Azure CLI to deploy the Resource Manager template:

+```azurepowershell

+# Deploy the JSON template file using Azure PowerShell.

+New-AzResourceGroupDeployment -ResourceGroupName 'myResourceGroup' -TemplateFile 'agent.json'

+```

+```azurecli

+# Deploy the JSON template file using the Azure CLI.

+az deployment group create --resource-group 'myResourceGroup' --template-file 'agent.json'

+```

+## Uninstall Network Watcher Agent VM extension

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can uninstall the Network Watcher Agent VM extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. Select **AzureNetworkWatcherExtension** from the list of extensions, and then select **Uninstall**.

+ :::image type="content" source="./media/network-watcher-agent-linux/uninstall-extension-linux.png" alt-text="Screenshot that shows how to uninstall Network Watcher Agent for Linux in the Azure portal." lightbox="./media/network-watcher-agent-linux/uninstall-extension-linux.png":::

+ > [!NOTE]

+ > You might see Network Watcher Agent VM extension named differently than **AzureNetworkWatcherExtension**.

+# [**PowerShell**](#tab/powershell)

+Use [Remove-AzVMExtension](/powershell/module/az.compute/remove-azvmextension) cmdlet to remove Network Watcher Agent VM extension from the virtual machine:

+```azurepowershell-interactive

+# Uninstall Network Watcher Agent VM extension.

+Remove-AzureVMExtension -Name 'AzureNetworkWatcherExtension' -ResourceGroupName 'myResourceGroup' -VMName 'myVM'

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension delete](/cli/azure/vm/extension#az-vm-extension-delete) command to remove Network Watcher Agent VM extension from the virtual machine:

+```azurecli-interactive

+# Uninstall Network Watcher Agent VM extension.

+az vm extension delete --name 'AzureNetworkWatcherExtension' --resource-group 'myResourceGroup' --vm-name 'myVM'

+```

+# [**Resource Manager**](#tab/arm)

+N/A

+## Frequently asked questions (FAQ)

+To get answers to most frequently asked questions about Network Watcher Agent, see [Network Watcher Agent FAQ](frequently-asked-questions.yml#network-watcher-agent).

+## Related content

+- [Update Azure Network Watcher extension to the latest version](network-watcher-agent-update.md).

+- [Network Watcher documentation](index.yml).

+- [Microsoft Q&A - Network Watcher](/answers/topics/azure-network-watcher.html).

+ Title: Update Network Watcher extension to the latest version

+description: Learn how to update the Azure Network Watcher Agent virtual machine (VM) extension to the latest version.

+# Update Azure Network Watcher extension to the latest version

+[Azure Network Watcher](network-watcher-monitoring-overview.md) is a network performance monitoring, diagnostic, and analytics service that monitors Azure networks. The Network Watcher Agent virtual machine (VM) extension is a requirement for capturing network traffic on demand and using other advanced functionality on Azure VMs. It's used by connection monitor, connection troubleshoot, and packet capture.

+## Prerequisites

+- An Azure account with an active subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An Azure virtual machine (VM) that has the Network Watcher extension installed.

+## Latest version

+### Identify latest version

+Use [az vm extension image list](/cli/azure/vm/extension/image#az-vm-extension-image-list) command to identify the latest version of the Network Watcher extension for your VM's operating system.

+# [Linux](#tab/linux)

+```azurecli-interactive

+# Identify latest version of Network Watcher extension for Linux.

+az vm extension image list --name 'NetworkWatcherAgentLinux' --publisher 'Microsoft.Azure.NetworkWatcher' --latest --location 'eastus'

+```

+# [Windows](#tab/windows)

+```azurecli-interactive

+# Identify latest version of Network Watcher extension for Windows.

+az vm extension image list --name 'NetworkWatcherAgentWindows' --publisher 'Microsoft.Azure.NetworkWatcher' --latest --location 'eastus'

+```

+## Update your extension using a PowerShell script

+If you have large deployments, use a PowerShell script to update multiple VMs at once. The following PowerShell script updates Network Watcher extension of all Windows VMs in a subscription:

+```powershell

+<#

+ .SYNOPSIS

+ This script will scan all VMs in the provided subscription and upgrade any out of date AzureNetworkWatcherExtensions

+ .DESCRIPTION

+ This script should be no-op if AzureNetworkWatcherExtensions are up to date

+ Requires Azure PowerShell 4.2 or higher to be installed (e.g. Install-Module AzureRM).

+ .EXAMPLE

+ .\UpdateVMAgentsInSub.ps1 -SubID F4BC4873-5DAB-491E-B713-1358EF4992F2 -NoUpdate

+#>

+

+[CmdletBinding()]

+param(

+ [Parameter(Mandatory=$true)]

+ [string] $SubID,

+ [Parameter(Mandatory=$false)]

+ [Switch] $NoUpdate = $false,

+ [Parameter(Mandatory=$false)]

+ [string] $MinVersion = "1.4.2573.1"

+)

+function NeedsUpdate($version)

+{

+ if ([Version]$version -lt [Version]$MinVersion)

+ {

+ $lessThan = $true

+ }else{

+ $lessThan = $false

+ }

+ return $lessThan

+}

+Write-Host "Scanning all VMs in the subscription: $($SubID)"

+Set-AzContext -SubscriptionId $SubID

+$vms = Get-AzVM

+$foundVMs = $false

+Write-Host "Starting VM search, this may take a while"

+foreach ($vmName in $vms)

+{

+ # Get Detailed VM info

+ $vm = Get-AzVM -ResourceGroupName $vmName.ResourceGroupName -Name $vmName.name -Status

+ $isitWindows = $vm.OsName -like "*Windows*"

+

+ foreach ($extension in $vm.Extensions)

+ {

+ if ($extension.Name -eq "AzureNetworkWatcherExtension")

+ {

+ if (NeedsUpdate($extension.TypeHandlerVersion))

+ {

+ $foundVMs = $true

+ if (-not ($NoUpdate))

+ {

+ Write-Host "Found VM that needs to be updated: subscriptions/$($SubID)/resourceGroups/$($vm.ResourceGroupName)/providers/Microsoft.Compute/virtualMachines/$($vm.Name) -> Updating " -NoNewline

+ Remove-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name "AzureNetworkWatcherExtension" -Force

+ Write-Host "... " -NoNewline

+ $type = if ($isitWindows) { "NetworkWatcherAgentWindows" } else { "NetworkWatcherAgentLinux" }

+ Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -Location $vmName.Location -VMName $vm.Name -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type $type -typeHandlerVersion $MinVersion

+ Write-Host "Done"

+ }

+ else

+ {

+ Write-Host "Found $(if ($isitWindows) {"Windows"} else {"Linux"}) VM that needs to be updated: subscriptions/$($SubID)/resourceGroups/$($vm.ResourceGroupName)/providers/Microsoft.Compute/virtualMachines/$($vm.Name)"

+ }

+ }

+ }

+ }

+}

+

+if ($foundVMs)

+{

+ Write-Host "Finished $(if ($NoUpdate) {"searching"} else {"updating"}) out of date AzureNetworkWatcherExtension on VMs"

+}

+else

+{

+ Write-Host "All AzureNetworkWatcherExtensions up to date"

+}

+```

+## Update your extension manually

+To update your extension, you need to know your extension version.

+### Check your extension version

+You can check your extension version by using the Azure portal, the Azure CLI, or PowerShell.

+#### Use the Azure portal

+1. Go to the **Extensions** pane of your VM in the Azure portal.

+1. Select the **AzureNetworkWatcher** extension to see the details pane.

+1. Locate the version number in the **Version** field.  

+#### Use the Azure CLI

+Run the following command from an Azure CLI prompt:

+```azurecli

+az vm get-instance-view --resource-group "SampleRG" --name "Sample-VM"

+```

+Locate **"AzureNetworkWatcherExtension"** in the output and identify the version number from the *“TypeHandlerVersion”* field in the output. 

+Information about the extension appears multiple times in the JSON output. The full version number of the extension is available under the Extensions block.

+You should see something like the below:

+

+#### Use PowerShell

+Run the following commands from a PowerShell prompt:

+```powershell

+Get-AzVM -ResourceGroupName "SampleRG" -Name "Sample-VM" -Status

+```

+Locate the Azure Network Watcher extension in the output and identify the version number from the *“TypeHandlerVersion”* field in the output.  

+You should see something like the below:

+

+### Update your extension

+If your version is below the latest version mentioned above, update your extension by using any of the following options.

+#### Option 1: Use PowerShell

+Run the following commands:

+```powershell

+#Linux command

+Set-AzVMExtension -ResourceGroupName "myResourceGroup1" -Location "WestUS" -VMName "myVM1" -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentLinux"

+#Windows command

+Set-AzVMExtension -ResourceGroupName "myResourceGroup1" -Location "WestUS" -VMName "myVM1" -Name " AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -ForceRerun "True"

+```

+If that doesn't work. Remove and install the extension again, using the steps below, to install latest version.

