-This article describes how [Azure App Service](overview.md) runs Python apps, how you can migrate existing apps to Azure, and how you can customize the behavior of App Service when needed. Python apps must be deployed with all the required [pip](https://pypi.org/project/pip/) modules.

-The App Service deployment engine automatically activates a virtual environment and runs `pip install -r requirements.txt` for you when you deploy a [Git repository](deploy-local-git.md), or a [zip package](deploy-zip.md) [with build automation enabled](deploy-zip.md#enable-build-automation-for-zip-deploy).

-App Service's build system, called Oryx, performs the following steps when you deploy your app if the app setting `SCM_DO_BUILD_DURING_DEPLOYMENT` is set to `1`:

-1. Run a custom pre-build script if specified by the `PRE_BUILD_COMMAND` setting. (The script can itself run other Python and Node.js scripts, pip and npm commands, and Node-based tools like yarn, for example, `yarn install` and `yarn build`.)

-1. Run custom post-build script if specified by the `POST_BUILD_COMMAND` setting. (Again, the script can run other Python and Node.js scripts, pip and npm commands, and Node-based tools.)

-> A setting named `SCM_DO_BUILD_DURING_DEPLOYMENT`, if it contains `true` or 1, triggers an Oryx build happens during deployment. The setting is true when deploying using git, the Azure CLI command `az webapp up`, and Visual Studio Code.

-1. **App service resources**: Create a resource group, App Service Plan, and App Service web app to host your application. You can do it easily by running the Azure CLI command [`az webapp up`](/cli/azure/webapp?az-webapp-up). Or, you can create and deploy resources as shown in [Tutorial: Deploy a Python (Django or Flask) web app with PostgreSQL](tutorial-python-postgresql-app.md). Replace the names of the resource group, App Service Plan, and the web app to be more suitable for your application.

-1. **Environment variables**: If your application requires any environment variables, create equivalent [App Service application settings](configure-common.md#configure-app-settings). These App Service settings appear to your code as environment variables, as described on [Access environment variables](#access-app-settings-as-environment-variables).

-1. **App startup**: Review the section, [Container startup process](#container-startup-process) later in this article to understand how App Service attempts to run your app. App Service uses the Gunicorn web server by default, which must be able to find your app object or *wsgi.py* folder. If needed, you can [Customize the startup command](#customize-startup-command).

-For a production environment like Azure App Service, Django apps should follow Django's [Deployment checklist](https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/) (djangoproject.com).

-| `SECRET_KEY` | Store the value in an App Service setting as described on [Access app settings as environment variables](#access-app-settings-as-environment-variables). You can alternately [store the value as a "secret" in Azure Key Vault](/azure/key-vault/secrets/quick-create-python). |

-| `ALLOWED_HOSTS` | In production, Django requires that you include app's URL in the `ALLOWED_HOSTS` array of *settings.py*. You can retrieve this URL at runtime with the code, `os.environ['WEBSITE_HOSTNAME']`. App Service automatically sets the `WEBSITE_HOSTNAME` environment variable to the app's URL. |

-| `DATABASES` | Define settings in App Service for the database connection and load them as environment variables to populate the [`DATABASES`](https://docs.djangoproject.com/en/4.1/ref/settings/#std:setting-DATABASES) dictionary. You can alternately store the values (especially the username and password) as [Azure Key Vault secrets](/azure/key-vault/secrets/quick-create-python). |

-If your Django web app includes static front-end files, first follow the instructions on [Managing static files](https://docs.djangoproject.com/en/4.1/howto/static-files/) in the Django documentation.

- Here, `FRONTEND_DIR`, to build a path to where a build tool like yarn is run. You can again use an environment variable and App Setting as desired.

-1. Add `whitenoise` to your *requirements.txt* file. [Whitenoise](http://whitenoise.evans.io/en/stable/) (whitenoise.evans.io) is a Python package that makes it simple for a production Django app to serve its own static files. Whitenoise specifically serves those files that are found in the folder specified by the Django `STATIC_ROOT` variable.

-1. In your *settings.py* file, add the following line for Whitenoise:

-1. Also modify the `MIDDLEWARE` and `INSTALLED_APPS` lists to include Whitenoise:

-If your Flask web app includes static front-end files, first follow the instructions on [managing static files](https://flask.palletsprojects.com/en/2.2.x/tutorial/static/) in the Flask documentation. For an example of serving static files in a Flask application, see the [quickstart sample Flask application](https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart) on GitHub.

- - To protect your web app from accidental or deliberate DDOS attacks, Gunicorn is run behind an Nginx reverse proxy as described on [Deploying Gunicorn](https://docs.gunicorn.org/en/latest/deploy.html) (docs.gunicorn.org).

-1. Use a [custom startup command](#customize-startup-command), if provided.

-2. Check for the existence of a [Django app](#django-app), and launch Gunicorn for it if detected.

-3. Check for the existence of a [Flask app](#flask-app), and launch Gunicorn for it if detected.

-4. If no other app is found, start a default app that's built into the container.

-To enable production logging, add the `--access-logfile` and `--error-logfile` parameters as shown in the examples for [custom startup commands](#customize-startup-command).

-If your main app module is contained in a different file, use a different name for the app object, or you want to provide other arguments to Gunicorn, use a [custom startup command](#customize-startup-command).

-Again, if you expect to see a deployed app instead of the default app, see [Troubleshooting - App doesn't appear](#app-doesnt-appear).

-App Service ignores any errors that occur when processing a custom startup command or file, then continues its startup process by looking for Django and Flask apps. If you don't see the behavior you expect, check that your startup command or file is error-free, and that a startup command file is deployed to App Service along with your app code. You can also check the [Diagnostic logs](#access-diagnostic-logs) for more information. Also check the app's **Diagnose and solve problems** page on the [Azure portal](https://portal.azure.com).

- For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). If you're using auto-scale rules to scale your web app up and down, you should also dynamically set the number of gunicorn workers using the `NUM_CORES` environment variable in your startup command, for example: `--workers $((($NUM_CORES*2)+1))`. For more information on setting the recommended number of gunicorn workers, see [the Gunicorn FAQ](https://docs.gunicorn.org/en/stable/design.html#how-many-workers)

- For more information, see [Gunicorn logging](https://docs.gunicorn.org/en/stable/settings.html#logging) (docs.gunicorn.org).

-App settings are values stored in the cloud specifically for your app as described on [Configure app settings](configure-common.md#configure-app-settings). These settings are available to your app code as environment variables and accessed using the standard [os.environ](https://docs.python.org/3/library/os.html#os.environ) pattern.

-For example, if you've created app setting called `DATABASE_SERVER`, the following code retrieves that setting's value:

-In App Service, [TLS/SSL termination](https://wikipedia.org/wiki/TLS_termination_proxy) (wikipedia.org) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the `X-Forwarded-Proto` header.

-Popular web frameworks let you access the `X-Forwarded-*` information in your standard app pattern. For example in Django, you can use the [SECURE_PROXY_SSL_HEADER](https://docs.djangoproject.com/en/4.1/ref/settings/#secure-proxy-ssl-header) to tell Django to use the `X-Forwarded-Proto` header.

-1. On the **Log details** page that appears, select the **Show Logs...** link that appears next to "Running oryx build...".

-Build issues such as incorrect dependencies in *requirements.txt* and errors in pre- or post-build scripts will appear in these logs. Errors also appear if your requirements file isn't exactly named *requirements.txt* or doesn't appear in the root folder of your project.

-When you're successfully connected to the SSH session, you should see the message "SSH CONNECTION ESTABLISHED" at the bottom of the window. If you see errors such as "SSH_CONNECTION_CLOSED" or a message that the container is restarting, an error may be preventing the app container from starting. See [Troubleshooting](#troubleshooting) for steps to investigate possible issues.

-When deploying Python applications on Azure App Service for Linux, you may need to handle URL rewrites within your application. This is particularly useful for ensuring specific URL patterns are redirected to the correct endpoints without relying on external web server configurations. For Flask applications, [URL processors](https://flask.palletsprojects.com/patterns/urlprocessors/) and custom middleware can be used to achieve this. In Django applications, the robust [URL dispatcher](https://docs.djangoproject.com/en/5.0/topics/http/urls/) allows for efficient management of URL rewrites.

-In general, the first step in troubleshooting is to use App Service Diagnostics:

- - Refresh the browser, especially if you're using the lowest pricing tiers in your App Service Plan. The app may take longer to start up when using free tiers, for example, and becomes responsive after you refresh the browser.

- - Connect to the web app's container via [SSH](#open-ssh-session-in-browser) and verify that *requirements.txt* is named correctly and exists directly under *site/wwwroot*. If it doesn't exist, make site the file exists in your repository and is included in your deployment. If it exists in a separate folder, move it to the root.

-If you see an error like `ModuleNotFoundError: No module named 'example'`, then Python couldn't find one or more of your modules when the application started. This error most often occurs if you deploy your virtual environment with your code. Virtual environments aren't portable, so a virtual environment shouldn't be deployed with your application code. Instead, let Oryx create a virtual environment and install your packages on the web app by creating an app setting, `SCM_DO_BUILD_DURING_DEPLOYMENT`, and setting it to `1`. This setting will force Oryx to install your packages whenever you deploy to App Service. For more information, please see [this article on virtual environment portability](https://azure.github.io/AppService/2020/12/11/cicd-for-python-apps.html).

-When attempting to run database migrations with a Django app, you may see "sqlite3. OperationalError: database is locked." The error indicates that your application is using a SQLite database for which Django is configured by default rather than using a cloud database such as PostgreSQL for Azure.

-## More resources

->

-There are many networking features that enable apps in a multi-tenant App Service to reach network-isolated resources or become network-isolated themselves. These features are enabled at the application level. With an App Service Environment, no added configuration is required for the apps to be on a virtual network. The apps are deployed into a network-isolated environment that's already on a virtual network. If you really need a complete isolation story, you can also deploy your App Service Environment onto dedicated hardware.

-An App Service Environment is a single-tenant deployment of Azure App Service that runs on your virtual network.

-The multi-tenant version of Azure App Service contains numerous features to enable your apps to connect to your various networks. With those networking features, your apps can act as though they're deployed on a virtual network. The apps in an App Service Environment v3 don't need any added configuration to be on the virtual network.

-A benefit of using an App Service Environment instead of a multi-tenant service is that any network access controls for the App Service Environment-hosted apps are external to the application configuration. With the apps in the multi-tenant service, you must enable the features on an app-by-app basis and use role-based access control or a policy to prevent any configuration changes.

->

-### Azure Public:

-| Region | Single zone support | Availability zone support | Single zone support |

-| -- | :--: | :-: | :-: |

-| | App Service Environment v3 | App Service Environment v3 | App Service Environment v1/v2 |

-| Australia Central | ✅ | | ✅ |

-| Australia Central 2 | ✅* | | ✅ |

-| Australia East | ✅ | ✅ | ✅ |

-| Australia Southeast | ✅ | | ✅ |

-| Brazil South | ✅ | ✅ | ✅ |

-| Brazil Southeast | ✅ | | ✅ |

-| Canada Central | ✅ | ✅ | ✅ |

-| Canada East | ✅ | | ✅ |

-| Central India | ✅ | ✅ | ✅ |

-| Central US | ✅ | ✅ | ✅ |

-| East Asia | ✅ | ✅ | ✅ |

-| East US | ✅ | ✅ | ✅ |

-| East US 2 | ✅ | ✅ | ✅ |

-| France Central | ✅ | ✅ | ✅ |

-| France South | ✅ | | ✅ |

-| Germany North | ✅ | | ✅ |

-| Germany West Central | ✅ | ✅ | ✅ |

-| Israel Central | ✅ | ✅ | |

-| Italy North | ✅ | ✅** | |

-| Japan East | ✅ | ✅ | ✅ |

-| Japan West | ✅ | | ✅ |

-| Jio India Central | ✅** | | |

-| Jio India West | ✅** | | ✅ |

-| Korea Central | ✅ | ✅ | ✅ |

-| Korea South | ✅ | | ✅ |

-| Mexico Central | ✅ | ✅** | |

-| North Central US | ✅ | | ✅ |

-| North Europe | ✅ | ✅ | ✅ |

-| Norway East | ✅ | ✅ | ✅ |

-| Norway West | ✅ | | ✅ |

-| Poland Central | ✅ | ✅ | |

-| Qatar Central | ✅** | ✅** | |

-| South Africa North | ✅ | ✅ | ✅ |

-| South Africa West | ✅ | | ✅ |

-| South Central US | ✅ | ✅ | ✅ |

-| South India | ✅ | | ✅ |

-| Southeast Asia | ✅ | ✅ | ✅ |

-| Spain Central | ✅ | ✅** | |

-| Sweden Central | ✅ | ✅ | |

-| Switzerland North | ✅ | ✅ | ✅ |

-| Switzerland West | ✅ | | ✅ |

-| UAE Central | ✅ | | ✅ |

-| UAE North | ✅ | ✅ | ✅ |

-| UK South | ✅ | ✅ | ✅ |

-| UK West | ✅ | | ✅ |

-| West Central US | ✅ | | ✅ |

-| West Europe | ✅ | ✅ | ✅ |

-| West India | ✅* | | ✅ |

-| West US | ✅ | | ✅ |

-| West US 2 | ✅ | ✅ | ✅ |

-| West US 3 | ✅ | ✅ | ✅ |

-### Azure Government:

-| Region | Single zone support | Availability zone support | Single zone support |

-| -- | :--: | :-: | :-: |

-| | App Service Environment v3 | App Service Environment v3 | App Service Environment v1/v2 |

-| US DoD Central | ✅ | | ✅ |

-| US DoD East | ✅ | | ✅ |

-| US Gov Arizona | ✅ | | ✅ |

-| US Gov Iowa | | | |

-| US Gov Texas | ✅ | | ✅ |

-| US Gov Virginia | ✅ |✅ | ✅ |

-### Microsoft Azure operated by 21Vianet:

-| Region | Single zone support | Availability zone support | Single zone support |

-| -- | :--: | :-: | :-: |

-| | App Service Environment v3 | App Service Environment v3 | App Service Environment v1/v2 |

-| China East 2 | | | ✅ |

-| China East 3 | ✅ | | |

-| China North 2 | | | ✅ |

-| China North 3 | ✅ | ✅ | |

-In a multi-tenant App Service, scaling is immediate, because a pool of shared resources is readily available to support it. App Service Environment is a single-tenant service, so there's no shared buffer, and resources are allocated based on need.

