+|credentials|tenantName| Your Azure AD B2C [domain/tenant name](tenant-management.md#get-your-tenant-name). For example: `contoso.ommicrosoft.com`.|

+ "tenantName": "<your-tenant-name>.ommicrosoft.com",

+- [Add](/graph/api/authentication-post-emailmethods)

+- [List](/graph/api/authentication-list-emailmethods)

+- A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.

+The following video provides an overview of on-premises provisoning.

+> [!VIDEO https://www.youtube.com/embed/QdfdpaFolys]

+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)

+- [Attributes synchronized to Azure Active Directory](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md)

+

+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)

+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)

+- [Install cloud provisioning](how-to-install.md)

+ Title: Redirect URI (reply URL) restrictions

+## Query parameter support in redirect URIs

+Query parameters are **allowed** in redirect URIs for applications that *only* sign in users with work or school accounts.

+Query parameters are **not allowed** in redirect URIs for any app registration configured to sign in users with personal Microsoft accounts like Outlook.com (Hotmail), Messenger, OneDrive, MSN, Xbox Live, or Microsoft 365.

+| App registration sign-in audience | Supports query parameters in redirect URI |

+||-|

+| Accounts in this organizational directory only (Contoso only - Single tenant) | :::image type="icon" source="media/common/yes.png" border="false"::: |

+| Accounts in any organizational directory (Any Azure AD directory - Multitenant) | :::image type="icon" source="media/common/yes.png" border="false"::: |

+| Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) | :::image type="icon" source="media/common/no.png" border="false"::: |

+| Personal Microsoft accounts only | :::image type="icon" source="media/common/no.png" border="false"::: |

+The Microsoft identity platform supports the OAuth 2.0 implicit grant flow as described in the [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749#section-4.2). The defining characteristic of the implicit grant is that tokens (ID tokens or access tokens) are returned directly from the /authorize endpoint instead of the /token endpoint. This is often used as part of the [authorization code flow](v2-oauth2-auth-code-flow.md), in what is called the "hybrid flow" - retrieving the ID token on the /authorize request along with an authorization code.

+With the plans for [removing third party cookies from browsers](reference-third-party-cookies-spas.md), the **implicit grant flow is no longer a suitable authentication method**. The [silent single sign-on (SSO) features](#acquire-access-tokens-silently) of the implicit flow do not work without third party cookies, causing applications to break when they attempt to get a new token. We strongly recommend that all new applications use the [authorization code flow](v2-oauth2-auth-code-flow.md) that now supports single-page apps in place of the implicit flow. Existing single-page apps should also [migrate to the authorization code flow](migrate-spa-implicit-to-auth-code.md).

+The implicit grant is only reliable for the initial, interactive portion of your sign-in flow, where the lack of [third party cookies](reference-third-party-cookies-spas.md) doesn't impact your application. This limitation means you should use it exclusively as part of the hybrid flow, where your application requests a code as well as a token from the authorization endpoint. In a hybrid flow, your application receives a code that can be redeemed for a refresh token, thus ensuring your app's login session remains valid over time.

+The following diagram shows what the entire implicit sign-in flow looks like and the sections that follow describe each step in detail.

+| `domain_hint` | optional |If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. This parameter is commonly used for Line of Business apps that operate in a single tenant, where they'll provide a domain name within a given tenant, forwarding the user to the federation provider for that tenant. This hint prevents guests from signing into this application, and limits the use of cloud credentials like FIDO. |

+| `code` | Included if `response_type` includes `code`. It's an authorization code suitable for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). |

+| `scope` |Included if `response_type` includes `token`. Indicates the scope(s) for which the access_token will be valid. May not include all the requested scopes if they weren't applicable to the user. For example, Azure AD-only scopes requested when logging in using a personal account. |

+## Acquire access tokens silently

+> This part of the implicit flow is unlikely to work for your application as it's used across different browsers due to the [removal of third party cookies by default](reference-third-party-cookies-spas.md). While this still currently works in Chromium-based browsers that are not in Incognito, developers should reconsider using this part of the flow. In browsers that do not support third party cookies, you will receive an error indicating that no users are signed in, as the login page's session cookies were removed by the browser.

+Now that you've signed the user into your single-page app, you can silently get access tokens for calling web APIs secured by Microsoft identity platform, such as the [Microsoft Graph](https://developer.microsoft.com/graph). Even if you already received a token using the `token` response_type, you can use this method to acquire tokens to additional resources without redirecting the user to sign in again.

+> Try copy & pasting the request below into a browser tab! (Don't forget to replace the `login_hint` values with the correct value for your user)

+| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). |

+## Send a sign-out request

+The OpenID Connect `end_session_endpoint` allows your app to send a request to the Microsoft identity platform to end a user's session and clear cookies set by the Microsoft identity platform. To fully sign a user out of a web application, your app should end its own session with the user (usually by clearing a token cache or dropping cookies), and then redirect the browser to:

+* Monitoring and data retention

+* [Manage and customize Active Directory Federation Services using Azure AD Connect](how-to-connect-fed-management.md)

+

+

+- [Disable Azure AD Connect group writeback](how-to-connect-group-writeback-disable.md)

+* [Azure AD Connect Health Version History](reference-connect-health-version-history.md)

+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+- [Disable Azure AD Connect group writeback](how-to-connect-group-writeback-disable.md)

+* [**Troubleshoot**](tshoot-connect-pass-through-authentication.md) - Learn how to resolve common issues with the feature.

+ - [**UserVoice**](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) - For filing new feature requests.

+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+* [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)

+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+- Learn more about [Azure AD Connect design concepts](plan-connect-design-concepts.md).

+- [Custom installation of Azure AD Connect](how-to-connect-install-custom.md)

+[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

+[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

+[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

+[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

+[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

+- [What is Azure AD Connect and Connect Health?](whatis-azure-ad-connect.md)

+- [Single Sign-On](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites)

+* [Azure AD Connect Health and User Privacy](reference-connect-health-user-privacy.md)

+- [What is hybrid identity?](whatis-hybrid-identity.md).

+- [What is hybrid identity?](whatis-hybrid-identity.md)

+- Learn more about [hybrid identity](whatis-hybrid-identity.md).

+* [Azure AD Troubleshooting](/troubleshoot/azure/active-directory/welcome-azure-ad)

+- [Pass-through authentication](how-to-connect-pta.md)

+- [Password hash synchronization](how-to-connect-password-hash-synchronization.md)|

+- [Federation with PingFederate](how-to-connect-install-custom.md#configuring-federation-with-pingfederate)

+- [What is single-sign on?](how-to-connect-sso.md)

+- [How Password hash synchronization works](how-to-connect-password-hash-synchronization.md)

+| January | | 99.998% |

+| March | 99.568% | 99.998% |

+| July | 99.999% | 99.999% |

+For more information on how to connect to Azure AD using PowerShell, please see the article [Azure AD PowerShell for Graph](/powershell/azure/active-directory/install-adv2).

+**No**, you can't. Azure stores up to seven days of activity data for a free version. This means, when you switch from a free to a premium version, you can only see up to 7 days of data.

+We don't currently support the Microsoft Graph v2 endpoint - make sure to access the activity logs using the Microsoft Graph v1 endpoint.

+### Error: User isn't in the allowed roles

+Follow the steps in the [Prerequisites to access the Azure Active Directory reporting API](howto-configure-prerequisites-for-reporting-api.md) to ensure your application is running with the right set of permissions.

+Follow the steps in the [Prerequisites to access the Azure Active Directory reporting API](howto-configure-prerequisites-for-reporting-api.md) to ensure your application is running with the right set of permissions.

+ * **IBM QRadar**: The DSM and Azure Event Hubs Protocol are available for download at [IBM support](https://www.ibm.com/support). For more information about integration with Azure, go to the [IBM QRadar Security Intelligence Platform 7.3.0](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_microsoft_azure_overview.html?cp=SS42VS_7.3.0) site.

+- Some clients can use both legacy authentication or modern authentication depending on client configuration. If you see ΓÇ£modern mobile/desktop clientΓÇ¥ or ΓÇ£browserΓÇ¥ for a client in the Azure AD logs, it is using modern authentication. If it has a specific client or protocol name, such as ΓÇ£Exchange ActiveSyncΓÇ¥, it is using legacy authentication to connect to Azure AD. The client types in conditional access, and the Azure AD reporting page in the Azure portal demarcate modern authentication clients and legacy authentication clients for you, and only legacy authentication is captured in this workbook.

+2. Go to your **Team Management** section in the [LoginRadius Admin Console](https://www.loginradius.com/docs/api/v2/admin-console/overview/).

+ cd active-directory-verifiable-credentials-dotnet/1-asp-net-core-api-idtokenhint

+* Switzerland North

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM:

+> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.0* of OSM.

+> - If your cluster is running a version of Kubernetes between 1.23.5 and 1.24.0, the OSM add-on installs version *1.1.1* of OSM.

+> - If your cluster is running a version of Kubernetes below 1.23.5, the OSM add-on installs version *1.0.0* of OSM.

+> [!IMPORTANT]

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM:

+> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.0* of OSM.

+> - If your cluster is running a version of Kubernetes between 1.23.5 and 1.24.0, the OSM add-on installs version *1.1.1* of OSM.

+> - If your cluster is running a version of Kubernetes below 1.23.5, the OSM add-on installs version *1.0.0* of OSM.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM:

+> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.0* of OSM.

+> - If your cluster is running a version of Kubernetes between 1.23.5 and 1.24.0, the OSM add-on installs version *1.1.1* of OSM.

+> - If your cluster is running a version of Kubernetes below 1.23.5, the OSM add-on installs version *1.0.0* of OSM.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM:

+> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.0* of OSM.

+> - If your cluster is running a version of Kubernetes between 1.23.5 and 1.24.0, the OSM add-on installs version *1.1.1* of OSM.

+> - If your cluster is running a version of Kubernetes below 1.23.5, the OSM add-on installs version *1.0.0* of OSM.

+This article requires that you're running the Azure CLI version 2.34.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+>

+The following example output means that the appservice-kube extension isn't compatible with your Azure CLI version (a minimum of version 2.34.1 is required):

+```console

+The 'appservice-kube' extension is not compatible with this version of the CLI.

+You have CLI core version 2.0.81 and this extension requires a min of 2.34.1.

+Table output unavailable. Use the --query option to specify an appropriate query. Use --debug for more info.

+```

+If you receive this output, you need to update your Azure CLI version. The `az upgrade` command was added in version 2.11.0 and doesn't work with versions prior to 2.11.0. Older versions can be updated by reinstalling Azure CLI as described in [Install the Azure CLI](/cli/azure/install-azure-cli). If your Azure CLI version is 2.11.0 or later, you'll receive a message to run `az upgrade` to upgrade Azure CLI to the latest version.

+If your Azure CLI is updated and you receive the following example output, it means that no upgrades are available:

+If no upgrades are available, create a new cluster with a supported version of Kubernetes and migrate your workloads from the existing cluster to the new cluster. It's not supported to upgrade a cluster to a newer Kubernetes version when `az aks get-upgrades` shows that no upgrades are available.

+ Get-AzAksUpgradeProfile -ResourceGroupName myResourceGroup -ClusterName myAKSCluster |

+>

+If no upgrade is available, create a new cluster with a supported version of Kubernetes and migrate your workloads from the existing cluster to the new cluster. It's not supported to upgrade a cluster to a newer Kubernetes version when `Get-AzAksUpgradeProfile` shows that no upgrades are available.

+> [!IMPORTANT]

+By default, AKS configures upgrades to surge with one extra node. A default value of one for the max surge settings will enable AKS to minimize workload disruption by creating an extra node before the cordon/drain of existing applications to replace an older versioned node. The max surge value may be customized per node pool to enable a trade-off between upgrade speed and upgrade disruption. By increasing the max surge value, the upgrade process completes faster, but setting a large value for max surge may cause disruptions during the upgrade process.

+> [!IMPORTANT]

+With a list of available versions for your AKS cluster, use the [az aks upgrade][az-aks-upgrade] command to upgrade. During the upgrade process, AKS will:

+- Add a new buffer node (or as many nodes as configured in [max surge](#customize-node-surge-upgrade)) to the cluster that runs the specified Kubernetes version.

+- [Cordon and drain][kubernetes-drain] one of the old nodes to minimize disruption to running applications. If you're using max surge, it will [cordon and drain][kubernetes-drain] as many nodes at the same time as the number of buffer nodes specified.

+- When the old node is fully drained, it will be reimaged to receive the new version, and it will become the buffer node for the following node to be upgraded.

+- This process repeats until all nodes in the cluster have been upgraded.

+With a list of available versions for your AKS cluster, use the [Set-AzAksCluster][set-azakscluster] cmdlet to upgrade. During the upgrade process, AKS will:

+- Add a new buffer node (or as many nodes as configured in [max surge](#customize-node-surge-upgrade)) to the cluster that runs the specified Kubernetes version.

+- [Cordon and drain][kubernetes-drain] one of the old nodes to minimize disruption to running applications. If you're using max surge, it will [cordon and drain][kubernetes-drain] as many nodes at the same time as the number of buffer nodes specified.

+- When the old node is fully drained, it will be reimaged to receive the new version, and it will become the buffer node for the following node to be upgraded.

+- This process repeats until all nodes in the cluster have been upgraded.

+When you upgrade your cluster, the following Kubernetes events may occur on each node:

+In addition to manually upgrading a cluster, you can set an auto-upgrade channel on your cluster. For more information, see [Auto-upgrading an AKS cluster][aks-auto-upgrade].

+If you have PVCs backed by Azure LRS Disks, theyΓÇÖll be bound to a particular zone, and they may fail to recover immediately if the surge node doesnΓÇÖt match the zone of the PVC. This could cause downtime on your application when the Upgrade operation continues to drain nodes but the PVs are bound to a zone. To handle this case and maintain high availability, configure a [Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) on your application. This allows Kubernetes to respect your availability requirements during Upgrade's drain operation.

+| `stv2` | Single-tenant v2 | Azure-allocated compute infrastructure that supports availability zones, private endpoints | Developer, Basic, Standard, Premium¹ |

+| `stv1` | Single-tenant v1 | Azure-allocated compute infrastructure | Developer, Basic, Standard, Premium |

+| `mtv1` | Multi-tenant v1 | Shared infrastructure that supports native autoscaling and scaling down to zero in times of no traffic | Consumption |

+ azure-cognitive-service-layout:

+**Form Recognizer REST API v3.0 is now generally available and ready for use in production applications!** Update your applications with [**REST API version 2022-08-31**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument).

+* [What is Form Recognizer?](./overview.md)

+ "configurationProfileName": {

+ "configurationProfile": "[parameters('configurationProfileName')]"

+* "/subscriptions/[sub ID]/resourceGroups/resourceGroupName/providers/Microsoft.Automanage/configurationProfiles/customProfileName (for custom profiles)

+1. Provide the values for machineName, and configurationProfileName when prompted

+|[Machine Configuration](../governance/machine-configuration/overview.md) | Machine Configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the Azure security baseline using the Guest Configuration extension. For Arc machines, the machine configuration service will install the baseline in audit-only mode. You will be able to see where your VM is out of compliance with the baseline, but noncompliance won't be automatically remediated. |Production, Dev/Test |

+|[Machine configuration](../governance/machine-configuration/overview.md) | Machine configuration is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the Azure Linux baseline using the guest configuration extension. For Linux machines, the machine configuration service will install the baseline in audit-only mode. You will be able to see where your VM is out of compliance with the baseline, but noncompliance won't be automatically remediated. Learn [more](../governance/machine-configuration/overview.md). |Production, Dev/Test |

+# Preview: Azure Automanage machine best practices

+> Automanage can be enabled on Azure virtual machines and Azure Arc-enabled servers. Automanage is not available in US Government Cloud at this time.

+- Machines must be in a [supported region](#supported-regions)

+- User must have correct [permissions](#required-rbac-permissions)

+- Machines must meet the [eligibility requirements](#enabling-automanage-for-vms-in-azure-portal)

+- Automanage does not support [Trusted Launch VMs](../virtual-machines/trusted-launch.md)

+> [!NOTE]

+> If the machine is connected to a log analytics workspace, the log analytics workspace must be located in one of the supported regions listed above.

+- User does not have sufficient permissions to the log analytics workspace or to the machine. Check out the [required permissions](#required-rbac-permissions)

+> [!NOTE]

+> If the machine is powered off, you can still onboard the machine to Automanage. However, Automanage will report the machine as "Unknown" in the Automanage status because Automanage needs the machine to be powered on to assess if the machine is configured to the profile. Once you power on your machine, Automanage will try to onboard the machine to the selected configuration profile.

+A direct link to the policy using the built-in profiles is [here](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff889cab7-da27-4c41-a3b0-de1f6f87c550).

+A direct link to the policy using a custom configuration profile is [here](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb025cfb4-3702-47c2-9110-87fe0cfcc99b).

+- *In progress* - the VM is being configured

+- *Not conformant* - the VM has drifted and Automanage was unable to correct one or more services to the assigned configuration profile

+- *Unknown* - the Automanage service is unable to determine the desired configuration of the machine. This is usually because the VM agent is not installed or the machine is not running. It can also indicate that the Automanage service does not have the necessary permissions that it needs to determine the desired configuration

+- *Error* - the Automanage service encountered an error while attempting to determine if the machine conforms with the desired configuration

+|[Machine configuration](../governance/machine-configuration/overview.md) | Machine configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the [Windows security baselines](/windows/security/threat-protection/windows-security-baselines) using the guest configuration extension. For Windows machines, the machine configuration service will install the baseline in audit-only mode. You will be able to see where your VM is out of compliance with the baseline, but noncompliance won't be automatically remediated. Learn [more](../governance/machine-configuration/overview.md). To modify the audit mode for Windows machines, use a custom profile to choose your audit mode setting. [Learn more](virtual-machines-custom-profile.md) |Production, Dev/Test |

+The failure flyout will contain a link to the deployments in the resource group containing the machine that failed onboarding. Clicking the deployment link will take you to the deployments blade where you can see the Automanage deployments to your machine. If you're deploying across multiple regions, ensure that you click on the deployment in the correct region.

+If you don't see any failures in the resource group deployment, then your next step would be to look at the deployments in your subscription containing the machine that failed onboarding. Click the **Deployments for subscription** link in the failure flyout to see all Automanage related deployments for further troubleshooting.

+Automanage account insufficient permissions error | This error may occur if you've recently moved a subscription containing a new Automanage Account into a new tenant. Steps to resolve this error are located [here](./repair-automanage-account.md).

+Workspace region not matching region mapping requirements | Automanage was unable to onboard your machine because the Log Analytics workspace that the machine is currently linked to isn't mapped to a supported Automation region. Ensure that your existing Log Analytics workspace and Automation account are located in a [supported region mapping](../automation/how-to/region-mappings.md).

+The template deployment failed because of policy violation | Automanage was unable to onboard your machine because it violates an existing policy. If the policy violation is related to tags, you can [deploy a custom configuration profile](./virtual-machines-custom-profile.md#create-a-custom-profile-using-azure-resource-manager-templates) with tags for the following ARM resources: default resource group, automation account, recovery services vault, and log analytics workspace

+"Unable to determine the OS for the VM. Check that the VM Agent is running, the current status is Ready." | Ensure that you're running a [minimum supported agent version](/troubleshoot/azure/virtual-machines/support-extensions-agent-version), the agent is running ([Linux](/troubleshoot/azure/virtual-machines/linux-azure-guest-agent) and [Windows](/troubleshoot/azure/virtual-machines/windows-azure-guest-agent)), and that the agent is up to date ([Linux](../virtual-machines/extensions/update-linux-agent.md) and [Windows](../virtual-machines/extensions/agent-windows.md)).

+ASC workspace: Automanage doesn't currently support the Log Analytics service in _location_. | Check that your VM is located in a [supported region](./automanage-virtual-machines.md#supported-regions).

+"The assignment has failed; there is no additional information available" | Open a case with Microsoft Azure support.

+There are two Automanage built-in policies:

+1. Built-in Automanage profiles (dev/test and production): The Automanage policy definition can be found in the Azure portal by the name of [Configure virtual machines to be onboarded to Azure Automanage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff889cab7-da27-4c41-a3b0-de1f6f87c550).

+1. Custom configuration profiles: The Automanage policy definition can be found in the Azure portal by the name of [Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb025cfb4-3702-47c2-9110-87fe0cfcc99b0).

+If you click on this link, skip directly to step 8 in [Locate and assign the policy](#locate-and-assign-the-policy) below.

+1. Click on the *Configure virtual machines to be onboarded to Azure Automanage* built-in policy name. Choose the *Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile* policy if you would like to use an Automanage custom profile.

+ > [!NOTE]

+ > If you would like the policy to only apply to resources with a certain tag (key/value pair) you can add this into the "Inclusion Tag Name" and "Inclusion Tag Values". You need to uncheck the "Only show parameters that need input or review" to see this option.

+This article covers replication of Azure App Configuration stores. You'll learn about how to create, use and delete a replica in your configuration store.

+## Use replicas

+Each replica you create has its dedicated endpoint. If your application resides in multiple geolocations, you can update each deployment of your application in a location to connect to the replica closer to that location, which helps minimize the network latency between your application and App Configuration. Since each replica has its separate request quota, this setup also helps the scalability of your application while it grows to a multi-region distributed service.

+When geo-replication is enabled, and if one replica isn't accessible, you can let your application failover to another replica for improved resiliency. App Configuration provider libraries have built-in failover support by accepting multiple replica endpoints. You can provide a list of your replica endpoints in the order of the most preferred to the least preferred endpoint. When the current endpoint isn't accessible, the provider library will fail over to a less preferred endpoint, but it will try to connect to the more preferred endpoints from time to time. When a more preferred endpoint becomes available, it will switch to it for future requests. You can update your application as the sample code below to take advantage of the failover feature.

+> [!NOTE]

+> You can only use Azure AD authentication to connect to replicas. Authentication with access keys is not supported during the preview.

+<!-- ### [.NET](#tab/dotnet) -->

+```csharp

+configurationBuilder.AddAzureAppConfiguration(options =>

+{

+ // Provide an ordered list of replica endpoints

+ var endpoints = new Uri[] {

+ new Uri("https://<first-replica-endpoint>.azconfig.io"),

+ new Uri("https://<second-replica-endpoint>.azconfig.io") };

+

+ // Connect to replica endpoints using AAD authentication

+ options.Connect(endpoints, new DefaultAzureCredential());

+ // Other changes to options

+});

+```

+> [!NOTE]

+> The failover support is available if you use version **5.3.0-preview** or later of any of the following packages.

+> - `Microsoft.Extensions.Configuration.AzureAppConfiguration`

+> - `Microsoft.Azure.AppConfiguration.AspNetCore`

+> - `Microsoft.Azure.AppConfiguration.Functions.Worker`

+<!-- ### [Java Spring](#tab/spring)

+Placeholder for Java Spring instructions

+ -->

+The failover may occur if the App Configuration provider observes the following conditions.

+- Receives responses with service unavailable status (HTTP status code 500 or above).

+- Experiences with network connectivity issues.

+- Requests are throttled (HTTP status code 429).

+The failover won't happen for client errors like authentication failures.

+ Title: Private connectivity for Arc enabled Kubernetes clusters using private link (preview)

+description: With Azure Arc, you can use a Private Link Scope model to allow multiple Kubernetes clusters to use a single private endpoint.

+# Private connectivity for Arc enabled Kubernetes clusters using private link (preview)

+[Azure Private Link](/azure/private-link/private-link-overview) allows you to securely link Azure services to your virtual network using private endpoints. This means you can connect your on-premises Kubernetes clusters with Azure Arc and send all traffic over an Azure ExpressRoute or site-to-site VPN connection instead of using public networks. In Azure Arc, you can use a Private Link Scope model to allow multiple Kubernetes clusters to communicate with their Azure Arc resources using a single private endpoint.

+This document covers when to use and how to set up Azure Arc Private Link (preview).

+> [!IMPORTANT]

+> The Azure Arc Private Link feature is currently in PREVIEW in all regions where Azure Arc enabled Kubernetes is present, except South East Asia.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Advantages

+With Private Link you can:

+* Connect privately to Azure Arc without opening up any public network access.

+* Ensure data from the Arc-enabled Kubernetes cluster is only accessed through authorized private networks.

+* Prevent data exfiltration from your private networks by defining specific Azure Arc-enabled Kubernetes clusters and other Azure services resources, such as Azure Monitor, that connects through your private endpoint.

+* Securely connect your private on-premises network to Azure Arc using ExpressRoute and Private Link.

+* Keep all traffic inside the Microsoft Azure backbone network.

+For more information, see [Key benefits of Azure Private Link](/azure/private-link/private-link-overview#key-benefits).

+## How it works

+Azure Arc Private Link Scope connects private endpoints (and the virtual networks they're contained in) to an Azure resource, in this case Azure Arc-enabled Kubernetes clusters. When you enable any one of the Arc-enabled Kubernetes cluster supported extensions, such as Azure Monitor, then connection to other Azure resources may be required for these scenarios. For example, in the case of Azure Monitor, the logs collected from the cluster are sent to Log Analytics workspace.

+Connectivity to the other Azure resources from an Arc-enabled Kubernetes cluster listed earlier requires configuring Private Link for each service. For an example, see [Private Link for Azure Monitor](/azure/azure-monitor/logs/private-link-security).

+## Current limitations

+Consider these current limitations when planning your Private Link setup.

+* You can associate at most one Azure Arc Private Link Scope with a virtual network.

+* An Azure Arc-enabled Kubernetes cluster can only connect to one Azure Arc Private Link Scope.

+* All on-premises Kubernetes clusters need to use the same private endpoint by resolving the correct private endpoint information (FQDN record name and private IP address) using the same DNS forwarder. For more information, see [Azure Private Endpoint DNS configuration](/azure/private-link/private-endpoint-dns). The Azure Arc-enabled Kubernetes cluster, Azure Arc Private Link Scope, and virtual network must be in the same Azure region. The Private Endpoint and the virtual network must also be in the same Azure region, but this region can be different from that of your Azure Arc Private Link Scope and Arc-enabled Kubernetes cluster.

+* Traffic to Azure Active Directory, Azure Resource Manager and Microsoft Container Registry service tags must be allowed through your on-premises network firewall during the preview.

+* Other Azure services that you will use, for example Azure Monitor, requires their own private endpoints in your virtual network.

+ > [!NOTE]

+ > The [Cluster Connect](conceptual-cluster-connect.md) (and hence the [Custom location](custom-locations.md)) feature is not supported on Azure Arc-enabled Kubernetes clusters with private connectivity enabled. This is planned and will be added later. Network connectivity using private links for Azure Arc services like Azure Arc-enabled data services and Azure Arc-enabled App services that use these features are also not supported yet. Refer to the section below for a list of [cluster extensions or Azure Arc services that support network connectivity through private links](#cluster-extensions-that-support-network-connectivity-through-private-links).

+## Cluster extensions that support network connectivity through private links

+On Azure Arc-enabled Kubernetes clusters configured with private links, the following extensions support end-to-end connectivity through private links. Refer to the guidance linked to each cluster extension for additional configuration steps and details on support for private links.

+* [Azure GitOps](conceptual-gitops-flux2.md)

+* [Azure Monitor](/azure/azure-monitor/logs/private-link-security)

+## Planning your Private Link setup

+To connect your Kubernetes cluster to Azure Arc over a private link, you need to configure your network to accomplish the following:

+1. Establish a connection between your on-premises network and an Azure virtual network using a [site-to-site VPN](/azure/vpn-gateway/tutorial-site-to-site-portal) or [ExpressRoute](/azure/expressroute/expressroute-howto-linkvnet-arm) circuit.