+Removing the extension

+```powershell

+#Same command for Linux and Windows

+Remove-AzVMExtension -ResourceGroupName "SampleRG" -VMName "Sample-VM" -Name "AzureNetworkWatcherExtension"

+```

+Installing the extension again

+```powershell

+#Linux command

+Set-AzVMExtension -ResourceGroupName "SampleRG" -Location "centralus" -VMName "Sample-VM" -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentLinux" -typeHandlerVersion "1.4"

+#Windows command

+Set-AzVMExtension -ResourceGroupName "SampleRG" -Location "centralus" -VMName "Sample-VM" -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type "NetworkWatcherAgentWindows" -typeHandlerVersion "1.4"

+```

+#### Option 2: Use the Azure CLI

+Force an upgrade.

+```azurecli

+#Linux command

+az vm extension set --resource-group "myResourceGroup1" --vm-name "myVM1" --name "NetworkWatcherAgentLinux" --publisher "Microsoft.Azure.NetworkWatcher" --force-update

+#Windows command

+az vm extension set --resource-group "myResourceGroup1" --vm-name "myVM1" --name "NetworkWatcherAgentWindows" --publisher "Microsoft.Azure.NetworkWatcher" --force-update

+```

+If that doesn't work, remove and install the extension again, and follow these steps to automatically add the latest version.

+Remove the extension.

+```azurecli

+#Same for Linux and Windows

+az vm extension delete --resource-group "myResourceGroup1" --vm-name "myVM1" -n "AzureNetworkWatcherExtension"

+```

+Install the extension again.

+```azurecli

+#Linux command

+az vm extension set --resource-group "DALANDEMO" --vm-name "Linux-01" --name "NetworkWatcherAgentLinux" --publisher "Microsoft.Azure.NetworkWatcher"

+#Windows command

+az vm extension set --resource-group "DALANDEMO" --vm-name "Linux-01" --name "NetworkWatcherAgentWindows" --publisher "Microsoft.Azure.NetworkWatcher"

+```

+#### Option 3: Reboot your VMs

+If you have auto-upgrade set to true for the Network Watcher extension, reboot your VM installation to the latest extension.

+## Support

+If you need more help at any point in this article, see the Network Watcher extension documentation for [Linux](network-watcher-agent-linux.md) or [Windows](network-watcher-agent-windows.md). You can also contact the Azure experts on the [MSDN Azure and Stack Overflow forums](https://azure.microsoft.com/support/forums/). Alternatively, file an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get support**. For information about using Azure Support, read the [Microsoft Azure support FAQ](https://azure.microsoft.com/support/faq/).

+ Title: Manage Network Watcher Agent VM extension - Windows

+description: Learn about the Network Watcher Agent virtual machine extension on Windows virtual machines and how to deploy it.

+#CustomerIntent: As an Azure administrator, I want to learn about Network Watcher Agent VM extension so that I can use Network watcher features to diagnose and monitor my virtual machines (VMs).

+# Manage Network Watcher Agent virtual machine extension for Windows

+The Network Watcher Agent virtual machine extension is a requirement for some of Azure Network Watcher features that capture network traffic to diagnose and monitor Azure virtual machines (VMs). For more information, see [What is Azure Network Watcher?](network-watcher-overview.md)

+In this article, you learn how to install and uninstall Network Watcher Agent for Windows. Installation of the agent doesn't disrupt, or require a reboot of the virtual machine. If the virtual machine is deployed by an Azure service, check the documentation of the service to determine whether or not it permits installing extensions in the virtual machine.

+## Prerequisites

+# [**Portal**](#tab/portal)

+- An Azure Windows virtual machine (VM). For more information, see [Supported Windows versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+# [**PowerShell**](#tab/powershell)

+- An Azure Windows virtual machine (VM). For more information, see [Supported Windows versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+- Azure Cloud Shell or Azure PowerShell.

+ The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+# [**Azure CLI**](#tab/cli)

+- An Azure Windows virtual machine (VM). For more information, see [Supported Windows versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+- Azure Cloud Shell or Azure CLI.

+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.

+# [**Resource Manager**](#tab/arm)

+- An Azure Windows virtual machine (VM). For more information, see [Supported Windows versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](packet-capture-overview.md).

+- Azure PowerShell or Azure CLI installed locally to deploy the template.

+ - You can [install Azure PowerShell](/powershell/azure/install-azure-powershell) to run the cmdlets. Use [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet to sign in to Azure.

+ - You can [install Azure CLI](/cli/azure/install-azure-cli) to run the commands. Use [az login](/cli/azure/reference-index#az-login) command to sign in to Azure.

+## Supported operating systems

+Network Watcher Agent extension for Windows can be installed on:

+- Windows Server 2012, 2012 R2, 2016, 2019 and 2022 releases.

+- Windows 10 and 11 releases.

+> [!NOTE]

+> Currently, Nano Server isn't supported.

+## Extension schema

+The following JSON shows the schema for the Network Watcher Agent extension. The extension doesn't require, or support, any user-supplied settings, and relies on its default configuration.

+```json

+{

+ "name": "[concat(parameters('vmName'), '/AzureNetworkWatcherExtension')]",

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

+ ],

+ "properties": {

+ "autoUpgradeMinorVersion": true,

+ "publisher": "Microsoft.Azure.NetworkWatcher",

+ "type": "NetworkWatcherAgentWindows",

+ "typeHandlerVersion": "1.4"

+ }

+}

+```

+## List installed extensions

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can view the installed extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. In the **Extensions** tab, you can see all installed extensions on the virtual machine. If the list is long, you can use the search box to filter the list.

+ :::image type="content" source="./media/network-watcher-agent-windows/list-vm-extensions.png" alt-text="Screenshot that shows how to view installed extensions on a VM in the Azure portal." lightbox="./media/network-watcher-agent-windows/list-vm-extensions.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Get-AzVMExtension](/powershell/module/az.compute/get-azvmextension) cmdlet to list all installed extensions on the virtual machine:

+```azurepowershell-interactive

+# List the installed extensions on the virtual machine.

+Get-AzVMExtension -ResourceGroupName 'myResourceGroup' -VMName 'myVM' | format-table Name, Publisher, ExtensionType, AutoUpgradeMinorVersion, EnableAutomaticUpgrade

+```

+The output of the cmdlet lists the installed extensions:

+```output

+Name Publisher ExtensionType AutoUpgradeMinorVersion EnableAutomaticUpgrade

+- - -- -

+AzureNetworkWatcherExtension Microsoft.Azure.NetworkWatcher NetworkWatcherAgentWindows True True

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension list](/cli/azure/vm/extension#az-vm-extension-list) command to list all installed extensions on the virtual machine:

+```azurecli

+# List the installed extensions on the virtual machine.

+az vm extension list --resource-group 'myResourceGroup' --vm-name 'myVM' --out table

+```

+The output of the command lists the installed extensions:

+```output

+Name ProvisioningState Publisher Version AutoUpgradeMinorVersion

+- - -

+AzureNetworkWatcherExtension Succeeded Microsoft.Azure.NetworkWatcher 1.4 True

+```

+# [**Resource Manager**](#tab/arm)

+N/A

+## Install Network Watcher Agent VM extension

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can install the Network Watcher Agent VM extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. Select **+ Add** and search for **Network Watcher Agent** and install it. If the extension is already installed, you can see it in the list of extensions.

+ :::image type="content" source="./media/network-watcher-agent-windows/vm-extensions.png" alt-text="Screenshot that shows the VM's extensions page in the Azure portal." lightbox="./media/network-watcher-agent-windows/vm-extensions.png":::

+1. In the search box of **Install an Extension**, enter *Network Watcher Agent for Windows*. Select the extension from the list and select **Next**.

+ :::image type="content" source="./media/network-watcher-agent-windows/install-extension-windows.png" alt-text="Screenshot that shows how to install Network Watcher Agent for Windows in the Azure portal." lightbox="./media/network-watcher-agent-windows/install-extension-windows.png":::

+1. Select **Review + create** and then select **Create**.

+# [**PowerShell**](#tab/powershell)

+Use [Set-AzVMExtension](/powershell/module/az.compute/set-azvmextension) cmdlet to install Network Watcher Agent VM extension on the virtual machine:

+```azurepowershell-interactive

+# Install Network Watcher Agent for Windows on the virtual machine.

+Set-AzVMExtension -Name 'AzureNetworkWatcherExtension' -Publisher 'Microsoft.Azure.NetworkWatcher' -ExtensionType 'NetworkWatcherAgentWindows' -EnableAutomaticUpgrade 1 -TypeHandlerVersion '1.4' -ResourceGroupName 'myResourceGroup' -VMName 'myVM'

+```

+Once the installation is successfully completed, you see the following output:

+```output

+RequestId IsSuccessStatusCode StatusCode ReasonPhrase

+ - -

+ True OK

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set) command to install Network Watcher Agent VM extension on the virtual machine:

+```azurecli

+# Install Network Watcher Agent for Windows on the virtual machine.

