-|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices running Android 6.0 or above.)|Windows 10, version 1903 or later<br>Azure Active Directory|

-After the installation is complete, it can take several minutes for the datafile to be upgraded. During this time, the User portal may have issues connecting to the MFA Service. **Don't restart the MFA Service, or the MFA Server during this time.** This behavior is normal. Once the upgrade is complete, the primary serverΓÇÖs main service will again be functional.

-You can check \Program Files\Multi-Factor Authentication Server\Logs\MultiFactorAuthSvc.log to make sure the upgrade is complete. You should see **Completed performing tasks to upgrade from 23 to 24**.

-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

->Azure Active Directory Premium P1 and Premium P2 are not currently supported in China. For more information about Azure AD pricing, contact the [Azure Active Directory Forum](https://azure.microsoft.com/support/community/?product=active-directory).

-> Connect Health agents are updated automatically when new version is released. Please ensure the auto-upgrade settings is enabled from Azure portal.

-| Unusual addition of credentials to an OAuth app | Offline | This detection is discovered by [Microsoft Defender for Cloud Apps](/defender-cloud-apps/investigate-anomaly-alerts#unusual-addition-of-credentials-to-an-oauth-app). This detection identifies the suspicious addition of privileged credentials to an OAuth app. This can indicate that an attacker has compromised the app, and is using it for malicious activity. |

-| Leaked Credentials (public preview) | Offline | This risk detection indicates that the account's valid credentials have been leaked. This leak can occur when someone checks in the credentials in public code artifact on GitHub, or when the credentials are leaked through a data breach. <br><br> When the Microsoft leaked credentials service acquires credentials from GitHub, the dark web, paste sites, or other sources, they're checked against current valid credentials in Azure AD to find valid matches. |

-Once you determine if the workload identity was compromised, dismiss the accountΓÇÖs risk or confirm the account as compromised in the Risky workload identities (preview) report. You can also select ΓÇ£Disable service principalΓÇ¥ if you want to block the account from further sign-ins.

-Or, if you use app-only authentication, you may follow this [guide](/powershell/microsoftgraph/app-only?view=graph-powershell-1.0&tabs=azure-portal). To register an application with the required application permissions, prepare a certificate and run:

-## Confirm users compromised using Powershell

-## Dimiss risky users using Powershell

-At this time, API Server VNet integration is only supported for private clusters. Unlike standard public clusters, the agent nodes communicate directly with the private IP address of the ILB VIP for communication to the API server without using DNS. External clients needing to communicate with the cluster should follow the same private DNS setup methodology as standard [private clusters](private-clusters.md).

-* Azure CLI with aks-preview extension 0.5.67 or later.

-## Create an AKS Private cluster with API Server VNet Integration using Managed VNet

-AKS clusters with API Server VNet Integration can be configured in either managed VNet or bring-your-own VNet mode.

-### Deploy the cluster

-Where `--enable-private-cluster` is a mandatory flag for a private cluster, and `--enable-apiserver-vnet-integration` configures API Server VNet integration for Managed VNet mode.

-### Create the AKS cluster

-## Limitations

-* Existing AKS clusters cannot be converted to API Server VNet Integration clusters at this time.

-* Only [private clusters](private-clusters.md) are supported at this time.

- --node-size Standard_ND96asr_v4 \

-description: Use the Web Application Routing add-on to securely access applications deployed on Azure Kubernetes Service (AKS).

-The Web Application Routing solution makes it easy to access applications that are deployed to your Azure Kubernetes Service (AKS) cluster. When the solution's enabled, it configures an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) in your AKS cluster, SSL termination, and Open Service Mesh (OSM) for E2E encryption of inter cluster communication. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints.

-## Web Application Routing solution overview

-The add-on deploys two components: an [nginx ingress controller][nginx], and [External-DNS][external-dns] controller.

-### Install the `osm` CLI

-Since Web Application Routing uses OSM internally to secure intranet communication, we need to set up the `osm` CLI. This command-line tool contains everything needed to configure and manage Open Service Mesh. The latest binaries are available on the [OSM GitHub releases page][osm-release].