+1. Deploy an Azure Arc Private Link Scope, which controls which Kubernetes clusters can communicate with Azure Arc over private endpoints and associate it with your Azure virtual network using a private endpoint.

+1. Update the DNS configuration on your local network to resolve the private endpoint addresses.

+1. Configure your local firewall to allow access to Azure Active Directory, Azure Resource Manager and Microsoft Container Registry.

+1. Associate the Azure Arc-enabled Kubernetes clusters with the Azure Arc Private Link Scope.

+1. Optionally, deploy private endpoints for other Azure services your Azure Arc enabled Kubernetes cluster is managed by, such as Azure Monitor.

+The rest of this document assumes you have already set up your ExpressRoute circuit or site-to-site VPN connection.

+## Network configuration

+Azure Arc-enabled Kubernetes integrates with several Azure services to bring cloud management and governance to your hybrid Kubernetes clusters. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints. You also need to allow access to Microsoft Container Registry (and Azure Front Door.First Party as a precursor for Microsoft Container Registry) to pull images & Helm charts to enable services like Azure Monitor, as well as for initial setup of Azure Arc agents on the Kubernetes clusters.

+There are two ways you can achieve this:

+* If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, Azure Frontdoor and Microsoft Container Registry using [service tags] (/azure/virtual-network/service-tags-overview). The NSG rules should look like the following:

+ | Setting | Azure AD rule | Azure Resource Manager rule | AzureFrontDoorFirstParty rule | Microsoft Container Registry rule |

+ |-||||

+ | Source | Virtual Network | Virtual Network | Virtual Network | Virtual Network

+ | Source Port ranges | * | * | * | *

+ | Destination | Service Tag | Service Tag | Service Tag | Service Tag

+ | Destination service tag | AzureActiveDirectory | AzureResourceManager | FrontDoor.FirstParty | MicrosoftContainerRegistry

+ | Destination port ranges | 443 | 443 | 443 | 443

+ | Protocol | TCP | TCP | TCP | TCP

+ | Action | Allow | Allow | Allow (Both inbound and outbound) | Allow

+ | Priority | 150 (must be lower than any rules that block internet access) | 151 (must be lower than any rules that block internet access) | 152 (must be lower than any rules that block internet access) | 153 (must be lower than any rules that block internet access) |

+ | Name | AllowAADOutboundAccess | AllowAzOutboundAccess | AllowAzureFrontDoorFirstPartyAccess | AllowMCROutboundAccess

+* Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, and Microsoft Container Registry, and inbound & outbound access to Azure FrontDoor.FirstParty using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Azure AD, Azure Resource Manager, Azure FrontDoor.FirstParty, and Microsoft Container Registry and is updated monthly to reflect any changes. Azure Active Directory's service tag is AzureActiveDirectory, Azure Resource Manager's service tag is AzureResourceManager, Microsoft Container Registry's service tag is MicrosoftContainerRegistry, and Azure Front Door's service tag is FrontDoor.FirstParty. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules.

+## Create an Azure Arc Private Link Scope

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Create a resource** in the Azure portal, then search for Azure Arc Private Link Scope. Or you can go directly to the [Azure Arc Private Link Scope page](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2FprivateLinkScopes) in the portal.

+1. Select **Create**.

+1. Select a subscription and resource group. During the preview, your virtual network and Azure Arc-enabled Kubernetes clusters must be in the same subscription as the Azure Arc Private Link Scope.

+1. Give the Azure Arc Private Link Scope a name.

+1. You can optionally require every Arc-enabled Kubernetes cluster associated with this Azure Arc Private Link Scope to send data to the service through the private endpoint. If you select **Enable public network access**, Kubernetes clusters associated with this Azure Arc Private Link Scope can communicate with the service over both private or public networks. You can change this setting after creating the scope as needed.

+1. Select **Review + Create**.

+ :::image type="content" source="media/private-link/create-private-link-scope.png" alt-text="Screenshot of the Azure Arc Private Link Scope creation screen in the Azure portal.":::

+1. After the validation completes, select **Create**.

+### Create a private endpoint

+Once your Azure Arc Private Link Scope is created, you need to connect it with one or more virtual networks using a private endpoint. The private endpoint exposes access to the Azure Arc services on a private IP in your virtual network address space.

+The Private Endpoint on your virtual network allows it to reach Azure Arc-enabled Kubernetes cluster endpoints through private IPs from your network's pool, instead of using to the public IPs of these endpoints. That allows you to keep using your Azure Arc-enabled Kubernetes clusters without opening your VNet to unrequested outbound traffic. Traffic from the Private Endpoint to your resources will go through Microsoft Azure, and is not routed to public networks.

+1. In your scope resource, select **Private Endpoint connections** in the left-hand resource menu. Select **Add** to start the endpoint create process. You can also approve connections that were started in the Private Link center by selecting them, then selecting **Approve**.

+ :::image type="content" source="media/private-link/create-private-endpoint.png" alt-text="Screenshot of the Private Endpoint connections screen in the Azure portal.":::

+1. Pick the subscription, resource group, and name of the endpoint, and the region you want to use. This must be the same region as your virtual network.

+1. Select **Next: Resource**.

+1. On the **Resource** page, perform the following:

+ 1. Select the subscription that contains your Azure Arc Private Link Scope resource.

+ 1. For **Resource type**, choose Microsoft.HybridCompute/privateLinkScopes.

+ 1. From the **Resource** drop-down, choose the Azure Arc Private Link Scope that you created earlier.

+ 1. Select **Next: Configuration**.

+1. On the **Configuration** page, perform the following:

+ 1. Choose the virtual network and subnet from which you want to connect to Azure Arc-enabled Kubernetes clusters.

+ 1. For **Integrate with private DNS zone**, select **Yes**. A new Private DNS Zone will be created. The actual DNS zones may be different from what is shown in the screenshot below.

+

+ :::image type="content" source="media/private-link/create-private-endpoint-2.png" alt-text="Screenshot of the Configuration step to create a private endpoint in the Azure portal.":::

+ > [!NOTE]

+ > If you choose **No** and prefer to manage DNS records manually, first complete setting up your Private Link, including this private endpoint and the Private Scope configuration. Next, configure your DNS according to the instructions in [Azure Private Endpoint DNS configuration](/azure/private-link/private-endpoint-dns). Make sure not to create empty records as preparation for your Private Link setup. The DNS records you create can override existing settings and impact your connectivity with Arc-enabled Kubernetes clusters.

+ 1. Select **Review + create**.

+ 1. Let validation pass.

+ 1. Select **Create**.

+

+ :::image type="content" source="media/private-link/create-private-endpoint-2.png" alt-text="Screenshot of the Configuration step to create a private endpoint in the Azure portal.":::

+ > [!NOTE]

+ > If you choose **No** and prefer to manage DNS records manually, first complete setting up your Private Link, including this private endpoint and the Private Scope configuration. Next, configure your DNS according to the instructions in [Azure Private Endpoint DNS configuration](/azure/private-link/private-endpoint-dns). Make sure not to create empty records as preparation for your Private Link setup. The DNS records you create can override existing settings and impact your connectivity with Arc-enabled Kubernetes clusters.

+## Configure on-premises DNS forwarding

+Your on-premises Kubernetes clusters need to be able to resolve the private link DNS records to the private endpoint IP addresses. How you configure this depends on whether you are using Azure private DNS zones to maintain DNS records or using your own DNS server on-premises, along with how many clusters you are configuring.

+### DNS configuration using Azure-integrated private DNS zones

+If you set up private DNS zones for Azure Arc-enabled Kubernetes clusters when creating the private endpoint, your on-premises Kubernetes clusters must be able to forward DNS queries to the built-in Azure DNS servers to resolve the private endpoint addresses correctly. You need a DNS forwarder in Azure (either a purpose-built VM or an Azure Firewall instance with DNS proxy enabled), after which you can configure your on-premises DNS server to forward queries to Azure to resolve private endpoint IP addresses.

+The private endpoint documentation provides guidance for configuring [on-premises workloads using a DNS forwarder](/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder).

+### Manual DNS server configuration

+If you opted out of using Azure private DNS zones during private endpoint creation, you'll need to create the required DNS records in your on-premises DNS server.

+1. Go to the Azure portal.

+1. Navigate to the private endpoint resource associated with your virtual network and Azure Arc Private Link Scope.

+1. From the left-hand pane, select **DNS configuration** to see a list of the DNS records and corresponding IP addresses youΓÇÖll need to set up on your DNS server. The FQDNs and IP addresses will change based on the region you selected for your private endpoint and the available IP addresses in your subnet.

+ :::image type="content" source="media/private-link/update-dns-configuration.png" alt-text="Screenshot showing manual DNS server configuration in the Azure portal.":::

+1. Follow the guidance from your DNS server vendor to add the necessary DNS zones and A records to match the table in the portal. Ensure that you select a DNS server that is appropriately scoped for your network. Every Kubernetes cluster that uses this DNS server now resolves the private endpoint IP addresses and must be associated with the Azure Arc Private Link Scope, or the connection will be refused.

+## Configure private links

+> [!NOTE]

+> Configuring private links for Azure Arc enabled Kubernetes clusters is supported starting from version 1.3.0 of connectedk8s CLI extension. Ensure that you are using connectedk8s CLI extension version greater than or equal to 1.2.9.

+You can configure private links for an existing Azure Arc-enabled Kubernetes cluster or when onboarding a Kubernetes cluster to Azure Arc for the first time using the command below:

+```azurecli

+az connectedk8s connect -g <resource-group-name> -n <connected-cluster-name> -l <location> --enable-private-link true --private-link-scope-resource-id <pls-arm-id>

+```

+| Parameter name | Description |

+| -- | -- |

+| --enable-private-link |Property to enable/disable private links feature. Set it to "True" to enable connectivity with private links. |

+| --private-link-scope-resource-id | ID of the private link scope resource created earlier. For example: /subscriptions//resourceGroups//providers/Microsoft.HybridCompute/privateLinkScopes/ |

+For Azure Arc-enabled Kubernetes clusters that were set up prior to configuring the Azure Arc private link scope, you can configure private links through the Azure portal using the following steps:

+1. In the Azure portal, navigate to your Azure Arc Private Link Scope resource.

+1. From the left pane, select **Azure Arc resources** and then **+ Add**.

+1. Select the Kubernetes clusters in the list that you want to associate with the Private Link Scope, and then choose **Select** to save your changes.

+ > [!NOTE]

+ > The list only shows Azure Arc-enabled Kubernetes clusters that are within the same subscription and region as your Private Link Scope.

+ :::image type="content" source="media/private-link/select-clusters.png" alt-text="Screenshot of the list of Kubernetes clusters for the Azure Arc Private Link Scope." lightbox="media/private-link/select-clusters.png":::

+## Troubleshooting

+If you run into problems, the following suggestions may help:

+* Check your on-premises DNS server(s) to verify it is either forwarding to Azure DNS or is configured with appropriate A records in your private link zone. These lookup commands should return private IP addresses in your Azure virtual network. If they resolve public IP addresses, double check your machine or server and networkΓÇÖs DNS configuration.

+ ```console

+ nslookup gbl.his.arc.azure.com

+ nslookup agentserviceapi.guestconfiguration.azure.com

+ nslookup dp.kubernetesconfiguration.azure.com

+ ```

+* If you are having trouble onboarding your Kubernetes cluster, confirm that youΓÇÖve added the Azure Active Directory, Azure Resource Manager, AzureFrontDoor.FirstParty and Microsoft Container Registry service tags to your local network firewall.

+## Next steps

+* Learn more about [Azure Private Endpoint](/azure/private-link/private-link-overview).

+* Learn how to [troubleshoot Azure Private Endpoint connectivity problems](/azure/private-link/troubleshoot-private-endpoint-connectivity).

+* Learn how to [configure Private Link for Azure Monitor](/azure/azure-monitor/logs/private-link-security).

+> [!NOTE]

+> To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET /urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.

+| K8s on Azure Stack Edge | Release version: Azure Stack Edge 2207 (2.2.2037.5375); Kubernetes version: [1.22.6](https://github.com/kubernetes/kubernetes/releases/tag/v1.22.6) |

+## Data residency

+Azure Arc resource bridge follows data residency regulations specific to each region. If applicable, data is backed up in a secondary pair region in accordance with data residency regulations. Otherwise, data resides only in that specific region. Data isn't stored or processed across different geographies.

+Azure Arc resource bridge stores resource information in Azure Cosmos DB. As described in [Encryption at rest in Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md), all the data is encrypted at rest.

+The [activity log](../../azure-monitor/essentials/activity-log.md) is an Azure platform log that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can [view the activity log](../../azure-monitor/essentials/activity-log.md#view-the-activity-log) in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are [retained for 90 days](../../azure-monitor/essentials/activity-log.md#retention-period) and then deleted.

+> To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET /urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.

+| **`suspendPostUri`** |The "suspend" URL of the orchestration instance. |

+| **`resumePostUri`** |The "resume" URL of the orchestration instance. |

+ "terminatePostUri": "http://localhost:7071/runtime/webhooks/durabletask/instances/abc123/terminate?reason={text}&code=XXX",

+ "suspendPostUri": "http://localhost:7071/runtime/webhooks/durabletask/instances/abc123/suspend?reason={text}&code=XXX",

+ "resumePostUri": "http://localhost:7071/runtime/webhooks/durabletask/instances/abc123/resume?reason={text}&code=XXX"

+| **`runtimeStatus`** | string | The runtime status of the instance. Values include *Running*, *Pending*, *Failed*, *Canceled*, *Terminated*, *Completed*, *Suspended*. |

+## Suspend instance (preview)

+Suspends a running orchestration instance.

+### Request

+In version 2.x of the Functions runtime, the request is formatted as follows (multiple lines are shown for clarity):

+```http

+POST /runtime/webhooks/durabletask/instances/{instanceId}/suspend

+ ?reason={text}

+ &taskHub={taskHub}

+ &connection={connectionName}

+ &code={systemKey}

+```

+| Field | Parameter Type | Description |

+|-|--|-|

+| **`instanceId`** | URL | The ID of the orchestration instance. |

+| **`reason`** | Query string | Optional. The reason for suspending the orchestration instance. |

+Several possible status code values can be returned.

+* **HTTP 202 (Accepted)**: The suspend request was accepted for processing.

+* **HTTP 404 (Not Found)**: The specified instance was not found.

+* **HTTP 410 (Gone)**: The specified instance has completed, failed, or terminated.

+The responses for this API do not contain any content.

+## Resume instance (preview)

+Resumes a suspended orchestration instance.

+### Request

+In version 2.x of the Functions runtime, the request is formatted as follows (multiple lines are shown for clarity):

+```http

+POST /runtime/webhooks/durabletask/instances/{instanceId}/resume

+ ?reason={text}

+ &taskHub={taskHub}

+ &connection={connectionName}

+ &code={systemKey}

+```

+| Field | Parameter Type | Description |

+|-|--|-|

+| **`instanceId`** | URL | The ID of the orchestration instance. |

+| **`reason`** | Query string | Optional. The reason for resuming the orchestration instance. |

+Several possible status code values can be returned.

+* **HTTP 202 (Accepted)**: The resume request was accepted for processing.

+* **HTTP 404 (Not Found)**: The specified instance was not found.

+* **HTTP 410 (Gone)**: The specified instance has completed, failed, or terminated.

+The responses for this API do not contain any content.

+Orchestrations in Durable Functions are long-running stateful functions that can be started, queried, suspended, resumed, and terminated using built-in management APIs. Several other instance management APIs are also exposed by the Durable Functions [orchestration client binding](durable-functions-bindings.md#orchestration-client), such as sending external events to instances, purging instance history, etc. This article goes into the details of all supported instance management operations.

+* **Output**: The output of the function as a JSON value (if the function has completed). If the orchestrator function failed, this property includes the failure details. If the orchestrator function was suspended or terminated, this property includes the reason for the suspension or termination (if any).

+ * **Suspended**: The instance was suspended and may be resumed at a later point in time.

+## Suspend and Resume instances (preview)

+Suspending an orchestration allows you to stop a running orchestration. Unlike with termination, you have the option to resume a suspended orchestrator at a later point in time.

+The two parameters for the suspend API are an instance ID and a reason string, which are written to logs and to the instance status.

+# [C#](#tab/csharp)

+```csharp

+[FunctionName("SuspendResumeInstance")]

+public static async Task Run(

+ [DurableClient] IDurableOrchestrationClient client,

+ [QueueTrigger("suspend-resume-queue")] string instanceId)

+{

+ string suspendReason = "Need to pause workflow";

+ await client.SuspendAsync(instanceId, suspendReason);

+

+ // ... wait for some period of time since suspending is an async operation...

+

+ string resumeReason = "Continue workflow";

+ await client.ResumeAsync(instanceId, resumeReason);

+}

+```

+# [JavaScript](#tab/javascript)

+> [!NOTE]

+> This feature is currently not supported in JavaScript.

+# [Python](#tab/python)

+> [!NOTE]

+> This feature is currently not supported in Python.

+# [Java](#tab/java)

+> [!NOTE]

+> This feature is currently not supported in Java.

+A suspended instance will eventually transition to the `Suspended` state. However, this transition will not happen immediately. Rather, the suspend operation will be queued in the task hub along with other operations for that instance. You can use the instance query APIs to know when a running instance has actually reached the Suspended state.

+When a suspended orchestrator is resumed, its status will change back to `Running`.

+Call the function with the following line. Use 2 seconds for the timeout and 0.5 second for the retry interval:

+ "terminatePostUri": "http://localhost:7071/runtime/webhooks/durabletask/instances/d3b72dddefce4e758d92f4d411567177/terminate?reason={text}&taskHub={taskHub}&connection={connection}&code={systemKey}",

+ "suspendPostUri": "http://localhost:7071/runtime/webhooks/durabletask/instances/d3b72dddefce4e758d92f4d411567177/suspend?reason={text}&taskHub={taskHub}&connection={connection}&code={systemKey}",

+ "resumePostUri": "http://localhost:7071/runtime/webhooks/durabletask/instances/d3b72dddefce4e758d92f4d411567177/resume?reason={text}&taskHub={taskHub}&connection={connection}&code={systemKey}"

+* **suspendPostUri**: The "suspend" URL of the orchestration instance.

+* **resumePostUri**: The "resume" URL of the orchestration instance.

+The cloud role name is set as follows:

+You can also set the cloud role name using via environment variable or system property,

+see [configuring cloud role name](./java-standalone-config.md#cloud-role-name) for details.

+The Application Insights Java agent collects logs from Log4j, Logback and java.util.logging out of the box.

+See the list of Application Insights Java's

+[autocollected dependencies](java-in-process-agent.md#autocollected-dependencies).

+- Set up custom dependency tracking for [Java](java-in-process-agent.md#add-spans).

+[Application Insights Java](./java-in-process-agent.md) supports automatic correlation of telemetry.

+It automatically populates `operation_id` for all telemetry (like traces, exceptions, and custom events) issued within the scope of a request. It also propagates the correlation headers (described earlier) for service-to-service calls via HTTP, RPC, and messaging. See the list of Application Insights Java's

+[autocollected dependencies which support distributed trace propagation](java-in-process-agent.md#autocollected-dependencies).

+> See [custom telemetry](./java-in-process-agent.md#custom-telemetry) if the auto-instrumentation does not cover all

+> of your needs.

+- For Application Insights Java, set the cloud role name as follows:

+ You can also set the cloud role name using via environment variable or system property,

+ see [configuring cloud role name](./java-standalone-config.md#cloud-role-name) for details.

+- Set up dependency tracking for [Java](./java-in-process-agent.md).

+- [Explore Java trace logs in Application Insights](./java-in-process-agent.md#autocollected-logs).

+* In some web servers, there are also agents that run alongside the app and send telemetry about CPU, memory, and network occupancy. For example, Azure VMs, Docker hosts, and [Java application servers](./java-in-process-agent.md) can have such agents.

+* Capture log traces from your favorite logging framework in [.NET](./asp-net-trace-logs.md) or [Java](./java-in-process-agent.md#autocollected-logs). This means you can search through your log traces and correlate them with page views, exceptions, and other events.

+* [Log4J, Logback, or java.util.logging](./java-in-process-agent.md#autocollected-logs)

+* East Asia

+* Norway East

+In this featured video, we show you how to create a storage account in the Azure portal.

+> [!VIDEO https://www.youtube.com/embed/AhuNgBafmUo]

+[How to create a storage account](https://www.youtube.com/watch?v=AhuNgBafmUo)

+| [How to use search in the Azure portal](https://www.youtube.com/watch?v=PcHF_DzsETA) | [How to check your subscription's secure score](https://www.youtube.com/watch?v=yqb3qvsjqXY) | [How to find and use Translator](https://www.youtube.com/watch?v=6xBHkHkFmZ4) |

+| [](http://www.youtube.com/watch?v=PcHF_DzsETA) | [](https://www.youtube.com/watch?v=yqb3qvsjqXY) | [](http://www.youtube.com/watch?v=6xBHkHkFmZ4) |

+In the [previous tutorial](template-tutorial-add-resource.md), you learned how to add an [Azure storage account](../../storage/common/storage-account-create.md) to the template and deploy it. In this tutorial, you learn how to improve the Azure Resource Manager template (ARM template) by adding parameters. This instruction takes **14 minutes** to complete.

+You need to have [Visual Studio Code](https://code.visualstudio.com/) installed and working with the Azure Resource Manager Tools extension, and either Azure PowerShell or Azure Command-Line Interface (CLI). For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).

+In the [previous tutorial](template-tutorial-create-first-template.md), you learned how to create and deploy your first blank Azure Resource Manager template (ARM template). Now, you're ready to deploy an actual resource to that template. In this case, an [Azure storage account](../../storage/common/storage-account-create.md). This instruction takes **9 minutes** to complete.

+You need to have [Visual Studio Code](https://code.visualstudio.com/) installed and working with the Azure Resource Manager Tools extension, and either Azure PowerShell or Azure Command-Line Interface (CLI). For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).

+This tutorial introduces you to Azure Resource Manager templates (ARM templates). It shows you how to create a starter template and deploy it to Azure. It teaches you about the template structure and the tools you need to work with templates. This instruction takes **12 minutes** to complete, but the actual finish time varies based on how many tools you need to install.

+# Resolve Resource Not Found errors

+## Symptoms

+## Solution 1 - Check resource properties

+## Solution 2 - Set Dependencies

+## Solution 3 - Get external resource

+## Solution 4 - Get managed identity from resource

+## Solution 5 - Check functions

+## Solution 6 - After deleting resource

+It's strongly recommended to have the following three accounts located in the same region:

+Azure Video Indexer trial offering isn't available in the mentioned region. For more information go to Azure Video Indexer Documentation.

+- A trial account. Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2,400 minutes of free indexing to API users.

+When creating an Azure Video Indexer account, you can choose a trial account (where you get a certain number of free indexing minutes) or a paid option (where you're not limited by the quota). With a trial, account, Azure Video Indexer provides up to 600 minutes of free indexing to website users and up to 2400 minutes of free indexing to API users. With a paid option, you create an Azure Video Indexer account that's [connected to your Azure subscription and an Azure Media Services account](connect-to-azure.md). You pay for minutes indexed, for more information, see [Media Services pricing](https://azure.microsoft.com/pricing/details/media-services/).

+| Registering to a vault | Invalid vault credentials provided. The file is corrupted or doesn't have the latest credentials associated with the recovery service. | Recommended action: <br> <ul><li> Download the latest credentials file from the vault and try again. <br>(OR)</li> <li> If the previous action didn't work, try downloading the credentials to a different local directory or create a new vault. <br>(OR)</li> <li> Try updating the date and time settings as described in [this article](./backup-azure-mars-troubleshoot.md#invalid-vault-credentials-provided). <br>(OR)</li> <li> Check to see if c:\windows\temp has more than 65000 files. Move stale files to another location or delete the items in the Temp folder. <br>(OR)</li> <li> Check the status of certificates. <br> a. Open **Manage Computer Certificates** (in Control Panel). <br> b. Expand the **Personal** node and its child node **Certificates**.<br> c. Remove the certificate **Windows Azure Tools**. <br> d. Retry the registration in the Azure Backup client. <br> (OR) </li> <li> Check to see if any group policy is in place. </li> <li> To prevent errors during vault registration, ensure that you've the MARS agent version 2.0.9249.0 or above installed. If not, we recommend you to download and install the latest version [from here](https://aka.ms/azurebackup_agent). </li></ul> |

+| Backup | Online recovery point creation failed | **Error Message**: Windows Azure Backup Agent was unable to create a snapshot of the selected volume. <br> **Workaround**: Try increasing the space in replica and recovery point volume.<br> <br> **Error Message**: The Windows Azure Backup Agent can't connect to the OBEngine service <br> **Workaround**: verify that the OBEngine exists in the list of running services on the computer. If the OBEngine service isn't running, use the "net start OBEngine" command to start the OBEngine service. <br> <br> **Error Message**: The encryption passphrase for this server isn't set. Please configure an encryption passphrase. <br> **Workaround**: Try configuring an encryption passphrase. If it fails, take the following steps: <br> <ol><li>Verify that the scratch location exists. This is the location that's mentioned in the registry **HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Azure Backup\Config**, with the name **ScratchLocation** should exist.</li><li> If the scratch location exists, try re-registering by using the old passphrase. *Whenever you configure an encryption passphrase, save it in a secure location.*</li><ol>|

+| Restore | **Error code**: CBPServerRegisteredVaultDontMatchWithCurrent/Vault Credentials Error: 100110 <br/> <br/>**Error message**: The original and external DPM servers must be registered to the same vault | **Cause**: This issue occurs when you're trying to restore files to the alternate server from the original server using the External DPM recovery option, and if the server that's being recovered and the original server from where the data is backed-up aren't associated with the same Recovery Services vault.<br/> <br/>**Workaround**: To resolve this issue, ensure both the original and alternate servers are registered to the same vault.|

+| Backup | Online recovery point creation jobs for VMware VM fail. DPM encountered an error from VMware while trying to get ChangeTracking information. ErrorCode - FileFaultFault (ID 33621) | <ol><li> Reset the CTK on VMware for the affected VMs.</li> <li>Check that independent disk isn't in place on VMware.</li> <li>Stop protection for the affected VMs and reprotect with the **Refresh** button. </li><li>Run a CC for the affected VMs.</li></ol>|

+>[!Note]

+>If you encounter difficulties to register to a vault or other errors, ensure that you've the MARS agent version 2.0.9249.0 or above installed. If not, we recommend you to install the latest version [from here](https://aka.ms/azurebackup_agent).

+ >

+ >[!Important]

+ >If you run into errors in vault registration, ensure that you're using the latest version of the MARS agent, instead of the version packaged with MABS server. You can download the latest version [from here](https://aka.ms/azurebackup_agent) and replace the *MARSAgentInstaller.exe* file in *System Center Microsoft Azure Backup Server v3\MARSAgent* folder before installation and registration on new servers.

+* To prevent errors during vault registration, ensure that the latest MARS agent version is used. If not, we recommend you to download it [from here](https://aka.ms/azurebackup_agent) or [from the Azure portal as mentioned in this section](#download-the-mars-agent).