-![Screenshot that shows the App Service Environment configuration portal.][5]

-* [Scale up](https://en.wikipedia.org/wiki/Scalability#Horizontal_and_vertical_scaling): Get more CPU, memory, disk space, and extra features

- Basic, Standard and Premium service plans scale out to as many as 3, 10 and 30 instances respectively. [App Service Environments](environment/intro.md)

- in **Isolated** tier further increases your scale-out count to 100 instances. For more information about scaling out, see

-> [App Service now offers an automatic scale-out option to handle varying incoming HTTP requests.](./manage-automatic-scaling.md)

-> Before you switch an App Service plan from the **Free** tier, you must first remove the [spending limits](https://azure.microsoft.com/pricing/spending-limits/) in place for your Azure subscription. To view or change options for your Microsoft Azure App Service subscription, see [Microsoft Azure Subscriptions][azuresubscriptions].

- 

-2. In the **Summary** part of the **Resource group** page, select a resource that you want to scale. The following screenshot

- To scale up the related resource, see the documentation for the specific resource type. For example, to scale up a single SQL Database, see [Scale single database resources in Azure SQL Database](/azure/azure-sql/database/single-database-scale). To scale up an Azure Database for MySQL resource, see [Scale MySQL resources](/azure/mysql/concepts-pricing-tiers#scale-resources).

-For detailed information, such as VM sizes for each pricing tier, see [App Service Pricing Details](https://azure.microsoft.com/pricing/details/app-service).

-## More resources

-* [Scale instance count manually or automatically](/azure/azure-monitor/autoscale/autoscale-get-started)

-[azuresubscriptions]:https://account.windowsazure.com/subscriptions

-description: Deploy your first Node.js Hello World to Azure App Service in minutes.

-This quickstart configures an App Service app in the **Free** tier and incurs no cost for your Azure subscription.

-1. Create a Node.js application using the [Express Generator](https://expressjs.com/starter/generator.html), which is installed by default with Node.js and NPM.

-1. Change to the application's directory and install the NPM packages.

- 

-> For your Node.js application to run in Azure, it needs to listen on the port provided by the `PORT` environment variable. In your generated Express app, this environment variable is already used in the startup script *bin/www* (search for `process.env.PORT`).

-1. In the terminal, ensure you're in the *myExpressApp* directory, then start Visual Studio Code with the following command:

-1. In Visual Studio Code, in the [Activity Bar](https://code.visualstudio.com/docs/getstarted/userinterface), select the **Azure** logo.

-1. In the **App Service** explorer, select **Sign in to Azure...** and follow the instructions.

- In Visual Studio Code, you should see your Azure email address in the Status Bar and your subscription in the **AZURE APP SERVICE** explorer.

- 

-2. Right-click on App Services and select **Create new Web App**. A Linux container is used by default.

-1. Type a globally unique name for your web app and press **Enter**. The name must be unique across all of Azure and use only alphanumeric characters ('A-Z', 'a-z', and '0-9') and hyphens ('-'). See [note at top](#dnl-note).

-1. In Select a runtime stack, select the Node.js version you want. An **LTS** version is recommended.

-1. In Select a pricing tier, select **Free (F1)** and wait for the resources to be created in Azure.

-1. In the popup **Always deploy the workspace "myExpressApp" to \<app-name>"**, select **Yes**. This way, as long as you're in the same workspace, Visual Studio Code deploys to the same App Service app each time.

-2. Right-click on App Services and select **Create new Web App... Advanced**.

-1. Type a globally unique name for your web app and press **Enter**. The name must be unique across all of Azure and use only alphanumeric characters ('A-Z', 'a-z', and '0-9') and hyphens ('-'). See [note at top](#dnl-note).

-1. Select **Create a new resource group**, then enter a name for the resource group, such as *AppServiceQS-rg*.

-1. Select the Node.js version you want. An **LTS** version is recommended.

-1. Select the location you want to serve your app from. For example, *West Europe*.

-1. Select **Create new App Service plan**, then enter a name for the plan (such as *AppServiceQS-plan*), then select **F1 Free** for the pricing tier.

-1. For **Select an Application Insights resource for your app**, select **Skip for now** and wait the resources to be created in Azure.

-1. In the popup **Always deploy the workspace "myExpressApp" to \<app-name>"**, select **Yes**. This way, as long as you're in the same workspace, Visual Studio Code deploys to the same App Service app each time.

- > When deployment completes, your Azure app doesn't run yet because your project root doesn't have a *web.config*. Follow the remaining steps to generate it automatically. For more information, see [You do not have permission to view this directory or page](configure-language-nodejs.md#you-do-not-have-permission-to-view-this-directory-or-page).

-1. In the **App Service** explorer in Visual Studio code, expand the node for the new app, right-click **Application Settings**, and select **Add New Setting**:

- 

-1. In the **App Service** explorer, select the **Deploy to Web App** icon again, confirm by clicking **Deploy** again.

-1. Wait for deployment to complete, then select **Browse Website** in the notification popup. The browser should display the Express default page.

-The command may take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan, and the app resource, configuring logging, and doing ZIP deployment. It then gives the message, "You can launch the app at http://&lt;app-name&gt;.azurewebsites.net", which is the app's URL on Azure (see [note at top](#dnl-note)).

-1. In the **Basics** tab, under **Project details**, ensure the correct subscription is selected and then select to **Create new** resource group. Type *myResourceGroup* for the name.

- :::image type="content" source="./media/quickstart-nodejs/project-details.png" alt-text="Screenshot of the Project details section showing where you select the Azure subscription and the resource group for the web app":::

-1. Under **Instance details**, type a globally unique name for your web app and select **Code** (see [note at top](#dnl-note)). Select *Node 18 LTS* **Runtime stack**, an **Operating System**, and a **Region** you want to serve your app from.

- :::image type="content" source="./media/quickstart-nodejs/instance-details.png" alt-text="Screenshot of the Instance details section where you provide a name for the virtual machine and select its region, image and size":::

-1. Under **App Service Plan**, select **Create new** App Service Plan. Type *myAppServicePlan* for the name. To change to the Free tier, select **Change size**, select **Dev/Test** tab, select **F1**, and select the **Apply** button at the bottom of the page.

- :::image type="content" source="./media/quickstart-nodejs/app-service-plan-details.png" alt-text="Screenshot of the Administrator account section where you provide the administrator username and password":::

- :::image type="content" source="./media/quickstart-nodejs/next-steps.png" alt-text="Screenshot showing the next step of going to the resource":::

-Azure App Service supports [**two types of credentials**](deploy-configure-credentials.md) for FTP/S deployment. These credentials aren't the same as your Azure subscription credentials. In this section, you get the *application-scope credentials* to use with FileZilla.

-1. From the App Service app page, select **Deployment Center** in the left-hand menu and select **FTPS credentials** tab.

- :::image type="content" source="./media/quickstart-nodejs/ftps-deployment-credentials.png" alt-text="FTPS deployment credentials":::

-1. Open **FileZilla** and create a new site.

-1. From the **FTPS credentials** tab, under **Application scope**, copy **FTPS endpoint**, **FTPS Username**, and **Password** into FileZilla.

- :::image type="content" source="./media/quickstart-nodejs/filezilla-ftps-connection.png" alt-text="FTPS connection details":::

-1. Copy all files and directories files to the [**/site/wwwroot** directory](https://github.com/projectkudu/kudu/wiki/File-structure-on-azure) in Azure.

- :::image type="content" source="./media/quickstart-nodejs/filezilla-deploy-files.png" alt-text="FileZilla deploy files":::

-You can deploy changes to this app by making edits in Visual Studio Code, saving your files, and then redeploy to your Azure app. For example:

-2. In the **App Service** explorer, select the **Deploy to Web App** icon again, confirm by clicking **Deploy** again.

-1. Wait for deployment to complete, then select **Browse Website** in the notification popup. You should see that the `Welcome to Express` message has been changed to `Welcome to Azure!`.

-1. Once deployment is complete, refresh the webpage `http://<app-name>.azurewebsites.net` (see [note at top](#dnl-note)). You should see that the `Welcome to Express` message has been changed to `Welcome to Azure!`.

-1. Once deployment is complete, refresh the webpage `http://<app-name>.azurewebsites.net` (see [note at top](#dnl-note)). You should see that the `Welcome to Express` message has been changed to `Welcome to Azure!`.

-## Stream Logs

-You can also include the `--logs` parameter with then [az webapp up](/cli/azure/webapp#az-webapp-up) command to automatically open the log stream on deployment.

-To stop log streaming at any time, press **Ctrl**+**C** in the terminal.

-1. In the same **App Service** page for your app, use the left menu to scroll to the *Monitoring* section and select **Log stream**.

-In the preceding steps, you created Azure resources in a resource group. The create steps in this quickstart put all the resources in this resource group. To clean up, you just need to remove the resource group.

-In the preceding steps, you created Azure resources in a resource group. The resource group has a name like "appsvc_rg_Linux_CentralUS" depending on your location.

-When no longer needed, you can delete the resource group, App service, and all related resources.

- :::image type="content" source="./media/quickstart-nodejs/delete-resource-group.png" alt-text="Delete resource group":::

-> [Tutorial: Node.js app with MongoDB](tutorial-nodejs-mongodb-app.md)

-> [Configure Node.js app](configure-language-nodejs.md)

-> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)

-| Functionality - basic | HTTP/HTTP2/HTTPS<br>Websocket<br>Public/Private IP<br>Cookie Affinity<br>Path-based affinity<br>Wildcard<br>Multisite<br>KeyVault<br>Zone<br>Header rewrite | &#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713; | &#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;<br>&#x2713;|

-|[Create](/rest/api/hybridcompute/machine-run-commands/create-or-update?tabs=HTTP) |The operation to create a run command. This runs the run command. |

-|[Delete](/rest/api/hybridcompute/machine-run-commands/delete?tabs=HTTP) |The operation to delete a run command. If it's running, delete will also stop the run command. |

-|[Get](/rest/api/hybridcompute/machine-run-commands/get?tabs=HTTP) |The operation to get a run command. |

-|[List](/rest/api/hybridcompute/machine-run-commands/list?tabs=HTTP) |The operation to get all the run commands of an Azure Arc-enabled server. |

-|[Update](/rest/api/hybridcompute/machine-run-commands/update?tabs=HTTP) |The operation to update the run command. This stops the previous run command. |

-

-

-[Azure Maps Route Service]: https://github.com/Azure/azure-rest-api-specs/blob/koyasu221b-maps-Route-2023-10-01-preview/specification/maps/data-plane/Route/preview/2023-10-01-preview/route.json

-* SMB volumes are supported along with NFS volumes. Replication of SMB volumes requires an Active Directory connection in the source and destination NetApp accounts. The destination AD connection must have access to the DNS servers or AD DS Domain Controllers that are reachable from the delegated subnet in the destination region. For more information, see [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections).

-To deploy Zerto on Azure VMware Solution, follow these [instructions](

-/azure/azure-vmware/deploy-zerto-disaster-recovery#install-zerto-on-azure-vmware-solution

-### Microsoft Entra authentication

-The Azure platform provides role-based access (Azure RBAC) to control access to the resources. Azure RBAC security principal represents a user, group, service principal, or managed identity that is requesting access to Azure resources. Microsoft Entra authentication provides superior security and ease of use over other authorization options. For example, by using managed identity, you avoid having to store your account access key within your code, as you do with Access Key authorization. While you can continue to use Access Key authorization with communication services applications, Microsoft recommends moving to Microsoft Entra ID where possible.

-Communication services supports Microsoft Entra authentication for Communication services resources. You can find more details, about the managed identity support in the [Microsoft Entra documentation](/entra/identity/managed-identities-azure-resources/managed-identities-status).

-With EventProcessor, we can easily wait CallConnected event until the call is established. If the call was never established (that is, callee never picked up the phone), it throws Timeout Exception.

-| | Web | Web UI | iOS | iOS UI | Android | Android UI | Windows |

-|-|--|--|--|--|-|--||

-|Is Supported | ✔️ | | | | | | |

-description: Use Azure Communication Services SDKs to get capabilities of the local user in a call.