-### Import certificate to Azure Keyvault

-# skip Password prompt

-```azurecli

-az keyvault certificate import --vault-name <MY_KEYVAULT> -n <KEYVAULT-CERTIFICATE-NAME> -f aks-ingress-tls.pfx

-## Deploy Web Application Routing with the Azure CLI

-The Web Application Routing routing add-on can be enabled with the Azure CLI when deploying an AKS cluster. To do so, use the [az aks create][az-aks-create] command with the `--enable-addons` argument. However, since Web Application routing depends on the OSM addon to secure intranet communication and the Azure Keyvault Secret Provider to retrieve certificates, we must enable them at the same time.

-```azurecli

-az aks create --resource-group myResourceGroup --name myAKSCluster --enable-addons azure-keyvault-secrets-provider,open-service-mesh,web_application_routing --generate-ssh-keys

-You can also enable Web Application Routing on an existing AKS cluster using the [az aks enable-addons][az-aks-enable-addons] command. To enable Web Application Routing on an existing cluster, add the `--addons` parameter and specify *web_application_routing* as shown in the following example:

-```azurecli

-az aks enable-addons --resource-group myResourceGroup --name myAKSCluster --addons azure-keyvault-secrets-provider,open-service-mesh,web_application_routing

-```azurecli

-To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][az-aks-get-credentials] command. The following example gets credentials for the AKS cluster named *myAKSCluster* in *myResourceGroup*:

-```azurecli

-az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

-## Create the application namespace

-## Grant permissions for Web Application Routing

-Identify the Web Application Routing-associated managed identity within the cluster resource group `webapprouting-<CLUSTER_NAME>`. In this walkthrough, the identity is named `webapprouting-myakscluster`.

-Copy the identity's object ID:

-### Grant access to Azure Key Vault

-Grant `GET` permissions for Web Application Routing to retrieve certificates from Azure Key Vault:

-```azurecli

-az keyvault set-policy --name myapp-contoso --object-id <WEB_APP_ROUTING_MSI_OBJECT_ID> --secret-permissions get --certificate-permissions get

-## Use Web Application Routing

-The Web Application Routing solution may only be triggered on service resources that are annotated as follows:

-annotations:

- kubernetes.azure.com/ingress-host: myapp.contoso.com

- kubernetes.azure.com/tls-cert-keyvault-uri: https://<MY-KEYVAULT>.vault.azure.net/certificates/<KEYVAULT-CERTIFICATE-NAME>/<KEYVAULT-CERTIFICATE-REVISION>

-These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `<MY-KEYVAULT>` and will retrieve the `<KEYVAULT-CERTIFICATE-NAME>` with `<KEYVAULT-CERTIFICATE-REVISION>`. To obtain the certificate URI within your keyvault run:

-```azurecli

-az keyvault certificate show --vault-name <MY_KEYVAULT> --name <KEYVAULT-CERTIFICATE-NAME> -o jsonc | jq .id

-Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_CERTIFICATE_URI>` with the ID returned from keyvault.

- annotations:

- kubernetes.azure.com/ingress-host: <MY_HOSTNAME>

- kubernetes.azure.com/tls-cert-keyvault-uri: <MY_KEYVAULT_CERTIFICATE_URI>

-kubectl apply -f samples-web-app-routing.yaml -n hello-web-app-routing

-## Configure external DNS to point to cluster

-Now that Web Application Routing is configured within our cluster and we have the external IP address, we can configure our DNS servers to reflect this. As soon as the DNS updates have propagated, open a web browser to *<MY_HOSTNAME>*, for example *myapp.contoso.com* and verify you see the demo application. The application may take a few minutes to appear.

-The Web Application Routing add-on can be removed using the Azure CLI. To do so run the following command, substituting your AKS cluster and resource group name.

-az aks disable-addons --addons azure-keyvault-secrets-provider,open-service-mesh,web_application_routing --name myAKSCluster --resource-group myResourceGroup

-## Clean up

-Remove the associated Kubernetes objects created in this article using `kubectl delete`.

-```bash

-kubectl delete -f samples-web-app-routing.yaml

-```

-The example output shows Kubernetes objects have been removed.