+ If you are running into issues during vault registration, see the [troubleshooting guide](backup-azure-mars-troubleshoot.md#invalid-vault-credentials-provided).

+ * [Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/SingleLabelClassifyDocument.java)

+ * [Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/MultiLabelClassifyDocument.java)

+| Java (Runtime) | [Java documentation](/java/api/overview/azure/ai-textanalytics-readme?view=azure-java-preview&preserve-view=true) | [Java Samples - Single label classification](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/SingleLabelClassifyDocument.java) [Java Samples - Multi label classification](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/MultiLabelClassifyDocument.java) |

+Curie is powerful, yet fast. While Davinci is stronger when it comes to analyzing complicated text, Curie is capable for many nuanced tasks like sentiment classification and summarization. Curie is also good at answering questions and performing Q&A and as a general service chatbot.

+Babbage can perform straightforward tasks like simple classification. ItΓÇÖs also capable when it comes to semantic search ranking how well documents match up with search queries.

+TheyΓÇÖre most capable in Python and proficient in over a dozen languages, including C#, JavaScript, Go, Perl, PHP, Ruby, Swift, TypeScript, SQL, and even Shell.

+Davinci is the most capable, but is slower and more expensive than the other models. Ada is the least capable, but is both faster and cheaper.

+Similar to text search embeddings, there are two types: one for embedding code snippets to be retrieved and one for embedding natural language search queries.

+When using our embedding models, keep in mind their limitations and risks.

+We recommend starting with our Davinci model since it will be the best way to understand what the service is capable of. After you have an idea of what you want to accomplish, you can either stay with Davinci if youΓÇÖre not concerned about cost and speed, or you can move onto Curie or another model and try to optimize around its capabilities.

+To obtain an embedding vector for a piece of text, we make a request to the embeddings endpoint as shown in the following code snippets:

+The maximum length of input text for our embedding models is 2048 tokens (equivalent to around 2-3 pages of text). You should verify that your inputs don't exceed this limit before making a request.

+For the search models, you can obtain embeddings in two ways. The `<search_model>-doc` model is used for longer pieces of text (to be searched over) and the `<search_model>-query` model is used for shorter pieces of text, typically queries or class labels in zero shot classification. You can read more about all of the Embeddings models in our [Models](../concepts/models.md) guide.

+Unless you're embedding code, we suggest replacing newlines (\n) in your input with a single space, as we have observed inferior results when newlines are present.

+Our embedding models may be unreliable or pose social risks in certain cases, and may cause harm in the absence of mitigations. Review our Responsible AI content for more information on how to approach their use responsibly.

+ curl ${endpoint%/}/openai/deployment/YOUR_DEPLOYMENT_NAME/completions?api-version=2022-06-01-preview \

+ -d '{ "prompt": "Once upon a time" }'

+description: Walkthrough on how to get started with Azure OpenAI and make your first completions call.

+# Call Recording overview

+Call Recording provides a set of APIs to start, stop, pause and resume recording. These APIs can be accessed from server-side business logic or via events triggered by user actions. Recorded media output is in MP4 Audio+Video format, which is the same format that Teams uses to record media. Notifications related to media and metadata are emitted via Event Grid. Recordings are stored for 48 hours on built-in temporary storage for retrieval and movement to a long-term storage solution of choice. Call Recording supports all Azure Communication Services data regions.

+Call recording currently supports mixed audio+video MP4 and mixed audio MP3/WAV output formats in Public Preview. The mixed audio+video output media matches meeting recordings produced via Microsoft Teams recording.

+| audio + video | mp4 | mixed | 1920x1080 8 FPS video of all participants in default tile arrangement | 16kHz mp4a mixed audio of all participants |

+| audio| mp3/wav | mixed | N/A | 16kHz mp3/wav mixed audio of all participants |

+| audio| wav | unmixed | N/A | 16kHz wav, 0-5 channels, 1 for each participant |

+> **Unmixed audio** is in **Private Preview**.

+| Channel type | Content format | Output | Scenario | Release Stage |

+||--|||-|

+| Mixed audio+video | Mp4 | Single file, single channel | Keeping records and meeting notes Coaching and Training | Public Preview |

+| Mixed audio | Mp3 (lossy)/ wav (lossless) | Single file, single channel | Compliance & Adherence Coaching and Training | Public Preview |

+| **Unmixed audio** | wav | Single file, up to 5 wav channels | Quality Assurance Analytics | **Private Preview** |

+> [!NOTE]

+## Metadata Schema

+```typescript

+{

+ "resourceId": <string>, // stable resource id of the ACS resource recording

+ "callId": <string>, // group id of the call

+ "chunkDocumentId": <string>, // object identifier for the chunk this metadata corresponds to

+ "chunkIndex": <number>, // index of this chunk with respect to all chunks in the recording

+ "chunkStartTime": <string>, // ISO 8601 datetime for the start time of the chunk this metadata corresponds to

+ "chunkDuration": <number>, // duration of the chunk this metadata corresponds to in milliseconds

+ "pauseResumeIntervals": [

+ "startTime": <string>, // ISO 8601 datetime for the time at which the recording was paused

+ "duration": <number> // duration of the pause in the recording in milliseconds

+ ],

+ "recordingInfo": {

+ "contentType": <string>, // content type of recording, e.g. audio/audioVideo

+ "channelType": <string>, // channel type of recording, e.g. mixed/unmixed

+ "format": <string>, // format of the recording, e.g. mp4/mp3/wav

+ "audioConfiguration": {

+ "sampleRate": <number>, // sample rate for audio recording

+ "bitRate": <number>, // bitrate for audio recording

+ "channels": <number> // number of audio channels in output recording

+ }

+ },

+ "participants": [

+ {

+ "participantId": <string>, // participant identifier of a participant captured in the recording

+ "channel": <number> // channel the participant was assigned to if the recording is unmixed

+ }

+ ]

+}

+```

+## Available Languages

+> Chat push notifications are supported for Android SDK in versions starting from 1.1.0-beta.4 and 1.1.0. It is recommended that you use version 2.0.0 or newer, as older versions have a known issue with the registration renewal. Steps from 8 to 12 are only needed for versions equal to or greater than 2.0.0.

+ Title: Azure Logic Apps connectors overview

+description: Overview about connectors for workflows in Azure Logic Apps.

+This overview provides a high-level introduction to connectors and how they generally work.

+## What are connectors?

+Technically, many connectors provide a proxy or a wrapper around an API that the underlying service uses to communicate with Azure Logic Apps. This connector provides operations that you use in your workflows to perform tasks. An operation is available either as a *trigger* or *action* with properties you can configure. Some triggers and actions also require that you first [create and configure a connection](#connection-configuration) to the underlying service or system, for example, so that you can authenticate access to a user account. For more overview information, review [Connectors overview for Azure Logic Apps, Microsoft Power Automate, and Microsoft Power Apps](/connectors).

+ For information about the more popular and commonly used connectors in Azure Logic Apps, review the following documentation:

+An *action* is an operation that follows the trigger and performs some kind of task in your workflow. You can use multiple actions in your workflow. For example, you might start the workflow with a SQL trigger that detects new customer data in an SQL database. Following the trigger, your workflow can have a SQL action that gets the customer data. Following the SQL action, your workflow can have a different action that processes the data.

+For recurring connection-based triggers, such as Office 365 Outlook, the schedule isn't the only driver that controls execution. The time zone only determines the initial start time. Subsequent runs depend on the recurrence schedule, the last trigger execution, and other factors that might cause run times to drift or produce unexpected behavior, for example:

+Service provider-based built-in connectors are available alongside their [managed connector versions](managed.md).

+To have your logic app wait an amount of time before running the next action, you can add the built-in **Delay** action before an action in your logic app's workflow. Or, you can add the built-in **Delay until** action to wait until a specific date and time before running the next action. For more information about the built-in Schedule actions and triggers, see [Schedule and run recurring automated, tasks, and workflows with Azure Logic Apps](../logic-apps/concepts-schedule-automated-recurring-tasks-workflows.md).

+[Azure Spring Apps](../spring-apps/overview.md) is a platform as a service (PaaS) for Spring developers. If you want to run Spring Boot, Spring Cloud or any other Spring applications on Azure, Azure Spring Apps is an ideal option. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more.

+You can configure the Azure Cosmos account to allow access only from a specific subnet of a virtual network (VNET). Enable [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) on a subnet within a virtual network to control access to Azure Cosmos DB. The traffic from that subnet is sent to Azure Cosmos DB with the identity of the subnet and Virtual Network. Once the Azure Cosmos DB service endpoint is enabled, you can limit access to the subnet by adding it to your Azure Cosmos account.

+By default, an Azure Cosmos account is accessible from any source if the request is accompanied by a valid authorization token. When you add one or more subnets within VNets, only requests originating from those subnets will get a valid response. Requests originating from any other source will receive a 403 (Forbidden) response.

+1. Enable the service endpoint for Azure Cosmos DB to send the subnet and virtual network identity to Azure Cosmos DB.

+1. From the **All resources** pane, find the Azure Cosmos DB account that you want to secure.

+1. Select **Networking** from the settings menu

+ :::image type="content" source="./media/how-to-configure-vnet-service-endpoint/networking-pane.png" alt-text="Screenshot of the networking menu option.":::

+1. Choose to allow access from **Selected networks**.

+ :::image type="content" source="./media/how-to-configure-vnet-service-endpoint/choose-subnet-and-vnet.png" alt-text="Screenshot of the dialog to select an existing Azure Virtual Network and subnet with an Azure Cosmos DB service endpoint.":::

+ :::image type="content" source="./media/how-to-configure-vnet-service-endpoint/vnet-and-subnet-configured-successfully.png" alt-text="Screenshot of an Azure Virtual Network and subnet configured successfully in the list.":::

+>

+> - Subscription with virtual network: Network contributor

+> - Subscription with Azure Cosmos DB account: DocumentDB account contributor

+> - If your virtual network and Azure Cosmos DB account are in different subscriptions, make sure that the subscription that has virtual network also has `Microsoft.DocumentDB` resource provider registered. To register a resource provider, see [Azure resource providers and types](../azure-resource-manager/management/resource-providers-and-types.md) article.

+>

+1. From the **All resources** pane, find the Azure Cosmos DB account that you want to secure.

+1. Select **Networking** from the settings menu, and choose to allow access from **Selected networks**.

+ :::image type="content" source="./media/how-to-configure-vnet-service-endpoint/choose-subnet-and-vnet-new-vnet.png" alt-text="Screenshot of the dialog to create a new Azure Virtual Network, configure a subnet, and then enable the Azure Cosmos DB service endpoint.":::

+1. From the **All resources** pane, find the Azure Cosmos DB account for which you assigned service endpoints.

+1. Select **Networking** from the settings menu.

+ :::image type="content" source="./media/how-to-configure-vnet-service-endpoint/remove-a-vnet.png" alt-text="Screenshot of the menu option to remove an associated Azure Virtual Network.":::

+1. Update Azure Cosmos DB account properties with the new Virtual Network endpoint configuration:

+Azure Cosmos accounts can be configured for service endpoints when they're created or updated at a later time if the subnet is already configured for them. Service endpoints can also be enabled on the Cosmos account where the subnet isn't yet configured. Then the service endpoint will begin to work when the subnet is configured later. This flexibility allows for administrators who don't have access to both the Cosmos account and virtual network resources to make their configurations independent of each other.

+In this example, the virtual network and subnet are created with service endpoints enabled for both when they're created.

+This sample is intended to show how to connect an Azure Cosmos account to an existing or new virtual network. In this example, the subnet isn't yet configured for service endpoints. Configure the service endpoint by using the `--ignore-missing-vnet-service-endpoint` parameter. This configuration allows the Cosmos DB account to complete without error before the configuration to the virtual network's subnet is complete. Once the subnet configuration is complete, the Cosmos account will then be accessible through the configured subnet.

+After an Azure Cosmos DB account is configured for a service endpoint for a subnet, each request from that subnet is sent differently to Azure Cosmos DB. The requests are sent with virtual network and subnet source information instead of a source public IP address. These requests will no longer match an IP filter configured on the Azure Cosmos DB account, which is why the following steps are necessary to avoid downtime.

+At the moment the [Mongo shell](https://devblogs.microsoft.com/cosmosdb/preview-native-mongo-shell/) and [Cassandra shell](https://devblogs.microsoft.com/cosmosdb/announcing-native-cassandra-shell-preview/) integrations in the Cosmos DB Data Explorer, and the [Jupyter Notebooks service](./cosmosdb-jupyter-notebooks.md), aren't supported with VNET access. This integration is currently in active development.

+### Can I specify both virtual network service endpoint and IP access control policy on an Azure Cosmos account?

+You can enable both the virtual network service endpoint and an IP access control policy (also known as firewall) on your Azure Cosmos account. These two features are complementary and collectively ensure isolation and security of your Azure Cosmos account. Using IP firewall ensures that static IPs can access your account.

+### How do I limit access to subnet within a virtual network?

+There are two steps required to limit access to Azure Cosmos account from a subnet. First, you allow traffic from subnet to carry its subnet and virtual network identity to Azure Cosmos DB. Changing the identity of the traffic is done by enabling service endpoint for Azure Cosmos DB on the subnet. Next is adding a rule in the Azure Cosmos account specifying this subnet as a source from which account can be accessed.

+### Will virtual network ACLs and IP Firewall reject requests or connections?

+When IP firewall or virtual network access rules are added, only requests from allowed sources get valid responses. Other requests are rejected with a 403 (Forbidden). It's important to distinguish Azure Cosmos account's firewall from a connection level firewall. The source can still connect to the service and the connections themselves aren't rejected.

+Once service endpoint for Azure Cosmos DB is enabled on a subnet, the source of the traffic reaching the account switches from public IP to virtual network and subnet. If your Azure Cosmos account has IP-based firewall only, traffic from service enabled subnet would no longer match the IP firewall rules, and therefore be rejected. Go over the steps to seamlessly migrate from IP-based firewall to virtual network-based access control.

+### Are extra Azure role-based access control permissions needed for Azure Cosmos accounts with VNET service endpoints?

+The authorization validates permission for VNet resource action even if the user doesn't specify the VNET ACLs using Azure CLI. Currently, the Azure Cosmos account's control plane supports setting the complete state of the Azure Cosmos account. One of the parameters to the control plane calls is `virtualNetworkRules`. If this parameter isn't specified, the Azure CLI makes a get database call to retrieve the `virtualNetworkRules` and uses this value in the update call.

+### Do the peered virtual networks also have access to Azure Cosmos account?

+Only virtual network and their subnets added to Azure Cosmos account have access. Their peered VNets can't access the account until the subnets within peered virtual networks are added to the account.

+### What is the maximum number of subnets allowed to access a single Cosmos account?

+### Can I enable access from VPN and Express Route?

+For accessing Azure Cosmos account over Express route from on premises, you would need to enable Microsoft peering. Once you put IP firewall or virtual network access rules, you can add the public IP addresses used for Microsoft peering on your Azure Cosmos account IP firewall to allow on premises services access to Azure Cosmos account.

+### Do I need to update the Network Security Groups (NSG) rules?

+NSG rules are used to limit connectivity to and from a subnet with virtual network. When you add service endpoint for Azure Cosmos DB to the subnet, there's no need to open outbound connectivity in NSG for your Azure Cosmos account.

+### When should I accept connections from within global Azure datacenters for an Azure Cosmos DB account?

+- [Azure Data Factory Managed Virtual Network](../data-factory/managed-virtual-network-private-endpoint.md)

+- [Azure Cognitive Search Indexer access to protected resources](../search/search-indexer-securing-resources.md)

+- To configure a firewall for Azure Cosmos DB, see the [Firewall support](how-to-configure-firewall.md) article.

+> The Azure Marketplace price list feature in the EA portal is retired. Currently, EA customers can't get a Marketplace price sheet.

+> [!NOTE]

+> In order to have full SSL verification via the ODBC connection when using the Self Hosted Integration Runtime you must use an ODBC type connection instead of the PostgreSQL connector explicitly, and complete the following configuration:

+>

+> 1. Set up the DSN on any SHIR servers.

+> 1. Put the proper certificate for PostgreSQL in C:\Users\DIAHostService\AppData\Roaming\postgresql\root.crt on the SHIR servers. This is where the ODBC driver looks > for the SSL cert to verify when it connects to the database.

+> 1. In your data factory connection, use an ODBC type connection, with your connection string pointing to the DSN you created on your SHIR servers.

+ >[!Note]

+ >The integration runtime sharing is only available for self-hosted integration runtimes. Azure-SSIS integration runtimes don't support sharing.

+You can set parallel copy (`parallelCopies` property in the JSON definition of the Copy activity, or `Degree of parallelism` setting in the **Settings** tab of the Copy activity properties in the user interface) on copy activity to indicate the parallelism that you want the copy activity to use. You can think of this property as the maximum number of threads within the copy activity that read from your source or write to your sink data stores in parallel.

+- [Migrate data from Amazon S3 to Azure Storage](data-migration-guidance-s3-azure-storage.md)

+ > [!NOTE]

+ > The action group must be created within the same resource group as the data factory instance in order to be available for use from the data factory.

+[Configure diagnostics settings and workspace](monitor-configure-diagnostics.md)

+Azure Monitor provides base-level infrastructure metrics and logs for most Azure services. Azure diagnostic logs are emitted by a resource and provide rich, frequent data about the operation of that resource. Azure Data Factory (ADF) can write diagnostic logs in Azure Monitor.

+ Title: 'Tutorial: View and configure DDoS protection telemetry for Azure DDoS Protection Standard'

+# Tutorial: View and configure DDoS protection telemetry

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+Telemetry for an attack is provided through Azure Monitor in real time. While [mitigation triggers](#view-ddos-mitigation-policies) for TCP SYN, TCP & UDP are available during peace-time, other telemetry is available only when a public IP address has been under mitigation.

+> [!NOTE]

+> While multiple options for **Aggregation** are displayed on Azure portal, only the aggregation types listed in the table below are supported for each metric. We apologize for this confusion and we are working to resolve it.

+### View metrics from DDoS protection plan

+1. Sign in to the [Azure portal](https://portal.azure.com/) and select your DDoS protection plan.

+1. On the Azure portal menu, select or search for and select **DDoS protection plans** then select your DDoS protection plan.

+1. Under **Monitoring**, select **Metrics**.

+1. Click **Add metric** then click **Scope**.

+1. In the **Select a scope** menu select the **Subscription** that contains the public IP address you want to log.

+1. Select **Public IP Address** for **Resource type** then select the specific public IP address you want to log metrics for, and then select **Apply**.

+1. For **Metric** select **Under DDoS attack or not**.

+1. Select the **Aggregation** type as **Max**.

+### View metrics from virtual network

+1. Under **Monitoring**, select **Metrics**.

+1. Click **Add metric** then click **Scope**.

+1. In the **Select a scope** menu select the **Subscription** that contains the public IP address you want to log.

+1. Select **Public IP Address** for **Resource type** then select the specific public IP address you want to log metrics for, and then select **Apply**.

+1. Under **Metric** select your chosen metric then under **Aggregation** select type as **Max**.

+>[!NOTE]

+>To filter IP Addresses select **Add filter**. Under **Property**, select **Protected IP Address**, and the operator should be set to **=**. Under **Values**, you will see a dropdown of public IP addresses, associated with the virtual network, that are protected by DDoS protection.

+### View metrics from Public IP address

+1. On the Azure portal menu, select or search for and select **Public IP addresses** then select your public IP address.

+1. Under **Monitoring**, select **Metrics**.

+1. Click **Add metric** then click **Scope**.

+1. In the **Select a scope** menu select the **Subscription** that contains the public IP address you want to log.

+1. Select **Public IP Address** for **Resource type** then select the specific public IP address you want to log metrics for, and then select **Apply**.

+1. Under **Metric** select your chosen metric then under **Aggregation** select type as **Max**.

+> Event Hubs Premium supports TLS 1.2 or greater.

+You can purchase 1, 2, 4, 8 and 16 processing units for each namespace. As the premium tier is a capacity-based offering, the achievable throughput isn't set by a throttle as it is in the standard tier, but depends on the work you ask Event Hubs to do, similar to the dedicated tier. The effective ingest and stream throughput per PU will depend on various factors, including:

+For the complete templates, select the following GitHub links:

+With this template, you deploy an Event Hubs namespace with an event hub, and also enable [Event Hubs Capture](event-hubs-capture-overview.md). Event Hubs Capture enables you to automatically deliver the streaming data in Event Hubs to Azure Blob storage or Azure Data Lake Store, within a specified time or size interval of your choosing. Select the following button to enable Event Hubs Capture into Azure Storage:

+Select the following button to enable Event Hubs Capture into Azure Data Lake Store:

+With Azure Resource Manager, you define parameters for values you want to specify when the template is deployed. The template includes a section called `Parameters` that contains all the parameter values. You should define a parameter for those values that vary based on the project you're deploying or based on the environment you're deploying to. Don't define parameters for values that always stay the same. Each parameter value is used in the template to define the resources that are deployed.

+## Azure Storage or Azure Data Lake Storage Gen 2 as destination

+Creates a namespace of type **EventHub**, with one event hub, and also enables Capture to Azure Blob Storage or Azure Data Lake Storage Gen2.

+## Azure Data Lake Storage Gen1 as destination

+Creates a namespace of type **EventHub**, with one event hub, and also enables Capture to Azure Data Lake Storage Gen1. If you're using Gen2 of Data Lake Storage, see the previous section.

+ 1. Enter a **name for the network interface**.

+ 1. Select a **region** for the private endpoint. Your private endpoint must be in the same region as your virtual network, but can be in a different region from the private link resource that you are connecting to.

+ 1. Select **Next: Resource >** button at the bottom of the page.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-basics-page.png" alt-text="Screenshot showing the Basics page of the Create private endpoint wizard.":::

+8. On the **Resource** page, review settings, and select **Next: Virtual Network**.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-resource-page.png" alt-text="Screenshot showing the Resource page of the Create private endpoint wizard.":::

+9. On the **Virtual Network** page, you select the subnet in a virtual network to where you want to deploy the private endpoint.

+ 1. Notice that the **network policy for private endpoints** is disabled. If you want to enable it, select **edit**, update the setting, and select **Save**.

+ 1. For **Private IP configuration**, by default, **Dynamically allocate IP address** option is selected. If you want to assign a static IP address, select **Statically allocate IP address***.

+ 1. For **Application security group**, select an existing application security group or create one that's to be associated with the private endpoint.

+ 1. Select **Next: DNS >** button at the bottom of the page.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-configuration-page.png" alt-text="Screenshot showing the Virtual Network page of the Create private endpoint wizard.":::

+10. On the **DNS** page, select whether you want the private endpoint to be integrated with a private DNS zone, and then select **Next: Tags**.

+1. On the **Tags** page, create any tags (names and values) that you want to associate with the private endpoint resource. Then, select **Review + create** button at the bottom of the page.

+1. On the **Review + create**, review all the settings, and select **Create** to create the private endpoint.

+3. You should see the status changed to **Disconnected**. Then, the endpoint will disappear from the list.

+1. Sign in to Azure and select the ExpressRoute Direct subscription.

+ ```powershell

+ Connect-AzAccount

+ Select-AzSubscription -Subscription "<SubscriptionID or SubscriptionName>"

+ ```

+1. . Get ExpressRoute Direct details

+ ```powershell

+ Get-AzExpressRoutePort

+ $ERPort = Get-AzExpressRoutePort -Name $Name -ResourceGroupName $ResourceGroupName

+ ```

+ Add-AzExpressRoutePortAuthorization -Name $AuthName -ExpressRoutePort $ERPort

+ $ERDirectAuthorization = Get-AzExpressRoutePortAuthorization -ExpressRoutePortObject $ERPort -Name $AuthName

+ Select-AzSubscription -Subscription "<SubscriptionID or SubscriptionName>"

+

+ New-AzExpressRouteCircuit -Name $Name -ResourceGroupName $RGName -Location $Location -SkuTier $SkuTier -SkuFamily $SkuFamily -BandwidthInGbps $BandwidthInGbps -AuthorizationKey $ERDirectAuthorization.AuthorizationKey

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageAccounts?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/routeTables**](/azure/templates/microsoft.network/routeTables?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces?pivots=deployment-language-arm-template)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls?pivots=deployment-language-arm-template)

+ Title: 'Quickstart: Create an Azure Firewall and IP Groups - Bicep'

+description: In this quickstart, you learn how to use a Bicep file to create an Azure Firewall and IP Groups.

+# Quickstart: Create an Azure Firewall and IP Groups - Bicep

+In this quickstart, you use a Bicep file to deploy an Azure Firewall with sample IP Groups used in a network rule and application rule. An IP Group is a top-level resource that allows you to define and group IP addresses, ranges, and subnets into a single object. IP Group is useful for managing IP addresses in Azure Firewall rules. You can either manually enter IP addresses or import them from a file.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Review the Bicep file

+This Bicep file creates an Azure Firewall and IP Groups, along with the necessary resources to support the Azure Firewall.

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azurefirewall-create-with-ipgroups-and-linux-jumpbox).