+az vm extension set --name 'NetworkWatcherAgentWindows' --extension-instance-name 'AzureNetworkWatcherExtension' --publisher 'Microsoft.Azure.NetworkWatcher' --enable-auto-upgrade 'true' --version '1.4' --resource-group 'myResourceGroup' --vm-name 'myVM'

+```

+# [**Resource Manager**](#tab/arm)

+Use the following Azure Resource Manager template (ARM template) to install Network Watcher Agent VM extension on a Windows virtual machine:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vmName": {

+ "type": "string"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "name": "[parameters('vmName')]",

+ "type": "Microsoft.Compute/virtualMachines",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ }

+ },

+ {

+ "name": "[concat(parameters('vmName'), '/AzureNetworkWatcherExtension')]",

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

+ ],

+ "properties": {

+ "autoUpgradeMinorVersion": true,

+ "publisher": "Microsoft.Azure.NetworkWatcher",

+ "type": "NetworkWatcherAgentWindows",

+ "typeHandlerVersion": "1.4"

+ }

+ }

+ ],

+ "outputs": {}

+}

+```

+You can use either Azure PowerShell or Azure CLI to deploy the Resource Manager template:

+```azurepowershell

+# Deploy the JSON template file using Azure PowerShell.

+New-AzResourceGroupDeployment -ResourceGroupName 'myResourceGroup' -TemplateFile 'agent.json'

+```

+```azurecli

+# Deploy the JSON template file using the Azure CLI.

+az deployment group create --resource-group 'myResourceGroup' --template-file 'agent.json'

+```

+## Uninstall Network Watcher Agent VM extension

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can uninstall the Network Watcher Agent VM extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. Select **AzureNetworkWatcherExtension** from the list of extensions, and then select **Uninstall**.

+ :::image type="content" source="./media/network-watcher-agent-windows/uninstall-extension-windows.png" alt-text="Screenshot that shows how to uninstall Network Watcher Agent for Windows in the Azure portal." lightbox="./media/network-watcher-agent-windows/uninstall-extension-windows.png":::

+ > [!NOTE]

+ > You might see Network Watcher Agent VM extension named differently than **AzureNetworkWatcherExtension**.

+# [**PowerShell**](#tab/powershell)

+Use [Remove-AzVMExtension](/powershell/module/az.compute/remove-azvmextension) cmdlet to remove Network Watcher Agent VM extension from the virtual machine:

+```azurepowershell-interactive

+# Uninstall Network Watcher Agent VM extension.

+Remove-AzVMExtension -Name 'AzureNetworkWatcherExtension' -ResourceGroupName 'myResourceGroup' -VMName 'myVM'

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension delete](/cli/azure/vm/extension#az-vm-extension-delete) command to remove Network Watcher Agent VM extension from the virtual machine:

+```azurecli-interactive

+# Uninstall Network Watcher Agent VM extension.

+az vm extension delete --name 'AzureNetworkWatcherExtension' --resource-group 'myResourceGroup' --vm-name 'myVM'

+```

+# [**Resource Manager**](#tab/arm)

+N/A

+## Frequently asked questions (FAQ)

+To get answers to most frequently asked questions about Network Watcher Agent, see [Network Watcher Agent FAQ](frequently-asked-questions.yml#network-watcher-agent).

+## Related content

+- [Update Azure Network Watcher extension to the latest version](network-watcher-agent-update.md).

+- [Network Watcher documentation](index.yml).

+- [Microsoft Q&A - Network Watcher](/answers/topics/azure-network-watcher.html).

+- An existing virtual machine in the same region as Network Watcher with the [Windows extension](network-watcher-agent-windows.md) or [Linux virtual machine extension](network-watcher-agent-linux.md).

+> Packet capture requires a virtual machine scale set extension `AzureNetworkWatcherExtension`. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](network-watcher-agent-windows.md) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](network-watcher-agent-linux.md).

+> - [Network Watcher Agent VM extension for Windows](network-watcher-agent-windows.md).

+> - [Network Watcher Agent VM extension for Linux](network-watcher-agent-linux.md).

+> - [Update Network Watcher extension to the latest version](network-watcher-agent-update.md).

+> - Network Watcher packet capture requires Network Watcher agent VM extension to be installed on the target virtual machine. Whenever you use Network Watcher packet capture in the Azure portal, the agent is automatically installed on the target VM or scale set if it wasn't previously installed. To update an already installed agent, see [Update Azure Network Watcher extension to the latest version](network-watcher-agent-update.md). To manually install the agent, see [Network Watcher Agent virtual machine extension for Linux](network-watcher-agent-linux.md) or [Network Watcher Agent virtual machine extension for Windows](network-watcher-agent-windows.md).

+- The `mysql` CLI. For example, you can install the CLI by using the following commands on Ubuntu or Debian-based systems:

+ ```bash

+```bash

+ ```azurecli

+ ```azurecli

+ ```azurecli

+ ```bash

+ ```azurecli

+ ```bash

+ ```azurecli

+ ```bash

+ ```bash

+ ```bash

+ ```bash

+ ```bash

+ ```bash

+ ```bash

+1. Open your local terminal, paste the value from the **cmdToGetKubeadminCredentials** field, and execute it. You see the admin account and credential for signing in to the OpenShift cluster console portal. The following example shows an admin account:

+ - Sign in to the Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see [Sign into Azure with Azure CLI](/cli/azure/authenticate-azure-cli#sign-into-azure-with-azure-cli).

+ - When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see [Use and manage extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview).

+ - Run [az version](/cli/azure/reference-index?#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index?#az-upgrade). This article requires at least version 2.31.0 of Azure CLI.

+ Title: How to Install Microsoft Defender for Containers on a Nexus Kubernetes Cluster #Required; page title is displayed in search results. Include the brand.

+description: Learn how to install Microsoft Defender for Containers on a Nexus Kubernetes Cluster. #Required; article description that is displayed in search results.

+# Install Microsoft Defender for Containers on Azure Operator Nexus Kubernetes Cluster

+This article describes how to install Microsoft Defender for Containers inside a Nexus Kubernetes Cluster. [Microsoft Defender](/azure/defender-for-cloud/defender-for-cloud-introduction) can be used to monitor Kubernetes API Server audit logs and trigger alerts when appropriate. The audit logs are sent to the Defender backend and aren't directly accessible. They can't be queried through Kusto or in the Log Analytics Workspace associated with the installed Defender extension. Visit [Alerts for containers - Kubernetes clusters](/azure/defender-for-cloud/alerts-containers) for a list of alerts that are currently defined for Kubernetes Clusters.

+## Prerequisites

+Before proceeding with this how-to guide, it's recommended that you:

+* Refer to the Operator Nexus Kubernetes cluster [QuickStart guide](./quickstarts-kubernetes-cluster-deployment-bicep.md) for a comprehensive overview and steps involved.

+* Ensure that you meet the outlined prerequisites in the quickstart to ensure smooth implementation of the guide.

+> [!NOTE]

+> This guide assumes that you already have an existing Operator Nexus Kubernetes cluster that was created using the quickstart guide, and that you have access to the Azure CLI. Additionally, along with the networkcloud Azure CLI extension, the k8s-extension Azure CLI extension needs to be installed:

+```

+az extension add --name k8s-extension

+```

+## Installing Microsoft Defender for Containers in Nexus Kubernetes Cluster using Azure CLI

+Reference the Microsoft Defender for Containers documentation to [install Defender](/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-cli%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-arc#use-azure-cli-to-deploy-the-defender-sensor) on a Nexus Kubernetes Cluster.

+Refer to the Azure CLI command to install the extension in the provided link:

+```azurecli

+az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <cluster-name> --resource-group <resource-group> --extension-type microsoft.azuredefender.kubernetes

+```

+In the Azure CLI command, the cluster-name refers to the ARC connected cluster, of type Kubernetes - Azure ARC, representing the Nexus Kubernetes Cluster. As mentioned in the Microsoft Defender for Containers documentation, by default the Kubernetes API Server audit logs should exist in ```/var/log/kube-apiserver/audit.log``` otherwise the path to the audit log must be specified when installing Defender for Containers using the ```--auditLogPath``` flag. Reference the Microsoft Defender for Containers documentation previously linked for more detailed installation information and alternative methods of installation.

+## Microsoft Defender for Containers Security Alert Simulation

+Reference the documentation here on how to [simulate security alerts](/azure/defender-for-cloud/alert-validation#simulate-alerts-on-kubernetes-) for Microsoft Defender for Containers. This simulation has been performed on a Nexus Kubernetes Cluster and the corresponding alert appeared in the Microsoft Defender for Cloud Dashboard in the Azure portal:

+[ ](media/defender-for-cloud-alerts.png#lightbox)

+### In my VM's network interface's effective routes, why do I have a user-defined route (UDR) with next hop type set to **None**?

+If you advertise a route from your NVA to Route Server that is an exact prefix match as another user-defined route, then the advertised route's next hop must be valid. If the advertised next hop is a load balancer without a configured backend pool, then this invalid route will take precedence over the user-defined route. In your network interface's effective routes, the invalid advertised route will be displayed as a user-defined route with next hop type set to **None**.

+> [Create and configure Azure Route Server](quickstart-configure-route-server-portal.md)

+| [Build your own copilot solution accelerator](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator) | Code and docs to build your own copilot to harness the power of generative AI across both structured and unstructured data for Client Advisor and Research Assistant business use case scenarios. | [https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator) |

+| [Semantic ranking for retail](https://brave-meadow-0f59c9b1e.1.azurestaticapps.net/) | Web app for a fictitious online retailer, "Terra" | Not available |

+### Example code for a RAG workflow

+# This prompt provides instructions to the model.

+# The prompt includes the query and the source, which are specified further down in the code.

+# The query is sent to the search engine, but it's also passed in the prompt

+ model="gpt-35"

+

+ + ["Build your own copilot" solution accelerator](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator), leverages Azure Open AI Service, Azure AI Search and Microsoft Fabric, to create custom copilot solutions.

+ + [Client Advisor](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator/blob/main/ClientAdvisor/README.md) all-in-one custom copilot empowers Client Advisor to harness the power of generative AI across both structured and unstructured data. Help our customers to optimize daily tasks and foster better interactions with more clients

+ + [Research Assistant](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator/blob/main/ResearchAssistant/README.md) helps build your own AI Assistant to identify relevant documents, summarize and categorize vast amounts of unstructured information, and accelerate the overall document review and content generation.

+You're setting up two clients, so you need permissions on both resources.

+Azure AI Search is receiving the query request from your local system. Assign yourself the **Search Index Data Reader** role assignment for that task. If you're also creating and loading the hotel sample index, add **Search Service Contributor** and **Search Index Data Contributor** roles as well.

+Azure OpenAI is receiving the (query) "Can you recommend a few hotels" from your local system, plus its receiving the search results (source) from the search service. Assign yourself and the search service the **Cognitive Services OpenAI User** role.

+1. Configure Azure AI Search to use a system-assigned managed identity so that you can you give it role assignments:

+ 1. In the Azure portal, [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices).

+ 1. On the left menu, select **Settings** > **Identity**.

+ 1. On Azure AI Search, make sure you have permissions to create, load, and query a search index:

+ - **Search Index Data Contributor**

+ 1. On Azure OpenAI, select **Access control (IAM)** to assign yourself and the search service identity permissions on Azure OpenAI. The code for this quickstart runs locally. Requests to Azure OpenAI originate from your system. Also, search results from the search engine are passed to Azure OpenAI. For these reasons, both you and the search service need permissions on Azure OpenAI.

+1. In the Azure portal, [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices).

+ ! pip intall aiohttp --quiet

+1. Run the following code to set query parameters. The query is a keyword search using semantic ranking. In a keyword search, the search engine returns up to 50 matches, but only the top 5 are provided to the model. If you can't [enable semantic ranking](semantic-how-to-enable-disable.md) on your search service, set the value to false.

+1. Set up clients, the prompt, query, and response.