-Do I have permission to turn on video, do I have permission to turn on mic, do I have permission to share screen? Those are some examples of participant capabilities that you can learn from the capabilities API. Learning the capabilities can help build a user interface that only shows the buttons related to the actions the local user has permissions to.

-## Supported Calltype

- auth: [

- {

- secretRef: 'sb-root-connectionstring'

- triggerParameter: 'connection'

- }

- ]

-For example, if 150 messages are waiting, KEDA scales the app out to five instances. The `maxReplicas` property is set to `10`, meaning even with a large number of messages in the topic, the scaler never creates more than `10` instances of this application. This setting ensures you don't scale up too much and accrue too much cost.

-Work is underway to retire Enterprise Agreement (EA) reporting APIs. We recommend that EA customers migrate to the Cost Management [Cost Details](/rest/api/cost-management/generate-cost-details-report) API. The older EA reporting APIs are only available to customers with an Enterprise Agreement.

-Visual authoring with GitHub integration supports source control and collaboration for work on your data factory pipelines. You can associate a data factory with a GitHub account repository for source control, collaboration, versioning. A single GitHub account can have multiple repositories, but a GitHub repository can be associated with only one data factory. If you don't have a GitHub account or repository, follow [these instructions](https://github.com/join) to create your resources.

-[aggregation functions](/azure/data-explorer/kusto/query/any-aggfunction). Specific

- $dcrAssociationName = "dcrAssociationName {yourDcrAssociation} "

-Azure API for FHIR will be retired on September 30, 2026.

-SMART on FHIR proxy is retiring. Organizations need to transition to the SMART on FHIR (Enhanced), which uses Azure Health Data and AI OSS samples by **September 21, 2026**. After September 21, 2026, applications relying on SMART on FHIR proxy will report errors when accessing the FHIR service.

-SMART on FHIR (Enhanced) provides more capabilities than SMART on FHIR proxy and meets requirements in the SMART on FHIR Implementation Guide (v 1.0.0) and §170.315(g)(10) Standardized API for patient and population services criterion.

-Azure Health Data Services FHIR service is the next-generation platform for health data integration. It offers managed, enterprise-grade FHIR, DICOM, and MedTech services for diverse health data exchange.

-To migrate your data, follow these steps:

-|**Data storage Volume**|More than 4 TB|Current support is 4 TB (Open an [Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md) if you need more than 4 TB)|

-|**Data ingress**|Tools available in OSS|$import operation|

-|**Search parameters**|Bundle type supported: Batch <br> ΓÇó Include and revinclude, iterate modifier not supported <br> ΓÇó Sorting supported by first name, last name, birthdate and clinical date|Bundle type supported: Batch and transaction <br> ΓÇó Selectable search parameters <br> ΓÇó Include, revinclude, and iterate modifier is supported <br>ΓÇó Sorting supported by string and dateTime fields|

-First, create a migration plan. We recommend the migration patterns described in the table. Depending on your organizationΓÇÖs tolerance for downtime, you may decide to use certain patterns and tools to help facilitate your migration.

-|**Lift and shift**|The simplest pattern. Ideal if your data pipeline can afford longer downtime.|Choose the option that works best for your organization: <br> ΓÇó Configure a workflow to [\$export](../azure-api-for-fhir/export-data.md) your data on Azure API for FHIR, and then [\$import](configure-import-data.md) into Azure Health Data Services FHIR service. <br> ΓÇó The [GitHub repo](https://github.com/Azure/apiforfhir-migration-tool/blob/main/lift-and-shift-resources/Liftandshiftresources_README.md) provides tips on running these commands, and a script to help automate creating the \$import payload. <br> ΓÇó Or create your own tool to migrate the data using \$export and \$import.|

-|**Incremental copy**|Continuous version of lift and shift, with less downtime. Ideal for large amounts of data that take longer to copy, or if you want to continue running Azure API for FHIR during the migration.|Choose the option that works best for your organization. <br> ΓÇó We created an [OSS migration tool](https://github.com/Azure/apiforfhir-migration-tool/tree/main/FHIR-data-migration-tool-docs) to help with this migration pattern. <br> ΓÇó Or create your own tool to migrate the data incrementally.|

-After youΓÇÖre confident that your Azure Health Data Services FHIR Service server is stable, you can begin using Azure Health Data Services FHIR service to satisfy your business scenarios. Turn off any remaining pipelines that are running on Azure API for FHIR, delete data from the intermediate storage account that was used in the migration tool if necessary, delete data from your Azure API for FHIR server, and decommission your Azure API for FHIR account.

-The Fast Healthcare Interoperability Resources (FHIR&#174;) specification defines an API for querying resources in a FHIR server database. This article guides you through some key aspects of querying data in FHIR. For complete details about the FHIR search API, refer to the HL7 [FHIR Search](https://www.hl7.org/fhir/search.html) documentation.

-Throughout this article, we'll demonstrate FHIR search syntax in example API calls with the `{{FHIR_URL}}` placeholder to represent the FHIR server URL. In the case of the FHIR service in Azure Health Data Services, this URL would be `https://<WORKSPACE-NAME>-<FHIR-SERVICE-NAME>.fhir.azurehealthcareapis.com`.

-FHIR searches can be against a specific resource type, a specified [compartment](https://www.hl7.org/fhir/compartmentdefinition.html), or all resources in the FHIR server database. The simplest way to execute a search in FHIR is to use a `GET` request. For example, if you want to pull all `Patient` resources in the database, you could use the following request:

-With either `POST` or `GET`, if the search request is successful, you'll receive a FHIR `searchset` bundle containing the resource instance(s) returned from the search. If the search fails, youΓÇÖll find the error details in an `OperationOutcome` response.

-In the following sections, we'll cover the various aspects of querying resources in FHIR. Once youΓÇÖve reviewed these topics, refer to the [FHIR search samples page](search-samples.md), which features examples of different FHIR search methods.

-When you do a search in FHIR, you're searching the database for resources that match certain search criteria. The FHIR API specifies a rich set of search parameters for fine-tuning search criteria. Each resource in FHIR carries information as a set of elements, and search parameters work to query the information in these elements. In a FHIR search API call, if a positive match is found between the request's search parameters and the corresponding element values stored in a resource instance, then the FHIR server returns a bundle containing the resource instance(s) whose elements satisfied the search criteria.

-For each search parameter, the FHIR specification defines the [data type(s)](https://www.hl7.org/fhir/search.html#ptypes) that can be used. Support in the FHIR service for the various data types is outlined below.

-| number | Yes | Yes |

-| date | Yes | Yes |

-| string | Yes | Yes |

-| token | Yes | Yes |

-| reference | Yes | Yes |

-| composite | Partial | Partial | The list of supported composite types is given later in this article. |

-| quantity | Yes | Yes |

-| uri | Yes | Yes |

-| special | No | No |

-There are [common search parameters](https://www.hl7.org/fhir/search.html#all) that apply to all resources in FHIR. These are listed below, along with their support in the FHIR service:

-| `_id ` | Yes | Yes

-| `_lastUpdated` | Yes | Yes |

-| `_tag` | Yes | Yes |

-| `_type` | Yes | Yes |

-| `_security` | Yes | Yes |

-| `_profile` | Yes | Yes |

-| `_has` | Yes | Yes |

-| `_query` | No | No |

-| `_filter` | No | No |

-| `_list` | No | No |

-| `_text` | No | No |

-| `_content` | No | No |

-> The FHIR service in Azure Health Data Services does not automatically index search parameters that aren't defined in the base FHIR specification. However, the FHIR service does support [custom search parameters](how-to-do-custom-search.md).

-Composite searches in FHIR allow you to search against element pairs as logically connected units. For example, if you were searching for observations where the height of the patient was over 60 inches, you would want to make sure that a single property of the observation contained the height code *and* a value greater than 60 inches (the value should only pertain to height). You wouldn't want to return a positive match on an observation with the height code *and* an arm to arm length over 60 inches, for example. Composite search parameters prevent this problem by searching against pre-specified pairs of elements whose values must both meet the search criteria for a positive match to occur.

-The FHIR service in Azure Health Data Services supports the following search parameter type pairings for composite searches:

-[Modifiers](https://www.hl7.org/fhir/search.html#modifiers) allow you to qualify search parameters with additional conditions. Below is a list of FHIR modifiers and their support in the FHIR service:

-| `:missing` | Yes | Yes |

-| `:exact` | Yes | Yes |

-| `:contains` | Yes | Yes |

-| `:text` | Yes | Yes |

-| `:type` (reference) | Yes | Yes |

-| `:not` | Yes | Yes |

-| `:below` (uri) | Yes | Yes |

-| `:above` (uri) | Yes | Yes |

-| `:in` (token) | No | No |

-| `:below` (token) | No | No |

-| `:above` (token) | No | No |

-| `:not-in` (token) | No | No |

-| `:identifier` |No | No |

-FHIR specifies a set of search result parameters to help manage the information returned from a search. For detailed information on how to use search result parameters in FHIR, refer to the [HL7](https://www.hl7.org/fhir/search.html#return) website. Below is a list of FHIR search result parameters and their support in the FHIR service.

-| `_elements` | Yes | Yes |

-| `_revinclude` | Yes | Yes |Items retrieved with `_revinclude` are limited to 100. `_revinclude` on PaaS and OSS on Azure Cosmos DB doesn't support `:iterate` [(#2137)](https://github.com/microsoft/fhir-server/issues/2137). There's also an incorrect status code for a bad request [#1319](https://github.com/microsoft/fhir-server/issues/1319). |

-| `_summary` | Yes | Yes |

-| `_contained` | No | No |

-| `_containedType` | No | No |

-| `_score` | No | No |

-1. FHIR service supports wild card searches with revinclude. Adding "*.*" query parameter in revinclude query, it directs FHIR service to reference all the resources mapped to the source resource.

-The `.` in the above request steers the path of the chained search to the target parameter (`name` in this case).

-As mentioned above, the results from a FHIR search is available in paginated form at a link provided in the `searchset` bundle. By default, the FHIR service displays 10 search results per page, but this can be increased (or decreased) by setting the `_count` parameter. If there are more matches than fit on one page, the bundle includes a `next` link. Repeatedly fetching from the `next` link yields the subsequent pages of results. Note that the `_count` parameter value can't exceed 1000.

-FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

-The FHIR&reg; service in Azure Health Data Services enables rapid exchange of health data using the Fast Healthcare Interoperability Resources (FHIR®) data standard. As part of a managed Platform-as-a-Service (PaaS), the FHIR service makes it easy for anyone working with health data to securely store and exchange Protected Health Information ([PHI](https://www.hhs.gov/answers/hipaa/what-is-phi/https://docsupdatetracker.net/index.html)) in the cloud.

-The FHIR service in Azure Health Data Services makes FHIR data available to clients through a RESTful API. This API is an implementation of the HL7 FHIR API specification. As a managed PaaS offering in Azure, the FHIR service gives organizations a scalable and secure environment for the storage and exchange of Protected Health Information (PHI) in the native FHIR format.

-Although you can build and maintain your own FHIR server, with the FHIR service in Azure Health Data Services Microsoft handles setting up server components, ensuring all compliance requirements are met so you can focus on building innovative solutions.

-FHIR servers are essential for interoperability of health data. The FHIR service is designed as a managed FHIR server with a RESTful API for connecting to a broad range of client systems and applications. Some of the key use cases for the FHIR service are:

-The [Patient-everything](https://www.hl7.org/fhir/patient-operation-everything.html) operation is used to provide a view of all resources related to a patient. This operation can be useful to give patients' access to their entire record or for a provider or other user to perform a bulk data download related to a patient. According to the Fast Healthcare Interoperability Resources (FHIR&#174;) specification, Patient-everything returns all the information related to one or more patients described in the resource or context on which this operation is invoked. In the FHIR service in Azure Health Data Services(hereby called FHIR service), Patient-everything is available to pull data related to a specific patient.

-FHIR service validates that it can find the patient matching the provided patient ID. If a result is found, the response will be a bundle of type `searchset` with the following information:

-* If there are `seealso` link reference(s) to other patient(s), the results will include Patient-everything operation against the `seealso` patient(s) listed.

-> If the patient has more than 100 devices linked to them, only 100 will be returned.

-FHIR service supports the following query parameters. All of these parameters are optional:

-| end | Specifying the end date will pull in resources where their clinical date is before the specified end date. If no end date is provided, all records after the start date are in scope. |

-The FHIR specification has a detailed overview of the different types of [patient links](https://www.hl7.org/fhir/valueset-link-type.html#expansion), but we've include a high-level summary:

-As described, [seealso](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-seealso) links reference another patient that's considered equally valid to the original. After the Patient-everything operation is run, if the patient has `seealso` links to other patients, the operation runs Patient-everything on each `seealso` link. This means if a patient links to five other patients with a type `seealso` link, we'll run Patient-everything on each of those five patients.

-The final link type is [replaced-by](https://www.hl7.org/fhir/codesystem-link-type.html#link-type-replaced-by). In this case, the original patient resource is no longer being used and the `replaced-by` link points to the patient that should be used. This implementation of `Patient-everything` will include by default an operation outcome at the start of the bundle with a warning that the patient is no longer valid. This will also be the behavior when the `Prefer` header is set to `handling=lenient`.