+Multiple Azure resources are defined in the Bicep file:

+- [**Microsoft.Network/ipGroups**](/azure/templates/microsoft.network/ipGroups?pivots=deployment-language-bicep)

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageAccounts?pivots=deployment-language-bicep)

+- [**Microsoft.Network/routeTables**](/azure/templates/microsoft.network/routeTables?pivots=deployment-language-bicep)

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups?pivots=deployment-language-bicep)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks?pivots=deployment-language-bicep)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses?pivots=deployment-language-bicep)

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces?pivots=deployment-language-bicep)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls?pivots=deployment-language-bicep)

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

+ ```

+

+You'll be prompted to enter the following values:

+- **Admin Username**: Type username for the administrator user account

+- **Admin Password**: Type an administrator password or key

+When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to validate the deployment and review the deployed resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+To learn about the Bicep syntax and properties for a firewall in a Bicep file, see [Microsoft.Network azureFirewalls template reference](/azure/templates/microsoft.network/azurefirewalls?pivots=deployment-language-bicep).

+## Clean up resources

+When you no longer need them, use the Azure portal, Azure CLI, or Azure PowerShell to remove the resource group, firewall, and all related resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal](tutorial-hybrid-portal.md)

+- [**Microsoft.Network/ipGroups**](/azure/templates/microsoft.network/ipGroups?pivots=deployment-language-arm-template)

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageAccounts?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/routeTables**](/azure/templates/microsoft.network/routeTables?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces?pivots=deployment-language-arm-template)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls?pivots=deployment-language-arm-template)

+description: In this quickstart, you learn how to use an Azure Resource Manager template (ARM template) to create an Azure Firewall with multiple public IP addresses.

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/publicIPPrefix**](/azure/templates/microsoft.network/publicipprefixes?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks?pivots=deployment-language-arm-template)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-arm-template)

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageAccounts?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls?pivots=deployment-language-arm-template)

+- [**Microsoft.Network/routeTables**](/azure/templates/microsoft.network/routeTables?pivots=deployment-language-arm-template)

+Use Remote Desktop Connection to connect to the firewall public IP addresses. Successful connections demonstrate firewall NAT rules that allow the connection to the backend servers.

+When you no longer need the resources that you created with the firewall, delete the resource group. Deleting the resource group removes the firewall and all the related resources.

+ Title: Understand Azure Front Door billing

+description: Learn how you're billed when you use Azure Front Door.

+# Understand Azure Front Door billing

+Azure Front Door provides a rich set of features for your internet-facing workloads. Front Door helps you to accelerate your application's performance, improves your security, and provides you with tools to inspect and modify your HTTP traffic.

+Front Door's billing model includes several components. Front Door charges a base fee for each profile that you deploy. You're also charged for requests and data transfer based on your usage. *Billing meters* collect information about your Front Door usage. Your monthly Azure bill aggregates the billing information across the month and applies the pricing to determine the amount you need to pay.

+This article explains how Front Door pricing works so that you can understand and predict your monthly Azure Front Door bill.

+For Azure Front Door pricing information, see [Azure Front Door pricing](https://azure.microsoft.com/pricing/details/frontdoor/).

+> [!TIP]

+> The Azure pricing calculator helps you to calculate a pricing estimate for your requirements. Use the [pre-created pricing calculator estimate](https://azure.com/e/bdc0d6531fbb4760bf5cdd520af1e4cc?azure-portal=true) as a starting point, and customize it for your own solution.

+> [!NOTE]

+> This article explains how billing works for Azure Front Door Standard and Premium SKUs. For information about Azure Front Door (classic), see [Azure Front Door pricing](https://azure.microsoft.com/pricing/details/frontdoor/).

+## Base fees

+Each Front Door profile incurs an hourly fee. You're billed for each hour, or partial hour, that your profile is deployed. The rate you're charged depends on the Front Door SKU that you deploy.

+A single Front Door profile can contain multiple [endpoints](endpoint.md). You're not billed extra for each endpoint.

+You don't pay extra fees to use features like [traffic acceleration](front-door-traffic-acceleration.md), [response caching](front-door-caching.md), [response compression](front-door-caching.md#file-compression), the [rules engine](front-door-rules-engine.md), [Front Door's inherent DDoS protection](front-door-ddos.md), and [custom web application firewall (WAF) rules](web-application-firewall.md#custom-rules). If you use Front Door Premium, you also don't pay extra fees to use [managed WAF rule sets](web-application-firewall.md#managed-rules) or [Private Link origins](private-link.md).

+## Request processing and traffic fees

+Each request that goes through Front Door incur request processing and traffic fees:

+Each part of the request process is billed separately:

+1. Number of requests from client to Front Door

+1. Data transfer from Front Door edge to origin

+1. Data transfer from origin to Front Door (non-billable)

+1. Data transfer from Front Door to client

+The following sections describe each of these request components in more detail.

+### Number of requests from client to Front Door

+Front Door charges a fee for the number of requests that are received at a Front Door edge location for your profile. Front Door identifies requests by using the `Host` header on the HTTP request. If the `Host` header matches one from your Front Door profile, it counts as a request to your profile.

+The price is different depending on the geographical region of the Front Door edge location that serves the request. The price is also different for the Standard and Premium SKUs.

+### Data transfer from Front Door edge to origin

+Front Door charges for the bytes that are sent from the Front Door edge location to your origin server. The price is different depending on the geographical region of the Front Door edge location that serves the request. The location of the origin doesn't affect the price.

+The price per gigabyte is lower when you have higher volumes of traffic.

+If the request can be served from the Front Door edge location's cache, Front Door doesn't send any request to the origin server, and you aren't billed for this component.

+### Data transfer from origin to Front Door

+When your origin server processes a request, it sends data back to Front Door so that it can be returned to the client. This traffic not billed by Front Door, even if the origin is in a different region to the Front Door edge location for the request.

+If your origin is within Azure, the data egress from the Azure origin to Front Door isn't charged. However, you should determine whether those Azure services might bill you to process your requests.

+If your origin is outside of Azure, you might incur charges from other network providers.

+### Data transfer from Front Door to client

+Front Door charges for the bytes that are sent from the Front Door edge location back to the client. The price is different depending on the geographical region of the Front Door edge location that serves the request.

+If a response is compressed, Front Door only charges for the compressed data.

+## Private Link origins

+When you use the Premium SKU, Front Door can [connect to your origin by using Private Link](private-link.md).

+Front Door Premium has a higher base fee and request processing fee. You don't pay extra for Private Link traffic compared to traffic that uses an origin's public endpoint.

+When you configure a Private Link origin, you select a region for the private endpoint to use. A [subset of Azure regions support Private Link traffic for Front Door](private-link.md#region-availability). If the region you select is different to the region the origin is deployed to, you won't be charged extra for cross-region traffic. However, the request latency will likely be greater.

+## Cross-region traffic

+Some of the Front Door billing meters have different rates depending on the location of the Front Door edge location that processes a request. Usually, [the Front Door edge location that processes a request is the one that's closest to the client](front-door-traffic-acceleration.md#select-the-front-door-edge-location-for-the-request-anycast), which helps to reduce latency and maximize performance.

+Front Door charges for traffic from the edge location to the origin. Traffic is charged at different rates depending on the location of the Front Door edge location. If your origin is in a different Azure region, you aren't billed extra for inter-region traffic.

+## Example scenarios

+### Example 1: Azure origin without caching

+Contoso hosts their website on Azure App Service, which runs in the West US region. Contoso has deployed Front Door with the standard SKU. They have disabled caching.

+Suppose a request from a client in California is sent to the Contoso website, sending a 1 KB request and receiving a 100 KB response:

+The following billing meters are incremented:

+| Meter | Incremented by | Billing region |

+|-|-|-|

+| Number of requests from client to Front Door | 1 | North America |

+| Data transfer from Front Door edge to origin | 1 KB | North America |

+| Data transfer from Front Door to client | 100 KB | North America |

+Azure App Service might charge other fees.

+### Example 2: Azure origin with compression enabled

+Suppose Contoso updates their Front Door configuration to enable [content compression](front-door-caching.md#file-compression). Now, the same response as in example 1 might be able to be compressed down to 30 KB:

+The following billing meters are incremented:

+| Meter | Incremented by | Billing region |

+|-|-|-|

+| Number of requests from client to Front Door | 1 | North America |

+| Data transfer from Front Door edge to origin | 1 KB | North America |

+| Data transfer from Front Door to client | 30 KB | North America |

+Azure App Service might charge other fees.

+### Example 3: Request served from cache

+Suppose a second request arrives at the same Front Door edge location and a valid cached response is available:

+The following billing meters are incremented:

+| Meter | Incremented by | Billing region |

+|-|-|-|

+| Number of requests from client to Front Door | 1 | North America |

+| Data transfer from Front Door edge to origin | *none when request is served from cache* | |

+| Data transfer from Front Door to client | 30 KB | North America |

+### Example 4: Cross-region traffic

+Suppose a request to Contoso's website comes from a client in Australia, and can't be served from cache:

+The following billing meters are incremented:

+| Meter | Incremented by | Billing region |

+|-|-|-|

+| Number of requests from client to Front Door | 1 | Australia |

+| Data transfer from Front Door edge to origin | 1 KB | Australia |

+| Data transfer from Front Door to client | 30 KB | Australia |

+### Example 5: Non-Azure origin

+Fabrikam runs an eCommerce site on another cloud provider. Their site is hosted in Europe. They Azure Front Door to serve the traffic. They haven't enabled caching or compression.

+Suppose a request from a client is sent to the Fabrikam website from a client in New York. The client sends a 2 KB request and receives a 350 KB response:

+The following billing meters are incremented:

+| Meter | Incremented by | Billing region |

+|-|-|-|

+| Number of requests from client to Front Door | 1 | North America |

+| Data transfer from Front Door edge to origin | 2 KB | North America |

+| Data transfer from Front Door to client | 350 KB | North America |

+The external cloud provider might charge other fees.

+### Example 6: Request blocked by web application firewall

+When a request is blocked by the web application firewall (WAF), it isn't sent to the origin. However, Front Door charges the request, and also charges to send a response.

+Suppose a Front Door profile includes a custom WAF rule to block requests from a specific IP address in South America. The WAF is configured with a custom error response page, which is 1 KB in size. If a client from the blocked IP address sends a 1 KB request:

+The following billing meters are incremented:

+| Meter | Incremented by | Billing region |

+|-|-|-|

+| Number of requests from client to Front Door | 1 | South America |

+| Data transfer from Front Door edge to origin | *none* | South America |

+| Data transfer from Front Door to client | 1 KB | South America |

+## Next steps

+Learn how to [create an Front Door profile](create-front-door-portal.md).

+Starting June 1, 2022, we have started rolling out a new version of HDInsight 5.0, this version is backward compatible with HDInsight 4.0. All new open-source releases will be added as incremental releases on HDInsight 5.0.

+|Apache Spark | 3.1.2 | 2.4.4|

+|Apache Kafka | 2.4.1 | 2.1.1|

+|Apache Tez |0.9.1 | 0.9.1 |

+|Apache Pig | 0.16.1 | 0.16.1 |

+**Known Issue ΓÇô** Current ARM template supports only 4.0 even though it shows 5.0 image in portal Cluster creation may fail with the following error message if you select version 5.0 in the UI.

+HDInsight team is working on upgrading other open-source components.

+1. HBase 2.4.11

+az ad user show --id myuser@contoso.com --query id --out tsv

+az ad sp show --id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --query id --out tsv

+az ad group show --group "mygroup" --query id --out tsv

+| `inputDataType` | Type of data input. | ```Hl7v2```, ``Ccda``, ``Json`` |

+Throughout this article, we'll demonstrate FHIR search syntax in example API calls with the `{{FHIR_URL}}` placeholder to represent the FHIR server URL. In the case of the FHIR service in Azure Health Data Services, this URL would be `https://<WORKSPACE-NAME>-<FHIR-SERVICE-NAME>.fhir.azurehealthcareapis.com`.

+The FHIR service in Azure Health Data Services enables rapid exchange of health data using the Fast Healthcare Interoperability Resources (FHIR®) data standard. Offered as a managed Platform-as-a-Service (PaaS), the FHIR service makes it easy for anyone working with health data to securely store and exchange Protected Health Information ([PHI](https://www.hhs.gov/answers/hipaa/what-is-phi/https://docsupdatetracker.net/index.html)) in the cloud.

+- Audit log tracking for access, creation, and modification within the FHIR service data store

+The healthcare industry is rapidly adopting [FHIR®](https://hl7.org/fhir) as the industry-wide standard for health data storage, querying, and exchange. FHIR provides a robust, extensible data model with standardized semantics that all FHIR-compliant systems can use interchangeably. With FHIR, organizations can unify disparate electronic health record systems (EHRs) and other health data repositories – allowing all data to be persisted and exchanged in a single, universal format. With the addition of SMART on FHIR, user-facing mobile and web-based applications can securely interact with FHIR data – opening a new range of possibilities for patient and provider access to PHI. Most of all, FHIR simplifies the process of assembling large health datasets for research – enabling researchers and clinicians to apply machine learning and analytics at scale for gaining new health insights.

+The FHIR service in Azure Health Data Services makes FHIR data available to clients through a RESTful API. This API is an implementation of the HL7 FHIR API specification. As a managed PaaS offering in Azure, the FHIR service gives organizations a scalable and secure environment for the storage and exchange of Protected Health Information (PHI) in the native FHIR format.

+You could invest resources building and maintaining your own FHIR server, but with the FHIR service in Azure Health Data Services, Microsoft handles setting up the server's components, ensuring all compliance requirements are met so you can focus on building innovative solutions.

+As part of the Azure family of services, the FHIR service protects your organization's PHI with an unparalleled level of security. In Azure Health Data Services, your FHIR data is isolated to a unique database per FHIR service instance and protected with multi-region failover. On top of this, FHIR service implements a layered, in-depth defense and advanced threat detection for your data ΓÇô giving you peace of mind that your organization's PHI is guarded by Azure's industry-leading security.

+- **Startup App Development:** Customers developing a patient- or provider-centric app (mobile or web) can leverage FHIR service as a fully managed backend for health data transactions. The FHIR service enables secure transfer of PHI, and with SMART on FHIR, app developers can take advantage of the robust identities management in Azure AD for authorization of FHIR RESTful API actions.

+- **Research:** Health researchers have embraced the FHIR standard as it gives the community a shared data model and removes barriers to assembling large datasets for machine learning and analytics. With the FHIR service's data conversion and PHI de-identification capabilities, researchers can prepare HIPAA-compliant data for secondary use before sending the data to Azure machine learning and analytics pipelines. The FHIR service's audit logging and alert mechanisms also play an important role in research workflows.

+* The **FHIR service** is a managed platform as a service (PaaS) that operates as part of Azure Health Data Services. In addition to the FHIR service, Azure Health Data Services includes managed services for other types of health data such as the DICOM service for medical imaging data and the MedTech service for medical IoT data. All services (FHIR service, DICOM service, and MedTech service) can be connected and administered within an Azure Health Data Services workspace.

+For use cases that require customizing a FHIR server with admin access to the underlying services (e.g., access to the database without going through the FHIR API), developers should choose the open-source FHIR Server for Azure. For implementation of a turnkey, production-ready FHIR API with a provisioned database backend (i.e., data can only be accessed through the FHIR API - not the database directly), developers should choose the FHIR service.

+After the PaaS deployment is completed, high-velocity and low-velocity patient medical data can be collected from a wide range of JSON-compatible IoMT devices, systems, and formats.

+1. Select the **Contoso devices** device group you created. Then add both the **Temperature** and **Humidity** telemetry types.

+1. Select **Analyze** to view the average telemetry values.

+1. From the left pane of Azure IoT Central, select **Device**.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Government** tab.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Government** tab.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Healthcare** tab.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Retail** tab.

+1. Select **Save**.

+1. Select **Edit** on the image tile that displays the Northwind brand image.

+1. Select **Combine**. A new tile appears to display combined humidity and temperature telemetry for the selected sensor.

+The data export may take a few minutes to start sending telemetry to your event hub. You can see the status of the export on the **Data exports** page.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Retail** tab.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Retail** tab.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the left-hand navigation bar and then select the **Retail** tab.

+1. Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account. Select **Build** from the navigation bar and then select the **Retail** tab.

+| **Python** | [pip](https://pypi.org/project/azure-iot-device/) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-python) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples) | [Reference](/python/api/azure-iot-device) |

+This article lists the steps to deploy an Ubuntu 18.04 LTS virtual machine with the Azure IoT Edge runtime installed and configured using a pre-supplied device connection string. The deployment is accomplished using a [cloud-init](../virtual-machines/linux/using-cloud-init.md) based [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) maintained in the [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.1) project repository.

+On first boot, the virtual machine [installs the latest version of the Azure IoT Edge runtime via cloud-init](https://github.com/Azure/iotedge-vm-deploy/blob/1.1/cloud-init.txt). It also sets a supplied connection string before the runtime starts, allowing you to easily configure and connect the IoT Edge device without the need to start an SSH or remote desktop session.

+On first boot, the virtual machine [installs the latest version of the Azure IoT Edge runtime via cloud-init](https://github.com/Azure/iotedge-vm-deploy/blob/1.3/cloud-init.txt). It also sets a supplied connection string before the runtime starts, allowing you to easily configure and connect the IoT Edge device without the need to start an SSH or remote desktop session.

+ [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fiotedge-vm-deploy%2F1.1%2FedgeDeploy.json)

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.1/edgeDeploy.json" \

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.1/edgeDeploy.json" \

+Use the following CLI command to create your IoT Edge device based on the prebuilt [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.1) template.

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.1/edgeDeploy.json" \

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.1/edgeDeploy.json" `

+We use an Ubuntu 18.04 LTS virtual machine with the Azure IoT Edge runtime installed and configured. The deployment uses an [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) maintained in the [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.1) project repository. It provisions the IoT Edge device your registered in the previous step using the connection string you supply in the template.

+ [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fiotedge-vm-deploy%2F1.1%2FedgeDeploy.json)

+2. From **Devices** or **IoT Edge** on the left navigation pane find your IoT device and navigate to the Device Twin, or the Device Update Module and then its Module Twin (this will be available if Device Update agent is set up as a Module Identity).

+3. Select the **Updates** option under **Device Management** from the left-hand navigation bar.

+4. Select the **Groups and Deployments** tab at the top of the page.

+5. Select **Add group** to create a new group.

+6. Select an IoT Hub tag and Device Class from the list and then select **Create group**.

+1. On the left pane, select **Devices**. Find your IoT device and go to the device twin.

+Device Update for IoT Hub communicates with the IoT Hub for deployments and manage updates at scale. In order to enable Device Update to do this, users need to set IoT Hub Data Contributor Contributor access for Azure Device Update Service Principal in the IoT Hub permissions.

+3. Under Role tab, select **IoT Hub Data Contributor**

+1. On the left pane, select **Devices**. Then select **New**.

+1. On the left pane, select **Devices**.

+1. On the left pane, under **Devices** or **IoT Edge**, find your IoT device and go to the device twin or module twin.

+1. On the left pane, go to **Devices**. Then select **New**.

+1. From **Devices** or **IoT Edge** on the left pane, find your IoT device and go to the device twin or module twin.

+ Title: Azure Policies for Lab Services

+description: This article describes the policies available for Azure Lab Services.

+# WhatΓÇÖs new with Azure Policy for Lab Services?

+Azure Policy helps you manage and prevent IT issues by applying policy definitions that enforce rules and effects for your resource. Azure Lab Services has added four built-in Azure policies. This article summarizes the new policies available in the August 2022 Update for Azure Lab Services.

+1. Lab Services should enable all options for auto shutdown

+1. Lab Services should not allow template virtual machines for labs

+1. Lab Services should require non-admin user for labs

+1. Lab Services should restrict allowed virtual machine SKU sizes

+For a full list of built-in policies, including policies for Lab Services, see [Azure Policy built-in policy definitions](/azure/governance/policy/samples/built-in-policies#lab-services).

+## Lab Services should enable all options for auto shutdown

+This policy enforces that all [shutdown options](how-to-configure-auto-shutdown-lab-plans.md) are enabled while creating the lab. During policy assignment, lab administrators can choose the following effects.

+|**Effect**|**Behavior**|

+|--|--|

+|**Audit**|Labs will show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when all shutdown options are not enabled for a lab. |

+|**Deny**|Lab creation will fail if all shutdown options are not enabled. |

+## Lab Services should not allow template virtual machines for labs

+This policy can be used to restrict [customization of lab templates](tutorial-setup-lab.md). When you create a new lab, you can select to *Create a template virtual machine* or *Use virtual machine image without customization*. If this policy is enabled, only *Use virtual machine image without customization* is allowed. During policy assignment, lab administrators can choose the following effects.

+|**Effect**|**Behavior**|

+|--|--|

+|**Audit**|Labs will show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when a template virtual machine is used for a lab.|

+|**Deny**|Lab creation to fail if ΓÇ£create a template virtual machineΓÇ¥ option is used for a lab.|

+## Lab Services require non-admin user for labs

+This policy is used to enforce using non-admin accounts while creating a lab. With the August 2022 Update, you can choose to add a non-admin account to the VM image. This new feature allows you to keep separate credentials for VM admin and non-admin users. For more information to create a lab with a non-admin user, see [Tutorial: Create and publish a lab](tutorial-setup-lab.md#create-a-lab), which shows how to give a student non-administrator account rather than default administrator account on the ΓÇ£Virtual machine credentialsΓÇ¥ page of the new lab wizard.

+During the policy assignment, the lab administrator can choose the following effects.

+|**Effect**|**Behavior**|

+|--|--|

+|**Audit**|Labs show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when non-admin accounts is not used while creating the lab.|

+|**Deny**|Lab creation will fail if ΓÇ£Give lab users a non-admin account on their virtual machinesΓÇ¥ is not checked while creating a lab.|

+## Lab Services should restrict allowed virtual machine SKU sizes

+This policy is used to enforce which SKUs can be used while creating the lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs since they are not needed for any classes being taught. This policy would allow lab administrators to enforce which SKUs can be used while creating the lab.

+During the policy assignment, the Lab Administrator can choose the following effects.

+|**Effect**|**Behavior**|

+|--|--|

+|**Audit**|Labs show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when a non-allowed SKU is used while creating the lab.|

+|**Deny**|Lab creation will fail if SKU chosen while creating a lab is not allowed as per the policy assignment.|

+## Next steps

+See the following articles:

+- [How to use the Lab Services should restrict allowed virtual machine SKU sizes Azure policy](how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy.md)

+- [Built-in Policies](/azure/governance/policy/samples/built-in-policies#lab-services)

+- [What is Azure policy?](/azure/governance/policy/overview)

+ Title: How to restrict the virtual machine sizes allowed for labs

+description: Learn how to use the Lab Services should restrict allowed virtual machine SKU sizes Azure Policy to restrict educators to specified virtual machine sizes for their labs.

+# How to restrict the virtual machine sizes allowed for labs

+In this how to, you'll learn how to use the *Lab Services should restrict allowed virtual machine SKU sizes* Azure policy to control the SKUs available to educators when they're creating labs. In this example, you'll see how a lab administrator can allow only non-GPU SKUs, so educators can create only non-GPU SKU labs.

+## Configure the policy

+1. In the [Azure portal](https://portal.azure.com), go to your subscription.

+1. From the left menu, under **Settings**, select **Policies**.

+1. Under **Authoring**, select **Assignments**.

+1. Select **Assign Policy**.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy.png" alt-text="Screenshot showing the Policy Compliance dashboard with Assign policy highlighted.":::

+1. Select the **Scope** which you would like to assign the policy to, and then select **Select**.

+ You can also select a resource group if you need the policy to apply more granularly.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-basics-scope.png" alt-text="Screenshot showing the Scope pane with subscription highlighted.":::

+1. Select Policy Definition. In Available definitions, search for *Lab Services*, select **Lab Services should restrict allowed virtual machine SKU sizes** and then select **Select**.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-basics-definitions.png" alt-text="Screenshot showing the Available definitions pane with Lab Services should restrict allowed virtual machine SKU sizes highlighted. ":::

+1. On the Basics tab, select **Next**.

+1. On the Parameters tab, clear **Only show parameters that need input or review** to show all parameters.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-parameters.png" alt-text="Screenshot showing the Parameters tab with Only show parameters that need input or review highlighted. ":::

+1. The **Allowed SKU names** parameter shows the SKUs allowed when the policy is applied. By default all the available SKUs are allowed. You must clear the check boxes for any SKU that you don't wish to allow educators to use to create labs. In this example, only the following non-GPU SKUs are allowed:

+ - CLASSIC_FSV2_2_4GB_128_S_SSD

+ - CLASSIC_FSV2_4_8GB_128_S_SSD

+ - CLASSIC_FSV2_8_16GB_128_S_SSD

+ - CLASSIC_DSV4_4_16GB_128_P_SSD

+ - CLASSIC_DSV4_8_32GB_128_P_SSD

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-parameters-vms.png" alt-text="Screenshot showing the Allowed SKUs.":::

+ Use the table below to determine which SKU names to apply.

+ |SKU Name|VM Size|VM Size Details|

+ |--|--|--|

+ |CLASSIC_FSV2_2_4GB_128_S_SSD| Small |2vCPUs, 4 GB RAM, 128 GB, Standard SSD

+ |CLASSIC_FSV2_4_8GB_128_S_SSD| Medium |4vCPUs, 8 GB RAM, 128 GB, Standard SSD

+ |CLASSIC_FSV2_8_16GB_128_S_SSD| Large |8vCPUs, 16 GB RAM, 128 GB, Standard SSD

+ |CLASSIC_DSV4_4_16GB_128_P_SSD| Medium (Nested virtualization) |4 vCPUs, 16 GB RAM, 128 GB, Premium SSD

+ |CLASSIC_DSV4_8_32GB_128_P_SSD| Large (Nested virtualization) |8vCPUs, 32 GB RAM, 128 GB, Premium SSD

+ |CLASSIC_NCSV3_6_112GB_128_S_SSD| Small GPU (Compute) |6vCPUs, 112 GB RAM, 128 GB, Standard SSD

+ |CLASSIC_NVV4_8_28GB_128_S_SSD| Small GPU (Visualization) |8vCPUs, 28 GB RAM, 128 GB, Standard SSD

+ |CLASSIC_NVV3_12_112GB_128_S_SSD| Medium GPU (Visualization) |12vCPUs, 112 GB RAM, 128 GB, Standard SSD

+1. In **Effect**, select **Deny**. Selecting deny will prevent a lab from being created if an educator tries to use a GPU SKU.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-parameters-effect.png" alt-text="Screenshot showing the effect list.":::

+1. Select **Next**.

+

+1. On the Remediation tab, select **Next**.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-remediation.png" alt-text="Screenshot showing the Remediation tab with Next highlighted.":::

+

+1. On the Non-compliance tab, in **Non-compliance messages**, enter a non-compliance message of your choice like ΓÇ£Selected SKU is not allowedΓÇ¥, and then select **Next**.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-message.png" alt-text="Screenshot showing the Non-compliance tab with an example non-compliance message.":::

+1. On the Review + Create tab, select **Create** to create the policy assignment.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-review-create.png" alt-text="Screenshot showing the Review and Create tab.":::

+You've created a policy assignment for *Lab Services should restrict allowed virtual machine SKU sizes* and allowed only the use of non-GPU SKUs for labs. Attempting to create a lab with any other SKU will fail.

+> [!NOTE]

+> New policy assignments can take up to 30 minutes to take effect.

+## Exclude resources

+When applying a built-in policy, you can choose to exclude certain resources, with the exception of lab plans. For example, if the scope of your policy assignment is a subscription, you can exclude resources in a specified resource group. Exclusions are configured using the Exclusions property on the Basics tab when creating a policy definition.

+## Exclude a lab plan

+Lab plans cannot be excluded using the Exclusions property on the Basics tab. To exclude a lab plan from a policy assignment, you first need to get the lab plan resource ID, and then use it to specify the lab pan you want to exclude on the Parameters tab.

+### Locate and copy lab plan resource ID

+Use the following steps to locate and copy the resource ID so that you can paste it into the exclusion configuration.

+1. In the [Azure portal](https://portal.azure.com), go to the lab plan you want to exclude.

+1. Under Settings, select Properties, and then copy the **Resource ID**.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/resource-id.png" alt-text="Screenshot showing the lab plan properties with resource ID highlighted.":::

+### Enter the lab plan to exclude in the policy

+Now you have a lab plan resource ID, you can use it to exclude the lab plan as you assign the policy.

+1. On the Parameters tab, clear **Only show parameters that need input or review**.

+1. For **Lab Plan ID to exclude**, enter the lab plan resource ID you copied earlier.

+ :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-exclude-lab-plan-id.png" alt-text="Screenshot showing the Parameter tab with Lab Plan ID to exclude highlighted.":::

+## Next steps

+See the following articles:

+- [WhatΓÇÖs new with Azure Policy for Lab Services?](azure-polices-for-lab-services.md)

+- [Built-in Policies](/azure/governance/policy/samples/built-in-policies#lab-services)

+- [What is Azure policy?](/azure/governance/policy/overview)

+> [!NOTE]

+> Onboarding a customer to Azure Lighthouse requires a deployment by a non-guest account in the customer's tenant who has a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as [Owner](../../role-based-access-control/built-in-roles.md#owner), for the subscription being onboarded (or which contains the resource groups that are being onboarded).

+ Title: "Quickstart: Create a public load balancer - Bicep"

+description: This quickstart shows how to create a load balancer by using a Bicep file.

+documentationcenter: na

+ na

+#Customer intent: I want to create a load balancer by using a Bicep file so that I can load balance internet traffic to VMs.

+# Quickstart: Create a public load balancer to load balance VMs by using a Bicep file

+Load balancing provides a higher level of availability and scale by spreading incoming requests across multiple virtual machines (VMs).

+This quickstart shows you how to deploy a standard load balancer to load balance virtual machines.

+Using a Bicep file takes fewer steps comparing to other deployment methods.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/load-balancer-standard-create/).

+Load balancer and public IP SKUs must match. When you create a standard load balancer, you must also create a new standard public IP address that is configured as the frontend for the standard load balancer. If you want to create a basic load balancer, use [this template](https://azure.microsoft.com/resources/templates/2-vms-loadbalancer-natrules/). Microsoft recommends using standard SKU for production workloads.

+Multiple Azure resources have been defined in the bicep file:

+- [**Microsoft.Network/loadBalancers**](/azure/templates/microsoft.network/loadbalancers)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses): for the load balancer, bastion host, and for each of the three virtual machines.

+- [**Microsoft.Network/bastionHosts**](/azure/templates/microsoft.network/bastionhosts)

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines) (3).

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces) (3).

+- [**Microsoft.Compute/virtualMachine/extensions**](/azure/templates/microsoft.compute/virtualmachines/extensions) (3): use to configure the Internet Information Server (IIS), and the web pages.

+To find more Bicep files or ARM templates that are related to Azure Load Balancer, see [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Network&pageNumber=1&sort=Popular).

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location centralus

+ az deployment group create --resource-group exampleRG --template-file main.bicep

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location centralus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

+ ```

+

+ > [!NOTE]

+ > The Bicep file deployment creates three availability zones. Availability zones are supported only in [certain regions](../availability-zones/az-overview.md). Use one of the supported regions. If you aren't sure, enter **centralus**.