-```bash

-$ kubectl delete -f samples-web-app-routing.yaml

-deployment "aks-helloworld" deleted

-service "aks-helloworld" deleted

-```

-| * / 25, 587, 25028 | Outbound | TCP | VirtualNetwork / Internet | Connect to SMTP Relay for sending e-mail (optional) | External & Internal |

-| * / 25, 587, 25028 | Outbound | TCP | VirtualNetwork / Internet | Connect to SMTP Relay for sending e-mail (optional) | External & Internal |

-| * / 6381 - 6383 | Inbound & Outbound | TCP | VirtualNetwork / VirtualNetwork | Access Redis Service for [Cache](api-management-caching-policies.md) policies between machines (optional) | External & Internal |

-## SMTP relay

-

-Allow outbound network connectivity for the SMTP relay, which resolves under the host `smtpi-co1.msn.com`, `smtpi-ch1.msn.com`, `smtpi-db3.msn.com`, `smtpi-sin.msn.com`, and `ies.global.microsoft.com`

-> [!NOTE]

-> Only the SMTP relay provided in API Management may be used to send email from your instance.

-By default, persistent storage is disabled on custom containers and the setting is exposed in the app settings. To enable it, set the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting value to `true` via the [Cloud Shell](https://shell.azure.com). In Bash:

-az webapp config appsettings set --resource-group <group-name> --name <app-name> --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=true

-Set-AzWebApp -ResourceGroupName <group-name> -Name <app-name> -AppSettings @{"WEBSITES_ENABLE_APP_SERVICE_STORAGE"=true}

-### Why are the Health check request not showing in my web server logs?

-The Health check request is sent to your site internally, so the request won't show in [the web server logs](troubleshoot-diagnostic-logs.md#enable-web-server-logging). This also means the request will have an origin of `127.0.0.1` since the request is being sent internally. You can add log statements in your Health check code to keep logs of when your Health check path is pinged.

-| AppServiceAppLogs | ASP.NET & Tomcat ¹ | ASP.NET & Tomcat ¹ | Java SE & Tomcat Blessed Images ² | Java SE & Tomcat Blessed Images ² | Application logs |

-* [Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

-> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)

-In this article, you'll learn how to set up an automatic backup of key-values from a primary Azure App Configuration store to a secondary store. The automatic backup uses the integration of Azure Event Grid with App Configuration.

-After you set up the automatic backup, App Configuration will publish events to Azure Event Grid for any changes made to key-values in a configuration store. Event Grid supports a variety of Azure services from which users can subscribe to the events emitted whenever key-values are created, updated, or deleted.

-In this article, you'll use Azure Queue storage to receive events from Event Grid and use a timer-trigger of Azure Functions to process events in the queue in batches.

-## Prerequisites

-If you plan to continue working with this App Configuration and event subscription, don't clean up the resources created in this article. If you don't plan to continue, use the following command to delete the resources created in this article.

-> * Examine integration test results in your Azure Blob Storage account

- Γöé Γöé Γö£ΓöÇΓöÇ patch.json.tmpl <- To be converted into patch.json, patch for Data Controller control.json

-> The `export VAR="value"` syntax below is not meant to be run locally to source environment variables from your machine - but is there for the launcher. The launcher mounts this `.test.env` file **as-is** as a Kubernetes `secret` using Kustomize's [`secretGenerator`](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/secretGeneratorPlugin.md#secret-values-from-local-files) (Kustomize takes a file, and turns it into a Kubernetes secret). During initialization, the launcher runs bash's [`source`](https://ss64.com/bash/source.html) command, which imports the environment variables from the as-is mounted `.test.env` file into the launcher's environment.

-# Arcdata extension version override - see detailed explanation below [2]

-The launcher image is pre-packaged with the latest arcdata CLI version at the time of each container image release. However, to work with older releases, it may be necessary to provide the launcher with Azure CLI Blob URL download link, to override the pre-packaged version; e.g to instruct the launcher to install version **1.4.3**, fill in:

-The following steps are sourced from [Enable custom locations on your cluster](../kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster) to retrieve the Custom Location OID for your Azure AD tenant.

-The launcher exposes `SKIP_*` variables, to run and skip specific stages.