+ ```python

+ # Set up the query for generating responses

+ from azure.identity import DefaultAzureCredential

+ from azure.identity import get_bearer_token_provider

+ from azure.search.documents import SearchClient

+ from openai import AzureOpenAI

+ credential = DefaultAzureCredential()

+ token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")

+ openai_client = AzureOpenAI(

+ api_version="2024-06-01",

+ azure_endpoint=AZURE_OPENAI_ACCOUNT,

+ azure_ad_token_provider=token_provider

+ )

+ search_client = SearchClient(

+ endpoint=AZURE_SEARCH_SERVICE,

+ index_name="hotels-sample-index",

+ credential=credential

+ )

+ # Query is the question being asked. It's sent to the search engine and the LLM.

+ query="Can you recommend a few hotels near the ocean with beach access and good views"

+ # Set up the search results and the chat thread.

+ # Retrieve the selected fields from the search index related to the question.

+ search_results = search_client.search(

+ search_text=query,

+ top=5,

+ select="Description,HotelName,Tags"

+ )

+ sources_formatted = "\n".join([f'{document["HotelName"]}:{document["Description"]}:{document["Tags"]}' for document in search_results])

+ response = openai_client.chat.completions.create(

+ messages=[

+ {

+ "role": "user",

+ "content": GROUNDED_PROMPT.format(query=query, sources=sources_formatted)

+ }

+ ],

+ model=AZURE_DEPLOYMENT_MODEL

+ )

+ print(response.choices[0].message.content)

+ If you get an authorization error message, wait a few minutes and try again. It can take several minutes for role assignments to become operational.

+ To experiment further, change the query and rerun the last step to better understand how the model works with the grounding data.

+ You might also try the query without semantic ranking by setting `use_semantic_reranker=False` in the query parameters step. Semantic ranking can noticably improve the relevance of query results and the ability of the LLM to return useful information. Experimentation can help you decide whether it makes a difference for your content.

+As a next step, we recommend that you review the demo code for [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet), or [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript) on the azure-search-vector-samples repository.

+ - devx-track-ts

+## [**TypeScript**](#tab/typescript)

+ + [Client Advisor](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator/blob/main/ClientAdvisor/README.md) all-in-one custom copilot empowers Client Advisor to harness the power of generative AI across both structured and unstructured data. Help our customers to optimize daily tasks and foster better interactions with more clients

+ + [Research Assistant](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator/blob/main/ResearchAssistant/README.md) helps build your own AI Assistant to identify relevant documents, summarize and categorize vast amounts of unstructured information, and accelerate the overall document review and content generation.

+| [Chat with your data](https://github.com/Azure-Samples/chat-with-your-data-solution-accelerator) | Accelerator| A solution accelerator for the RAG pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to create conversational search experiences. The code with sample data is available for use case scenarios such as financial advisor and contract review and summarization.|

+| [Conversational Knowledge Mining](https://github.com/microsoft/Customer-Service-Conversational-Insights-with-Azure-OpenAI-Services) | Accelerator| A solution accelerator built on top of Azure AI Search, Azure Speech and Azure OpenAI services that allows customers to extract actionable insights from post-contact center conversations. |

+| [Build your own copilot](https://github.com/microsoft/Build-your-own-AI-Assistant-Solution-Accelerator) | Accelerator| Create your own custom copilot solution that empowers [Client Advisor](https://github.com/microsoft/Build-your-own-copilot-Solution-Accelerator/blob/main/ClientAdvisor/README.md) to harness the power of generative AI across both structured and unstructured data. Help our customers to optimize daily tasks and foster better interactions with more clients. |

+>

+> Playbooks in Microsoft Sentinel are based on workflows built in [Azure Logic Apps](/azure/logic-apps/logic-apps-overview), which means that you get all the power, customizability, and built-in templates of logic apps. Additional charges may apply. For pricing information, visit the [Azure Logic Apps pricing page](https://azure.microsoft.com/pricing/details/logic-apps/).

+- An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- To create and manage playbooks, you need access to Microsoft Sentinel with one of the following Azure roles:

+ | Logic app | Azure roles | Description |

+ |--|-|-|

+ | Consumption | **Logic App Contributor** | Edit and manage logic apps. |

+ | Consumption | **Logic App Operator** | Read, enable, and disable logic apps. |

+ | Standard | **Logic Apps Standard Operator** | Enable, resubmit, and disable workflows. |

+ | Standard | **Logic Apps Standard Developer** | Create and edit workflows. |

+ | Standard | **Logic Apps Standard Contributor** | Manage all aspects of a workflow. |

+ For more information, see the following documentation:

+ - [Access to logic app operations](/azure/logic-apps/logic-apps-securing-a-logic-app#access-to-logic-app-operations)

+ - [Microsoft Sentinel playbook prerequisites](automate-responses-with-playbooks.md#prerequisites).

+- Before you create your playbook, we recommend that you read [Azure Logic Apps for Microsoft Sentinel playbooks](../automation/logic-apps-playbooks.md).

+1. In the [Azure portal](https://portal.azure.com) or in the [Defender portal](https://security.microsoft.com/), go to your Microsoft Sentinel workspace. On the workspace menu, under **Configuration**, select **Automation**.

+ #### [Azure portal](#tab/azure-portal)

+ :::image type="content" source="../media/create-playbooks/add-new-playbook.png" alt-text="Screenshot shows Azure portal and Microsoft Sentinel Automation page with Create selected." lightbox="../media/create-playbooks/add-new-playbook.png":::

+ #### [Defender portal](#tab/defender-portal)

+ :::image type="content" source="../media/create-playbooks/add-new-playbook-defender.png" alt-text="Screenshot shows Defender portal and Microsoft Sentinel Automation page with Create selected." lightbox="../media/create-playbooks/add-new-playbook-defender.png":::

+

+ - If you're creating a **Consumption** playbook, select one of the following options, depending on the trigger you want to use, and then follow the [steps for a **Consumption** logic app](create-playbooks.md?tabs=consumption#prepare-playbook-logic-app):

+ - **Playbook with incident trigger**

+ - **Playbook with alert trigger**

+ - **Playbook with entity trigger**

+ This guide continues with the **Playbook with entity trigger**.

+ - If you're creating a **Standard** playbook, select **Blank playbook** and then [follow the steps for the **Standard** logic app type](create-playbooks.md?tabs=standard#prepare-playbook-logic-app).

+ For more information, see [Supported logic app types](../automation/logic-apps-playbooks.md#supported-logic-app-types) and [Supported triggers and actions in Microsoft Sentinel playbooks](playbook-triggers-actions.md).