-In addition, you can set the `Prefer` header to `handling=strict` to throw an error instead. In this case, a return of error code 301 `MovedPermanently` indicates that the current patient is out of date and returns the ID for the correct patient that's included in the link. The `ContentLocation` header of the returned error will point to the correct and up-to-date request.

-1. Phase 1 returns the `Patient` resource itself in addition to any `generalPractitioner` and `managingOrganization` resources ir references.

-1. Phase 4 will return any devices that reference the patient.

-Each phase will return results in a bundle. If the results span multiple pages, the next link in the bundle will point to the next page of results for that phase. After all results from a phase are returned, the next link in the bundle will point to the call to initiate the next phase.

-Here are some examples of using the Patient-everything operation. In addition to these examples, we have a [sample REST file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PatientEverythingLinks.http) that illustrates how the `seealso` and `replaced-by` behavior works.

-To use Patient-everything to query a patient's "everything" between 2010 and 2020, use the following call:

-To use Patient-everything to query a patient's Observation and Encounter, use the following call:

-To use Patient-everything to query a patient's "everything" since 2021-05-27T05:00:00Z, use the following call:

-If a patient is found for each of these calls, you'll get back a 200 response with a `Bundle` of the corresponding resources.

-FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

-Since `$purge-history` is a resource level operation versus a type level or system level operation, you'll need to run the operation for every resource that you want remove the history from.

- | Image | Select **Ubuntu Server 18.04 LTS** |

- | Authentication type | Select **Password** |

- | Username | Enter your admin username |

- | Password | Enter your admin password |

- | Confirm password | Reenter your admin password |

- :::image type="content" source="media/vm-scale-sets/create-virtual-machine-scale-set-thumb.png" alt-text="Screenshot of Create a Virtual Machine Scale Set page." lightbox="media/vm-scale-sets/create-virtual-machine-scale-set.png":::

-4. Select the **Networking** tab.

-5. Enter or select this information in the **Networking** tab:

- | **Load balancing** | |

- | Use a load balancer | Select **Yes** |

- | **Load balancing settings** | |

- | Select a backend pool | Select **myBackendPool** or your existing backend pool. |

- :::image type="content" source="media/vm-scale-sets/create-virtual-machine-scale-set-network-thumb.png" alt-text="Screenshot shows the Create Virtual Machine Scale Set Networking tab." lightbox="media/vm-scale-sets/create-virtual-machine-scale-set-network.png":::

-6. Select the **Management** tab.

-7. In the **Management** tab, set **Boot diagnostics** to **Off**.

-8. Select the blue **Review + create** button.

-9. Review the settings and select the **Create** button.

- --image Canonical:UbuntuServer:18.04-LTS:latest \

-$loc = "East US 2"

-$vnt = "myVnet"

-$sub = "mySubnet"

-New-AzVmss -ResourceGroupName $rsg -Location $loc -VMScaleSetName $vms -VirtualNetworkName $vnt -SubnetName $sub -LoadBalancerName $lb -UpgradePolicyMode $pol -BackendPoolName $bep

-description: This article shows how to deploy IPv6 addresses to an existing application in Azure virtual network using Azure CLI.

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Deleted ICookie from the high priority thread pool list

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|IKE diagnostic event:

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Event Header:

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Timestamp: 1601-01-01T00:00:00.000Z

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Flags: 0x00000106

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Local address field set

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Remote address field set

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| IP version field set

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| IP version: IPv4

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| IP protocol: 0

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Local address: 13.78.238.92

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Remote address: 52.161.24.36

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Local Port: 0

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Remote Port: 0

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Application ID:

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| User SID: <invalid>

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Failure type: IKE/Authip Main Mode Failure

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|Type specific info:

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Failure error code:0x000035e9

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| IKE authentication credentials are unacceptable

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36|

-[0]0368.03A4::02/02/2017-17:36:01.496 [ikeext] 3038|52.161.24.36| Failure point: Remote

-| Southeast Asia | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | |

-|Sweden Central|||:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg":::|:::image type="icon" source="media/yes-icon.svg"::: |:::image type="icon" source="media/yes-icon.svg":::|

-This section refers to all of the Azure Monitor Logs Kusto tables relevant to Azure Monitor for SAP solutions and available for query by Log Analytics. Azure Monitor for SAP solutions uses custom logs. The schemas for some tables are defined by third-party providers, such as SAP. Here are the current custom logs for Azure Monitor for SAP solutions with links to sources for more information.

-The Insights capability in Azure Monitor for SAP Solutions helps you troubleshoot Availability and Performance issues on your SAP workloads. It helps you correlate key SAP components issues with SAP logs, Azure platform metrics and health events.

-7. If the VMs belong to a different subscription than AMS, set the list of subscriptions in which VMs of the SAP system are present (use subscription IDs):

-1. If you completed all [the steps mentioned](#steps-to-enable-insights-in-azure-monitor-for-sap-solutions), you should see the above screen asking for context to be set up. You can set the Time range, SID and the provider (optional, All selected by default).

- * SAP Application: Process availability and contextual insights on the process like error messages (SM21), Lock entries (SM12) and Canceled jobs (SM37) which can help you find issues that might exist in parallel in the system, at the point in time.

-* Availability insights let you detect and troubleshoot unavailability of Netweaver system, instance and HANA DB.

-Certificates must be signed by a trusted root authority. Self-signed certificates are not supported.

-1. Click on the "Alerts" tab to explore the enhanced alert management capabilities.

-1. Data is then collected in the system by ha_cluster_exporter. You can export the data via URL `http://<ip address of the server>:9664/metrics`.

-To check if the metrics are fetched via URL on the server where the ha_cluster_exporter is installed, Run below command on the server.

-1. Install and enable the HA cluster PMDA. Replace `$PCP_PMDAS_DIR` with the path where `hacluster` is installed. Use the `find` command in Linux to find the path of "hacluster" bits. usually hacluster will be in path "/var/lib/pcp/pmdas".

-Example : cd /var/lib/pcp/pmdas/hacluster

-1. Data is then collected in the system by PCP. You can export the data by using `pmproxy` via URL `http://<ipaddress of the serrver>:44322/metrics?names=ha_cluster`.

-To check if the metrics are fetched via URL on the server where the hacluster is installed, Run below command on the server.

-1. On the resource's menu, under **Settings**, select **Providers**.

-1. Enter the SID - SAP system ID, Hostname - SAP hostname of the Virtual machine (Command `hostname -s` for SUSE and RHEL based servers will give hostname detail.), Cluster - Provide any custom name that is easy to identify the SAP system cluster - this Name will be visible in the workbook for metrics (need not have to be the cluster name configured on the server).

-1. Click on "Start test" under "Prerequisite check (Preview) - highly recommended" - This test will help validate the connectivity from AMS subnet to the SAP source system and list out if any error's found - which need to be addressed before provider creation otherwise the provider creation will fail with error.

-1. Create provider for each of the servers in the cluster to be able to see the metrics in the workbook

-For example - If the Cluster has three servers configured, Create three providers for each of the three servers with all of the above steps followed.

-1. On the resource's menu, under **Settings**, select **Providers**.

-Right click on the relevant node exporter version for linux from https://prometheus.io/download/#node_exporter and copy the link address which will be used in the below command.

-For example - https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz

- 1. Run `nohup ./node_exporter &` command to enable node_exporter. Adding nohup and & to above command decouples the node_exporter from linux machine commandline. If not included node_exporter would stop when the commandline is closed.

-In this how-to guide, you'll learn to configure the SAP NetWeaver provider for use with *Azure Monitor for SAP solutions*.

-You can collect the below metric using SAP NetWeaver Provider

-To configure the NetWeaver provider for the current Azure Monitor for SAP solutions version, you'll need to:

-RFC metrics are only supported for **AS ABAP applications** and do not apply to SAP JAVA systems. This step is **mandatory** when the connection type selected is **SOAP+RFC**.

-Below steps need to be performed as a pre-requisite to enable RFC

- 1. Activate the services **wsdl**, **wsdl11** and **RFC**.

-It's also recommended to check that you enabled the ICF ports.

-4. **SMON** - Enable **SMON** to monitor the system performance.Make sure the version of **ST-PI** is **SAPK-74005INSTPI**.

- You'll see empty visualization as part of the workbook when it isn't configured.

- 4. If you notice empty visualization as part of the workbook tab "System Performance - CPU and Memory (/SDF/SMON)", please apply the below SAP note:

- 1. Release 740 SAPKB74006-SAPKB74025 - Release 755 Until SAPK-75502INSAPBASIS. For specific support package versions please refer to the SAP NOTE.- [SAP Note 2246160](https://launchpad.support.sap.com/#/notes/2246160).

- 2. If the metric collection does not work with the above note then please try - [SAP Note 3268727](https://launchpad.support.sap.com/#/notes/3268727)

- To [enable TLS 1.2 or higher](enable-tls-azure-monitor-sap-solutions.md) with SAP NetWeaver provider please execute steps mentioned on this [SAP document](https://help.sap.com/docs/ABAP_PLATFORM_NEW/e73bba71770e4c0ca5fb2a3c17e8e229/4923501ebf5a1902e10000000a42189c.html?version=201909.002)

- 2. Open DEFAULT profile, select Extended Maintenance and click change.

- 3. Below configuration is for TLS1.2 the bit mask will be 544: PFS. If TLS version is higher, then bit mask will be greater than 544.

- 6. For **Connection type** - select either [SOAP](#prerequisite-unprotect-methods-for-metrics) + [RFC](#prerequisite-to-enable-rfc-metrics) or [SOAP](#prerequisite-unprotect-methods-for-metrics) based on the metric collected (refer above section for details)

- To determine all SAP hostnames associated with the SID, Sign in to the SAP system using the `sidadm` user. Then, run the following command (or) you can leverage the script below to generate the hostfile entries.

- **Scripts to generate hostfile entries**

- We highly recommend following the detailed instructions in the [link](https://github.com/Azure/Azure-Monitor-for-SAP-solutions-preview/tree/main/Provider_Pre_Requisites/SAP_NetWeaver_Pre_Requisites/GenerateHostfileMappings) for generating hostfile entries. These entries are crucial for the successful creation of the Netweaver provider for your SAP system.

- 2. Follow the instruction for determining the [hostfile entries](#adding-netweaver-provider) Host file entries section.

- 3. Ensure the NSG/firewall is not blocking the port ΓÇô 5XX13 or 5XX14. (XX - SAP Instance Number)

- If you notice empty visualization as part of the workbook tab "Application Performance -Batch Jobs (SM37)", please apply the below SAP note

- After you apply this OSS note you need to execute the RFC function module - BAPI_XMI_LOGON_WS with the following parameters:

- To ensure a successful retrieval of the SWNC metrics, it is essential to confirm that both the SAP system and the operating system (OS) have synchronized times.

- - SAP client ID, HTTP port, SAP username and password for login.

-You can configure one or more providers of the provider type *high-availability cluster* to enable data collection from the Pacemaker cluster within the SAP landscape. The high-availability cluster provider connects to Pacemaker by using the [ha_cluster_exporter](https://github.com/ClusterLabs/ha_cluster_exporter) for **SUSE**-based clusters and by using [Performance co-pilot](https://access.redhat.com/articles/6139852) for **RHEL**-based clusters. Azure Monitor for SAP solutions then pulls data from the cluster and pushes it to the Log Analytics workspace in your subscription. The high-availability cluster provider collects data every 60 seconds from Pacemaker.

- 5. **Service region** is where your proxy resource is created. The proxy resource manages monitoring resources deployed in the workload region. The service region is automatically selected based on your **Workload region** selection.

- 8. For **Log analytics**, you can use an existing Log Analytics workspace or create a new one. If you create a new workspace, it's created inside the managed resource group along with other monitoring resources.

- 9. For **Managed resource group name**, enter a unique name. This name is used to create a resource group that will contain all the monitoring resources. You can't change this name after the resource is created.

-6. On the **Review + create** tab, review the details and select **Create**.

-In the following code, `hostname` is the host name or IP address for SAP Web Dispatcher or the application server. `SapHostFileEntry` is the IP address, fully qualified domain name, or host name of every instance that's listed in [GetSystemInstanceList](./provider-netweaver.md#adding-netweaver-provider) point 6 (xi).

-This security baseline applies guidance from the Microsoft cloud security benchmarks version 1.0. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure.

-You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions is listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.

-When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance with the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.

-This managed resource group contains services such as Azure Log Analytics, Azure Functions, Azure Storage and Azure Key Vault.

-## Security baseline for relevant servicea

- 1. On the NSG's menu, under **Settings**, select **Outbound security rules**.

-In addition to the capabilities to run SAP IaaS and SaaS workloads on Azure, Microsoft offers a variety of capabilities, scenarios, best-practice guides, and tutorials to integrate SAP workloads running anywhere with other Microsoft products and services. Among them are popular services such as Microsoft Entra ID, Exchange Online, Power Platform and Power BI, Azure Integration Services, Excel, SAP Business Technology Platform, SAP Analytics Cloud, SAP Data Warehouse Cloud, and SAP Success Factors to name a few.

-The SAP on Azure deployment automation framework is an open-source orchestration tool for deploying, installing and maintaining SAP environments.