-For example, a "cleanup only" run. Although the launcher is designed to clean up both in the beginning and the end of each run, it's possible for launch and/or test-failures to leave residue resources behind. To run the launcher in "cleanup only" mode, set the following variables in `.test.env`:

- },

- {

- "op": "add",

- "path": "spec.monitoring",

- "value": {

- "enableOpenTelemetry": true

- }

- }

-> At this point - there are **3** places we specified `imageTag`s, for clarity, here's an explanation of the different uses of each. Typically - when testing a given release, all 3 values would be the same:

-> | # | Filename | Variable name | Why? | Used by? |

-> | | | - | -- | |

-> | 1 | **`.test.env`** | `DOCKER_TAG` | Sourcing the [Bootstrapper image](https://mcr.microsoft.com/v2/arcdata/arc-bootstrapper/tags/list) as part of [extension install](https://mcr.microsoft.com/v2/arcdata/arcdataservices-extension/tags/list) | [`az k8s-extension create`](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-create) in the launcher |

-> | 2 | **`patch.json`** | `value.imageTag` | Sourcing the [Data Controller image](https://mcr.microsoft.com/v2/arcdata/arc-controller/tags/list) | [`az arcdata dc create`](/cli/azure/arcdata/dc?view=azure-cli-latest&preserve-view=true#az-arcdata-dc-create) in the launcher |

-> | 3 | **`kustomization.yaml`** | `images.newTag` | Sourcing the [launcher's image](https://mcr.microsoft.com/v2/arcdata/arc-ci-launcher/tags/list) | `kubectl apply`ing the launcher |

-This same metadata-discovery and cleanup process is also run upon launcher exit, to leave the cluster in its pre-existing state before the launch.

-7. Once Data Controller is `Ready`, generate a set of Azure CLI ([`az arcdata dc debug`](/cli/azure/arcdata/dc/debug?view=azure-cli-latest&preserve-view=true)) logs and stores locally, labeled as `setup-complete` - as a baseline.

-8. Use the `TESTS_DIRECT/INDIRECT` environment variable from `.test.env` to launch a set of parallelized Sonobuoy test runs based on a space-separated array. These runs execute in a new `sonobuoy` namespace, using `arc-sb-plugin` pod that contains the integration tests.

-9. [Sonobuoy aggregator](https://sonobuoy.io/docs/v0.56.0/plugins/) accumulate the [`junit` test results](https://sonobuoy.io/docs/v0.56.0/results/) and logs per `arc-sb-plugin` test run, which are exported into the launcher

-11. Perform a CRD metadata scan, similar to Step 3, to discover existing Arc and Arc Data Services Custom Resources. It then proceeds to destroy all Arc and Arc Data resources in reverse order from deployment, as well as CRDs, Role/ClusterRoles, PV/PVCs etc.

-12. Attempt to use the SAS token `LOGS_STORAGE_ACCOUNT_SAS` provided to create a new Storage Account container named based on `LOGS_STORAGE_CONTAINER`, in the **pre-existing** Storage Account `LOGS_STORAGE_ACCOUNT`. It uploads all local test results and logs to this storage account as a tarball (see below).

- - Only PostgreSQL version 14 is supported for now. Versions 11 and 12 have been removed. Two new images are introduced: `arc-postgres-14` and `arc-postgresql-agent`. The `arc-postgres-11` and `arc-postgres-12` container images are removed going forward. If you use the container image sync script, get the latest image once this [pull request](https://github.com/microsoft/azure_arc/pull/1340) has merged.

-|Lenovo ThinkAgile MX3520 |AKS on Azure Stack HCI 21H2|1.0.0_2021-07-30 |15.0.2148.140|Not validated|

-description: This article reviews the different methods to deploy the Log Analytics agent on Windows and Linux-based machines registered with Azure Arc-enabled servers in your local datacenter or other cloud environment.

-# Understand deployment options for the Log Analytics agent on Azure Arc-enabled servers

-Azure Monitor supports multiple methods to install the Log Analytics agent and connect your machine or server registered with Azure Arc-enabled servers to the service. Azure Arc-enabled servers support the Azure VM extension framework, which provides post-deployment configuration and automation tasks, enabling you to simplify management of your hybrid machines like you can with Azure VMs.

-The Log Analytics agent is required if you want to:

-* Manage operating system updates by using [Azure Automation Update Management](../../automation/update-management/overview.md).