+<a name="prepare-playbook-logic-app"></a>

+## Prepare your playbook's logic app

+Select one of the following tabs for details about how to create a logic app for your playbook, depending on whether you're using a Consumption or Standard logic app. For more information, see [Supported logic app types](../automation/logic-apps-playbooks.md#supported-logic-app-types).

+> [!TIP]

+>

+> If your playbooks need access to protected resources that are inside or connected to an Azure virtual network,

+> [create a Standard logic app workflow](/azure/logic-apps/create-single-tenant-workflows-azure-portal).

+>

+> Standard workflows run in single-tenant Azure Logic Apps and support using private endpoints for inbound

+> traffic so that your workflows can communicate privately and securely with virtual networks. Standard

+> workflows also support virtual network integration for outbound traffic. For more information, see

+> [Secure traffic between virtual networks and single-tenant Azure Logic Apps using private endpoints](/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint).

+After you select the trigger, which includes an incident, alert, or entity trigger, the **Create playbook** wizard appears, for example:

+Follow these steps to create your playbook:

+1. On the **Basics** tab, provide the following information:

+ 1. For **Subscription** and **Resource group**, select the values you want from their respective lists.

+ The **Region** value is set to the same region as the associated Log Analytics workspace.

+ 1. For **Playbook name**, enter a name for your playbook.

+ 1. To monitor this playbook's activity for diagnostic purposes, select **Enable diagnostics logs in Log Analytics**, and then select a **Log Analytics workspace** unless you already selected a workspace.

+1. Select **Next : Connections >**.

+1. On the **Connections** tab, we recommend leaving the default values, which configure a logic app to connect to Microsoft Sentinel with a managed identity.

+ For more information, see [Authenticate playbooks to Microsoft Sentinel](authenticate-playbooks-to-sentinel.md).

+1. To continue, select **Next : Review and create >**.

+1. On the **Review and create** tab, review your configuration choices, and select **Create playbook**.

+ Azure takes a few minutes to create and deploy your playbook. After deployment completes, your playbook opens in the Consumption workflow designer for [Azure Logic Apps](/azure/logic-apps/logic-apps-overview). The trigger that you selected earlier automatically appears as the first step in your workflow, so now you can continue building the workflow from here.

+ :::image type="content" source="../media/create-playbooks/designer-consumption.png" alt-text="Screenshot shows Consumption workflow designer with selected trigger." lightbox="../media/create-playbooks/designer-consumption.png":::

+1. On the designer, select the Microsoft Sentinel trigger, if not already selected.

+1. On the **Create connection** pane, follow these steps to provide the required information to connect to Microsoft Sentinel.

+ 1. For **Authentication**, select from the following methods, which affect subsequent connection parameters:

+ | Method | Description |

+ |--|-|

+ | **OAuth** | Open Authorization (OAuth) is a technology standard that lets you authorize an app or service to sign in to another without exposing private information, such as passwords. OAuth 2.0 is the industry protocol for authorization and grants limited access to protected resources. For more information, see the following resources: <br><br>- [What is OAuth](https://www.microsoft.com/security/business/security-101/what-is-oauth)? <br>- [OAuth 2.0 authorization with Microsoft Entra ID](/entra/architecture/auth-oauth2) |

+ | **Service principal** | A service principal represents an entity that requires access to resources that are secured by a Microsoft Entra tenant. For more information, see [Service principal object](/entra/identity-platform/app-objects-and-service-principals). |

+ | **Managed identity** | An identity that is automatically managed in Microsoft Entra ID. Apps can use this identity to access resources that support Microsoft Entra authentication and to obtain Microsoft Entra tokens without having to manage any credentials. <br><br>For optimal security, Microsoft recommends using a managed identity for authentication when possible. This option provides superior security and helps keep authentication information secure so that you don't have to manage this sensitive information. For more information, see the following resources: <br><br>- [What are managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)? <br>- [Authenticate access and connections to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/authenticate-with-managed-identity). |

+ For more information, see [Authentication prompts](#authentication-prompts).

+ 1. Based on your selected authentication option, provide the necessary parameter values for the corresponding option.

+ For more information about these parameters, see [Microsoft Sentinel connector reference](/connectors/azuresentinel/).

+ 1. For **Tenant ID**, select your [Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant).

+ 1. When you finish, select **Sign in**.

+1. If you previously chose **Playbook with entity trigger**, select the type of entity you want this playbook to receive as an input.

+ :::image type="content" source="../media/create-playbooks/entity-trigger-types.png" alt-text="Screenshot shows Consumption workflow playbook with entity trigger, and available entity types to select for setting the playbook schema." lightbox="../media/create-playbooks/entity-trigger-types.png":::

+Playbooks based on a Standard workflow don't support playbook templates, so you need to first create a Standard logic app, then create your playbook, and finally choose the trigger for your playbook.

+After you select **Blank playbook**, a new browser tab opens, and **Create Logic App** wizard appears. The wizard shows the available hosting options where **Standard - Workflow Service Plan** is already selected, for example:

+Follow these steps to create your Standard logic app:

+#### Create Standard logic app

+1. On the **Create Logic App** page, confirm your hosting plan selection, and then select **Select**.

+1. On the **Basics** tab, provide the following information:

+ 1. For **Subscription** and **Resource Group**, select the values you want from their respective lists.

+ 1. For **Logic App name**, enter a name for your logic app.

+ 1. For **Region**, select the Azure region for your logic app.

+ 1. For **Windows Plan (*selected-region*)**, create or select an existing plan.

+ 1. For **Pricing plan**, select the compute resources and their pricing for your logic app.

+ 1. Under **Zone redundancy**, you can enable this capability if you selected an Azure region that supports availability zone redundancy.

+ For this example, leave the option disabled. For more information, see [Protect logic apps from region failures with zone redundancy and availability zones](/azure/logic-apps/set-up-zone-redundancy-availability-zones).

+ 1. Select **Next : Storage >**.

+ :::image type="content" source="../media/create-playbooks/create-logic-app-basics-standard.png" alt-text="Screenshot shows Create Logic App wizard and Basics tab for a Standard logic app." lightbox="../media/create-playbooks/create-logic-app-basics-standard.png":::

+1. On the **Storage** tab, provide the following information:

+ 1. For **Storage type**, select **Azure Storage**, and create or select a storage account.

+ 1. For **Blob service diagnostic settings**, leave the default setting.

+1. On the **Networking** tab, you can leave the default options for this example.

+ For your specific, real-world, production scenarios, make sure to review and select the appropriate options. You can also change this configuration after you deploy your logic app resource. For more information, see the following documentation:

+ - [Create example Standard workflow - Azure portal](/azure/logic-apps/create-single-tenant-workflows-azure-portal)

+ - [Secure traffic between Standard logic apps and Azure virtual networks using private endpoints](/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint).

+1. On the **Monitoring** tab, follow these steps:

+ 1. Under **Application Insights**, set **Enable Application Insights** to **No**.

+ This setting disables or enables performance monitoring with Application Insights in Azure Monitor. However, for Microsoft Sentinel, this capability isn't required and costs extra.

+ 1. To apply tags to this logic app for resource categorization and billing purposes, select **Next : Tags >**. Otherwise, select **Review + create**.

+1. On the **Review + create** tab, review your configuration choices, and select **Create**.

+ Azure takes a few minutes to create and deploy your logic app.

+1. After deployment completes, select **Go to resource**, which opens your logic app resource.

+ Unlike with classic Consumption playbooks, you're not done yet. Now you must create a workflow.

+1. On your logic app menu, under **Workflows**, select **Workflows**.

+1. On the **Workflows** page toolbar, select **Add**.

+1. In the **New workflow** pane, provide the following information:

+ | Property | Description |

+ |-|-|

+ | **Workflow Name** | A meaningful name for your workflow. |

+ | **State type** | Select **Stateful**. Microsoft Sentinel doesn't support the use of stateless workflows as playbooks. |

+1. When you finish, select **Create**.

+ After Azure saves your workflow, the **Workflows** page shows your workflow.

+1. Select the workflow to open the workflow **Overview** page.

+ This page shows all the information about your workflow, including the history of all the times that the workflow runs.

+1. On the workflow menu, under **Developer**, select **Designer**.

+ The workflow designer opens for you to start building your workflow by adding a trigger.

+#### Add the workflow trigger

+1. On the designer, select **Add a trigger** to open the **Add a trigger** pane, for example:

+ :::image type="content" source="../media/create-playbooks/designer-standard.png" alt-text="Screenshot shows designer in Standard logic app workflow." lightbox="../media/create-playbooks/designer-standard.png":::

+1. [Follow these general steps to find the **Microsoft Sentinel** triggers](../../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger), which include these triggers:

+ - **Microsoft Sentinel entity**

+ - **Microsoft Sentinel alert**

+ - **Microsoft Sentinel incident**

+ :::image type="content" source="../media/create-playbooks/sentinel-triggers.png" alt-text="Screenshot shows how to select a trigger for your playbook." lightbox="../media/create-playbooks/sentinel-triggers.png":::

+1. Select the trigger that you want to use for your playbook.

+ This example continues with the **Microsoft Sentinel entity** trigger.