- To configure an SBD device, you need to attach at least one [Azure shared disk](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/virtual-machines/disks-shared.md) to all virtual machines that are part of Pacemaker cluster. The advantage of SBD device using an Azure shared disk is that you don't need to deploy additional virtual machines.

-#customerIntent: As a SOC engineer, I want to understand my options when authenticating from playbooks to Microsoft Sentinel.

-#customerIntent: As a SOC engineer, I want to understand how Microsoft Sentinel playbooks can help make my SOC team more efficient.

-#customerIntent: As a SOC engineer, I want to understand how automation in Microsoft Sentinel can help my SOC team be more efficient and remediate threats quicker.

-#customer-intent: As a SOC engineer, I want to understand how to create playbooks in Microsoft Sentinel so that my team can automate threat responses in our environment.

-#customerIntent: As a SOC analyst, I want to understand how to use playbooks to manage complex analysis processes in Microsoft Sentinel.

-#customerIntent: As a SOC engineer who's using Standard-plan playbooks, I want to understand how to define an access restriction policy, ensure that only Microsoft Sentinel has access to my Standard logic app with my playbook workflows.

-#customer intent: As a SOC engineer, I want to understand more about how Azure Logic Apps works with Microsoft Sentinel playbooks to help me automate threat prevention and response.

-#customerIntent: As a SOC engineer, I want to understand how to migrate alert-trigger playbooks to automation rules, and why I might want to do so.

-#customerIntent: As a SOC engineer, I want to understand the sorts of use cases where playbooks are recommended, as well as recommended templates, and samples.

-#customerIntent: As a SOC engineer, I want to understand the types of triggers and actions available for use in Microsoft Sentinel playbooks.

-#customer-intent: As a SOC engineer, I want to understand how to automate and run playbooks in Microsoft Sentinel so that my team can remediate security threats in our environment more efficiently.

-#customerIntent: As a SOC engineer, I'd like to understand a sample scenario of how I might use a playbook and automation rule to help make my SOC team more efficient.

-#CustomerIntent: As a security engineer, I want to ingest Power Platform activity logs into Microsoft Sentinel for security monitoring, detect related threats, and respond to incidents.

-#CustomerIntent: As a security engineer, I want to learn how to troubleshoot common issues with the Power Platform inventory connector for Microsoft Sentinel.

-#Customer intent: As a security operator setting up Microsoft Sentinel, I want to understand where data is stored, so I can meet compliance guidelines.

-#customerIntent: As a security analyst, I want to learn how to get an initial view into Microsoft Sentinel data generated for my environment.

-# Compare playbooks, workbooks, and notebooks

-This article describes the differences between playbooks, workbooks, and notebooks in Microsoft Sentinel.

-|**Playbooks** | <ul><li>SOC engineers</li><li>Analysts of all tiers</li></ul> |

-|**Workbooks** | <ul><li> SOC engineers</li><li>Analysts of all tiers</li></ul> |

-|**Notebooks** | <ul><li>Threat hunters and Tier-2/Tier-3 analysts</li><li>Incident investigators</li><li>Data scientists</li><li>Security researchers</li></ul> |

-|**Playbooks** | Automation of simple, repeatable tasks:<ul><li>Ingesting external data </li><li>Data enrichment with TI, GeoIP lookups, and more </li><li> Investigation </li><li>Remediation </li></ul> |

-|**Workbooks** | <ul><li>Visualization</li></ul> |

-|**Notebooks** | <ul><li>Querying Microsoft Sentinel data and external data </li><li>Data enrichment with TI, GeoIP lookups, and WhoIs lookups, and more </li><li> Investigation </li><li> Visualization </li><li> Hunting </li><li>Machine learning and big data analytics </li></ul> |

-|**Playbooks** | <ul><li> Best for single, repeatable tasks </li><li>No coding knowledge required </li></ul> | <ul><li>Not suitable for ad-hoc and complex chains of tasks </li><li>Not ideal for documenting and sharing evidence</li></ul> |

-|**Workbooks** | <ul><li>Best for a high-level view of Microsoft Sentinel data </li><li>No coding knowledge required</li></ul> | <ul><li>Can't integrate with external data </li></ul> |

-|**Notebooks** | <ul><li>Best for complex chains of repeatable tasks </li><li>Ad-hoc, more procedural control</li><li>Easier to pivot with interactive functionality </li><li>Rich Python libraries for data manipulation and visualization </li><li>Machine learning and custom analysis </li><li>Easy to document and share analysis evidence </li></ul> | <ul><li> High learning curve and requires coding knowledge </li></ul> |

-## Related content

-For more information, see:

-#Customer.intent: As a security operator, I want to monitor the SAP audit logs and easily manage the logs, so I can reduce noise without compromising security value.

-# CustomerIntent: As an SAP admin and Microsoft Sentinel user, I want to know how to use SNC to deploy the Microsoft Sentinel for SAP data connector over a secure connection.

-# customer intent: As a security admin or SAP admin, I want to know how to use the Microsoft Sentinel solution for SAP applications in multiple workspaces so that I can plan a deployment.

-# customer intent: As an SAP admin, I want to know how to deploy the Microsoft Sentinel solution for SAP BTP so that I can plan a deployment.

-# customer intent: As an SAP admin, I want to know how to deploy the Microsoft Sentinel solution for SAP applications from the content hub so that I can plan a deployment.

-#customerIntent: As a security engineer, I want to deploy automatic attack disruption for SAP with the unified security operations platform.

-# customer intent: As a business user or decision maker, I want to get an overview of how to deploy the Microsoft Sentinel solution for SAP applications so that I know the scope of the information I need and how to access it.

-#customerIntent: As a SOC admin or SOC engineer, I want to learn about about how to optimize my security operations center with SOC optimization recommendations.

-#customerIntent: As a SOC engineer, I want to learn about about how to interact with SOC optimziation recommendations programmatically via API.

-#customerIntent: As a SOC admin or SOC engineer, I want to learn about the SOC optimization recommendations available to help me optimize my security operations.

-## May 2024

-### Incident and entity triggers in playbooks are now Generally Available (GA)

-The ability to use incident and entity triggers is playbooks is now supported as GA.

-For more information, see [Create a playbook](tutorial-respond-threats-playbook.md#create-a-playbook).

-### Optimize your security operations with SOC optimizations (preview)

-Microsoft Sentinel now provides SOC optimizations, which are high-fidelity and actionable recommendations that help you identify areas where you can reduce costs, without affecting SOC needs or coverage, or where you can add security controls and data where its found to be missing.

-Use SOC optimization recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. SOC optimizations help you optimize your Microsoft Sentinel workspace, without having your SOC teams spend time on manual analysis and research.

-If your workspace is onboarded to the unified security operations platform, SOC optimizations are also available in the Microsoft Defender portal.

-For more information, see:

-## April 2024

-### Unified security operations platform in the Microsoft Defender portal (preview)

-The unified security operations platform in the Microsoft Defender portal is now available. This release brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources:

-### Microsoft Sentinel now generally available (GA) in Azure China 21Vianet

-Microsoft Sentinel is now generally available (GA) in Azure China 21Vianet. Individual features might still be in public preview, as listed on [Microsoft Sentinel feature support for Azure commercial/other clouds](feature-availability.md).

-For more information, see also [Geographical availability and data residency in Microsoft Sentinel](geographical-availability-data-residency.md).

-### Two anomaly detections discontinued

-The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:

-For the complete list of anomaly detections, see the [anomalies reference page](anomalies-reference.md).

-### Microsoft Sentinel is now available in Italy North region

-Microsoft Sentinel is now available in Italy North Azure region with the same feature set as all other Azure Commercial regions as listed on [Microsoft Sentinel feature support for Azure commercial/other clouds](feature-availability.md).

-For more information, see also [Geographical availability and data residency in Microsoft Sentinel](geographical-availability-data-residency.md).

-## March 2024

-### SIEM migration experience now generally available (GA)

-At the beginning of the month, we announced the SIEM migration preview. Now at the end of the month, it's already GA! The new Microsoft Sentinel Migration experience helps customers and partners automate the process of migrating their security monitoring use cases hosted in non-Microsoft products into Microsoft Sentinel.

-For more information, see [Migrate to Microsoft Sentinel with the SIEM migration experience](siem-migration.md)

-Join our Security Community for a [webinar](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR_0A4IaJRDNBnp8pjCkWnwhUM1dFNFpVQlZJREdEQjkwQzRaV0RZRldEWC4u) showcasing the SIEM migration experience on May 2nd, 2024.

-### Amazon Web Services S3 connector now generally available (GA)

-Microsoft Sentinel has released the AWS S3 data connector to general availability (GA). You can use this connector to ingest logs from several AWS services to Microsoft Sentinel using an S3 bucket and AWS's simple message queuing service.

-Concurrent with this release, this connector's configuration has changed slightly for Azure Commercial Cloud customers. User authentication to AWS is now done using an OpenID Connect (OIDC) web identity provider, instead of through the Microsoft Sentinel application ID in combination with the customer workspace ID. Existing customers can continue using their current configuration for the time being, and will be notified well in advance of the need to make any changes.

-To learn more about the AWS S3 connector, see [Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data](connect-aws.md)

-### Codeless connector builder (preview)

-We now have a workbook to help navigate the complex JSON involved in deploying an ARM template for codeless connector platform (CCP) data connectors. Use the friendly interface of the **codeless connector builder** to simplify your development.

-See our blog post for more details, [Create Codeless Connectors with the Codeless Connector Builder (Preview)](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/create-codeless-connectors-with-the-codeless-connector-builder/ba-p/4082050).

-For more information on the CCP, see [Create a codeless connector for Microsoft Sentinel (Public preview)](create-codeless-connector.md).

-### Data connectors for Syslog and CEF based on Azure Monitor Agent now generally available (GA)

-Microsoft Sentinel has released two more data connectors based on the Azure Monitor Agent (AMA) to general availability. You can now use these connectors to deploy Data Collection Rules (DCRs) to Azure Monitor Agent-installed machines to collect Syslog messages, including those in Common Event Format (CEF).

-To learn more about the Syslog and CEF connectors, see [Ingest Syslog and CEF logs with the Azure Monitor Agent](connect-cef-syslog-ama.md).

-## February 2024

-### Install domain solutions with dependencies

-Some Microsoft Sentinel content hub solutions, including many [domain solutions](sentinel-solutions-catalog.md#domain-solutions) and solutions that use the unified AMA connectors for [CEF, Syslog](cef-syslog-ama-overview.md), or [custom logs](connect-custom-logs-ama.md), don't necessarily include a data connector of their own. Instead, they rely on data connectors from other solutions to provide visibility in a specific area across data connectors. The data connectors they use are prerequisites for the domain solution to work properly.

-When installing a domain solution, you can now select **Install with dependencies** to ensure that the data connectors required by the domain solution are also installed:

-For more information, see [Install with dependencies](sentinel-solutions-deploy.md#install-with-dependencies) and [Domain solutions](sentinel-solutions-catalog.md#domain-solutions).

-### Microsoft Sentinel solution for Microsoft Power Platform preview available

-The Microsoft Sentinel solution for Power Platform (preview) allows you to monitor and detect suspicious or malicious activities in your Power Platform environment. The solution collects activity logs from different Power Platform components and inventory data. It analyzes those activity logs to detect threats and suspicious activities like the following activities:

-Find this solution in the Microsoft Sentinel content hub.

-For more information, see:

-### New Google Pub/Sub-based connector for ingesting Security Command Center findings (Preview)

-You can now ingest logs from Google Security Command Center, using the new Google Cloud Platform (GCP) Pub/Sub-based connector (now in PREVIEW).

-The Google Cloud Platform (GCP) Security Command Center is a robust security and risk management platform for Google Cloud. It provides features such as asset inventory and discovery, detection of vulnerabilities and threats, and risk mitigation and remediation. These capabilities help you gain insights into and control over your organization's security posture and data attack surface, and enhance your ability to efficiently handle tasks related to findings and assets.

-The integration with Microsoft Sentinel allows you to have visibility and control over your entire multicloud environment from a "single pane of glass."

-### Incident tasks now generally available (GA)

-Incident tasks, which help you standardize your incident investigation and response practices so you can more effectively manage incident workflow, are now generally available (GA) in Microsoft Sentinel.

- - [Use tasks to manage incidents in Microsoft Sentinel](incident-tasks.md)

- - [Work with incident tasks in Microsoft Sentinel](work-with-tasks.md)

- - [Audit and track changes to incident tasks in Microsoft Sentinel](audit-track-tasks.md)

- - A repository of incident tasks.

- - A mechanism that automatically attaches tasks to newly created incidents, according to the incident title, and assigns them to the proper personnel.

-### AWS and GCP data connectors now support Azure Government clouds

-Microsoft Sentinel data connectors for Amazon Web Services (AWS) and Google Cloud Platform (GCP) now include supporting configurations to ingest data into workspaces in Azure Government clouds.

-The configurations for these connectors for Azure Government customers differ slightly from the public cloud configuration. See the relevant documentation for details:

-### Windows DNS Events via AMA connector now generally available (GA)

-Windows DNS events can now be ingested to Microsoft Sentinel using the Azure Monitor Agent with the now generally available data connector. This connector allows you to define Data Collection Rules (DCRs) and powerful, complex filters so that you ingest only the specific DNS records and fields you need.