+ You will be prompted to enter the following values:

+ - **projectName**: used for generating resource names.

+ - **adminUsername**: virtual machine administrator username.

+ - **adminPassword**: virtual machine administrator password.

+It takes about 10 minutes to deploy the Bicep file.

+## Review deployed resources

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Resource groups** from the left pane.

+1. Select the resource group that you created in the previous section. The default resource group name is **exampleRG**.

+1. Select the load balancer. Its default name is the project name with **-lb** appended.

+1. Copy only the IP address part of the public IP address, and then paste it into the address bar of your browser.

+ :::image type="content" source="./media/quickstart-load-balancer-standard-public-template/azure-standard-load-balancer-resource-manager-template-deployment-public-ip.png" alt-text="Screenshot of Azure standard load balancer Resource Manager template public IP.":::

+ The browser displays the default page of the Internet Information Services (IIS) web server.

+ :::image type="content" source="./media/quickstart-load-balancer-standard-public-template/load-balancer-test-web-page.png" alt-text="Screenshot of IIS web server.":::

+To see the load balancer distribute traffic across all three VMs, you can force a refresh of your web browser from the client machine.

+## Clean up resources

+When you no longer need them, delete the:

+- Resource group

+- Load balancer

+- Related resources

+Go to the Azure portal, select the resource group that contains the load balancer, and then select **Delete resource group**.

+## Next steps

+In this quickstart, you:

+- Created a virtual network for the load balancer and virtual machines.

+- Created an Azure Bastion host for management.

+- Created a standard load balancer and attached VMs to it.

+- Configured the load-balancer traffic rule, and the health probe.

+- Tested the load balancer.

+To learn more, continue to the tutorials for Azure Load Balancer.

+> [!div class="nextstepaction"]

+> [Azure Load Balancer tutorials](./quickstart-load-balancer-standard-public-portal.md)

+## Data exfiltration prevention (preview)

+Azure Machine Learning has several inbound and outbound network dependencies. Some of these dependencies can expose a data exfiltration risk by malicious agents within your organization. These risks are associated with the outbound requirements to Azure Storage, Azure Front Door, and Azure Monitor. For recommendations on mitigating this risk, see the [Azure Machine Learning data exfiltration prevention](how-to-prevent-data-loss-exfiltration.md) article.

+* [Track Azure Synapse Analytics ML experiments](how-to-use-mlflow-azure-synapse.md) with MLflow in Azure Machine Learning.

+- Machine Learning [integrates with Git](concept-train-model-git-integration.md) to track information on which repository, branch, and commit your code came from.

+* [How to: Configure a training run](v1/how-to-set-up-training-targets.md)

+Learn how to [Configure a training run](v1/how-to-set-up-training-targets.md).

+* [Use compute targets for model training](v1/how-to-set-up-training-targets.md)

+| AutoML NLP | automlresources-prod.azureedge.net | TCP | 443 |

+| AutoML NLP | aka.ms | TCP | 443 |

+> [!NOTE]

+> AutoML NLP is currently only supported in Azure public regions.

+- [Train models with Python SDK](how-to-train-sdk.md)

+* [Submit a training run](v1/how-to-set-up-training-targets.md)

+* Use the compute resource to [submit a training run](how-to-train-sdk.md).

+* [Submit a training job](v1/how-to-set-up-training-targets.md)

+The following example contains the parameters and regular dependencies needed to run `ScriptRunConfig`, such as compute, environment, etc. For more information on how to use ScriptRunConfig, see [Configure and submit training runs](v1/how-to-set-up-training-targets.md).

+* [Train a model](v1/how-to-set-up-training-targets.md).

+When prototyping and running training jobs that are small enough to run on your local computer, consider training locally. Using the Python SDK, setting your compute target to `local` executes your script locally.

+* [Configure and submit training jobs](v1/how-to-set-up-training-targets.md)

+* [Configure and submit training jobs](v1/how-to-set-up-training-targets.md)

+ Title: Configure data exfiltration prevention

+description: 'How to configure data exfiltration prevention for your storage accounts.'

+# Azure Machine Learning data exfiltration prevention (Preview)

+<!-- Learn how to use a [Service Endpoint policy](/azure/virtual-network/virtual-network-service-endpoint-policies-overview) to prevent data exfiltration from storage accounts in your Azure Virtual Network that are used by Azure Machine Learning. -->

+Azure Machine Learning has several inbound and outbound dependencies. Some of these dependencies can expose a data exfiltration risk by malicious agents within your organization. This document explains how to minimize data exfiltration risk by limiting inbound and outbound requirements.

+* __Inbound__: Azure Machine Learning compute instance and compute cluster have two inbound requirements: the `batchnodemanagement` (ports 29876-29877) and `azuremachinelearning` (port 44224) service tags. You can control this inbound traffic by using a network security group. It's difficult to disguise Azure service IPs, so there's low data exfiltration risk. You can also configure the compute to not use a public IP, which removes inbound requirements.

+* __Outbound__: If malicious agents don't have write access to outbound destination resources, they can't use that outbound for data exfiltration. Azure Active Directory, Azure Resource Manager, Azure Machine Learning, and Microsoft Container Registry belong to this category. On the other hand, Storage and AzureFrontDoor.frontend can be used for data exfiltration.

+ * __Storage Outbound__: This requirement comes from compute instance and compute cluster. A malicious agent can use this outbound rule to exfiltrate data by provisioning and saving data in their own storage account. You can remove data exfiltration risk by using an Azure Service Endpoint Policy and Azure Batch's simplified node communication architecture.

+ * __AzureFrontDoor.frontend outbound__: Azure Front Door is required by the Azure Machine Learning studio UI and AutoML. To narrow down the list of possible outbound destinations to just those required by Azure ML, allowlist the following fully qualified domain names (FQDN) on your firewall.

+ - `ml.azure.com`

+ - `automlresources-prod.azureedge.net`

+## Prerequisites

+* An Azure subscription

+* An Azure Virtual Network (VNet)

+* An Azure Machine Learning workspace with a private endpoint that connects to the VNet.

+ * The storage account used by the workspace must also connect to the VNet using a private endpoint.

+## Limitations

+* Data exfiltration prevention isn't supported with an Azure Machine Learning compute cluster or compute instance configured for __no public IP__.

+## 1. Opt in to the preview

+> [!IMPORTANT]

+> Before opting in to this preview, you must have created a workspace and a compute instance on the subscription you plan to use. You can delete the compute instance and/or workspace after creating them.

+Use the form at [https://forms.office.com/r/1TraBek7LV](https://forms.office.com/r/1TraBek7LV) to opt in to this Azure Machine Learning preview. Microsoft will contact you once your subscription has been allowlisted to the preview.

+> [!TIP]

+> It may take one to two weeks to allowlist your subscription.

+## 2. Allow inbound & outbound network traffic

+### Inbound

+> [!IMPORTANT]

+> The following information __modifies__ the guidance provided in the [Inbound traffic](how-to-secure-training-vnet.md#inbound-traffic) section of the "Secure training environment with virtual networks" article.

+__Inbound__ traffic from the service tag `BatchNodeManagement.<region>` or equivalent IP addresses is __not required__.

+### Outbound

+> [!IMPORTANT]

+> The following information is __in addition__ to the guidance provided in the [Secure training environment with virtual networks](how-to-secure-training-vnet.md) and [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md) articles.

+Select the configuration that you're using:

+# [Network security group](#tab/nsg)

+__Allow__ outbound traffic over __TCP port 443__ to the following service tags. Replace `<region>` with the Azure region that contains your compute cluster or instance:

+* `BatchNodeManagement.<region>`

+* `Storage.<region>` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

+# [Firewall](#tab/firewall)

+__Allow__ outbound traffic over __TCP port 443__ to the following FQDNs. Replace instances of `<region>` with the Azure region that contains your compute cluster or instance:

+* `<region>.batch.azure.com`

+* `<region>.service.batch.com`

+* `*.blob.core.windows.net` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

+* `*.queue.core.windows.net` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

+* `*.table.core.windows.net` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.

+> [!IMPORTANT]

+> If you use one firewall for multiple Azure services, having outbound storage rules impacts other services. In this case, limit thee source IP of the outbound storage rule to the address space of the subnet that contains your compute instance and compute cluster resources. This limits the rule to the compute resources in the subnet.

+## 3. Enable storage endpoint for the subnet

+1. From the [Azure portal](https://portal.azure.com), select the __Azure Virtual Network__ for your Azure ML workspace.

+1. From the left of the page, select __Subnets__ and then select the subnet that contains your compute cluster/instance resources.

+1. In the form that appears, expand the __Services__ dropdown and then __enable Microsoft.Storage__. Select __Save__ to save these changes.

+## 4. Create the service endpoint policy

+1. From the [Azure portal](https://portal.azure.com), add a new __Service Endpoint Policy__. On the __Basics__ tab, provide the required information and then select __Next__.

+1. On the __Policy definitions__ tab, perform the following actions:

+ 1. Select __+ Add a resource__, and then provide the following information:

+

+ > [!TIP]

+ > * At least one storage account resource must be listed in the policy.

+ > * If you are adding multiple storage accounts, and the _default storage account_ for your workspace is configured with a private endpoint, you do not need to include it in the policy.

+ * __Service__: Microsoft.Storage

+ * __Scope__: Select the scope. For example, select __Single account__ if you want to limit the network traffic to one storage account.

+ * __Subscription__: The Azure subscription that contains the storage account.

+ * __Resource group__: The resource group that contains the storage account.

+ * __Resource__: The storage account.

+

+ Select __Add__ to add the resource information.

+ 1. Select __+ Add an alias__, and then select `/services/Azure/MachineLearning` as the __Server Alias__ value. Select __Add__ to add thee alias.

+1. Select __Review + Create__, and then select __Create__.

+## 5. Curated environments

+When using Azure ML curated environments, make sure to use the latest environment version. The container registry for the environment must also be `mcr.microsoft.com`. To check the container registry, use the following steps:

+1. From [Azure ML studio](https://ml.azure.com), select your workspace and then select __Environments__.

+1. Verify that the __Azure container registry__ begins with a value of `mcr.microsoft.com`.

+ > [!IMPORTANT]

+ > If the container registry is `viennaglobal.azurecr.io` you cannot use the curated environment with the data exfiltration preview. Try upgrading to the latest version of the curated environment.

+1. When using `mcr.microsoft.com`, you must also allow outbound configuration to the following resources. Select the configuration option that you're using:

+ # [Network security group](#tab/nsg)

+ __Allow__ outbound traffic over __TCP port 443__ to the following service tags. Replace `<region>` with the Azure region that contains your compute cluster or instance.

+ * `MicrosoftContainerRegistry.<region>`

+ * `AzureFrontDoor.FirstParty`

+ # [Firewall](#tab/firewall)

+ __Allow__ outbound traffic over __TCP port 443__ to the following FQDNs. Replace instances of `<region>` with the Azure region that contains your compute cluster or instance:

+ * `mcr.microsoft.com`

+ * `*.data.mcr.microsoft.com`

+

+## Next steps

+For more information, see the following articles:

+* [How to configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md)

+* [Azure Batch simplified node communication](/azure/batch/simplified-compute-node-communication)

+* An Azure Machine Learning workspace requires outbound access to `storage.<region>/*.blob.core.windows.net` on the public internet, where `<region>` is the Azure region of the workspace. This outbound access is required by Azure Machine Learning compute cluster and compute instance. Both are based on Azure Batch, and need to access a storage account provided by Azure Batch on the public network.

+ By using a Service Endpoint Policy, you can mitigate this vulnerability. This feature is currently in preview. For more information, see the [Azure Machine Learning data exfiltration prevention](how-to-prevent-data-loss-exfiltration.md) article.

+When the creation process finishes, you train your model by using the cluster in an experiment.

+Attach the VM or HDInsight cluster to your Azure Machine Learning workspace. For more information, see [Manage compute resources for model training and deployment in studio](how-to-create-attach-compute-studio.md).

+For more information on configuring jobs with ScriptRunConfig, see [Configure and submit training runs](v1/how-to-set-up-training-targets.md).

+For more information on configuring jobs with ScriptRunConfig, see [Configure and submit training runs](v1/how-to-set-up-training-targets.md).

+For more information on configuring jobs with ScriptRunConfig, see [Configure and submit training runs](v1/how-to-set-up-training-targets.md).

+Create a `ScriptRunConfig` resource to configure your job for running on the desired [compute target](v1/how-to-set-up-training-targets.md).

+> [!WARNING]

+> Dual-tracking in a [private link enabled Azure Machine Learning workspace](how-to-configure-private-link.md) is not supported by the moment. Configure [exclusive tracking with your Azure Machine Learning workspace](#tracking-exclusively-on-azure-machine-learning-workspace) instead.

+>

+> [!WARNING]

+> Dual-tracking in not supported in Azure China by the moment. Configure [exclusive tracking with your Azure Machine Learning workspace](#tracking-exclusively-on-azure-machine-learning-workspace) instead.

+Remote runs (jobs) let you train your models in a more robust and repetitive way. They can also leverage more powerful computes, such as Machine Learning Compute clusters. See [What are compute targets in Azure Machine Learning?](concept-compute-target.md) to learn about different compute options.

+1. **Configure the compute target for model training**, such as your [local computer, Azure Machine Learning Computes, remote VMs, or Azure Databricks with SDK v1](how-to-set-up-training-targets.md).

+For example run configurations, see [Configure a training run](how-to-set-up-training-targets.md).

+- Azure ML [integrates with Git](../concept-train-model-git-integration.md) to track information on which repository / branch / commit your code came from.

+* [Train a model](how-to-set-up-training-targets.md)

+When you use your local computer for **training**, there is no need to create a compute target. Just [submit the training run](how-to-set-up-training-targets.md) from your local machine.

+* Use the compute resource to [configure and submit a training run](how-to-set-up-training-targets.md).

+* [Train a model](how-to-set-up-training-targets.md).

+* [Submit a training run](how-to-set-up-training-targets.md)

+* [Submit a training run](how-to-set-up-training-targets.md)

+* [Train a model](how-to-set-up-training-targets.md).

+This folder contains the logs generated by Azure Machine Learning and it will be closed by default. The logs generated by the system are grouped into different folders, based on the stage of the job in the runtime.

+ Title: Configure a training job

+description: Train your machine learning model on various training environments (compute targets). You can easily switch between training environments.

+# Configure and submit training jobs

+In this article, you learn how to configure and submit Azure Machine Learning jobs to train your models. Snippets of code explain the key parts of configuration and submission of a training script. Then use one of the [example notebooks](#notebook-examples) to find the full end-to-end working examples.

+When training, it is common to start on your local computer, and then later scale out to a cloud-based cluster. With Azure Machine Learning, you can run your script on various compute targets without having to change your training script.

+All you need to do is define the environment for each compute target within a **script job configuration**. Then, when you want to run your training experiment on a different compute target, specify the job configuration for that compute.

+## Prerequisites

+* If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today

+* The [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/install) (>= 1.13.0)

+* An [Azure Machine Learning workspace](../how-to-manage-workspace.md), `ws`

+* A compute target, `my_compute_target`. [Create a compute target](../how-to-create-attach-compute-studio.md)

+## What's a script run configuration?

+A [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig) is used to configure the information necessary for submitting a training job as part of an experiment.

+You submit your training experiment with a ScriptRunConfig object. This object includes the:

+* **source_directory**: The source directory that contains your training script

+* **script**: The training script to run

+* **compute_target**: The compute target to run on

+* **environment**: The environment to use when running the script

+* and some additional configurable options (see the [reference documentation](/python/api/azureml-core/azureml.core.scriptrunconfig) for more information)

+## Train your model

+The code pattern to submit a training job is the same for all types of compute targets:

+1. Create an experiment to run

+1. Create an environment where the script will run

+1. Create a ScriptRunConfig, which specifies the compute target and environment

+1. Submit the job

+1. Wait for the job to complete

+Or you can:

+* Submit a HyperDrive run for [hyperparameter tuning](../how-to-tune-hyperparameters.md).

+* Submit an experiment via the [VS Code extension](../tutorial-train-deploy-image-classification-model-vscode.md#train-the-model).

+## Create an experiment

+Create an [experiment](concept-azure-machine-learning-architecture.md#experiments) in your workspace. An experiment is a light-weight container that helps to organize job submissions and keep track of code.

+```python

+from azureml.core import Experiment

+experiment_name = 'my_experiment'

+experiment = Experiment(workspace=ws, name=experiment_name)

+```

+## Select a compute target

+Select the compute target where your training script will run on. If no compute target is specified in the ScriptRunConfig, or if `compute_target='local'`, Azure ML will execute your script locally.

+The example code in this article assumes that you have already created a compute target `my_compute_target` from the "Prerequisites" section.

+>[!Note]

+>Azure Databricks is not supported as a compute target for model training. You can use Azure Databricks for data preparation and deployment tasks.

+## Create an environment

+Azure Machine Learning [environments](../concept-environments.md) are an encapsulation of the environment where your machine learning training happens. They specify the Python packages, Docker image, environment variables, and software settings around your training and scoring scripts. They also specify runtimes (Python, Spark, or Docker).

+You can either define your own environment, or use an Azure ML curated environment. [Curated environments](../how-to-use-environments.md#use-a-curated-environment) are predefined environments that are available in your workspace by default. These environments are backed by cached Docker images which reduces the job preparation cost. See [Azure Machine Learning Curated Environments](../resource-curated-environments.md) for the full list of available curated environments.

+For a remote compute target, you can use one of these popular curated environments to start with:

+```python

+from azureml.core import Workspace, Environment

+ws = Workspace.from_config()

+myenv = Environment.get(workspace=ws, name="AzureML-Minimal")

+```

+For more information and details about environments, see [Create & use software environments in Azure Machine Learning](how-to-use-environments.md).

+

+### Local compute target

+If your compute target is your **local machine**, you are responsible for ensuring that all the necessary packages are available in the Python environment where the script runs. Use `python.user_managed_dependencies` to use your current Python environment (or the Python on the path you specify).

+```python

+from azureml.core import Environment

+myenv = Environment("user-managed-env")

+myenv.python.user_managed_dependencies = True

+# You can choose a specific Python environment by pointing to a Python path

+# myenv.python.interpreter_path = '/home/johndoe/miniconda3/envs/myenv/bin/python'

+```

+## Create the script job configuration

+Now that you have a compute target (`my_compute_target`, see [Prerequisites](#prerequisites) and environment (`myenv`, see [Create an environment](#create-an-environment)), create a script job configuration that runs your training script (`train.py`) located in your `project_folder` directory:

+```python

+from azureml.core import ScriptRunConfig

+src = ScriptRunConfig(source_directory=project_folder,

+ script='train.py',

+ compute_target=my_compute_target,

+ environment=myenv)

+# Set compute target

+# Skip this if you are running on your local computer

+script_run_config.run_config.target = my_compute_target

+```

+If you do not specify an environment, a default environment will be created for you.

+If you have command-line arguments you want to pass to your training script, you can specify them via the **`arguments`** parameter of the ScriptRunConfig constructor, e.g. `arguments=['--arg1', arg1_val, '--arg2', arg2_val]`.

+If you want to override the default maximum time allowed for the job, you can do so via the **`max_run_duration_seconds`** parameter. The system will attempt to automatically cancel the job if it takes longer than this value.

+### Specify a distributed job configuration

+If you want to run a [distributed training](../how-to-train-distributed-gpu.md) job, provide the distributed job-specific config to the **`distributed_job_config`** parameter. Supported config types include [MpiConfiguration](/python/api/azureml-core/azureml.core.runconfig.mpiconfiguration), [TensorflowConfiguration](/python/api/azureml-core/azureml.core.runconfig.tensorflowconfiguration), and [PyTorchConfiguration](/python/api/azureml-core/azureml.core.runconfig.pytorchconfiguration).

+For more information and examples on running distributed Horovod, TensorFlow and PyTorch jobs, see:

+* [Train TensorFlow models](../how-to-train-tensorflow.md#distributed-training)

+* [Train PyTorch models](../how-to-train-pytorch.md#distributed-training)

+## Submit the experiment

+```python

+run = experiment.submit(config=src)

+run.wait_for_completion(show_output=True)

+```

+> [!IMPORTANT]

+> When you submit the training job, a snapshot of the directory that contains your training scripts is created and sent to the compute target. It is also stored as part of the experiment in your workspace. If you change files and submit the job again, only the changed files will be uploaded.

+>

+> [!INCLUDE [amlinclude-info](../../../includes/machine-learning-amlignore-gitignore.md)]

+>

+> For more information about snapshots, see [Snapshots](concept-azure-machine-learning-architecture.md#snapshots).

+> [!IMPORTANT]

+> **Special Folders**

+> Two folders, *outputs* and *logs*, receive special treatment by Azure Machine Learning. During training, when you write files to folders named *outputs* and *logs* that are relative to the root directory (`./outputs` and `./logs`, respectively), the files will automatically upload to your job history so that you have access to them once your job is finished.

+>

+> To create artifacts during training (such as model files, checkpoints, data files, or plotted images) write these to the `./outputs` folder.

+>

+> Similarly, you can write any logs from your training job to the `./logs` folder. To utilize Azure Machine Learning's [TensorBoard integration](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/track-and-monitor-experiments/tensorboard/export-run-history-to-tensorboard/export-run-history-to-tensorboard.ipynb) make sure you write your TensorBoard logs to this folder. While your job is in progress, you will be able to launch TensorBoard and stream these logs. Later, you will also be able to restore the logs from any of your previous jobs.

+>

+> For example, to download a file written to the *outputs* folder to your local machine after your remote training job:

+> `run.download_file(name='outputs/my_output_file', output_file_path='my_destination_path')`

+## Git tracking and integration

+When you start a training job where the source directory is a local Git repository, information about the repository is stored in the job history. For more information, see [Git integration for Azure Machine Learning](../concept-train-model-git-integration.md).

+## Notebook examples

+See these notebooks for examples of configuring jobs for various training scenarios:

+* [Training on various compute targets](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/training)

+* [Training with ML frameworks](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/ml-frameworks)

+* [tutorials/img-classification-part1-training.ipynb](https://github.com/Azure/MachineLearningNotebooks/blob/master/tutorials/image-classification-mnist-data/img-classification-part1-training.ipynb)

+## Troubleshooting

+* **AttributeError: 'RoundTripLoader' object has no attribute 'comment_handling'**: This error comes from the new version (v0.17.5) of `ruamel-yaml`, an `azureml-core` dependency, that introduces a breaking change to `azureml-core`. In order to fix this error, please uninstall `ruamel-yaml` by running `pip uninstall ruamel-yaml` and installing a different version of `ruamel-yaml`; the supported versions are v0.15.35 to v0.17.4 (inclusive). You can do this by running `pip install "ruamel-yaml>=0.15.35,<0.17.5"`.

+* **Job fails with `jwt.exceptions.DecodeError`**: Exact error message: `jwt.exceptions.DecodeError: It is required that you pass in a value for the "algorithms" argument when calling decode()`.

+

+ Consider upgrading to the latest version of azureml-core: `pip install -U azureml-core`.

+

+ If you are running into this issue for local jobs, check the version of PyJWT installed in your environment where you are starting jobs. The supported versions of PyJWT are < 2.0.0. Uninstall PyJWT from the environment if the version is >= 2.0.0. You may check the version of PyJWT, uninstall and install the right version as follows:

+ 1. Start a command shell, activate conda environment where azureml-core is installed.

+ 2. Enter `pip freeze` and look for `PyJWT`, if found, the version listed should be < 2.0.0

+ 3. If the listed version is not a supported version, `pip uninstall PyJWT` in the command shell and enter y for confirmation.

+ 4. Install using `pip install 'PyJWT<2.0.0'`

+

+ If you are submitting a user-created environment with your job, consider using the latest version of azureml-core in that environment. Versions >= 1.18.0 of azureml-core already pin PyJWT < 2.0.0. If you need to use a version of azureml-core < 1.18.0 in the environment you submit, make sure to specify PyJWT < 2.0.0 in your pip dependencies.

+ * **ModuleErrors (No module named)**: If you are running into ModuleErrors while submitting experiments in Azure ML, the training script is expecting a package to be installed but it isn't added. Once you provide the package name, Azure ML installs the package in the environment used for your training job.

+ If you are using Estimators to submit experiments, you can specify a package name via `pip_packages` or `conda_packages` parameter in the estimator based on from which source you want to install the package. You can also specify a yml file with all your dependencies using `conda_dependencies_file`or list all your pip requirements in a txt file using `pip_requirements_file` parameter. If you have your own Azure ML Environment object that you want to override the default image used by the estimator, you can specify that environment via the `environment` parameter of the estimator constructor.

+

+ Azure ML maintained docker images and their contents can be seen in [AzureML Containers](https://github.com/Azure/AzureML-Containers).

+ Framework-specific dependencies are listed in the respective framework documentation:

+ * [Chainer](/python/api/azureml-train-core/azureml.train.dnn.chainer#remarks)

+ * [PyTorch](/python/api/azureml-train-core/azureml.train.dnn.pytorch#remarks)

+ * [TensorFlow](/python/api/azureml-train-core/azureml.train.dnn.tensorflow#remarks)

+ * [SKLearn](/python/api/azureml-train-core/azureml.train.sklearn.sklearn#remarks)

+

+ > [!Note]

+ > If you think a particular package is common enough to be added in Azure ML maintained images and environments please raise a GitHub issue in [AzureML Containers](https://github.com/Azure/AzureML-Containers).

+

+* **NameError (Name not defined), AttributeError (Object has no attribute)**: This exception should come from your training scripts. You can look at the log files from Azure portal to get more information about the specific name not defined or attribute error. From the SDK, you can use `run.get_details()` to look at the error message. This will also list all the log files generated for your job. Please make sure to take a look at your training script and fix the error before resubmitting your job.