+1. On the designer, select the trigger, if not already selected.

+1. On the **Create connection** pane, provide the required information to connect to Microsoft Sentinel.

+ 1. For **Authentication**, select from the following methods, which affect subsequent connection parameters:

+ | Method | Description |

+ |--|-|

+ | **OAuth** | Open Authorization (OAuth) is a technology standard that lets you authorize an app or service to sign in to another without exposing private information, such as passwords. OAuth 2.0 is the industry protocol for authorization and grants limited access to protected resources. For more information, see the following resources: <br><br>- [What is OAuth](https://www.microsoft.com/security/business/security-101/what-is-oauth)? <br>- [OAuth 2.0 authorization with Microsoft Entra ID](/entra/architecture/auth-oauth2) |

+ | **Service principal** | A service principal represents an entity that requires access to resources that are secured by a Microsoft Entra tenant. For more information, see [Service principal object](/entra/identity-platform/app-objects-and-service-principals). |

+ | **Managed identity** | An identity that is automatically managed in Microsoft Entra ID. Apps can use this identity to access resources that support Microsoft Entra authentication and to obtain Microsoft Entra tokens without having to manage any credentials. <br><br>For optimal security, Microsoft recommends using a managed identity for authentication when possible. This option provides superior security and helps keep authentication information secure so that you don't have to manage this sensitive information. For more information, see the following resources: <br><br>- [What are managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)? <br>- [Authenticate access and connections to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/authenticate-with-managed-identity). |

+ For more information, see [Authentication prompts](#authentication-prompts).

+ 1. Based on your selected authentication option, provide the necessary parameter values for the corresponding option.

+ For more information about these parameters, see [Microsoft Sentinel connector reference](/connectors/azuresentinel/).

+ 1. For **Tenant ID**, select your [Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant).

+ 1. When you finish, select **Sign in**.

+1. If you chose **Playbook with entity trigger**, select the type of entity you want this playbook to receive as an input.

+ :::image type="content" source="../media/create-playbooks/entity-trigger-types.png" alt-text="Screenshot shows Standard workflow playbook with entity trigger, and available entity types to select for setting the playbook schema." lightbox="../media/create-playbooks/entity-trigger-types.png":::

+<a name="authentication-prompts"></a>

+When you add a trigger or subsequent action that requires authentication, you might be prompted to choose from the available authentication types supported by the corresponding resource provider. In this example, a Microsoft Sentinel trigger is the first operation that you add to your workflow. So, the resource provider is Microsoft Sentinel, which supports several authentication options. For more information, see the following documentation:

+### Add actions to your playbook

+Now that you have a workflow for your playbook, define what happens when you call the playbook. Add actions, logical conditions, loops, or switch case conditions, all by selecting the plus sign (**+**) on the designer. For more information, see [Create a workflow with a trigger or action](../../logic-apps/create-workflow-with-trigger-or-action.md).

+This selection opens the **Add an action** pane where you can browse or search for services, applications, systems, control flow actions, and more. After you enter your search terms or select the resource that you want, the results list shows you the available actions.

+In each action, when you select inside a field, you get the following options:

+- **Dynamic content** (lightning icon): Choose from a list of available outputs from the preceding actions in the workflow, including the Microsoft Sentinel trigger. For example, these outputs can include the attributes of an alert or incident that was passed to the playbook, including the values and attributes of all the [mapped entities](../map-data-fields-to-entities.md) and [custom details](../surface-custom-details-in-alerts.md) in the alert or incident. You can add references to the current action by selecting these outputs.

+ For examples that show using dynamic content, see the following sections:

+ - [Use entity playbooks with no incident ID](#dynamic-content-entity-playbooks-with-no-incident-id)

+ - [Work with custom details](#dynamic-content-work-with-custom-details)

+- **Expression editor** (function icon): Choose from a large library of functions to add more logic to your workflow.

+For more information, see [Supported triggers and actions in Microsoft Sentinel playbooks](playbook-triggers-actions.md).

+### Dynamic content: Entity playbooks with no incident ID

+Playbooks created with the **Microsoft Sentinel entity** trigger often use the **Incident ARM ID** field, for example, to update an incident after taking action on the entity. If such a playbook is triggered in a scenario that's unconnected to an incident, such as when threat hunting, there's no incident ID to populate this field. Instead, the field is populated with a null value. As a result, the playbook might fail to run to completion.

+To prevent this failure, we recommend that you create a condition that checks for a value in the incident ID field before the workflow takes any other actions. You can prescribe a different set of actions to take if the field has a null value, due to the playbook not being run from an incident.

+1. In your workflow, preceding the first action that refers to the **Incident ARM ID** field, [follow these general steps to add a **Condition** action](../../logic-apps/create-workflow-with-trigger-or-action.md).

+1. In the **Condition** pane, on the condition row, select the left **Choose a value** field, and then select the dynamic content option (lightning icon).

+1. From the dynamic content list, under **Microsoft Sentinel incident**, use the search box to find and select **Incident ARM ID**.

+ > [!TIP]

+ >

+ > If the output doesn't appear in the list, next to the trigger name, select **See more**.

+1. In the middle field, from the operator list, select **is not equal to**.

+1. In the right **Choose a value** field, and select the expression editor option (function icon).

+1. In the editor, enter **null**, and select **Add**.

+When you finish, your condition looks similar to the following example:

+In the **Microsoft Sentinel incident** trigger, the **Alert custom details** output is an array of JSON objects where each represents a [custom detail from an alert](../surface-custom-details-in-alerts.md). Custom details are key-value pairs that let you surface information from events in the alert so they can be represented, tracked, and analyzed as part of the incident.

+This field in the alert is customizable, so its schema depends on the type of event that is surfaced. To generate the schema that determines how to parse the custom details output, provide the data from an instance of this event:

+1. On the Microsoft Sentinel workspace menu, under **Configuration**, select **Analytics**.

+1. Follow the steps to create or open an existing [scheduled query rule](../create-analytics-rules.md?tabs=azure-portal) or [NRT query rule](../create-nrt-rules.md?tabs=azure-portal).

+1. On the **Set rule logic** tab, [expand the **Custom details** section](../surface-custom-details-in-alerts.md?tabs=azure), for example:

+ :::image type="content" source="../media/create-playbooks/custom-details-values.png" alt-text="Screenshot shows custom details defined in an analytics rule." lightbox="../media/create-playbooks/custom-details-values.png":::

+ The following table provides more information about these key-value pairs:

+ | Item | Location | Description |

+ ||-|-|

+ | **Key** | Left column | Represents the custom fields that you create. |

+ | **Value** | Right column | Represents the fields from the event data that populate the custom fields. |

+1. To generate the schema, provide the following example JSON code:

+ ```json

+ { "FirstCustomField": [ "1", "2" ], "SecondCustomField": [ "a", "b" ] }

+ ```

+ The code shows the key names as arrays, and the values as items in the arrays. Values are shown as the actual values, not the column that contains the values.

+To use custom fields for incident triggers, follow these steps for your workflow:

+1. In the workflow designer, under the **Microsoft Sentinel incident** trigger, add the built-in action named **Parse JSON**.

+1. Select inside the action's **Content** parameter, and select the dynamic content list option (lightning icon).

+1. From the list, in the incident trigger section, find and select **Alert Custom Details**, for example:

+ :::image type="content" source="../media/create-playbooks/custom-details-dynamic-field.png" alt-text="Screenshot shows selected Alert Custom Details in dynamic content list." lightbox="../media/create-playbooks/custom-details-dynamic-field.png":::

+ This selection automatically adds a **For each** loop around **Parse JSON** because an incident contains an array of alerts.

+1. In the **Parse JSON** information pane, select **Use sample payload to generate schema**, for example:

+ :::image type="content" source="../media/create-playbooks/generate-schema-link.png" alt-text="Screenshot shows selection for Use sample payload to generate schema link." lightbox="../media/create-playbooks/generate-schema-link.png":::

+1. In the **Enter or paste a sample JSON payload** box, provide a sample payload, and select **Done**.

+ For example, you can find a sample payload by looking in Log Analytics for another instance of this alert, and then copying the custom details object, which you can find under **Extended Properties**. To access Log Analytics data, go either to the **Logs** page in the Azure portal or the **Advanced hunting** page in the Defender portal.

+ The following example shows the earlier sample JSON code:

+ :::image type="content" source="../media/create-playbooks/sample-payload.png" alt-text="Screenshot shows sample JSON payload." lightbox="../media/create-playbooks/sample-payload.png":::

+ When you finish, the **Schema** box now contains the generated schema based on the sample that you provided. The **Parse JSON** action creates custom fields that you can now use as dynamic fields with **Array** type in your workflow's subsequent actions.

+ The following example shows an array and its items, both in the schema and in the dynamic content list for a subsequent action named **Compose**:

+ :::image type="content" source="../media/create-playbooks/custom-fields-ready-to-use.png" alt-text="Screenshot shows ready to use dynamic fields from the schema." lightbox="../media/create-playbooks/custom-fields-ready-to-use.png":::

+After you onboard to the unified security operations platform, by default the **Active playbooks** tab shows a predefined filter with onboarded workspace's subscription. **In the Azure portal**, edit the subscriptions you're showing from the **Directory + subscription** menu in the global Azure page header.