-## January 2024

-[Reduce false positives for SAP systems with analytics rules](#reduce-false-positives-for-sap-systems-with-analytics-rules)

-### Reduce false positives for SAP systems with analytics rules

-Use analytics rules together with the [Microsoft Sentinel solution for SAP applications](sap/solution-overview.md) to lower the number of false positives triggered from your SAP systems. The Microsoft Sentinel solution for SAP applications now includes the following enhancements:

-For more information, see [Microsoft Sentinel solution for SAP applications data reference](sap/sap-solution-log-reference.md) and [Handle false positives in Microsoft Sentinel](false-positives.md).

-To increase the size of your volumes, increase the size of your Elastic SAN first. To decrease the size of your SAN, make sure your volumes aren't using the extra size, or decrease the size of your volumes first.

-1. Sign in to the Azure portal.

-1. Sign in to the Azure portal.

-You can create a new notebook or import an existing notebook to a Synapse workspace from **Object Explorer**. Select **Develop**, right-click **Notebooks**, and then select **New notebook** or **Import**. Synapse notebooks recognize standard Jupyter Notebook IPYNB files.

-To copy a cell, create a new cell, select all the text in your original cell, copy the text, and paste the text into the new cell. When your cell is in edit mode, traditional keyboard shortcuts to select all text are limited to the cell.

-* The referenced notebooks must be published. You need to publish the notebooks to reference them, unless you select the [option to enable an unpublished notebook reference](#reference-unpublished-notebook). Synapse Studio does not recognize the unpublished notebooks from the Git repo.

-On the **Configure session** pane, you can specify the timeout duration, the number of executors, and the size of executors to give to the current Spark session. Restart the Spark session for configuration changes to take effect. All cached notebook variables are cleared.

-OPENROWSET function in Synapse SQL reads the content of the file(s) from a data source. The data source is an Azure storage account and it can be explicitly referenced in the `OPENROWSET` function or can be dynamically inferred from URL of the files that you want to read.

-This is a quick and easy way to read the content of the files without pre-configuration. This option enables you to use the basic authentication option to access the storage (Microsoft Entra passthrough for Microsoft Entra logins and SAS token for SQL logins).

- > `OPENROWSET` without `DATA_SOURCE` provides quick and easy way to access the storage files but offers limited authentication options. As an example, Microsoft Entra principals can access files only using their [Microsoft Entra identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or publicly available files. If you need more powerful authentication options, use `DATA_SOURCE` option and define credential that you want to use to access storage.

-Values with blank spaces are not valid, e.g. 'CSV ' is not a valid value.

-The unstructured_data_path that establishes a path to the data may be an absolute or relative path:

-Specifies a path within your storage that points to the folder or file you want to read. If the path points to a container or folder, all files will be read from that particular container or folder. Files in subfolders won't be included.

-column_name = Name for the output column. If provided, this name overrides the column name in the source file and column name provided in JSON path if there is one. If json_path is not provided, it will be automatically added as '$.column_name'. Check json_path argument for behavior.

-Specifies the row terminator to be used. If row terminator is not specified, one of default terminators will be used. Default terminators for PARSER_VERSION = '1.0' are \r\n, \n and \r. Default terminators for PARSER_VERSION = '2.0' are \r\n and \n.

-CSV parser version 1.0 is default and feature rich. Version 2.0 is built for performance and does not support all options and encodings.

-This option will disable the file modification check during the query execution, and read the files that are updated while the query is running. This is useful option when you need to read append-only files that are appended while the query is running. In the appendable files, the existing content is not updated, and only new rows are added. Therefore, the probability of wrong results is minimized compared to the updateable files. This option might enable you to read the frequently appended files without handling the errors. See more information in [querying appendable CSV files](query-single-csv-file.md#querying-appendable-files) section.

-Have in mind that if you are reading number of files at once, the schema will be inferred from the first file service gets from the storage. This can mean that some of the columns expected are omitted, all because the file used by the service to define the schema did not contain these columns. In that case, please use OPENROWSET WITH clause.

-> There are cases when appropriate data type cannot be inferred due to lack of information and larger data type will be used instead. This brings performance overhead and is particularly important for character columns which will be inferred as varchar(8000). For optimal performance, please [check inferred data types](./best-practices-serverless-sql-pool.md#check-inferred-data-types) and [use appropriate data types](./best-practices-serverless-sql-pool.md#use-appropriate-data-types).

-| |cis-rhel-8-l1 | | | |

-|microsoftsqlserver | * | * | |**Offers**: sql2019-sles* </br> sql2019-rhel7 </br> sql2017-rhel 7 </br></br> Example </br> Publisher: </br> microsoftsqlserver </br> Offer: sql2019-sles12sp5 </br> sku:webARM </br></br> Publisher: microsoftsqlserver </br> Offer: sql2019-rhel7 </br> sku: web-ARM |

-|microsoftsqlserver | * | *||**Offers**: sql2019-sles*</br> sql2019-rhel7 </br> sql2017-rhel7 |

-|redhat |rhel-byos |rhel-lvm88 </br> rhel-lvm88-gent2 </br> rhel-lvm92 </br>rhel-lvm92-gen2 || |

-To protect your deployment from known malicious software, we recommend enabling endpoint protection on all session hosts. You can use either Windows Defender Antivirus or a third-party program. To learn more, see [Deployment guide for Windows Defender Antivirus in a VDI environment](/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).

-For profile solutions like FSLogix or other solutions that mount virtual hard disk files, we recommend excluding those file extensions.

-This article has the latest updates for multimedia redirection (MMR) for Azure Virtual Desktop.

-| Public | 1.0.2024.4003 | [MMR extension](https://aka.ms/avdmmr/msi) |

-## Updates for version 1.0.2024.4003

-Learn more about MMR at [Understanding multimedia direction for Azure Virtual Desktop](multimedia-redirection-intro.md) and [Use multimedia redirection for Azure Virtual Desktop](multimedia-redirection.md).

-description: Learn about Azure Virtual WAN logs and metrics using Azure Monitor.

-# Monitoring Virtual WAN - Data reference

-This article provides a reference of log and metric data collected to analyze the performance and availability of Virtual WAN. See [Monitoring Virtual WAN](monitor-virtual-wan.md) for instructions and additional context on monitoring data for Virtual WAN.

-## <a name="metrics"></a>Metrics

-### <a name="hub-router-metrics"></a>Virtual hub router metrics

-The following metric is available for virtual hub router within a virtual hub:

-| Metric | Description|

-| | |

-| **Virtual Hub Data Processed** | Data on how much traffic traverses the virtual hub router in a given time period. Only the following flows use the virtual hub router: VNet to VNet (same hub and interhub) and VPN/ExpressRoute branch to VNet (interhub). If a virtual hub is secured with routing intent, then these flows traverse the firewall instead of the hub router. |

-| **Routing Infrastructure Units** | The virtual hub's routing infrastructure units (RIU). The virtual hub's RIU determines how much bandwidth the virtual hub router can process for flows traversing the virtual hub router. The hub's RIU also determines how many VMs in spoke VNets the virtual hub router can support. For more details on routing infrastructure units, see [Virtual Hub Capacity](hub-settings.md#capacity).

-| **Spoke VM Utilization** | The approximate number of deployed spoke VMs as a percentage of the total number of spoke VMs that the hub's routing infrastructure units can support. For example, if the hub's RIU is set to 2 (which supports 2000 spoke VMs), and 1000 VMs are deployed across spoke VNets, then this metric's value will be approximately 50%. |

-### <a name="s2s-metrics"></a>Site-to-site VPN gateway metrics

-The following metrics are available for Virtual WAN site-to-site VPN gateways:

-| Metric | Description|

-| | |

-| Metric | Description|

-| | |

-| **VNET Address Prefix Count** | Number of VNet address prefixes that are used/advertised by the gateway.|

-| Metric | Description|

-| | |

-| **Gateway Bandwidth** | Average site-to-site aggregate bandwidth of a gateway in bytes per second.|

-| **Tunnel Ingress Packet** | Incoming packet count of a tunnel.|

-| **Tunnel Flow Count** | Number of distinct 3-tuple (protocol, local IP address, remote IP address) flows created per link connection.|

-### <a name="p2s-metrics"></a>Point-to-site VPN gateway metrics

-The following metrics are available for Virtual WAN point-to-site VPN gateways:

-| Metric | Description|

-| | |

-### <a name="er-metrics"></a>Azure ExpressRoute gateway metrics

-The following metrics are available for Azure ExpressRoute gateways:

-| Metric | Description|

-| | |

-| **Packets per second** | Total Packets received on ExpressRoute gateway per second.|

-| **Frequency of routes changed** | Frequency of Route changes in ExpressRoute gateway.|

-## <a name="diagnostic"></a>Diagnostic logs

-The following diagnostic logs are available, unless otherwise specified.

-### <a name="s2s-diagnostic"></a>Site-to-site VPN gateway diagnostics

-The following diagnostics are available for Virtual WAN site-to-site VPN gateways:

-| Metric | Description|

-| | |

-| **Gateway Diagnostic Logs** | Gateway-specific diagnostics such as health, configuration, service updates, and additional diagnostics.|

-| **Tunnel Diagnostic Logs** | These are IPsec tunnel-related logs such as connect and disconnect events for a site-to-site IPsec tunnel, negotiated SAs, disconnect reasons, and additional diagnostics. For connect and disconnect events, these logs also display the remote IP address of the corresponding on-premises VPN device.|

-| **Route Diagnostic Logs** | These are logs related to events for static routes, BGP, route updates, and additional diagnostics. |

-| **IKE Diagnostic Logs** | IKE-specific diagnostics for IPsec connections. |

-### <a name="p2s-diagnostic"></a>Point-to-site VPN gateway diagnostics

-The following diagnostics are available for Virtual WAN point-to-site VPN gateways:

-| Metric | Description|

-| | |

-| **P2S Diagnostic Logs** | These are User VPN P2S (Point-to-site) configuration and client events. They include client connect/disconnect, VPN client address allocation, and other diagnostics.|

-### ExpressRoute gateway diagnostics

-In Azure Virtual WAN, ExpressRoute gateway metrics can be exported as logs via a diagnostic setting.

-Replace the following values, after the **= =**, as needed based on the tables reported in the previous section of this article.

-* "GatewayDiagnosticLog"

-* "IKEDiagnosticLog"

-* "P2SDiagnosticLogΓÇ¥

-* "TunnelDiagnosticLog"

-* "RouteDiagnosticLog"

-In order to execute the query, you have to open the Log Analytics resource you configured to receive the diagnostic logs, and then select **Logs** under the **General** tab on the left side of the pane:

-## <a name="activity-logs"></a>Activity logs

-[**Activity log**](/azure/azure-monitor/essentials/activity-log) entries are collected by default and can be viewed in the Azure portal. You can use Azure activity logs (formerly known as *operational logs* and *audit logs*) to view all operations submitted to your Azure subscription.

-You can view activity logs independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

-For more information on the schema of Activity Log entries, see [Activity Log schema](/azure/azure-monitor/essentials/activity-log-schema).

-## <a name="schemas"></a>Schemas

-For detailed description of the top-level diagnostic logs schema, see [Supported services, schemas, and categories for Azure Diagnostic Logs](/azure/azure-monitor/essentials/resource-logs-schema).

-When reviewing any metrics through Log Analytics, the output contains the following columns:

-|**Column**|**Type**|**Description**|

-| | | |

-|TimeGrain|string|PT1M (metric values are pushed every minute)|

-|Count|real|Usually equal to 2 (each MSEE pushes a single metric value every minute)|

-|Minimum|real|The minimum of the two metric values pushed by the two MSEEs|

-|Maximum|real|The maximum of the two metric values pushed by the two MSEEs|

-|Average|real|Equal to (Minimum + Maximum)/2|

-|Total|real|Sum of the two metric values from both MSEEs (the main value to focus on for the metric queried)|

-## <a name="azure-firewall"></a>Monitoring secured hub (Azure Firewall)

-If you chose to secure your virtual hub using Azure Firewall, relevant logs and metrics are available here: [Azure Firewall logs and metrics](../firewall/logs-and-metrics.md).

-You can monitor the Secured Hub using Azure Firewall logs and metrics. You can also use activity logs to audit operations on Azure Firewall resources.

-For every Azure Virtual WAN you secure and convert to a Secured Hub, an explicit firewall resource object is created in the resource group where the hub is located.

-## Next steps

-* To learn how to monitor Azure Firewall logs and metrics, see [Tutorial: Monitor Azure Firewall logs](../firewall/firewall-diagnostics.md).

-* For more information about Virtual WAN monitoring, see [Monitoring Azure Virtual WAN](monitor-virtual-wan.md).

-* To learn more about metrics in Azure Monitor, see [Metrics in Azure Monitor](/azure/azure-monitor/essentials/data-platform-metrics).

-description: Start here to learn how to monitor Virtual WAN.

-# Monitoring Azure Virtual WAN

-When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability and performance.

-This article describes the monitoring data generated by Azure Virtual WAN. Virtual WAN uses [Azure Monitor](/azure/azure-monitor/overview). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource).