+* **Job or experiment deletion**: Experiments can be archived by using the [Experiment.archive](/python/api/azureml-core/azureml.core.experiment%28class%29#archive--)

+method, or from the Experiment tab view in Azure Machine Learning studio client via the "Archive experiment" button. This action hides the experiment from list queries and views, but does not delete it.

+ Permanent deletion of individual experiments or jobs is not currently supported. For more information on deleting Workspace assets, see [Export or delete your Machine Learning service workspace data](how-to-export-delete-data.md).

+* **Metric Document is too large**: Azure Machine Learning has internal limits on the size of metric objects that can be logged at once from a training job. If you encounter a "Metric Document is too large" error when logging a list-valued metric, try splitting the list into smaller chunks, for example:

+ ```python

+ run.log_list("my metric name", my_metric[:N])

+ run.log_list("my metric name", my_metric[N:])

+ ```

+ Internally, Azure ML concatenates the blocks with the same metric name into a contiguous list.

+* **Compute target takes a long time to start**: The Docker images for compute targets are loaded from Azure Container Registry (ACR). By default, Azure Machine Learning creates an ACR that uses the *basic* service tier. Changing the ACR for your workspace to standard or premium tier may reduce the time it takes to build and load images. For more information, see [Azure Container Registry service tiers](../../container-registry/container-registry-skus.md).

+## Next steps

+* [Tutorial: Train and deploy a model](tutorial-1st-experiment-sdk-train.md) uses a managed compute target to train a model.

+* See how to train models with specific ML frameworks, such as [Scikit-learn](../how-to-train-scikit-learn.md), [TensorFlow](../how-to-train-tensorflow.md), and [PyTorch](../how-to-train-pytorch.md).

+* Learn how to [efficiently tune hyperparameters](../how-to-tune-hyperparameters.md) to build better models.

+* Once you have a trained model, learn [how and where to deploy models](../how-to-deploy-managed-online-endpoints.md).

+* View the [ScriptRunConfig class](/python/api/azureml-core/azureml.core.scriptrunconfig) SDK reference.

+* [Use Azure Machine Learning with Azure Virtual Networks](../how-to-network-security-overview.md)

+>The compute target used in `script_run_config` must have enough resources to satisfy your concurrency level. For more information on ScriptRunConfig, see [Configure training runs](how-to-set-up-training-targets.md).

+Remote runs (jobs) let you train your models in a more robust and repetitive way. They can also leverage more powerful computes, such as Machine Learning Compute clusters. See [Use compute targets for model training](how-to-set-up-training-targets.md) to learn about different compute options.

+A hidden plan is not visible on Azure Marketplace and can only be deployed through another Solution Template, Managed Application, Azure CLI or Azure PowerShell. Hiding a plan is useful when trying to limit exposure to customers that would normally be searching or browsing for it directly via Azure Marketplace. By selecting this checkbox all virtual machine images associated to your plan will be hidden from Azure Marketplace storefront.

+> [!NOTE]

+> A hidden plan is different from a private plan. When a plan is publicly available but hidden, it is still available for any Azure customer to deploy via Solution Template, Managed Application, Azure CLI or Azure PowerShell. However, a plan can be both hidden and private in which case only the customers configured in the private audience can deploy via these methods. If you wish to make the plan available to a limited set of customers, then set the plan to **Private**.

+> [!IMPORTANT]

+> Hidden plans don't generate preview links. However, you can test them by [following these steps](/azure/marketplace/azure-vm-faq).

+### Hidden plans

+A hidden plan is not visible on Azure Marketplace and can only be deployed through a Solution Template, Managed Application, Azure CLI or Azure PowerShell. Hiding a plan is useful when trying to limit exposure to customers that would normally be searching or browsing for it directly via Azure Marketplace.

+> [!NOTE]

+> A hidden plan is different from a private plan. When a plan is publicly available but hidden, it is still available for any Azure customer to deploy via Solution Template, Managed Application, Azure CLI or Azure PowerShell. However, a plan can be both hidden and private, in which case only the customers configured in the private audience can deploy via these methods.

+If you have already set prices for your plan in United States Dollars (USD) and add another market location, the price for the new market will be calculated according to the current exchange rates. After saving your changes, you will see an **Export prices (xlsx)** link that you can use to review and change the price for each market before publishing.

+> [!TIP]

+> The price shown to customers in the online stores doesn't change unless you update the price in Partner Center and then republish your offer. The rate will be updated when the scheduled price change is live according to [Changing prices in active commercial marketplace offers](price-changes.md).

+Azure Storage firewalls for virtual networks | Supported | If you are using firewall enabled replication storage account or target storage account, ensure you [Allow trusted Microsoft services](/azure/storage/common/storage-network-security#exceptions). Also, ensure that you allow access to at least one subnet of source VNet. **You should allow access from All networks for public endpoint connectivity.**

+| China East 3 | :heavy_check_mark: | :x: | :x:|

+| China North 3 | :heavy_check_mark: | :x: | :x:|

+| France South | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| Korea Central | :heavy_check_mark: | :heavy_check_mark: ** | :heavy_check_mark: |

+| Korea South | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| South Africa North | :heavy_check_mark: | :heavy_check_mark: | :x: |

+| West Central US | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| West US 2 | :x: $$ | :x: $ | :heavy_check_mark:|

+Each service has top-level settings that determine its name and the QoS characteristics, if any, that it will offer.

+### Collect Quality of service (QoS) setting values

+You can specify a QoS for this service, or inherit the parent SIM Policy's QoS. If you want to specify a QoS for this service, collect each of the values in the table below.

+| Value | Azure portal field name | Included in example ARM template |

+|--|--|--|

+| The default 5G QoS Indicator (5QI) or QoS class identifier (QCI) value for this service. The 5QI (for 5G networks) or QCI (for 4G networks) value identifies a set of QoS characteristics that control QoS forwarding treatment for QoS flows or EPS bearers. </br></br>We recommend you choose a 5QI or QCI value that corresponds to a non-GBR QoS flow or EPS bearer. These values are in the following ranges: 5-9; 69-70; 79-80. For more details, see 3GPP TS 23.501 for 5QI or 3GPP TS 23.203 for QCI.</br></br>You can also choose a non-standardized 5QI or QCI value.</p><p>Azure Private 5G Core doesn't support 5QI or QCI values corresponding to GBR or delay-critical GBR QoS flows or EPS bearers. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5QI/QCI** |No. Defaults to 9.|

+|The default 5QI (for 5G) or QCI (for 4G) value for this data network. These values identify a set of QoS characteristics that control QoS forwarding treatment for QoS flows or EPS bearers.</br></br>We recommend you choose a 5QI or QCI value that corresponds to a non-GBR QoS flow or EPS bearer. These values are in the following ranges: 5-9; 69-70; 79-80. For more details, see 3GPP TS 23.501 for 5QI or 3GPP TS 23.203 for QCI.</br></br>You can also choose a non-standardized 5QI or QCI value. </br></br>Azure Private 5G Core Preview doesn't support 5QI or QCI values corresponding to GBR or delay-critical GBR QoS flows or EPS bearers. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5QI/QCI** | No. Defaults to 9. |

+|The default PDU session type for SIMs using this data network. Azure Private 5G Core will use this type by default if the SIM doesn't request a specific type.| **Default session type** | No. Defaults to **IPv4**.|

+1. On the **Basics** configuration tab, use the information you collected in [Collect top-level setting values](collect-required-information-for-service.md#collect-top-level-setting-values) to fill out each of the fields.

+If you do not want to specify a QoS for this service, turn off the **Configured** toggle. If the toggle is off, the service will inherit the QoS of the parent SIM Policy.

+*SIM policies* allow you to define different sets of policies and interoperability settings that can each be assigned to a group of SIMs. The SIM policy also defines the default Quality of Service settings for any services that use the policy. You'll need to assign a SIM policy to a SIM before the user equipment (UE) using that SIM can access the private mobile network. In this how-to-guide, you'll learn how to configure a SIM policy.

+1. Under **Add a network scope** on the right, fill out each of the fields using the information you collected from [Collect information for the network scope](collect-required-information-for-sim-policy.md#collect-information-for-the-network-scope).

+SIM policies also define the default QoS settings for any services that use the policy. You can override the default SIM policy QoS settings on a per-service basis - see [Configure basic settings for the service](configure-service-azure-portal.md#configure-basic-settings-for-the-service).

+- [Learn more about policy control](policy-control.md)

+|The default 5G QoS identifier (5QI) or QoS class identifier (QCI) value for this data network. The 5QI or QCI identifies a set of 5G or 4G QoS characteristics that control QoS forwarding treatment for QoS Flows, such as limits for Packet Error Rate. | *9* |

+- One or more *data flow policy rules*, which identify the SDFs to which the service should be applied. You can configure each rule with the following to determine when it's applied and the effect it will have:

+ - One or more *data flow templates*, which provide the packet filters that identify the SDFs on which to match. You can match on an SDF's direction, protocol, target IP address, and target port. The target IP address and port refer to the component on the data network's end of the connection.

+ - A traffic control setting, which determines whether the packet core instance should allow or block traffic matching the SDF(s).

+ - A precedence value, which the packet core instance can use to rank data flow policy rules by importance.

+- Optionally, a set of QoS characteristics that should be applied on SDFs matching the service. The packet core instance will use these characteristics to create a QoS flow or EPS bearer to bind to matching SDFs. If you don't configure QoS characteristics, the default characteristics of the parent SIM policy will be used instead.

+You can specify the following QoS settings on a service:

+ |**5QI/QCI** | `9` |

+ |**5QI/QCI** | `9` |

+ |**5QI/QCI** | `9` |

+ |**5QI/QCI** | `9` |

+ |**5QI/QCI** | `9` |

+| Azure Cognitive Search | Microsoft.Search/searchServices | searchService |

+>[!TIP]

+> The **applicableEntityTypes** property tells which data types the metadata will be applied to.

+

+1. Open the set of Azure resources you want to check access for, such as **Management groups**, **Subscriptions**, **Resource groups**, or a particular resource.

+ 

+ 

+1. On the **Check access** tab, click the **Check access** button.

+1. In the **Check access** pane, click **User, group, or service principal**.

+ 

+1. Click the user to open the **assignments** pane.

+ On this pane, you can see the access for the selected user at this scope and inherited to this scope. Assignments at child scopes are not listed. You see the following assignments:

+ 

+ 

+

+ 

+ 

+ 

+ 

+1. On the **Check access** tab, click the **Check access** button.

+1. In the **Check access** pane, click **User, group, or service principal** or **Managed identity**.

+ 

+ 

+ 

+ 

+ 

+

+

+ 

+ 

+

+

+In this Python tutorial, you'll learn how to:

+This tutorial uses Python and the [Search REST APIs](/rest/api/searchservice/) to create a data source, index, indexer, and skillset.

+The indexer retrieves sample data in a blob container that's specified in the data source object, and sends all enriched content to a search index.

+* [Visual Studio Code](https://code.visualstudio.com/download) with the [Python extension](https://marketplace.visualstudio.com/items?itemName=ms-python.python) and Python 3.7 or later

+> You can use the free search service for this tutorial. A free search service limits you to three indexes, three indexers, and three data sources. This tutorial creates one of each. Before starting, make sure you have room on your service to accept the new resources.

+The sample data consists of 14 files of mixed content type that you'll upload to Azure Blob Storage in a later step.

+1. Open this [OneDrive folder](https://1drv.ms/f/s!As7Oy81M_gVPa-LCb5lC_3hbS-4) and on the top-left corner, select **Download** to copy the files to your computer.

+1. Right-click the zip file and select **Extract All**. There are 14 files of various types.

+This tutorial uses Azure Cognitive Search for indexing and queries, Cognitive Services on the backend for AI enrichment, and Azure Blob Storage to provide the data. This tutorial stays under the Cognitive Search free allocation of 20 transactions per indexer per day on Cognitive Services, so the only services you need to create are search and storage.

+1. [Sign in to the Azure portal](https://portal.azure.com/) and select **+ Create Resource**.

+1. Select **Review + Create** to create the service.

+1. Once it's created, select **Go to the resource** to open the Overview page.

+1. Select **Blobs** service.

+1. Select **+ Container** to create a container and name it *cog-search-demo*.

+1. Select *cog-search-demo* and then select **Upload** to open the folder where you saved the download files. Select all of the non-image files. You should have 14 files. Select **OK** to upload.

+Since this tutorial only uses 14 transactions, you can skip resource provisioning because Azure Cognitive Search can connect to Cognitive Services for 20 free transactions per indexer run. For larger projects, plan on provisioning Cognitive Services at the pay-as-you-go S0 tier. For more information, see [Attach Cognitive Services](cognitive-search-attach-cognitive-services.md).

+You can use the Free tier to complete this tutorial.

+To send requests to your Azure Cognitive Search service, you'll need the service URL and an access key.

+1. [Sign in to the Azure portal](https://portal.azure.com/), and in your search service **Overview** page, get the name of your search service. You can confirm your service name by reviewing the endpoint URL. If your endpoint URL is `https://mydemo.search.windows.net`, your service name would be `mydemo`.

+Use Visual Studio Code with the Python extension to create a new notebook. Press F1 to open the command palette and then search for "Create: New Jupyter Notebook".

+Alternatively, if you downloaded the notebook from [Azure-Search-python-samples repo](https://github.com/Azure-Samples/azure-search-python-samples/tree/master/Tutorial-AI-Enrichment), you can open it in Visual Studio Code.

+In your notebook, create a new cell and add this script. It loads the libraries used for working with JSON and formulating HTTP requests.

+In the next cell, define the names for the data source, index, indexer, and skillset. Run this script to set up the names for this tutorial.

+In a third cell, paste the following script, replacing the placeholders for your search service (YOUR-SEARCH-SERVICE-NAME) and admin API key (YOUR-ADMIN-API-KEY), and then run it to set up the search service endpoint.

+In Azure Cognitive Search, AI processing occurs during indexing (or data ingestion). This part of the tutorial creates four objects: data source, index definition, skillset, indexer.

+In the following script, replace the placeholder YOUR-BLOB-RESOURCE-CONNECTION-STRING with the connection string for the blob you created in the previous step. Replace the placeholder YOUR-BLOB-CONTAINER-NAME with the name of your container. Then, run the script to create a data source named `cogsrch-py-datasource`.

+In the Azure portal, on the search service dashboard page, verify that the cogsrch-py-datasource appears in the **Data sources** list. Select **Refresh** to update the page.

+In this step, you'll define a set of enrichment steps using [built-in cognitive skills](cognitive-search-predefined-skills.md) from Microsoft:

+In this section, you define the index schema by specifying the fields to include in the searchable index, and setting the search attributes for each field. Fields have a type and can take attributes that determine how the field is used (searchable, sortable, and so forth). Field names in an index aren't required to identically match the field names in the source. In a later step, you add field mappings in an indexer to connect source-destination fields. For this step, define the index using field naming conventions pertinent to your search application.

+To learn more about defining an index, see [Create Index (REST API)](/rest/api/searchservice/create-index).

+An [Indexer](/rest/api/searchservice/create-indexer) drives the pipeline. The three components you've created thus far (data source, skillset, index) are inputs to an indexer. Creating the indexer on Azure Cognitive Search is the event that puts the entire pipeline into motion.

+Warnings are common with some source file and skill combinations and don't always indicate a problem. Many warnings are benign. For example, if you index a JPEG file that doesn't have text, you'll see the warning in this screenshot.

+After indexing is finished, run queries that return the contents of the index or individual fields.

+First, get the index definition showing all of the fields. Visual Studio Code limits the output to 30 lines by default, but provides an option to open the output in a text editor. Use that option to view the full output. The output is the index schema, with the name, type, and attributes of each field.

+Next, submit a second query for `"*"` to return all contents of a single field, such as `organizations`. See [Search Documents (REST API)](/rest/api/searchservice/search-documents) for more information about the request.

+If you'd like to continue testing from this notebook, repeat the above commands using other fields: `content`, `languageCode`, `keyPhrases`, and `organizations` in this exercise.

+> [!TIP]

+> A better search experience might be switching to [Search Explorer](search-explorer.md) in the Azure portal or [creating a demo search app](search-create-app-portal.md) from the index you just created.

+In the early stages of development, it's practical to delete the objects from Azure Cognitive Search and allow your code to rebuild them. Resource names are unique. Deleting an object lets you recreate it using the same name.

+You can also delete them using a script. The following script deletes a skillset.

+Finally, you learned how to test the results and reset the system for further iterations. You learned that issuing queries against the index returns the output created by the enriched indexing pipeline. In this release, there's a mechanism for viewing internal constructs (enriched documents created by the system). You also learned how to check the indexer status and what objects must be deleted before rerunning a pipeline.

+Indexers have built-in thread management, but when you're using the push APIs, your application code will have to manage threads. Make sure there are sufficient threads to make full use of the available capacity, especially if you've recently increased partitions or have upgraded to a higher tier search service.

+1. [Increase the number of concurrent threads](tutorial-optimize-indexing-push-api.md#use-multiple-threadsworkers) in your client code.

+1. As you ramp up the requests hitting the search service, you might encounter [HTTP status codes](/rest/api/searchservice/http-status-codes) indicating the request didn't fully succeed. During indexing, two common HTTP status codes are:

+Indexer scheduling is an important mechanism for processing large data sets and for accommodating slow-running processes like image analysis in an enrichment pipeline. Indexer processing operates within a 24-hour window. If processing fails to finish within 24 hours, the behaviors of indexer scheduling can work to your advantage.

+In practical terms, for index loads spanning several days, you can put the indexer on a 24-hour schedule. When indexing resumes for the next 24-hour cycle, it restarts at the last known good document. In this way, an indexer can work its way through a document backlog over a series of days until all unprocessed documents are processed. For more information about setting schedules, see [Create Indexer REST API](/rest/api/searchservice/Create-Indexer) or see [How to schedule indexers for Azure Cognitive Search](search-howto-schedule-indexers.md).

+> [!NOTE]

+> Looking for strategies on high volume indexing? See [Index large data sets in Azure Cognitive Search](search-howto-large-index.md).

+Queries run faster on smaller indexes. This is partly a function of having fewer fields to scan, but it's also due to how the system caches content for future queries. After the first query, some content remains in memory where it's searched more efficiently. Because index size tends to grow over time, one best practice is to periodically revisit index composition, both schema and documents, to look for content reduction opportunities. However, if the index is right-sized, the only other calibration you can make is to increase capacity: either by [adding replicas](search-capacity-planning.md#adjust-capacity) or upgrading the service tier. The section ["Tip: Upgrade to a Standard S2 tier"](#tip-upgrade-to-a-standard-s2-tier) discusses the scale up versus scale out decision.

+Schema complexity can also adversely affect indexing and query performance. Excessive field attribution builds in limitations and processing requirements. [Complex types](search-howto-complex-data-types.md) take longer to index and query. The next few sections explore each condition.

+A common mistake that administrators and developers make when creating a search index is selecting all available properties for the fields, as opposed to only selecting just the properties that are needed. For example, if a field doesn't need to be full text searchable, skip that field when setting the searchable attribute.

+## Query design

+Query composition and complexity are one of the most important factors for performance, and query optimization can drastically improve performance. When designing queries, think about the following points:

+In this case, the filter expressions are used to check whether a single field in each document is equal to one of many possible values of a user identity. You're most likely to find this pattern in applications that implement [security trimming](search-security-trimming-for-azure-search.md) (checking a field containing one or more principal IDs against a list of principal IDs representing the user issuing the query).

+When query performance is slowing down in general, adding more replicas frequently solves the issue. But what if the problem is a single query that takes too long to complete? In this scenario, adding replicas won't help, but more partitions might. A partition splits data across extra computing resources. Two partitions split data in half, a third partition splits it into thirds, and so forth.

+One positive side-effect of adding partitions is that slower queries sometimes perform faster due to parallel computing. We've noted parallelization on low selectivity queries, such as queries that match many documents, or facets providing counts over a large number of documents. Since significant computation is required to score the relevancy of the documents, or to count the numbers of documents, adding extra partitions helps queries complete faster.

+The tier of your search service and the number of replicas/partitions also have a large impact on performance. Each progressively higher tier provides faster CPUs and more memory, both of which have a positive impact on performance.

+Review these other articles related to service performance:

+## Content sources for Microsoft Sentinel content and solutions

+Each piece of content or solution has one of the following content sources:

+|**Repositories** | Content or solutions from a repository connected to your workspace |

+ 1. Enter a **name for the network interface**.

+ 1. Select a **region** for the private endpoint. Your private endpoint must be in the same region as your virtual network, but can be in a different region from the private link resource that you are connecting to.

+ 1. Select **Next: Resource >** button at the bottom of the page.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-basics-page.png" alt-text="Screenshot showing the Basics page of the Create private endpoint wizard.":::

+8. On the **Resource** page, review settings, and select **Next: Virtual Network** at the bottom of the page.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-resource-page.png" alt-text="Screenshot showing the Resource page of the Create private endpoint wizard.":::

+9. On the **Virtual Network** page, you select the subnet in a virtual network to where you want to deploy the private endpoint.

+ 1. Notice that the **network policy for private endpoints** is disabled. If you want to enable it, select **edit**, update the setting, and select **Save**.

+ 1. For **Private IP configuration**, by default, **Dynamically allocate IP address** option is selected. If you want to assign a static IP address, select **Statically allocate IP address***.

+ 1. For **Application security group**, select an existing application security group or create one that's to be associated with the private endpoint.

+ 1. Select **Next: DNS >** button at the bottom of the page.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-configuration-page.png" alt-text="Screenshot showing the Virtual Network page of the Create private endpoint wizard.":::

+10. On the **DNS** page, select whether you want the private endpoint to be integrated with a private DNS zone, and then select **Next: Tags**.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-dns-page.png" alt-text="Screenshot showing the DNS page of the Create private endpoint wizard.":::

+1. On the **Tags** page, create any tags (names and values) that you want to associate with the private endpoint resource. Then, select **Review + create** button at the bottom of the page.

+1. On the **Review + create**, review all the settings, and select **Create** to create the private endpoint.

+ :::image type="content" source="./media/private-link-service/create-private-endpoint-review-create-page.png" alt-text="Screenshot showing the Review and Create page of the Create private endpoint wizard.":::

+3. You should see the status changed to **Disconnected**. Then, the endpoint will disappear from the list.

+>[!Note]

+>The following approach is used to assign IP address to the target VM, irrespective of the NIC settings.

+Target network isn't the failover VNet | - Target IP address will be static with the same IP address, only if it is available in the target virtual network. <br/><br/> - If the same IP address is already assigned, then the IP address is the next one available at the end of the subnet range.<br/><br/> For example: If the source static IP address is 10.0.0.19 and failover is on an network that isn't the failover network, with the range 10.0.0.0/24, then the target static IP address will be 10.0.0.19 if available, and otherwise it will be 10.0.0.254.

+> [Create named preview environments](./named-environments.md)

+If you rehydrate a blob by changing its tier, this rule will move the blob back to the archive tier if the last modified time, creation time, or last access time is beyond the threshold set for the policy.

+> [!NOTE]

+> A lifecycle management policy can't change the tier of a blob that uses an encryption scope.

+The SDK offers [high-level APIs](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/storage/azblob/zt_highlevel_test.go) that are built on top of the low-level REST APIs. As an example, ***UploadBufferToBlockBlob*** function uses StageBlock (PutBlock) operations to concurrently upload a file in chunks to optimize the throughput. If the file is less than 256 MB, it uses Upload (PutBlob) instead to complete the transfer in a single transaction.

+In this quickstart, you learned how to transfer files between a local disk and Azure blob storage using Go. For more information about the Azure Storage Blob SDK, view the [Source Code](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/storage/azblob) and [API Reference](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob).

+ Title: Configure customer-managed keys for an existing storage account

+description: Learn how to configure Azure Storage encryption with customer-managed keys for an existing storage account by using the Azure portal, PowerShell, or Azure CLI. Customer-managed keys are stored in an Azure key vault.

+# Configure customer-managed keys in an Azure key vault for an existing storage account

+Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can manage your own keys. Customer-managed keys must be stored in Azure Key Vault or Key Vault Managed Hardware Security Model (HSM).

+This article shows how to configure encryption with customer-managed keys for an existing storage account. The customer-managed keys are stored in a key vault.

+To learn how to configure customer-managed keys for a new storage account, see [Configure customer-managed keys in an Azure key vault for an existing storage account](customer-managed-keys-configure-existing-account.md).

+To learn how to configure encryption with customer-managed keys stored in a managed HSM, see [Configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM](customer-managed-keys-configure-key-vault-hsm.md).

+> [!NOTE]

+> Azure Key Vault and Azure Key Vault Managed HSM support the same APIs and management interfaces for configuration.

+## Choose a managed identity to authorize access to the key vault

+When you enable customer-managed keys for an existing storage account, you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault.

+The managed identity that authorizes access to the key vault may be either a user-assigned or system-assigned managed identity. To learn more about system-assigned versus user-assigned managed identities, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).

+### Use a user-assigned managed identity to authorize access

+A user-assigned is a standalone Azure resource. You must create the user-assigned identity before you configure customer-managed keys. To learn how to create and manage a user-assigned managed identity, see [Manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+#### [Azure portal](#tab/portal)

+When you configure customer-managed keys with the Azure portal, you can select an existing user-assigned identity through the portal user interface. For details, see [Configure customer-managed keys for an existing account](#configure-customer-managed-keys-for-an-existing-account).

+#### [PowerShell](#tab/powershell)

+To authorize access to the key vault with a user-assigned managed identity, you will need the resource ID and principal ID of the user-assigned managed identity. Call [Get-AzUserAssignedIdentity](/powershell/module/az.managedserviceidentity/get-azuserassignedidentity) to get the user-assigned managed identity and assign it to a variable that you will reference in subsequent steps:

+```azurepowershell

+$userIdentity = Get-AzUserAssignedIdentity -Name <user-assigned-identity> -ResourceGroupName <resource-group>

+$principalId = $userIdentity.PrincipalId

+```

+#### [Azure CLI](#tab/azure-cli)

+To authorize access to the key vault with a user-assigned managed identity, you will need the resource ID and principal ID of the user-assigned managed identity. Call [az identity show](/cli/azure/identity#az-identity-show) command to get the user-assigned managed identity, then save the resource ID and principal ID to variables. You will need these values in subsequent steps:

+```azurecli

+userIdentityId=$(az identity show --name sample-user-assigned-identity --resource-group storagesamples-rg --query id)

+principalId=$(az identity show --name sample-user-assigned-identity --resource-group storagesamples-rg --query principalId)

+```

+### Use a system-assigned managed identity to authorize access

+A system-assigned managed identity is associated with an instance of an Azure service, in this case an Azure Storage account. You must explicitly assign a system-assigned managed identity to a storage account before you can use the system-assigned managed identity to authorize access to the key vault that contains your customer-managed key.

+Only existing storage accounts can use a system-assigned identity to authorize access to the key vault. New storage accounts must use a user-assigned identity, if customer-managed keys are configured on account creation.

+#### [Azure portal](#tab/portal)

+When you configure customer-managed keys with the Azure portal with a system-assigned managed identity, the system-assigned managed identity is assigned to the storage account for you under the covers. For details, see [Configure customer-managed keys for an existing account](#configure-customer-managed-keys-for-an-existing-account).