+|**Plan** | Indicates whether the playbook uses the *Standard* or *Consumption* Azure Logic Apps resource type. <br><br>Playbooks of the *Standard* type use the `LogicApp/Workflow` naming convention, which reflects how a Standard playbook represents a workflow that exists alongside other workflows in a single logic app. <br><br>For more information, see [Azure Logic Apps for Microsoft Sentinel playbooks](../automation/logic-apps-playbooks.md). |

+|**Trigger kind** | Indicates the trigger in Azure Logic Apps that starts this playbook: <br><br>- **Microsoft Sentinel Incident/Alert/Entity**: The playbook is started with one of the Sentinel triggers, including incident, alert, or entity <br>- **Using Microsoft Sentinel Action**: The playbook is started with a non-Microsoft Sentinel trigger but uses a Microsoft Sentinel action <br>- **Other**: The playbook doesn't include any Microsoft Sentinel components <br>- **Not initialized**: The playbook was created, but contains no components, neither triggers no actions. |

+After you create your playbook, attach it to rules to be triggered by events in your environment, or run your playbooks manually on specific incidents, alerts, or entities.

+Microsoft Sentinel supports both Consumption and Standard logic apps:

+- **Consumption**: Runs in multitenant Azure Logic Apps, and uses the classic, original Azure Logic Apps engine.

+- **Standard**: Runs in single-tenant Azure Logic Apps, and uses a more recently designed Azure Logic Apps engine.

+ Standard resources offer higher performance, fixed pricing, multiple workflow capability, easier API connections management, built-in network capabilities and CI/CD features, and more. However, the following playbook functionality differs for Standard logic apps in Microsoft Sentinel:

+ | Feature | Description |

+ ||-|

+ | **Creating playbooks** | Playbook templates aren't currently supported for Standard workflows, which means that you can't use a template to create your playbook directly in Microsoft Sentinel. <br><br>Instead, create your workflow manually in Azure Logic Apps to use it as a playbook in Microsoft Sentinel. |

+ | **Private endpoints** | If you're using Standard workflows with private endpoints, Microsoft Sentinel requires you to [define an access restriction policy in Logic apps](../define-playbook-access-restrictions.md) to support those private endpoints in any playbooks based on Standard workflows. <br><br>Without an access restriction policy, workflows with private endpoints might still be visible and selectable in Microsoft Sentinel, but running them will fail. |

+ | **Stateless workflows** | While Standard workflows support both *stateful* and *stateless* in Azure Logic Apps, Microsoft Sentinel doesn't support stateless workflows. <br><br>For more information, see [Stateful and stateless workflows](/azure/logic-apps/single-tenant-overview-compare#stateful-and-stateless-workflows). |

+Azure Logic Apps must connect separately and authenticate independently to each resource, of each type, that it interacts with, including to Microsoft Sentinel itself. Azure Logic Apps uses [specialized connectors](/connectors/connector-reference/) for this purpose, with each resource type having its own connector.

+- [Microsoft Sentinel connector for Azure Logic Apps](/connectors/azuresentinel/) in the Azure Logic Apps documentation

+| **Post a message in a Microsoft Teams channel** | [Post-Message-Teams](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Post-Message-Teams) | [Sentinel SOAR Essentials Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-sentinelsoaressentials?tab=Overview) |

+| **Send an Outlook email notification** | [Send-basic-email](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Send-basic-email) | [Sentinel SOAR Essentials Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-sentinelsoaressentials?tab=Overview) |

+| **Post a message in a Slack channel** | [Post-Message-Slack](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Post-Message-Slack) | [Sentinel SOAR Essentials Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-sentinelsoaressentials?tab=Overview) |

+| **Send Microsoft Teams adaptive card on incident creation** | [Send-Teams-adaptive-card-on-incident-creation](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Teams/Playbooks/Send-Teams-adaptive-card-on-incident-creation) |[Sentinel SOAR Essentials Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-sentinelsoaressentials?tab=Overview) |

+| **Create a Service Now incident** | [Create-SNOW-record](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Servicenow/Playbooks/Create-SNOW-record) | [ServiceNow solution](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/azuresentinel.azure-sentinel-solution-servicenow?tab=Overview) |

+

+

+

+

+

+

+ :::image type="content" source="../media/run-playbooks/manage-permissions.png" alt-text="Screenshot that shows the actions section with run playbook selected.":::

+ :::image type="content" source="../media/run-playbooks/add-new-rule.png" alt-text="Screenshot showing how to add a new automation rule.":::

+ :::image type="content" source="../media/run-playbooks/create-automation-rule-onboarded.png" alt-text="Screenshot showing the automation rule creation wizard.":::

+ :::image type="content" source="../media/run-playbooks/create-automation-rule.png" alt-text="Screenshot showing the automation rule creation wizard.":::

+ :::image type="content" source="../media/run-playbooks/manage-permissions.png" alt-text="Screenshot that shows the actions section with run playbook selected.":::

+In this article you'll learn how to define the triggers and conditions that determine when your automation rule runs, the various actions that you can have the rule perform, and the remaining features and functionalities.

+Before you create your automation rule, we recommend that you determine its scope and design, including the trigger, conditions, and actions that make up your rule.

+The first step in designing and defining your automation rule is figuring out which incidents or alerts you want it to apply to. This determination directly impacts how you create the rule.

+The following table shows the different possible scenarios that cause an automation rule to run.

+- Rules you create for when an alert is created support only the **If Analytic rule name** property in your condition. Select whether you want the rule to be inclusive (**Contains**) or exclusive (**Does not contain**), and then select the analytic rule name from the drop-down list.

+ If you selected one of the incident triggers and you want the automation rule to take effect only on incidents created in Microsoft Sentinel, or alternatively, only on those imported from Microsoft Defender XDR, specify the source in the **If Incident provider equals** condition. (This condition is displayed only if an incident trigger is selected.)

+ - **Analytic rule name**: For all trigger types, if you want the automation rule to take effect only on certain analytics rules, specify which ones by modifying the **If Analytics rule name contains** condition. (This condition isn't displayed if Microsoft Defender XDR is selected as the incident provider.)

+ Automation rules that are based on the alert trigger only run on alerts created by Microsoft Sentinel.

+If you add a **Run playbook** action, you're prompted to choose from the drop-down list of available playbooks.

+- Only playbooks that start with the **incident trigger** can be run from automation rules using one of the incident triggers, so only they appear in the list. Likewise, only playbooks that start with the **alert trigger** are available in automation rules using the alert trigger.

+- <a name="explicit-permissions"></a>Microsoft Sentinel must be granted explicit permissions in order to run playbooks. If a playbook appears unavailable in the drop-down list, it means that Sentinel doesn't have permissions to access that playbook's resource group. To assign permissions, select the **Manage playbook permissions** link.

+ :::image type="content" source="./media/create-manage-use-automation-rules/manage-permissions.png" alt-text="Manage permissions":::

+- If you don't yet have a playbook that takes the action that you want, [create a new playbook](tutorial-respond-threats-playbook.md). You have to exit the automation rule creation process and restart it after you create your playbook.

+1. Under **Rule expiration**, if you want your automation rule to expire, set an expiration date, and optionally, a time. Otherwise, leave it as *Indefinite*.

+1. The **Order** field is prepopulated with the next available number for your rule's trigger type. This number determines where in the sequence of automation rules (of the same trigger type) that this rule runs. You can change the number if you want this rule to run before an existing rule.

+ For more information, see [Notes on execution order and priority](automate-incident-handling-with-automation-rules.md#notes-on-execution-order-and-priority).

+Automation rules run sequentially, according to the order that you determine. Each automation rule executes after the previous one finishes its run. Within an automation rule, all actions run sequentially in the order that they're defined. See [Notes on execution order and priority](automate-incident-handling-with-automation-rules.md#notes-on-execution-order-and-priority) for more information.

+ - In Azure portal on Certificate Profiles page, make sure **Status: All** to view all certificate profiles to help you delete all relevant certificate profiles to meet the criteria to downgrade.

+

+ :::image type="content" source="media/trusted-signing-certificate-profile-deletion-changesku.png" alt-text="Screenshot that shows adding a diagnostic setting." lightbox="media/trusted-signing-certificate-profile-deletion-changesku.png":::

+3. Select Cost Management from the menu on the left. Learn more about using [Cost Management](https://learn.microsoft.com/azure/cost-management-billing/costs/).

+3. Select Billing from the menu on the left. Learn more about [Billing](https://learn.microsoft.com/azure/cost-management-billing/manage/).

+ - For more availability, you can use [Availability Zones](../availability-zones/az-overview.md) to automatically distribute VM instances in a scale set within a single datacenter or across multiple datacenters. Deploying VMs across Availability Zones can protect you against data center failure. Note that a scale set can't protect you against data center failures.