-## Prerequisites

-You have a virtual WAN deployed and configured. For help with deploying a virtual WAN:

-* [Creating a site-to-site connection](virtual-wan-site-to-site-portal.md)

-* [Creating a User VPN (point-to-site) connection](virtual-wan-point-to-site-portal.md)

-* [Creating an ExpressRoute connection](virtual-wan-expressroute-portal.md)

-* [Creating an NVA in a virtual hub](how-to-nva-hub.md)

-* [Installing Azure Firewall in a Virtual hub](howto-firewall.md)

-## Analyzing metrics

-Metrics in Azure Monitor are numerical values that describe some aspect of a system at a particular time. Metrics are collected every minute, and are useful for alerting because they can be sampled frequently. An alert can be fired quickly with relatively simple logic.

-For a list of the platform metrics collected for Virtual WAN, see [Monitoring Virtual WAN data reference metrics](monitor-virtual-wan-reference.md#metrics).

-### <a name="metrics-steps"></a>View metrics for Virtual WAN

-The following steps help you locate and view metrics:

-1. In the portal, navigate to the virtual hub.

-1. Select **VPN (Site to site)** to locate a site-to-site gateway, **ExpressRoute** to locate an ExpressRoute gateway, or **User VPN (Point to site)** to locate a point-to-site gateway.

-1. Select **Monitor Gateway** and then **Metrics**. You can also click **Metrics** at the bottom to view a dashboard of the most important metrics for site-to-site and point-to-site VPN.

-1. On the **Metrics** page, you can view the metrics that you're interested in.

- :::image type="content" source="./media/monitor-virtual-wan-reference/hub-metrics.png" alt-text="Screenshot that shows the virtual hub page with the metrics button." lightbox="./media/monitor-virtual-wan-reference/hub-metrics.png":::

-#### PowerShell steps

-To query, use the following example PowerShell commands. The necessary fields are explained below the example.

-**Step 1:**

-```

-**Step 2:**

-```azurepowershell-interactive

-* **Resource ID** - Your virtual hub's Resource ID can be found on the Azure portal. Navigate to the virtual hub page within vWAN and select **JSON View** under Essentials.

-* **Metric Name** - Refers to the name of the metric you're querying, which in this case is called 'VirtualHubDataProcessed'. This metric shows all the data that the virtual hub router has processed in the selected time period of the hub.

-* **Time Grain** - Refers to the frequency at which you want to see the aggregation. In the current command, you'll see a selected aggregated unit per 5 mins. You can select ΓÇô 5M/15M/30M/1H/6H/12H and 1D.

-* **Start Time and End Time** - This time is based on UTC. Ensure that you're entering UTC values when inputting these parameters. If these parameters aren't used, the past one hour's worth of data is shown by default.

-* **Sum Aggregation Type** - The **sum** aggregation type shows you the total number of bytes that traversed the virtual hub router during a selected time period. For example, if you set the Time granularity to 5 minutes, each data point will correspond to the number of bytes sent in that 5 minute interval. To convert this to Gbps, you can divide this number by 37500000000. Based on the virtual hub's [capacity](hub-settings.md#capacity), the hub router can support between 3 Gbps and 50 Gbps. The **Max** and **Min** aggregation types aren't meaningful at this time.

-## Analyzing logs

-Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties. Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.

-For a list of supported logs in Virtual WAN, see [Monitoring Virtual WAN data reference logs](monitor-virtual-wan-reference.md#diagnostic). All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](/azure/azure-monitor/essentials/resource-logs-schema).

-1. On the right part of the page, click on **Monitor Gateway** and then **Logs**.

- :::image type="content" source="./media/monitor-virtual-wan-reference/select-gateway-settings.png" alt-text="Screenshot for Select Diagnostic Log settings." lightbox="./media/monitor-virtual-wan-reference/select-gateway-settings.png":::

- :::image type="content" source="./media/monitor-virtual-wan-reference/firewall-diagnostic-settings.png" alt-text="Screenshot shows Firewall diagnostic settings." lightbox="./media/monitor-virtual-wan-reference/firewall-diagnostic-settings.png" :::

-## Alerts

-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](/azure/azure-monitor/alerts/alerts-types#metric-alerts), [logs](/azure/azure-monitor/alerts/alerts-types#log-alerts), and the [activity log](/azure/azure-monitor/alerts/alerts-types#activity-log-alerts). Different types of alerts have benefits and drawbacks.

-To see a list of monitoring best practices when configuring alerts, see [Monitoring - best practices](monitoring-best-practices.md).

-## Virtual WAN Insights

-Some services in Azure have a special focused prebuilt monitoring dashboard in the Azure portal that provides a starting point for monitoring your service. These special dashboards are called "Insights".

-Virtual WAN uses Network Insights to provide users and operators with the ability to view the state and status of a virtual WAN, presented via an autodiscovered topological map. Resource state and status overlays on the map give you a snapshot view of the overall health of the virtual WAN. You can navigate resources on the map via one-click access to the resource configuration pages of the Virtual WAN portal. For more information, see [Azure Monitor Network Insights for Virtual WAN](azure-monitor-insights.md).

-## Next steps

-* See [Monitoring Virtual WAN - Data reference](monitor-virtual-wan-reference.md) for a data reference of the metrics, logs, and other important values created by Virtual WAN.

-* See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

-* See [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics) for more details on **Azure Monitor Metrics**.

-* See [All resource metrics supported in Azure Monitor](/azure/azure-monitor/essentials/metrics-supported) for a list of all supported metrics.

-* See [Create diagnostic settings in Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings) for more information and troubleshooting for creating diagnostic settings via Azure portal, CLI, PowerShell, etc.

-description: This article helps you learn Monitoring best practices for Virtual WAN.

-# Monitoring Azure Virtual WAN - Best practices

-This article provides configuration best practices for monitoring Virtual WAN and the different components that can be deployed with it. The recommendations presented in this article are mostly based on existing Azure Monitor metrics and logs generated by Azure Virtual WAN. For a list of metrics and logs collected for Virtual WAN, see the [Monitoring Virtual WAN data reference](monitor-virtual-wan-reference.md).

-Most of the recommendations in this article suggest creating Azure Monitor alerts. Azure Monitor alerts are meant to proactively notify you when there is an important event in the monitoring data to help you address the root cause quicker and ultimately reduce downtime. To learn how to create a metric alert, see [Tutorial: Create a metric alert for an Azure resource](/azure/azure-monitor/alerts/tutorial-metric-alert). To learn how to create a log query alert, see [Tutorial: Create a log query alert for an Azure resource](/azure/azure-monitor/alerts/tutorial-log-alert).

-## Virtual WAN gateways

-### Site-to-site VPN gateway

-**Design checklist ΓÇô metric alerts**

-* Create alert rule for increase in Tunnel Egress and/or Ingress packet count drop.

-* Create alert rule to monitor BGP peer status.

-* Create alert rule to monitor number of BGP routes advertised and learned.

-* Create alert rule for VPN gateway overutilization.

-* Create alert rule for tunnel overutilization.

-|Recommendation | Description|

-|||

-|Create alert rule for increase in Tunnel Egress and/or Ingress packet drop count.| An increase in tunnel egress and/or ingress packet drop count might indicate an issue with the Azure VPN gateway, or with the remote VPN device. Select the **Tunnel Egress/Ingress Packet drop count** metric when creating the alert rule(s). Define a **static Threshold value** greater than **0** and the **Total** aggregation type when configuring the alert logic.<br><br>You can choose to monitor the **Connection** as a whole, or split the alert rule by **Instance** and **Remote IP** to be alerted for issues involving individual tunnels. To learn the difference between the concept of **VPN connection**, **link**, and **tunnel** in Virtual WAN, see the [Virtual WAN FAQ](virtual-wan-faq.md).|

-|Create alert rule to monitor BGP peer status.|When using BGP in your site-to-site connections, it's important to monitor the health of the BGP peerings between the gateway instances and the remote devices, as recurrent failures can disrupt connectivity.<br><br>Select the **BGP Peer Status** metric when creating the alert rule. Using a **static** threshold, choose the **Average** aggregation type and configure the alert to be triggered whenever the value is **less than 1**.<br><br>We recommend that you split the alert by **Instance** and **BGP Peer Address** to detect issues with individual peerings. Avoid selecting the gateway instance IPs as **BGP Peer Address** because this metric monitors the BGP status for every possible combination, including with the instance itself (which is always 0).|

-|Create alert rule to monitor number of BGP routes advertised and learned.|**BGP Routes Advertised** and **BGP Routes Learned** monitor the number of routes advertised to and learned from peers by the VPN gateway, respectively. If these metrics drop to zero unexpectedly, it could be because thereΓÇÖs an issue with the gateway or with on-premises.<br><br>We recommend that you configure an alert for both these metrics to be triggered whenever their value is **zero**. Choose the **Total** aggregation type. Split by **Instance** to monitor individual gateway instances.|

-|Create alert rule for VPN gateway overutilization.|A VPN gatewayΓÇÖs aggregate throughput is determined by the number of scale units per instance. Note that all tunnels that terminate in the same gateway instance will share its aggregate throughput. It's likely that tunnel stability will be affected if an instance is working at its capacity for a long period of time.<br><br>Select **Gateway S2S Bandwidth** when creating the alert rule. Configure the alert to be triggered whenever the **Average** throughput is **greater than** a value that is close to the maximum aggregate throughput of **both instances**. Alternatively, split the alert **by instance** and use the maximum throughput **per instance** as a reference.<br><br>It's good practice to determine the throughput needs per tunnel in advance in order to choose the appropriate number of scale units. To learn more about the supported scale unit values for site-to-site VPN gateways, see the [Virtual WAN FAQ](virtual-wan-faq.md).

-|Create alert rule for tunnel overutilization.|The maximum throughput allowed per tunnel is determined by the scale units of the gateway instance where it terminates.<br><br>You might want to be alerted if a tunnel is at risk of nearing its maximum throughput, which can lead to performance and connectivity issues, and act proactively on it by investigating the root cause of the increased tunnel utilization or by increasing the gatewayΓÇÖs scale units.<br><br>Select **Tunnel Bandwidth** when creating the alert rule. Split by **Instance** and **Remote IP** to monitor all individual tunnels or choose specific tunnel(s) instead. Configure the alert to be triggered whenever the **Average** throughput is **greater than** a value that is close to the maximum throughput allowed per tunnel.<br><br>To learn more about how a tunnelΓÇÖs maximum throughput is impacted by the gatewayΓÇÖs scale units, see the [Virtual WAN FAQ](virtual-wan-faq.md).|

-**Design checklist - log query alerts**

-To configure log-based alerts, you must first create a diagnostic setting for your site-to-site/point-to-site VPN gateway. A diagnostic setting is where you define what logs and/or metrics you want to collect and how you want to store that data to be analyzed later. Unlike gateway metrics, gateway logs won't be available if there's no diagnostic setting configured. To learn how to create a diagnostic setting, see [Create diagnostic setting to view logs](monitor-virtual-wan.md#create-diagnostic).

-* Create tunnel disconnect alert rule.

-* Create BGP disconnect alert rule.

-|Recommendation | Description|

-|||

-|Create tunnel disconnect alert rule.|**Use Tunnel Diagnostic Logs** to track disconnect events in your site-to-site connections. A disconnect event can be due to a failure to negotiate SAs, unresponsiveness of the remote VPN device, among other causes. Tunnel Diagnostic Logs also provide the disconnect reason. See the **Create tunnel disconnect alert rule - log query** below this table to select disconnect events when creating the alert rule.<br><br>Configure the alert to be triggered whenever the number of rows resulting from running the query above is **greater than 0**. For this alert to be effective, select **Aggregation Granularity** to be between 1 and 5 minutes and the **Frequency of evaluation** to also be between 1 and 5 minutes. This way, after the **Aggregation Granularity** interval has passed, the number of rows is 0 again for a new interval.<br><br>For troubleshooting tips when analyzing Tunnel Diagnostic Logs, see [Troubleshoot Azure VPN gateway](../vpn-gateway/troubleshoot-vpn-with-azure-diagnostics.md#TunnelDiagnosticLog) using diagnostic logs. Additionally, use **IKE Diagnostic Logs** to complement your troubleshooting, as these logs contain detailed IKE-specific diagnostics.|

-|Create BGP disconnect alert rule. |Use **Route Diagnostic Logs** to track route updates and issues with BGP sessions. Repeated BGP disconnect events can affect connectivity and cause downtime. See the **Create BGP disconnect rule alert- log query** below this table to select disconnect events when creating the alert rule.<br><br>Configure the alert to be triggered whenever the number of rows resulting from running the query above is **greater than 0**. For this alert to be effective, select **Aggregation Granularity** to be between 1 and 5 minutes and the **Frequency of evaluation** to also be between 1 and 5 minutes. This way, after the **Aggregation Granularity** interval has passed, the number of rows is 0 again for a new interval if the BGP sessions have been restored.<br><br>For more information about the data collected by Route Diagnostic Logs, see [Troubleshooting Azure VPN Gateway using diagnostic logs](../vpn-gateway/troubleshoot-vpn-with-azure-diagnostics.md#RouteDiagnosticLog). |

-**Log queries**

-* **Create tunnel disconnect alert rule - log query**: The following log query can be used to select tunnel disconnect events when creating the alert rule:

- ```text

- AzureDiagnostics

- | where Category == "TunnelDiagnosticLog"

- | where OperationName == "TunnelDisconnected"

- ```

-* **Create BGP disconnect rule alert- log query**: The following log query can be used to select BGP disconnect events when creating the alert rule:

- ```text

- AzureDiagnostics

- | where Category == "RouteDiagnosticLog"

- | where OperationName == "BgpDisconnectedEvent"

- ```

-### Point-to-site VPN gateway

-The following section details the configuration of metric-based alerts only. However, Virtual WAN point-to-site gateways also support diagnostic logs. To learn more about the available diagnostic logs for point-to-site gateways, see [Virtual WAN point-to-site VPN gateway diagnostics](monitor-virtual-wan-reference.md#p2s-diagnostic).