+#### [PowerShell](#tab/powershell)

+To assign a system-assigned managed identity to your storage account, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount):

+```azurepowershell

+$storageAccount = Set-AzStorageAccount -ResourceGroupName <resource_group> `

+ -Name <storage-account> `

+ -AssignIdentity

+```

+Next, get the principal ID for the system-assigned managed identity, and save it to a variable. You will need this value in the next step to create the key vault access policy:

+```azurepowershell

+$principalId = $storageAccount.Identity.PrincipalId

+```

+#### [Azure CLI](#tab/azure-cli)

+To authenticate access to the key vault with a system-assigned managed identity, assign the system-assigned managed identity to the storage account by calling [az storage account update](/cli/azure/storage/account#az-storage-account-update):

+```azurecli

+az storage account update \

+ --name <storage-account> \

+ --resource-group <resource_group> \

+ --assign-identity

+```

+Next, get the principal ID for the system-assigned managed identity, and save it to a variable. You will need this value in the next step to create the key vault access policy:

+```azurecli

+principalId = $(az storage account show --name <storage-account> --resource-group <resource_group> --query identity.principalId)

+```

+## Configure the key vault access policy

+The next step is to configure the key vault access policy. The key vault access policy grants permissions to the managed identity that will be used to authorize access to the key vault. To learn more about key vault access policies, see [Azure Key Vault Overview](../../key-vault/general/overview.md#securely-store-secrets-and-keys) and [Azure Key Vault security overview](../../key-vault/general/security-features.md#key-vault-authentication-options).

+### [Azure portal](#tab/portal)

+To learn how to configure the key vault access policy with the Azure portal, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+### [PowerShell](#tab/powershell)

+To configure the key vault access policy with PowerShell, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy), providing the variable for the principal ID that you previously retrieved for the managed identity.

+```azurepowershell

+Set-AzKeyVaultAccessPolicy `

+ -VaultName $keyVault.VaultName `

+ -ObjectId $principalId `

+ -PermissionsToKeys wrapkey,unwrapkey,get

+```

+To learn more about assigning the key vault access policy with PowerShell, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+### [Azure CLI](#tab/azure-cli)

+To configure the key vault access policy with PowerShell, call [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy), providing the variable for the principal ID that you previously retrieved for the managed identity.

+```azurecli

+az keyvault set-policy \

+ --name <key-vault> \

+ --resource-group <resource_group>

+ --object-id $principalId \

+ --key-permissions get unwrapKey wrapKey

+```

+To learn more about assigning the key vault access policy with Azure CLI, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+## Configure customer-managed keys for an existing account

+When you configure encryption with customer-managed keys for an existing storage account, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternately, you can explicitly specify a key version to be used for encryption until the key version is manually updated.

+You can use either a system-assigned or user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys for an existing storage account.

+> [!NOTE]

+> To rotate a key, create a new version of the key in Azure Key Vault. Azure Storage does not handle key rotation, so you will need to manage rotation of the key in the key vault. You can [configure key auto-rotation in Azure Key Vault](../../key-vault/keys/how-to-configure-key-rotation.md) or rotate your key manually.

+### Configure encryption for automatic updating of key versions

+Azure Storage can automatically update the customer-managed key that is used for encryption to use the latest key version from the key vault. Azure Storage checks the key vault daily for a new version of the key. When a new version becomes available, then Azure Storage automatically begins using the latest version of the key for encryption.

+> [!IMPORTANT]

+> Azure Storage checks the key vault for a new key version only once daily. When you rotate a key, be sure to wait 24 hours before disabling the older version.

+### [Azure portal](#tab/portal)

+To configure customer-managed keys for an existing account with automatic updating of the key version in the Azure portal, follow these steps:

+1. Navigate to your storage account.

+1. On the **Settings** blade for the storage account, click **Encryption**. By default, key management is set to **Microsoft Managed Keys**, as shown in the following image.

+ :::image type="content" source="media/customer-managed-keys-configure-existing-account/portal-configure-encryption-keys.png" alt-text="Screenshot showing encryption options in Azure portal." lightbox="media/customer-managed-keys-configure-existing-account/portal-configure-encryption-keys.png":::

+1. Select the **Customer Managed Keys** option.

+1. Choose the **Select from Key Vault** option.

+1. Select **Select a key vault and key**.

+1. Select the key vault containing the key you want to use. You can also create a new key vault.

+1. Select the key from the key vault. You can also create a new key.

+ :::image type="content" source="media/customer-managed-keys-configure-existing-account/portal-select-key-from-key-vault.png" alt-text="Screenshot showing how to select key vault and key in Azure portal.":::

+1. Select the type of identity to use to authenticate access to the key vault. The options include **System-assigned** (the default) or **User-assigned**. To learn more about each type of managed identity, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).

+ 1. If you select **System-assigned**, the system-assigned managed identity for the storage account is created under the covers, if it does not already exist.

+ 1. If you select **User-assigned**, then you must select an existing user-assigned identity that has permissions to access the key vault. To learn how to create a user-assigned identity, see [Manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+ :::image type="content" source="media/customer-managed-keys-configure-existing-account/select-user-assigned-managed-identity-portal.png" alt-text="Screenshot showing how to select a user-assigned managed identity for key vault authentication.":::

+1. Save your changes.

+After you've specified the key, the Azure portal indicates that automatic updating of the key version is enabled and displays the key version currently in use for encryption. The portal also displays the type of managed identity used to authorize access to the key vault and the principal ID for the managed identity.

+### [PowerShell](#tab/powershell)

+To configure customer-managed keys for an existing account with automatic updating of the key version with PowerShell, install the [Az.Storage](https://www.powershellgallery.com/packages/Az.Storage) module, version 2.0.0 or later.

+Next, call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings, omitting the key version. Include the **-KeyvaultEncryption** option to enable customer-managed keys for the storage account.

+```azurepowershell

+Set-AzStorageAccount -ResourceGroupName <resource-group> `

+ -AccountName <storage-account> `

+ -KeyvaultEncryption `

+ -KeyName $key.Name `

+ -KeyVaultUri $keyVault.VaultUri

+```

+### [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys for an existing account with automatic updating of the key version with Azure CLI, install [Azure CLI version 2.4.0](/cli/azure/release-notes-azure-cli#april-21-2020) or later. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli).

+Next, call [az storage account update](/cli/azure/storage/account#az-storage-account-update) to update the storage account's encryption settings, omitting the key version. Include the `--encryption-key-source` parameter and set it to `Microsoft.Keyvault` to enable customer-managed keys for the account.

+```azurecli

+key_vault_uri=$(az keyvault show \

+ --name <key-vault> \

+ --resource-group <resource_group> \

+ --query properties.vaultUri \

+ --output tsv)

+az storage account update

+ --name <storage-account> \

+ --resource-group <resource_group> \

+ --encryption-key-name <key> \

+ --encryption-key-source Microsoft.Keyvault \

+ --encryption-key-vault $key_vault_uri

+```

+### Configure encryption for manual updating of key versions

+If you prefer to manually update the key version, then explicitly specify the version at the time that you configure encryption with customer-managed keys. In this case, Azure Storage will not automatically update the key version when a new version is created in the key vault. To use a new key version, you must manually update the version used for Azure Storage encryption.

+# [Azure portal](#tab/portal)

+To configure customer-managed keys with manual updating of the key version in the Azure portal, specify the key URI, including the version. To specify a key as a URI, follow these steps:

+1. To locate the key URI in the Azure portal, navigate to your key vault, and select the **Keys** setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.

+1. Copy the value of the **Key Identifier** field, which provides the URI.

+ :::image type="content" source="media/customer-managed-keys-configure-existing-account/portal-copy-key-identifier.png" alt-text="Screenshot showing key vault key URI in Azure portal.":::

+1. In the **Encryption key** settings for your storage account, choose the **Enter key URI** option.

+1. Paste the URI that you copied into the **Key URI** field. Omit the key version from the URI to enable automatic updating of the key version.

+ :::image type="content" source="media/customer-managed-keys-configure-existing-account/portal-specify-key-uri.png" alt-text="Screenshot showing how to enter key URI in Azure portal.":::

+1. Specify the subscription that contains the key vault.

+1. Specify either a system-assigned or user-assigned managed identity.

+1. Save your changes.

+# [PowerShell](#tab/powershell)

+To configure customer-managed keys with manual updating of the key version, explicitly provide the key version when you configure encryption for the storage account. Call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings, as shown in the following example, and include the **-KeyvaultEncryption** option to enable customer-managed keys for the storage account.

+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

+```azurepowershell

+Set-AzStorageAccount -ResourceGroupName <resource-group> `

+ -AccountName <storage-account> `

+ -KeyvaultEncryption `

+ -KeyName $key.Name `

+ -KeyVersion $key.Version `

+ -KeyVaultUri $keyVault.VaultUri

+```

+When you manually update the key version, you will need to update the storage account's encryption settings to use the new version. First, call [Get-AzKeyVaultKey](/powershell/module/az.keyvault/get-azkeyvaultkey) to get the latest version of the key. Then call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

+# [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys with manual updating of the key version, explicitly provide the key version when you configure encryption for the storage account. Call [az storage account update](/cli/azure/storage/account#az-storage-account-update) to update the storage account's encryption settings, as shown in the following example. Include the `--encryption-key-source` parameter and set it to `Microsoft.Keyvault` to enable customer-managed keys for the account.

+Remember to replace the placeholder values in brackets with your own values.

+```azurecli

+key_vault_uri=$(az keyvault show \

+ --name <key-vault> \

+ --resource-group <resource_group> \

+ --query properties.vaultUri \

+ --output tsv)

+key_version=$(az keyvault key list-versions \

+ --name <key> \

+ --vault-name <key-vault> \

+ --query [-1].kid \

+ --output tsv | cut -d '/' -f 6)

+az storage account update

+ --name <storage-account> \

+ --resource-group <resource_group> \

+ --encryption-key-name <key> \

+ --encryption-key-version $key_version \

+ --encryption-key-source Microsoft.Keyvault \

+ --encryption-key-vault $key_vault_uri

+```

+When you manually update the key version, you will need to update the storage account's encryption settings to use the new version. First, query for the key vault URI by calling [az keyvault show](/cli/azure/keyvault#az-keyvault-show), and for the key version by calling [az keyvault key list-versions](/cli/azure/keyvault/key#az-keyvault-key-list-versions). Then call [az storage account update](/cli/azure/storage/account#az-storage-account-update) to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

+## Next steps

+- [Azure Storage encryption for data at rest](storage-service-encryption.md)

+- [Customer-managed keys for Azure Storage encryption](customer-managed-keys-overview.md)

+- [Configure customer-managed keys in an Azure key vault for a new storage account](customer-managed-keys-configure-new-account.md)

+ Title: Configure customer-managed keys for a new storage account

+description: Learn how to configure Azure Storage encryption with customer-managed keys for a new storage account by using the Azure portal, PowerShell, or Azure CLI. Customer-managed keys are stored in an Azure key vault.

+# Configure customer-managed keys in an Azure key vault for a new storage account

+Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can manage your own keys. Customer-managed keys must be stored in an Azure Key Vault or in an Azure Key Vault Managed Hardware Security Model (HSM).

+This article shows how to configure encryption with customer-managed keys at the time that you create a new storage account. The customer-managed keys are stored in a key vault.

+To learn how to configure customer-managed keys for an existing storage account, see [Configure customer-managed keys in an Azure key vault for an existing storage account](customer-managed-keys-configure-existing-account.md).

+To learn how to configure encryption with customer-managed keys stored in a managed HSM, see [Configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM](customer-managed-keys-configure-key-vault-hsm.md).

+> [!NOTE]

+> Azure Key Vault and Azure Key Vault Managed HSM support the same APIs and management interfaces for configuration.

+## Use a user-assigned managed identity to authorize access to the key vault

+When you enable customer-managed keys for a new storage account, you must specify a user-assigned managed identity. The user-assigned managed identity will be used to authorize access to the key vault that contains the key. The user-assigned managed identity must have permissions to access the key in the key vault.

+A user-assigned is a standalone Azure resource. To learn more about user-assigned managed identities, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types). To learn how to create and manage a user-assigned managed identity, see [Manage user-assigned managed identities](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).

+Both new and existing storage accounts can use a user-assigned identity to authorize access to the key vault. You must create the user-assigned identity before you configure customer-managed keys.

+### [Azure portal](#tab/portal)

+When you configure customer-managed keys with the Azure portal, you can select an existing user-assigned identity through the portal user interface. For details, see [Configure customer-managed keys for a new storage account](#configure-customer-managed-keys-for-a-new-storage-account).

+### [PowerShell](#tab/powershell)

+To authorize access to the key vault with a user-assigned managed identity, you will need the resource ID and principal ID of the user-assigned managed identity. Call [Get-AzUserAssignedIdentity](/powershell/module/az.managedserviceidentity/get-azuserassignedidentity) to get the user-assigned managed identity and assign it to a variable that you will reference in subsequent steps:

+```azurepowershell

+$userIdentity = Get-AzUserAssignedIdentity -Name <user-assigned-identity> -ResourceGroupName <resource-group>

+```

+### [Azure CLI](#tab/azure-cli)

+To authorize access to the key vault with a user-assigned managed identity, you will need the resource ID and principal ID of the user-assigned managed identity. Call [az identity show](/cli/azure/identity#az-identity-show) command to get the user-assigned managed identity, then save the resource ID and principal ID to variables. You will need these values in subsequent steps:

+```azurecli

+userIdentityId=$(az identity show --name sample-user-assigned-identity --resource-group storagesamples-rg --query id)

+principalId=$(az identity show --name sample-user-assigned-identity --resource-group storagesamples-rg --query principalId)

+```

+## Configure the key vault access policy

+The next step is to configure the key vault access policy. The key vault access policy grants permissions to the user-assigned managed identity that will be used to authorize access to the key vault. To learn more about key vault access policies, see [Azure Key Vault Overview](../../key-vault/general/overview.md#securely-store-secrets-and-keys) and [Azure Key Vault security overview](../../key-vault/general/security-features.md#key-vault-authentication-options).

+### [Azure portal](#tab/portal)

+To learn how to configure the key vault access policy with the Azure portal, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+### [PowerShell](#tab/powershell)

+To configure the key vault access policy with PowerShell, call [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy), providing the variable for the principal ID that you previously retrieved for the user-assigned managed identity.

+```azurepowershell

+Set-AzKeyVaultAccessPolicy `

+ -VaultName $keyVault.VaultName `

+ -ObjectId $userIdentity.PrincipalId `

+ -PermissionsToKeys wrapkey,unwrapkey,get

+```

+To learn more about assigning the key vault access policy with PowerShell, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+### [Azure CLI](#tab/azure-cli)

+To configure the key vault access policy with PowerShell, call [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy), providing the variable for the principal ID that you previously retrieved for the user-assigned managed identity.

+```azurecli

+az keyvault set-policy \

+ --name <key-vault> \

+ --resource-group <resource_group>

+ --object-id $principalId \

+ --key-permissions get unwrapKey wrapKey

+```

+To learn more about assigning the key vault access policy with Azure CLI, see [Assign an Azure Key Vault access policy](../../key-vault/general/assign-access-policy.md).

+## Configure customer-managed keys for a new storage account

+When you configure encryption with customer-managed keys for a new storage account, you can choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault. Alternately, you can explicitly specify a key version to be used for encryption until the key version is manually updated.

+You must use an existing user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys while creating the storage account. The user-assigned managed identity must have appropriate permissions to access the key vault. For more information, see [Authenticate to Azure Key Vault](../../key-vault/general/authentication.md).

+### Configure encryption for automatic updating of key versions

+Azure Storage can automatically update the customer-managed key that is used for encryption to use the latest key version from the key vault. Azure Storage checks the key vault daily for a new version of the key. When a new version becomes available, then Azure Storage automatically begins using the latest version of the key for encryption.

+> [!IMPORTANT]

+> Azure Storage checks the key vault for a new key version only once daily. When you rotate a key, be sure to wait 24 hours before disabling the older version.

+### [Azure portal](#tab/portal)

+To configure customer-managed keys for a new storage account with automatic updating of the key version, follow these steps:

+1. In the Azure portal, navigate to the **Storage accounts** page, and select the **Create** button to create a new account.

+1. Follow the steps outlined in [Create a storage account](storage-account-create.md) to fill out the fields on the **Basics**, **Advanced**, **Networking**, and **Data Protection** tabs.

+1. On the **Encryption** tab, indicate for which services you want to enable support for customer-managed keys in the **Enable support for customer-managed keys** field.

+1. In the **Encryption type** field, select **Customer-managed keys (CMK)**.

+1. In the **Encryption key** field, choose **Select a key vault and key**, and specify the key vault and key.

+1. For the **User-assigned identity** field, select an existing user-assigned managed identity.

+ :::image type="content" source="media/customer-managed-keys-configure-new-account/portal-new-account-configure-cmk.png" alt-text="Screenshot showing how to configure customer-managed keys for a new storage account in Azure portal.":::

+1. Select the **Review** button to validate and create the account.

+You can also configure customer-managed keys with manual updating of the key version when you create a new storage account. Follow the steps described in [Configure encryption for manual updating of key versions](#configure-encryption-for-manual-updating-of-key-versions).

+### [PowerShell](#tab/powershell)

+To configure customer-managed keys for a new storage account with automatic updating of the key version, call [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount), as shown in the following example. Use the variable you created previously for the resource ID for the user-assigned managed identity. You will also need the key vault URI and key name:

+```azurepowershell

+New-AzStorageAccount -ResourceGroupName <resource-group> `

+ -Name <storage-account> `

+ -Kind StorageV2 `

+ -SkuName Standard_LRS `

+ -Location $location `

+ -IdentityType SystemAssignedUserAssigned `

+ -UserAssignedIdentityId $userIdentity.Id `

+ -KeyVaultUri $keyVault.VaultUri `

+ -KeyName $key.Name `

+ -KeyVaultUserAssignedIdentityId $userIdentity.Id

+```

+### [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys for a new storage account with automatic updating of the key version, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), as shown in the following example. Use the variable you created previously for the resource ID for the user-assigned managed identity. You will also need the key vault URI and key name:

+```azurecli

+az storage account create \

+ --name <storage-account> \

+ --resource-group <resource-group> \

+ --location <location> \

+ --sku Standard_LRS \

+ --kind StorageV2 \

+ --identity-type SystemAssigned,UserAssigned \

+ --user-identity-id <user-assigned-managed-identity> \

+ --encryption-key-vault <key-vault-uri> \

+ --encryption-key-name <key-name> \

+ --encryption-key-source Microsoft.Keyvault \

+ --key-vault-user-identity-id <user-assigned-managed-identity>

+```

+### Configure encryption for manual updating of key versions

+If you prefer to manually update the key version, then explicitly specify the version when you configure encryption with customer-managed keys while creating the storage account. In this case, Azure Storage will not automatically update the key version when a new version is created in the key vault. To use a new key version, you must manually update the version used for Azure Storage encryption.

+You must use an existing user-assigned managed identity to authorize access to the key vault when you configure customer-managed keys while creating the storage account. The user-assigned managed identity must have appropriate permissions to access the key vault. For more information, see [Authenticate to Azure Key Vault](../../key-vault/general/authentication.md).

+# [Azure portal](#tab/portal)

+To configure customer-managed keys with manual updating of the key version in the Azure portal, specify the key URI, including the version, while creating the storage account. To specify a key as a URI, follow these steps:

+1. In the Azure portal, navigate to the **Storage accounts** page, and select the **Create** button to create a new account.

+1. Follow the steps outlined in [Create a storage account](storage-account-create.md) to fill out the fields on the **Basics**, **Advanced**, **Networking**, and **Data Protection** tabs.

+1. On the **Encryption** tab, indicate for which services you want to enable support for customer-managed keys in the **Enable support for customer-managed keys** field.

+1. In the **Encryption type** field, select **Customer-managed keys (CMK)**.

+1. To locate the key URI in the Azure portal, navigate to your key vault, and select the **Keys** setting. Select the desired key, then click the key to view its versions. Select a key version to view the settings for that version.

+1. Copy the value of the **Key Identifier** field, which provides the URI.

+ :::image type="content" source="media/customer-managed-keys-configure-new-account/portal-copy-key-identifier.png" alt-text="Screenshot showing key vault key URI in Azure portal.":::

+1. In the **Encryption key** settings for your storage account, choose the **Enter key URI** option.

+1. Paste the URI that you copied into the **Key URI** field. Include the key version on the URI to configure manual updating of the key version.

+1. Specify a user-assigned managed identity by choosing the **Select an identity** link.

+ :::image type="content" source="media/customer-managed-keys-configure-new-account/portal-specify-key-uri.png" alt-text="Screenshot showing how to enter key URI in Azure portal.":::

+1. Select the **Review** button to validate and create the account.

+# [PowerShell](#tab/powershell)

+To configure customer-managed keys with manual updating of the key version, explicitly provide the key version when you configure encryption while creating the storage account. Call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings, as shown in the following example, and include the **-KeyvaultEncryption** option to enable customer-managed keys for the storage account.

+Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples.

+```azurepowershell

+New-AzStorageAccount -ResourceGroupName <resource-group> `

+ -Name <storage-account> `

+ -Kind StorageV2 `

+ -SkuName Standard_LRS `

+ -Location $location `

+ -IdentityType SystemAssignedUserAssigned `

+ -UserAssignedIdentityId $userIdentity.Id `

+ -KeyVaultUri $keyVault.VaultUri `

+ -KeyName $key.Name `

+ -KeyVersion $key.Version `

+ -KeyVaultUserAssignedIdentityId $userIdentity.Id

+```

+When you manually update the key version, you will need to update the storage account's encryption settings to use the new version. First, call [Get-AzKeyVaultKey](/powershell/module/az.keyvault/get-azkeyvaultkey) to get the latest version of the key. Then call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

+# [Azure CLI](#tab/azure-cli)

+To configure customer-managed keys with manual updating of the key version, explicitly provide the key version when you configure encryption while creating the storage account. Call [az storage account update](/cli/azure/storage/account#az-storage-account-update) to update the storage account's encryption settings, as shown in the following example. Include the `--encryption-key-source` parameter and set it to `Microsoft.Keyvault` to enable customer-managed keys for the account.

+Remember to replace the placeholder values in brackets with your own values.

+```azurecli

+key_vault_uri=$(az keyvault show \

+ --name <key-vault> \

+ --resource-group <resource_group> \

+ --query properties.vaultUri \

+ --output tsv)

+key_version=$(az keyvault key list-versions \

+ --name <key> \

+ --vault-name <key-vault> \

+ --query [-1].kid \

+ --output tsv | cut -d '/' -f 6)

+az storage account create \

+ --name <storage-account> \

+ --resource-group <resource-group> \

+ --location <location> \

+ --sku Standard_LRS \

+ --kind StorageV2 \

+ --identity-type SystemAssigned,UserAssigned \

+ --user-identity-id <user-assigned-managed-identity> \

+ --encryption-key-vault $key_vault_uri \

+ --encryption-key-name <key-name> \

+ --encryption-key-source Microsoft.Keyvault \

+ --encryption-key-version $key_version \

+ --key-vault-user-identity-id <user-assigned-managed-identity>

+```

+When you manually update the key version, you will need to update the storage account's encryption settings to use the new version. First, query for the key vault URI by calling [az keyvault show](/cli/azure/keyvault#az-keyvault-show), and for the key version by calling [az keyvault key list-versions](/cli/azure/keyvault/key#az-keyvault-key-list-versions). Then call [az storage account update](/cli/azure/storage/account#az-storage-account-update) to update the storage account's encryption settings to use the new version of the key, as shown in the previous example.

+## Next steps

+- [Azure Storage encryption for data at rest](storage-service-encryption.md)

+- [Customer-managed keys for Azure Storage encryption](customer-managed-keys-overview.md)

+- [Configure customer-managed keys in an Azure key vault for an existing storage account](customer-managed-keys-configure-existing-account.md)

+- Add a handler for the [**Retrying**](/dotnet/api/microsoft.azure.cosmos.table.operationcontext.retrying) event on the [**OperationContext**](/java/api/com.microsoft.azure.storage.operationcontext) object you pass to your storage requests ΓÇô this is the method displayed in this article and used in the accompanying sample. These events fire whenever the client retries a request, enabling you to track how often the client encounters retryable errors on a primary endpoint.

+Storage Explorer logs various things to its own application logs. You can easily get to these logs by selecting **Help** > **Open Logs Directory**. By default, Storage Explorer logs at a low level of verbosity. To change the verbosity level, go to **Settings** (the **gear** symbol on the left) > **Application** > **Logging** > **Log Level**. You can then set the log level as needed. For troubleshooting, it is recommended to use the `debug` log level.

+For some issues, you'll need to provide logs of the network calls made by Storage Explorer. On Windows, you can do this by using Fiddler.

+1. Go to **Settings** (the **gear** symbol on the left) > **Application** > **Proxy**

+1. Change the proxy source dropdown to be **Use system proxy (preview)**.

+1. Optional/recommended: Let Fiddler set for a few minutes. If you see network calls appear that aren't related to Storage Explorer, right-click them and select **Filter Now** > **Hide \<process name\>**.

+1. Start/restart Storage Explorer.

+ Title: How to Migrate ASA projects to Visual Studio Code

+description: This article provides guidance for Visual Studio users migrating ASA projects to Visual Studio Code.

+# How to Migrate ASA projects to Visual Studio Code

+This article provides guidance for Visual Studio users migrating Azure Stream Analytics (ASA) projects to Visual Studio Code (VSCode). Please note that the ASA Tools extension for Visual Studio is no longer maintained. We recommend that you use the ASA tools extension in VSCode for local testing before you submit and start an ASA job.

+If you have a local ASA project in Visual Studio, follow [these steps](#faqs) to submit your ASA project to Azure portal.

+## Install VSCode and ASA Tools extension

+1. Install [Visual Studio Code](https://code.visualstudio.com/)

+2. Open Visual Studio Code, select **Extensions** on the left pane, search for **Stream Analytics** and select **Install** on the **Azure Stream Analytics Tools** extension.

+ 

+3. After the extension is installed, verify that **Azure Stream Analytics Tools** is visible in **Enabled Extensions**.

+4. Select the Azure icon on the Visual Studio Code activity bar. Under Stream Analytics on the side bar, select **Sign in to Azure**.

+ 

+5. When you're signed in, your Azure account name appears on the status bar in the lower-left corner of the Visual Studio Code window.

+## Export an ASA Job and open in VSCode

+If you've created an ASA job in the Azure portal, you can export the ASA job to VSCode in your local machine. Two ways to export an ASA job:

+### Option 1 ΓÇô Export from the Azure portal

+1. Sign in to Azure portal and open your ASA job. Under **Query** page, select **Open in VS Code** to export job.

+ :::image type="content" source="./media/stream-analytics-migrate-to-vscode/portal-open-in-vscode.png" alt-text="Screenshot of the Azure portal using the Open in VSCode to launch VSCode in the local machine." lightbox= "./media/stream-analytics-migrate-to-vscode/portal-open-in-vscode.png" :::

+2. Select a folder where you want to export the ASA project.

+3. Then it will automatically create an ASA project and add it to your workspace in VSCode. You should see a folder with the same name as your ASA job.

+ 

+4. A Stream Analytics project consists of three folders: **Inputs**, **Outputs**, and **Functions**. It also has the query script **(\*.asaql)**, a **JobConfig.json** file, and an **asaproj.json** configuration file. If you have configured multiple Input and Output sources for the job, it will create JSON files for each source under the folders respectively.