+| Mirantis | Windows_with_Mirantis_Container_Runtime_2019 | win_2019_mcr_23_0 |

+| Mirantis | Windows_with_Mirantis_Container_Runtime_2019 | win_2019_mcr_23_0_gen2 |

+The [OFED drivers for Linux](https://www.mellanox.com/products/infiniband-drivers/linux/mlnx_ofed) can be installed with the example below. Though the example here is for RHEL, but the steps are general and can be used for any compatible Linux operating system such as Ubuntu (18.04, 19.04, 20.04) and SLES (12 SP4+ and 15). More examples for other distros are on the [azhpc-images repo](https://github.com/Azure/azhpc-images/blob/master/ubuntu/ubuntu-20.x/ubuntu-20.04-hpc/install_prerequisites.sh). The inbox drivers also work as well, but the Mellanox OFED drivers provide more features.

+> [!NOTE]

+> In most cases, scheduled maintenance cannot be delayed. If you need a scheduled maintenance to be delayed, contact support and Azure will make a best-effort to postpone.

+ Title: Create a virtual network with encryption - Azure portal

+description: Learn how to create an encrypted virtual network using the Azure portal. A virtual network lets Azure resources communicate with each other and with the internet.

+# Create a virtual network with encryption using the Azure portal

+Azure Virtual Network encryption is a feature of Azure Virtual Network. Virtual network encryption allows you to seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Azure Virtual Network encryption protects data traversing your virtual network virtual machine to virtual machine and virtual machine to on-premises.

+## Prerequisites

+### [Portal](#tab/portal)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+### [PowerShell](#tab/powershell)

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure PowerShell installed locally or Azure Cloud Shell.

+- Sign in to Azure PowerShell and select the subscription with which you want to use this feature. For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+- Ensure your `Az.Network` module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name `Az.Network`. If the module requires an update, use the command Update-Module -Name `Az.Network` if necessary.

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+### [CLI](#tab/cli)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+- The how-to article requires version 2.31.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+### [Portal](#tab/portal)

+### [PowerShell](#tab/powershell)

+Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) named **test-rg** in the **eastus2** location.

+```azurepowershell-interactive

+$rg =@{

+ Name = 'test-rg'

+ Location = 'eastus2'

+}

+New-AzResourceGroup @rg

+```

+Use [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork) and [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) to create a virtual network.

+```azurepowershell-interactive

+## Create backend subnet config ##

+$subnet = @{

+ Name = 'subnet-1'

+ AddressPrefix = '10.0.0.0/24'

+}

+$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet

+## Create the virtual network ##

+$net = @{

+ Name = 'vnet-1'

+ ResourceGroupName = 'test-rg'

+ Location = 'eastus2'

+ AddressPrefix = '10.0.0.0/16'

+ Subnet = $subnetConfig

+ EnableEncryption = 'true'

+ EncryptionEnforcementPolicy = 'AllowUnencrypted'

+}

+New-AzVirtualNetwork @net

+```

+### [CLI](#tab/cli)

+Create a resource group with [az group create](/cli/azure/group#az-group-create) named **test-rg** in the **eastus2** location.

+```azurecli-interactive

+ az group create \

+ --name test-rg \

+ --location eastus2

+```

+Use [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) to create a virtual network.

+```azurecli-interactive

+ az network vnet create \

+ --resource-group test-rg \

+ --location eastus2 \

+ --name vnet-1 \

+ --enable-encryption true \

+ --encryption-enforcement-policy allowUnencrypted \

+ --address-prefixes 10.0.0.0/16 \

+ --subnet-name subnet-1 \

+ --subnet-prefixes 10.0.0.0/24

+```

+> [!IMPORTANT]

+> Azure Virtual Network encryption requires supported virtual machine SKUs in the virtual network for traffic to be encrypted. The setting **dropUnencrypted** will drop traffic between unsupported virtual machine SKUs if they are deployed in the virtual network. For more information, see [Azure Virtual Network encryption requirements](virtual-network-encryption-overview.md#requirements).

+## Enable encryption on a virtual network

+### [Portal](#tab/portal)

+Use the following steps to enable encryption for a virtual network.

+1. In the search box at the top of the portal, begin typing **Virtual networks**. When **Virtual networks** appears in the search results, select it.

+1. Select **vnet-1**.

+1. In the **Overview** of **vnet-1**, select the **Properties** tab.

+1. Select **Disabled** next to **Encryption**:

+ :::image type="content" source="./media/how-to-create-encryption-portal/virtual-network-properties.png" alt-text="Screenshot of properties of the virtual network.":::

+1. Select the box next to **Virtual network encryption**.

+1. Select **Save**.

+### [PowerShell](#tab/powershell)

+You can also enable encryption on an existing virtual network using [Set-AzVirtualNetwork](/powershell/module/az.network/set-azvirtualnetwork). **This step isn't necessary if you created the virtual network with encryption enabled in the previous steps.**

+```azurepowershell-interactive

+## Place the virtual network configuration into a variable. ##

+$net = @{

+ Name = 'vnet-1'

+ ResourceGroupName = 'test-rg'

+}

+$vnet = Get-AzVirtualNetwork @net

+## Enable encryption on the virtual network ##

+$vnet.Encryption = @{

+ Enabled = 'true'

+ Enforcement = 'allowUnencrypted'

+}

+$vnet | Set-AzVirtualNetwork

+```

+### [CLI](#tab/cli)

+You can also enable encryption on an existing virtual network using [az network vnet update](/cli/azure/network/vnet#az-network-vnet-update). **This step isn't necessary if you created the virtual network with encryption enabled in the previous steps.**

+```azurecli-interactive

+ az network vnet update \

+ --resource-group test-rg \

+ --name vnet-1 \

+ --enable-encryption true \

+ --encryption-enforcement-policy allowUnencrypted

+```

+## Verify encryption enabled

+### [Portal](#tab/portal)

+1. In the search box at the top of the portal, begin typing **Virtual networks**. When **Virtual networks** appears in the search results, select it.

+1. Select **vnet-1**.

+1. In the **Overview** of **vnet-1**, select the **Properties** tab.

+1. Verify that **Encryption** is set to **Enabled**.

+ :::image type="content" source="./media/how-to-create-encryption-portal/virtual-network-properties-encryption-enabled.png" alt-text="Screenshot of properties of the virtual network with encryption enabled.":::

+### [PowerShell](#tab/powershell)

+Use [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork) to view the encryption parameter for the virtual network you created previously.

+```azurepowershell-interactive

+## Place the virtual network configuration into a variable. ##

+$net = @{

+ Name = 'vnet-1'

+ ResourceGroupName = 'test-rg'

+}

+$vnet = Get-AzVirtualNetwork @net

+```

+To view the parameter for encryption, enter the following information.

+```azurepowershell-interactive

+$vnet.Encryption

+```

+```output

+Enabled Enforcement

+- --

+True allowUnencrypted

+```

+### [CLI](#tab/cli)

+Use [az network vnet show](/cli/azure/network/vnet#az-network-vnet-show) to view the encryption parameter for the virtual network you created previously.

+```azurecli-interactive

+ az network vnet show \

+ --resource-group test-rg \

+ --name vnet-1 \

+ --query encryption \

+ --output tsv

+```

+```output

+user@Azure:~$ az network vnet show \

+ --resource-group test-rg \

+ --name vnet-1 \

+ --query encryption \

+ --output tsv

+True AllowUnencrypted

+```

+### [Portal](#tab/portal)

+### [PowerShell](#tab/powershell)

+When no longer needed, you can use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all of the resources it contains:

+```azurepowershell-interactive

+$cleanup = @{

+ Name = "test-rg"

+}

+Remove-AzResourceGroup @cleanup -Force

+```

+### [CLI](#tab/cli)

+When you're done with the virtual network, use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all its resources.

+```azurecli-interactive

+az group delete \

+ --name test-rg \

+ --yes

+```

+## Next steps

+- For more information about Azure Virtual Networks, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview)

+- For more information about Azure Virtual Network encryption, see [What is Azure Virtual Network encryption?](virtual-network-encryption-overview.md)

+* The next hop IP address on the routes being advertised from the NVA to the virtual HUB route server has to be the same as the IP address of the NVA, the IP address configured on the BGP peer. Having a different IP address advertised as next hop IS NOT supported for Virtual WAN at the moment.

+* Azure VPN Client versions

+| P2S VPN | P2S | [Azure VPN Client for Linux](#linux)| [Certificate](point-to-site-certificate-client-linux-azure-vpn-client.md) authentication, [Microsoft Entra ID ](point-to-site-entra-vpn-client-linux.md) authentication.| May 2024 | N/A|

+| P2S VPN | P2S | [Azure VPN Client for macOS](#macos) | Microsoft Entra ID authentication updates, additional features. | May 2024 | N/A|

+| P2S VPN | P2S | [Azure VPN Client for Windows](#windows) | Microsoft Entra ID authentication updates, additional features. | May 2024 | N/A|

+|P2S VPN| P2S| [Feedback Hub support for Azure VPN Client connections](feedback-hub-azure-vpn-client.md) | Customers can use Feedback Hub to file a bug/allow feedback triage for Azure VPN Client connections. | May 2024| Windows 10, Windows 11 only|

+### <a name="windows"></a>Azure VPN Client - Windows

+### <a name="linux"></a>Azure VPN Client - Linux

+### <a name="macos"></a>Azure VPN Client - macOS