-**Design checklist - metric alerts**

-* Create alert rule for gateway overutilization.

-* Create alert for P2S connection count nearing limit.

-* Create alert for User VPN route count nearing limit.

-|Recommendation | Description|

-|||

-|Create alert rule for gateway overutilization.|The bandwidth of a point-to-site gateway is determined by the number of scale units configured. To learn more about point-to-site gateway scale units, see Point-to-site (User VPN).<br><br>**Use the Gateway P2S Bandwidth** metric to monitor the gatewayΓÇÖs utilization and configure an alert rule that is triggered whenever the gatewayΓÇÖs bandwidth is **greater than** a value near its aggregate throughput ΓÇô for example, if the gateway was configured with 2 scale units, it will have an aggregate throughput of 1 Gbps. In this case, you could define a threshold value of 950 Mbps.<br><br>Use this alert to proactively investigate the root cause of the increased utilization, and ultimately increase the number of scale units, if needed. Select the **Average** aggregation type when configuring the alert rule.|

-|Create alert for P2S connection count nearing limit |The maximum number of point-to-site connections allowed is also determined by the number of scale units configured on the gateway. To learn more about point-to-site gateway scale units, see the FAQ for [Point-to-site (User VPN)](virtual-wan-faq.md#p2s-concurrent).<br><br>Use the **P2S Connection Count** metric to monitor the number of connections. Select this metric to configure an alert rule that is triggered whenever the number of connections is nearing the maximum allowed. For example, a 1-scale unit gateway supports up to 500 concurrent connections. In this case, you could configure the alert to be triggered whenever the number of connections is **greater than** 450.<br><br>Use this alert to determine whether an increase in the number of scale units is required or not. Choose the **Total** aggregation type when configuring the alert rule.|

-|Create alert rule for User VPN routes count nearing limit.|The maximum number of User VPN routes is determined by the protocol used. IKEv2 has a protocol-level limit of 255 routes, whereas OpenVPN has a limit of 1000 routes. To learn more about this, see [VPN server configuration concepts](point-to-site-concepts.md#vpn-server-configuration-concepts).<br><br>You might want to be alerted if youΓÇÖre close to hitting the maximum number of User VPN routes and act proactively to avoid any downtime. Use the **User VPN Route Count** to monitor this and configure an alert rule that is triggered whenever the number of routes surpasses a value close to the limit. For example, if the limit is 255 routes, an appropriate **Threshold** value could be 230. Choose the **Total** aggregation type when configuring the alert rule.|

-### ExpressRoute gateway

-The following section focuses on metric-based alerts. In addition to the alerts described below, which focus on the gateway component, we recommend that you use the available metrics, logs, and tools to monitor the ExpressRoute circuit. To learn more about ExpressRoute monitoring, see [ExpressRoute monitoring, metrics, and alerts](../expressroute/expressroute-monitoring-metrics-alerts.md). To learn about how you can use the ExpressRoute Traffic Collector tool, see [Configure ExpressRoute Traffic Collector for ExpressRoute Direct](../expressroute/how-to-configure-traffic-collector.md).

-**Design checklist - metric alerts**

-* Create alert rule for bits received per second.

-* Create alert rule for CPU overutilization.

-* Create alert rule for packets per second.

-* Create alert rule for number of routes advertised to peer.

-* Count alert rule for number of routes learned from peer.

-* Create alert rule for high frequency in route changes.

-|Recommendation | Description|

-|||

-|Create alert rule for Bits Received Per Second.|**Bits Received per Second** monitors the total amount of traffic received by the gateway from the MSEEs.<br><br>You might want to be alerted if the amount of traffic received by the gateway is at risk of hitting its maximum throughput, as this can lead to performance and connectivity issues. This allows you to act proactively by investigating the root cause of the increased gateway utilization or increasing the gatewayΓÇÖs maximum allowed throughput.<br><br>Choose the **Average** aggregation type and a **Threshold** value close to the maximum throughput provisioned for the gateway when configuring the alert rule.<br><br>Additionally, we recommend that you set an alert when the number of **Bits Received per Second** is near zero, as it might indicate an issue with the gateway or the MSEEs.<br><br>The maximum throughput of an ExpressRoute gateway is determined by number of scale units provisioned. To learn more about ExpressRoute gateway performance, see [About ExpressRoute connections in Azure Virtual WAN](virtual-wan-expressroute-about.md).|

-|Create alert rule for CPU overutilization.|When using ExpressRoute gateways, it's important to monitor the CPU utilization. Prolonged high utilization can affect performance and connectivity.<br><br>Use the **CPU utilization** metric to monitor this and create an alert for whenever the CPU utilization is **greater than** 80%, so you can investigate the root cause and ultimately increase the number of scale units, if needed. Choose the **Average** aggregation type when configuring the alert rule.<br><br>To learn more about ExpressRoute gateway performance, see [About ExpressRoute connections in Azure Virtual WAN](virtual-wan-expressroute-about.md).|

-|Create alert rule for packets received per second.|**Packets per second** monitors the number of inbound packets traversing the Virtual WAN ExpressRoute gateway.<br><br>You might want to be alerted if the number of **packets per second** is nearing the limit allowed for the number of scale units configured on the gateway.<br><br>Choose the Average aggregation type when configuring the alert rule. Choose a **Threshold** value close to the maximum number of **packets per second** allowed based on the number of scale units of the gateway. To learn more about ExpressRoute performance, see [About ExpressRoute connections in Azure Virtual WAN](virtual-wan-expressroute-about.md).<br><br>Additionally, we recommend that you set an alert when the number of **Packets per second** is near zero, as it might indicate an issue with the gateway or MSEEs.|

-|Create alert rule for number of routes advertised to peer. |**Count of Routes Advertised to Peers** monitors the number of routes advertised from the ExpressRoute gateway to the virtual hub router and to the Microsoft Enterprise Edge Devices.<br><br>We recommend that you **add a filter** to **only** select the two BGP peers displayed as **ExpressRoute Device** and create an alert to identify when the count of advertised routes approaches the documented limit of **1000**. For example, configure the alert to be triggered when the number of routes advertised is **greater than 950**.<br><br>We also recommend that you configure an alert when the number of routes advertised to the Microsoft Edge Devices is **zero** in order to proactively detect any connectivity issues.<br><br>To add these alerts, select the **Count of Routes Advertised to Peers** metric, and then select the **Add filter** option and the **ExpressRoute** devices.|

-|Create alert rule for number of routes learned from peer.|**Count of Routes Learned from Peers** monitors the number of routes the ExpressRoute gateway learns from the virtual hub router and from the Microsoft Enterprise Edge Device.<br><br>We recommend that you add a filter to **only** select the two BGP peers displayed as **ExpressRoute Device** and create an alert to identify when the count of learned routes approaches the [documented limit](../expressroute/expressroute-faqs.md#are-there-limits-on-the-number-of-routes-i-can-advertise) of 4000 for Standard SKU and 10,000 for Premium SKU circuits.<br><br>We also recommend that you configure an alert when the number of routes advertised to the Microsoft Edge Devices is **zero**. This can help in detecting when your on-premises has stopped advertising routes.

-|Create alert rule for high frequency in route changes.|**Frequency of Routes changes** shows the change frequency of routes being learned and advertised from and to peers, including other types of branches such as site-to-site and point-to-site VPN. This metric provides visibility when a new branch or more circuits are being connected/disconnected.<br><br>This metric is a useful tool when identifying issues with BGP advertisements, such as flaplings. We recommend that you to set an alert **if** the environment is **static** and BGP changes aren't expected. Select a **threshold value** that is **greater than 1** and an **Aggregation Granularity** of 15 minutes to monitor BGP behavior consistently.<br><br>If the environment is dynamic and BGP changes are frequently expected, you might choose not to set an alert otherwise in order to avoid false positives. However, you can still consider this metric for observability of your network.|

-## Virtual hub

-The following section focuses on metrics-based alerts for virtual hubs.

-**Design checklist - metric alerts**

-* Create alert rule for BGP peer status

-|Recommendation | Description|

-|||

-|Create alert rule to monitor BGP peer status.| Select the **BGP Peer Status** metric when creating the alert rule. Using a **static** threshold, choose the **Average** aggregation type and configure the alert to be triggered whenever the value is **less than 1**.<br><br> This will allow you to identify when the virtual hub router is having connectivity issues with ExpressRoute, Site-to-Site VPN, and Point-to-Site VPN gateways deployed in the hub.|

-## Azure Firewall

-This section of the article focuses on metric-based alerts. Azure Firewall offers a comprehensive list of [metrics and logs](../firewall/firewall-diagnostics.md) for monitoring purposes. In addition to configuring the alerts described in the following section, explore how [Azure Firewall Workbook](../firewall/firewall-workbook.md) can help monitor your Azure Firewall, or the benefits of connecting Azure Firewall logs to Microsoft Sentinel using [Azure Firewall connector for Microsoft Sentinel](../sentinel/data-connectors/azure-firewall.md).

-**Design checklist - metric alerts**

-* Create alert rule for risk of SNAT port exhaustion.

-* Create alert rule for firewall overutilization.

-|Recommendation | Description|

-|||

-|Create alert rule for risk of SNAT port exhaustion.|Azure Firewall provides 2,496 SNAT ports per public IP address configured per backend virtual machine scale instance. ItΓÇÖs important to estimate in advance the number of SNAT ports that will fulfill your organizational requirements for outbound traffic to the Internet. Not doing so increases the risk of exhausting the number of available SNAT ports on the Azure Firewall, potentially causing outbound connectivity failures.<br><br>Use the **SNAT port utilization** metric to monitor the percentage of outbound SNAT ports currently in use. Create an alert rule for this metric to be triggered whenever this percentage surpasses **95%** (due to an unforeseen traffic increase, for example) so you can act accordingly by configuring an additional public IP address on the Azure Firewall, or by using an [Azure NAT Gateway](../nat-gateway/nat-overview.md) instead. Use the **Maximum** aggregation type when configuring the alert rule.<br><br>To learn more about how to interpret the **SNAT port utilization** metric, see [Overview of Azure Firewall logs and metrics](../firewall/logs-and-metrics.md#metrics). To learn more about how to scale SNAT ports in Azure Firewall, see [Scale SNAT ports with Azure NAT Gateway](../firewall/integrate-with-nat-gateway.md).|

-|Create alert rule for firewall overutilization.|Azure Firewall maximum throughput differs depending on the SKU and features enabled. To learn more about Azure Firewall performance, see [Azure Firewall performance](../firewall/firewall-performance.md).<br><br>You might want to be alerted if your firewall is nearing its maximum throughput and troubleshoot the underlying cause, as this can have an impact in the firewallΓÇÖs performance.<br><br> Create an alert rule to be triggered whenever the **Throughput** metric surpasses a value nearing the firewallΓÇÖs maximum throughput ΓÇô if the maximum throughput is 30Gbps, configure 25Gbps as the **Threshold** value, for example. The **Throughput** metric unit is **bits/sec**. Choose the **Average** aggregation type when creating the alert rule.

-## Resource Health Alerts

-You can also configure [Resource Health Alerts](/azure/service-health/resource-health-alert-monitor-guide) via Service Health for the below resources. This ensures you are informed of the availability of your Virtual WAN environment, and this allows you to troubleshoot if networking issues are due to your Azure resources entering an unhealthy state, as opposed to issues from your on-premises environment. It is recommended to configure alerts when the resource status becomes degraded or unavailable. If the resource status does become degraded/unavailable, you can analyze if there are any recent spikes in the amount of traffic processed by these resources, the routes advertised to these resources, or the number of branch/VNet connections created. Please see [Azure Virtual WAN limits](../azure-resource-manager/management/azure-subscription-service-limits.md#virtual-wan-limits) for additional info on limits supported in Virtual WAN.

-* Microsoft.Network/vpnGateways

-* Microsoft.Network/expressRouteGateways

-* Microsoft.Network/azureFirewalls

-* Microsoft.Network/virtualHubs

-* Microsoft.Network/p2sVpnGateways

-## Next steps

-* See [Monitoring Virtual WAN data reference](monitor-virtual-wan-reference.md) for a data reference of the metrics, logs, and other important values created by Virtual WAN.

-* See [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

-* See [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics) for more details about **Azure Monitor Metrics**.

-* See [All resource metrics supported in Azure Monitor](/azure/azure-monitor/essentials/metrics-supported) for a list of all supported metrics.

-* See [Create diagnostic settings in Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings) for more information and troubleshooting when creating diagnostic settings via the Azure portal, CLI, PowerShell, etc.