+ 

+### Option 2 - Export an ASA job in VSCode

+1. Select the **Azure** icon on the VSCode activity bar. Find the **Subscription** where your ASA job is created, select **Export** to export the ASA job.

+ 

+2. Once the export is completed, you'll see an ASA project created in your workspace.

+ 

+3. If your ASA job has configured multiple input and output sources, it will create JSON files for each source under the **Inputs** and **Outputs** folders respectively.

+## Run an ASA job in VSCode

+After an ASA job is exported, you can run your query on the local machine. For input, data can be ingested from local files or live sources. Output results are either sent as files to a local folder, or to the live sinks. For more detail, visit [Run jobs locally with VS Code](./visual-studio-code-local-run-all.md).

+Follow these steps to run your job with live input and save output results locally:

+1. Before you begin, install [.NET core SDK](https://dotnet.microsoft.com/download) and restart Visual Studio Code.

+2. Go to. **\*.asaql** file, select **Run Locally**.

+

+ :::image type="content" source="media/stream-analytics-migrate-to-vscode/run-locally-vscode.png" alt-text="Screenshot of the Visual Studio Coding using Run Locally to run an ASA job." lightbox= "media/stream-analytics-migrate-to-vscode/run-locally-vscode.png" :::

+3. Then select **Use Live Input and Local Output** under the Command Palette.

+

+ 

+4. If your job started successfully, you can view the output results, job diagram, and metrics for your ASA job.

+

+ :::image type="content" source="./media/stream-analytics-migrate-to-vscode/vscode-job-diagram-metrics.png" alt-text="Screenshot of the Visual Studio Code using Job Diagram and Metric features. " lightbox= "./media/stream-analytics-migrate-to-vscode/vscode-job-diagram-metrics.png" :::

+For more details about debugging, visit [Debug ASA queries locally using job diagram](./debug-locally-using-job-diagram-vs-code.md)

+## FAQs

+### How to migrate a local ASA project from Visual Studio to VSCode?

+If you have a local ASA project in Visual Studio and not yet submitted, follow these steps to submit your ASA project to Azure.

+1. Open your ASA project in Visual Studio, you should see the **Functions**, **Inputs** and **Outputs** folders in the **Solution Explorer**.

+ 

+2. Open the script **(\*.asaql)**, select **Submit to Azure** in the editor.

+ 

+3. Select **Create a New Azure Stream Analytics job** and enter a **Job Name**. Choose the **Subscription**, **Resource Group**, and **Location** for the ASA project.

+ 

+4. Then you can go to the Azure portal and find the ASA job under your **Resource Group**.

+5. To learn how to export an ASA job in VSCode, see [here](#export-an-asa-job-and-open-in-vscode).

+### Do I need to configure the input and output sources after an ASA job is exported?

+No, if your ASA job has configured multiple Inputs and Outputs sources in the Azure portal, it will create JSON files for each source under the folders respectively.

+### How to add a new input source in VSCode?

+1. Right-click the Inputs folder in your Stream Analytics project. Then select **ASA: Add Input** from the context menu.

+ 

+2. Choose the input type and follow the instructions to edit your input JSON files.

+

+ 

+3. Then you can preview data and verify if the new input source is added.

+ :::image type="content" source="./media/stream-analytics-migrate-to-vscode/preview-data.png" alt-text="Screenshot of the Visual Studio Code using Preview Data." lightbox= "./media/stream-analytics-migrate-to-vscode/preview-data.png" :::

+## Next steps

+To learn about Azure Stream Analytics Tools for Visual Studio Code, continue to the following articles:

+* [Test Stream Analytics queries locally with sample data using Visual Studio Code](visual-studio-code-local-run.md)

+* [Test Azure Stream Analytics jobs locally against live input with Visual Studio Code](visual-studio-code-local-run-live-input.md)

+* [Use Visual Studio Code to view Azure Stream Analytics jobs](visual-studio-code-explore-jobs.md)

+* [Set up CI/CD pipelines by using the npm package](./cicd-overview.md)

+ > This workspace deployment extension in is not backward compatible. Please make sure that the latest version is installed and used. You can read the release note in [overview](https://marketplace.visualstudio.com/items?itemName=AzureSynapseWorkspace.synapsecicd-deploy&ssr=false#overview)in Azure DevOps and the [latest version](https://github.com/marketplace/actions/synapse-workspace-deployment) in GitHub action.

+ - Open a PowerShell prompt on your local device. Run the `Connect-AzAccount` cmdlet to sign in to your Azure account. For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+Learn more about sandboxes and how to use them to test Windows environments at [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview).

+- Global replication.¹

+¹ The Azure Compute Gallery service is not a global resource. For disaster recovery scenarios, it is a best practice is to have at least two galleries, in different regions.

+ Title: Overview of the Dplsv5 and Dpldsv5-series sizes

+description: Overview of Dplsv5 and Dpldsv5 series of ARM64-based Azure Virtual Machines featuring the 80 core, 3.0 GHz Ampere Altra processor.

+# Dplsv5 and Dpldsv5-series

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

+The Dplsv5-series and Dpldsv5-series virtual machines are based on the Arm architecture, delivering outstanding price-performance for general-purpose workloads. These virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer a range of vCPU sizes, up to 2 GiB of memory per vCPU, and temporary storage options able to meet the requirements of most non-memory-intensive and scale-out workloads such as microservices, small databases, caches, gaming servers, and more.

+## Dplsv5-series

+Dplsv5-series virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer up to 64 vCPU and 128 GiB of RAM and offer a better value proposition for non-memory-intensive scale-out workloads. Dplsv5-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types with no local-SSD support. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+- [Premium Storage](premium-storage-performance.md): Supported

+- [Premium Storage caching](premium-storage-performance.md): Supported

+- [Live Migration](maintenance-and-updates.md): Supported

+- [Memory Preserving Updates](maintenance-and-updates.md): Supported

+- [VM Generation Support](generation-2.md): Generation 2

+- [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported

+- [Ephemeral OS Disks](ephemeral-os-disks.md): Supported

+- [Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not supported

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network bandwidth (Mbps) |

+||||||||

+| Standard_D2pls_v5 | 2 | 4 | Remote Storage Only | 4 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_D4pls_v5 | 4 | 8 | Remote Storage Only | 8 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_D8pls_v5 | 8 | 16 | Remote Storage Only | 16 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_D16pls_v5 | 16 | 32 | Remote Storage Only | 32 | 25600/600 | 40000/1200 | 4 | 12500 |

+| Standard_D32pls_v5 | 32 | 64 | Remote Storage Only | 32 | 51200/865 | 80000/2000 | 8 | 16000 |

+| Standard_D48pls_v5 | 48 | 96 | Remote Storage Only | 32 | 76800/1315 | 80000/3000 | 8 | 24000 |

+| Standard_D64pls_v5 | 64 | 128 | Remote Storage Only | 32 | 80000/1735 | 80000/3000 | 8 | 40000 |

+> [!NOTE]

+> Accelerated networking is required and turned on by default on all Dplsv5 machines.

+## Dpldsv5-series

+Dpldsv5-series virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer up to 64 vCPU, 128 GiB of RAM, and fast local SSD storage up to 2,400 GiB built for scale-out, non-memory-intensive workloads that require local disk. Dpldsv5-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+- [Premium Storage](premium-storage-performance.md): Supported

+- [Premium Storage caching](premium-storage-performance.md): Supported

+- [Live Migration](maintenance-and-updates.md): Supported

+- [Memory Preserving Updates](maintenance-and-updates.md): Supported

+- [VM Generation Support](generation-2.md): Generation 2

+- [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported

+- [Ephemeral OS Disks](ephemeral-os-disks.md): Supported

+- [Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not supported

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max temp storage throughput: IOPS/MBps | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network bandwidth (Mbps) |

+||||||||

+| Standard_D2plds_v5 | 2 | 4 | 75 | 4 | 9375/125 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_D4plds_v5 | 4 | 8 | 150 | 8 | 19000/250 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_D8plds_v5 | 8 | 16 | 300 | 16 | 38000/500 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_D16plds_v5 | 16 | 32 | 600 | 32 | 75000/1000 | 25600/600 | 40000/1200 | 4 | 12500 |

+| Standard_D32plds_v5 | 32 | 64 | 1200 | 32 | 150000/2000 | 51200/865 | 80000/2000 | 8 | 16000 |

+| Standard_D48plds_v5 | 48 | 96 | 1800 | 32 | 225000/3000 | 76800/1315 | 80000/3000 | 8 | 24000 |

+| Standard_D64plds_v5 | 64 | 128 | 2400 | 32 | 300000/4000 | 80000/1735 | 80000/3000 | 8 | 40000 |

+> [!NOTE]

+> Accelerated networking is required and turned on by default on all Dplsv5 machines.

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+ Title: Overview of the Dpsv5 and Dpdsv5-series sizes

+description: Overview of the Dpsv5 and Dpdsv5 series of ARM64-based Azure Virtual Machines featuring the 80 core, 3.0 GHz Ampere Altra processor.

+# Dpsv5 and Dpdsv5-series

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

+The Dpsv5-series and Dpdsv5-series virtual machines are based on the Arm architecture, delivering outstanding price-performance for general-purpose workloads. These virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer a range of vCPU sizes, up to 4 GiB of memory per vCPU, and temporary storage options able to meet the requirements of scale-out and most enterprise workloads such as web and application servers, small to medium databases, caches, and more.

+## Dpsv5-series

+Dpsv5-series virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer up to 64 vCPU and 208 GiB of RAM and are optimized for scale-out and most enterprise workloads. Dpsv5-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types with no local-SSD support. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+- [Premium Storage](premium-storage-performance.md): Supported

+- [Premium Storage caching](premium-storage-performance.md): Supported

+- [Live Migration](maintenance-and-updates.md): Supported

+- [Memory Preserving Updates](maintenance-and-updates.md): Supported

+- [VM Generation Support](generation-2.md): Generation 2

+- [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported

+- [Ephemeral OS Disks](ephemeral-os-disks.md): Supported

+- [Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not supported

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network bandwidth (Mbps) |

+||||||||

+| Standard_D2ps_v5 | 2 | 8 | Remote Storage Only | 4 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_D4ps_v5 | 4 | 16 | Remote Storage Only | 8 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_D8ps_v5 | 8 | 32 | Remote Storage Only | 16 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_D16ps_v5 | 16 | 64 | Remote Storage Only | 32 | 25600/600 | 40000/1200 | 4 | 12500 |

+| Standard_D32ps_v5 | 32 | 128 | Remote Storage Only | 32 | 51200/865 | 80000/2000 | 8 | 16000 |

+| Standard_D48ps_v5 | 48 | 192 | Remote Storage Only | 32 | 76800/1315 | 80000/3000 | 8 | 24000 |

+| Standard_D64ps_v5 | 64 | 208 | Remote Storage Only | 32 | 80000/1735 | 80000/3000 | 8 | 40000 |

+> [!NOTE]

+> Accelerated networking is required and turned on by default on all Dpsv5 machines.

+## Dpdsv5-series

+Dpdsv5-series virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer up to 64 vCPU, 208 GiB of RAM, and fast local SSD storage with up to 2,400 GiB in capacity and are optimized for scale-out and most enterprise workloads. Dpdsv5-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+- [Premium Storage](premium-storage-performance.md): Supported

+- [Premium Storage caching](premium-storage-performance.md): Supported

+- [Live Migration](maintenance-and-updates.md): Supported

+- [Memory Preserving Updates](maintenance-and-updates.md): Supported

+- [VM Generation Support](generation-2.md): Generation 2

+- [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported

+- [Ephemeral OS Disks](ephemeral-os-disks.md): Supported

+- [Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not supported

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max temp storage throughput: IOPS/MBps | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network bandwidth (Mbps) |

+||||||||

+| Standard_D2pds_v5 | 2 | 8 | 75 | 4 | 9375/125 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_D4pds_v5 | 4 | 16 | 150 | 8 | 19000/250 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_D8pds_v5 | 8 | 32 | 300 | 16 | 38000/500 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_D16pds_v5 | 16 | 64 | 600 | 32 | 75000/1000 | 25600/600 | 40000/1200 | 4 | 12500 |

+| Standard_D32pds_v5 | 32 | 128 | 1200 | 32 | 150000/2000 | 51200/865 | 80000/2000 | 8 | 16000 |

+| Standard_D48pds_v5 | 48 | 192 | 1800 | 32 | 225000/3000 | 76800/1315 | 80000/3000 | 8 | 24000 |

+| Standard_D64pds_v5 | 64 | 208 | 2400 | 32 | 300000/4000 | 80000/1735 |80000/3000 | 8 | 40000 |

+> [!NOTE]

+> Accelerated networking is required and turned on by default on all Dpsv5 machines.

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+ Title: Overview of the Epsv5 and Epdsv5-series sizes

+description: Overview of memory-optimized Epsv5 and Epdsv5-series of ARM64-based Azure Virtual Machines featuring the 80 core, 3.0 GHz Ampere Altra processor.

+# Epsv5 and Epdsv5-series

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

+The Epsv5-series and Epdsv5-series virtual machines are based on the Arm architecture, delivering outstanding price-performance for memory-intensive workloads. These virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer a range of vCPU sizes, up to 8 GiB of memory per vCPU, and are best suited for memory-intensive scale-out and enterprise workloads, such as relational database servers, large databases, data analytics engines, in-memory caches, and more.

+## Epsv5-series

+Epsv5-series virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer up to 32 vCPU and 208 GiB of RAM and are ideal for memory-intensive scale-out and most Enterprise workloads. Epsv5-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types with no local-SSD support. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+- [Premium Storage](premium-storage-performance.md): Supported

+- [Premium Storage caching](premium-storage-performance.md): Supported

+- [Live Migration](maintenance-and-updates.md): Supported

+- [Memory Preserving Updates](maintenance-and-updates.md): Supported

+- [VM Generation Support](generation-2.md): Generation 2

+- [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported

+- [Ephemeral OS Disks](ephemeral-os-disks.md): Supported

+- [Nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not supported

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network bandwidth (Mbps) |

+||||||||

+| Standard_E2ps_v5 | 2 | 16 | Remote Storage Only | 4 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_E4ps_v5 | 4 | 32 | Remote Storage Only | 8 | 6400/145 | 10000/1200 | 2 | 12500 |

+| Standard_E8ps_v5 | 8 | 64 | Remote Storage Only | 16 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_E16ps_v5 | 16 | 128 | Remote Storage Only | 32 | 25600/600 | 40000/1200 | 4 | 12500 |

+| Standard_E20ps_v5 | 20 | 160 | Remote Storage Only | 32 | 32000/750 | 64000/1600 | 8 | 12500 |

+| Standard_E32ps_v5 | 32 | 208 | Remote Storage Only | 32 | 51200/865 | 80000/2000 | 8 | 16000 |

+> [!NOTE]

+> Accelerated networking is required and turned on by default on all Epsv5 machines.

+## Epdsv5-series

+Epdsv5-series virtual machines feature the Ampere® Altra® Arm-based processor operating at 3.0 GHz, which provides an entire physical core for each virtual machine vCPU. These virtual machines offer up to 32 vCPU, 208 GiB of RAM, and fast local SSD storage up to 1,200 GiB and are ideal for memory-intensive scale-out and most Enterprise workloads. Epdsv5-series virtual machines support Standard SSD, Standard HDD, and premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+- [Premium Storage](premium-storage-performance.md): Supported

+- [Premium Storage caching](premium-storage-performance.md): Supported

+- [Live Migration](maintenance-and-updates.md): Supported

+- [Memory Preserving Updates](maintenance-and-updates.md): Supported

+- [VM Generation Support](generation-2.md): Generation 2

+- [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported

+- [Ephemeral OS Disks](ephemeral-os-disks.md): Supported

+- [Nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not supported

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max temp storage throughput: IOPS/MBps | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network bandwidth (Mbps) |

+||||||||

+| Standard_E2pds_v5 | 2 | 16 | 75 | 4 | 9375/125 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_E4pds_v5 | 4 | 32 | 150 | 8 | 19000/250 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_E8pds_v5 | 8 | 64 | 300 | 16 | 38000/500 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_E16pds_v5 | 16 | 128 | 600 | 32 | 75000/1000 | 25600/600 | 40000/1200 | 4 | 12500 |

+| Standard_E20pds_v5 | 20 | 160 | 750 | 32 | 95000/1250 | 32000/750 | 64000/1600 | 8 | 12500 |

+| Standard_E32pds_v5 | 32 | 208 | 1200 | 32 | 150000/2000 | 51200/865 | 80000/2000 | 8 | 16000 |

+> [!NOTE]

+> Accelerated networking is required and turned on by default on all Epsv5 machines.

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+|[Dpsv5-series](dpsv5-dpdsv5-series.md) | :x: | :heavy_check_mark: |

+|[Dpdsv5-series](dpsv5-dpdsv5-series.md) | :x: | :heavy_check_mark: |

+|[Epsv5-series](epsv5-epdsv5-series.md) | :x: | :heavy_check_mark: |

+|[Epdsv5-series](epsv5-epdsv5-series.md) | :x: | :heavy_check_mark: |

+- For consuming direct shared images in target subscription, Direct shared images can be found from VM/VMSS creation blade only.

+General purpose VM sizes provide balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers. This article provides information about the offerings for general purpose computing.

+- The [Av2-series](av2-series.md) VMs can be deployed on various hardware types and processors. A-series VMs have CPU performance and memory configurations best suited for entry level workloads like development and test. This size is throttled, based on the hardware. The size offers consistent processor performance for the running instance, regardless of the hardware it's deployed on. To determine the physical hardware on which this size is deployed, query the virtual hardware from within the Virtual Machine. Example use cases include development and test servers, low traffic web servers, small to medium databases, proof-of-concepts, and code repositories.

+- [B-series burstable](sizes-b-series-burstable.md) VMs are ideal for workloads that don't need the full performance of the CPU continuously, like web servers, small databases and development and test environments. These workloads typically have burstable performance requirements. The B-Series provides these customers the ability to purchase a VM size with a price conscious baseline performance that allows the VM instance to build up credits when the VM is utilizing less than its base performance. When the VM has accumulated credit, the VM can burst above the VMΓÇÖs baseline using up to 100% of the CPU when your application requires the higher CPU performance.

+- The [DCv2-series](dcv2-series.md) can help protect the confidentiality and integrity of your data and code while itΓÇÖs processed in the public cloud. These machines are backed by the latest generation of Intel XEON E-2288G Processor with SGX technology. With the Intel Turbo Boost Technology, these machines can go up to 5.0 GHz. DCv2 series instances enable customers to build secure enclave-based applications to protect their code and data while itΓÇÖs in use.

+- The [Dpsv5 and Dpdsv5-series](dpsv5-dpdsv5-series.md) and [Dplsv5 and Dpldsv5-series](dplsv5-dpldsv5-series.md) are ARM64-based VMs featuring the 80 core, 3.0 GHz Ampere Altra processor. These series are designed for common enterprise workloads. They're optimized for database, in-memory caching, analytics, gaming, web, and application servers running on Linux.

+- [Dv2 and Dsv2-series](dv2-dsv2-series.md) VMs, a follow-on to the original D-series, features a more powerful CPU and optimal CPU-to-memory configuration making them suitable for most production workloads. The Dv2-series is about 35% faster than the D-series. Dv2-series run on 2nd Generation Intel® Xeon® Platinum 8272CL (Cascade Lake), Intel® Xeon® 8171M 2.1 GHz (Skylake), Intel® Xeon® E5-2673 v4 2.3 GHz (Broadwell), or the Intel® Xeon® E5-2673 v3 2.4 GHz (Haswell) processors with the Intel Turbo Boost Technology 2.0. The Dv2-series has the same memory and disk configurations as the D-series.

+- The [Dv3 and Dsv3-series](dv3-dsv3-series.md) runs on 2nd Generation Intel® Xeon® Platinum 8272CL (Cascade Lake), Intel® Xeon® 8171M 2.1 GHz (Skylake), Intel® Xeon® E5-2673 v4 2.3 GHz (Broadwell), or the Intel® Xeon® E5-2673 v3 2.4 GHz (Haswell) processors. These series run in a hyper-threaded configuration, providing a better value proposition for most general purpose workloads. Memory has been expanded (from ~3.5 GiB/vCPU to 4 GiB/vCPU) while disk and network limits have been adjusted on a per core basis to align with the move to hyperthreading. The Dv3-series no longer has the high memory VM sizes of the D/Dv2-series. Those sizes have been moved to the memory optimized [Ev3 and Esv3-series](ev3-esv3-series.md).

+- [Dav4 and Dasv4-series](dav4-dasv4-series.md) are new sizes utilizing AMDΓÇÖs 2.35Ghz EPYC^TM 7452 processor in a multi-threaded configuration with up to 256 MB L3 cache dedicating 8 MB of that L3 cache to every eight cores increasing customer options for running their general purpose workloads. The Dav4-series and Dasv4-series have the same memory and disk configurations as the D & Dsv3-series.

+- The [Ddv4 and Ddsv4-series](ddv4-ddsv4-series.md) runs on the Intel&reg; Xeon&reg; Platinum 8272CL (Cascade Lake) processors in a hyper-threaded configuration, providing a better value proposition for most general-purpose workloads. It features an all core Turbo clock speed of 3.4 GHz, [Intel&reg; Turbo Boost Technology 2.0](https://www.intel.com/content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html), [Intel&reg; Hyper-Threading Technology](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) and [Intel&reg; Advanced Vector Extensions 512 (Intel&reg; AVX-512)](https://www.intel.com/content/www/us/en/architecture-and-technology/avx-512-overview.html). They also support [Intel&reg; Deep Learning Boost](https://software.intel.com/content/www/us/en/develop/topics/ai/deep-learning-boost.html). These new VM sizes will have 50% larger local storage, and better local disk IOPS for both read and write compared to the [Dv3/Dsv3](./dv3-dsv3-series.md) sizes with [Gen2 VMs](./generation-2.md).

+- The [Dasv5 and Dadsv5-series](dasv5-dadsv5-series.md) utilize AMD's 3rd Generation EPYC^TM 7763v processor in a multi-threaded configuration with up to 256 MB L3 cache, increasing customer options for running their general purpose workloads. These virtual machines offer a combination of vCPUs and memory to meet the requirements associated with most enterprise workloads. For example, you can use these series with small-to-medium databases, low-to-medium traffic web servers, application servers, and more.

+- The [Dv5 and Dsv5-series](dv5-dsv5-series.md) run on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor in a hyper-threaded configuration. The Dv5 and Dsv5 virtual machine sizes don't have any temporary storage thus lowering the price of entry. The Dv5 VM sizes offer a combination of vCPUs and memory to meet the requirements associated with most enterprise workloads. For example, you can use these series with small-to-medium databases, low-to-medium traffic web servers, application servers, and more.

+Memory optimized VM sizes offer a high memory-to-CPU ratio that is great for relational database servers, medium to large caches, and in-memory analytics. This article provides information about the number of vCPUs, data disks and NICs. You can also learn about storage throughput and network bandwidth for each size in this grouping.

+- The [Eav4 and Easv4-series](eav4-easv4-series.md) utilize AMD's 2.35Ghz EPYC^TM 7452 processor in a multi-threaded configuration with up to 256 MB L3 cache, increasing options for running most memory optimized workloads. The Eav4-series and Easv4-series have the same memory and disk configurations as the Ev3 & Esv3-series.

+- The [Ev3 and Esv3-series](ev3-esv3-series.md) feature the Intel&reg; Xeon&reg; 8171M 2.1 GHz (Skylake) or the Intel&reg; Xeon&reg; E5-2673 v4 2.3 GHz (Broadwell) processor in a hyper-threaded configuration. This configuration provides a better value proposition for most general purpose workloads, and brings the Ev3 into alignment with the general purpose VMs of most other clouds. Memory has been expanded (from 7 GiB/vCPU to 8 GiB/vCPU) while disk and network limits have been adjusted on a per core basis to align with the move to hyper-threading. The Ev3 is the follow up to the high memory VM sizes of the D/Dv2 families.

+- The [Ev4 and Esv4-series](ev4-esv4-series.md) runs on 2nd Generation Intel&reg; Xeon&reg; Platinum 8272CL (Cascade Lake) processors in a hyper-threaded configuration, are ideal for various memory-intensive enterprise applications and feature up to 504 GiB of RAM. It features the [Intel&reg; Turbo Boost Technology 2.0](https://www.intel.com/content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html), [Intel&reg; Hyper-Threading Technology](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) and [Intel&reg; Advanced Vector Extensions 512 (Intel AVX-512)](https://www.intel.com/content/www/us/en/architecture-and-technology/avx-512-overview.html). The Ev4 and Esv4-series don't include a local temp disk. For more information, see [Azure VM sizes with no local temp disk](azure-vms-no-temp-disk.yml).

+- The [Edv5 and Edsv5-series](edv5-edsv5-series.md) run on the 3rd Generation Intel&reg; Xeon&reg; Platinum 8370C (Ice Lake) processors in a hyper-threaded configuration. These series are ideal for various memory-intensive enterprise applications. They feature up to 672 GiB of RAM, [Intel&reg; Turbo Boost Technology 2.0](https://www.intel.com/content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html), [Intel&reg; Hyper-Threading Technology](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) and [Intel&reg; Advanced Vector Extensions 512 (Intel&reg; AVX-512)](https://www.intel.com/content/www/us/en/architecture-and-technology/avx-512-overview.html). The series also support [Intel&reg; Deep Learning Boost](https://software.intel.com/content/www/us/en/develop/topics/ai/deep-learning-boost.html). These new VM sizes have 50% larger local storage, and better local disk IOPS for both read and write compared to the [Ev3/Esv3](./ev3-esv3-series.md) sizes with [Gen2 VMs](./generation-2.md). It features an all core Turbo clock speed of 3.4 GHz.

+- The [Epsv5 and Epdsv5-series](epsv5-epdsv5-series.md) are ARM64-based VMs featuring the 80 core, 3.0 GHz Ampere Altra processor. These series are designed for common enterprise workloads. They're optimized for database, in-memory caching, analytics, gaming, web, and application servers running on Linux.

+This article describes the available sizes and options for the Azure virtual machines you can use to run your apps and workloads. It also provides deployment considerations to be aware of when you're planning to use these resources.

+| [General purpose](sizes-general.md) | B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dpdsv5, Dpldsv5, Dpsv5, Dplsv5, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5 | Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers. |

+| [Memory optimized](sizes-memory.md) | Esv3, Ev3, Easv4, Eav4, Epdsv5, Epsv5, Ev4, Esv4, Edv4, Edsv4, Ev5, Esv5, Edv5, Edsv5, Easv5, Eadsv5, Mv2, M, DSv2, Dv2 | High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics. |

+> | `use_private_endpoint` | Are private endpoints created for storage accounts and key vaults. | Optional | |

+> | `use_service_endpoint` | Are service endpoints defined for the subnets. | Optional | |

+> | `enable_purge_control_for_keyvaults` | Is purge control is enabled on the Key Vault. | Optional | Use only for test deployments |

+> | `use_private_endpoint` | Are private endpoints created for storage accounts and key vaults. | Optional | |

+> | `use_service_endpoint` | Are service endpoints defined for the subnets. | Optional | |

+> | `diagnostics_storage_account_arm_id` | The Azure resource identifier for the diagnostics storage account | Required | For brown field deployments. |

+> | `witness_storage_account_arm_id` | The Azure resource identifier for the witness storage account | Required | For brown field deployments. |