-* Run Automation runbooks directly on the machine and against resources in the environment by using an [Azure Automation Hybrid Runbook Worker](../../automation/automation-hybrid-runbook-worker.md).

-This article reviews the deployment methods for the Log Analytics agent VM extension, across multiple production physical servers or virtual machines in your environment, to help you determine which works best for your organization. If you are interested in the new Azure Monitor agent and want to see a detailed comparison, see [Azure Monitor agents overview](../../azure-monitor/agents/agents-overview.md).

-You can use Azure Policy to deploy the Log Analytics agent VM extension at-scale to machines in your environment, and maintain configuration compliance. This is accomplished by using either the **Configure Log Analytics extension on Azure Arc enabled Linux servers** / **Configure Log Analytics extension on Azure Arc enabled Windows servers** policy definition, or the **Enable Azure Monitor for VMs** policy initiative.

-* Only supports specifying a single workspace to report to. Requires using PowerShell or the Azure CLI to configure the Log Analytics Windows agent VM extension to report to up to four workspaces.

-* The **Configure Log Analytics extension on Azure Arc enabled** *operating system* **servers** policy only installs the Log Analytics VM extension and configures the agent to report to a specified Log Analytics workspace. If you want VM insights to monitor the operating system performance, and map running processes and dependencies on other resources, apply the policy initiative **Enable Azure Monitor for VMs**. It installs and configures both the Log Analytics VM extension and the Dependency agent VM extension, which are required.

-The process automation operating environment in Azure Automation and its support for PowerShell and Python runbooks can help you automate the deployment of the Log Analytics agent VM extension at scale to machines in your environment.

-* To manage operating system updates using Azure Automation Update Management, see [Enable from an Automation account](../../automation/update-management/enable-from-automation-account.md) and then follow the steps to enable machines reporting to the workspace.

-* To track changes using Azure Automation Change Tracking and Inventory, see [Enable from an Automation account](../../automation/change-tracking/enable-from-automation-account.md) and then follow the steps to enable machines reporting to the workspace.

-* Use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on servers or machines registered with Arc-enabled servers. See the [Deploy Hybrid Runbook Worker VM extension](../../automation/extension-based-hybrid-runbook-worker-install.md) article.

-To connect hybrid machines, you install the [Azure Connected Machine agent](agent-overview.md) on each machine. This agent does not deliver any other functionality, and it doesn't replace the Azure [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) / [Azure Monitor Agent](../../azure-monitor/agents/azure-monitor-agent-overview.md). The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:

-* Ubuntu 16.04, 18.04, 20.04, and 22.04 LTS

-| [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md) | Public preview | <ul><li>Azure Security Agent extension</li><li>SQL Advanced Threat Protection extension</li><li>SQL Vulnerability Assessment extension</li></ul> | [Auto-deployment of Azure Monitor Agent (Preview)](/azure/defender-for-cloud/release-notes#auto-deployment-of-azure-monitor-agent-preview) |

- name: '${vmName}/AzureMonitorWindowsAgent'

- type: 'AzureMonitorWindowsAgent'

- "name": "[format('{0}/AzureMonitorWindowsAgent', parameters('vmName'))]",

- "type": "AzureMonitorWindowsAgent",

- |Automatically resolve alerts (preview) |Select to resolve the alert when the condition isn't met anymore.|

- |Automatically resolve alerts (preview) |Select to resolve the alert when the condition isn't met anymore.|

-|Microsoft.DBforPostgreSQL/flexibleServers | Yes | No | [DB for PostgreSQL (flexible servers)](../essentials/metrics-supported.md#microsoftdbforpostgresqlflexibleservers)|

-* [Oracle Azure Virtual Machines DBMS deployment for SAP workload - Azure Virtual Machines](../virtual-machines/workloads/sap/dbms_guide_oracle.md#oracle-configuration-guidelines-for-sap-installations-in-azure-vms-on-linux)

-3. In the **Search Backups** box, enter the backup name that you want to search for.

-The Azure NetApp Files replication functionality provides data protection through cross-region volume replication. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. This capability enables you to fail over your critical application if a region-wide outage or disaster happens.

-### Build Bicep file

-The [Bicep configuration file (bicepconfig.json)](./bicep-config.md) can be used to customize your Bicep development experience. You can add `bicepconfig.json` in multiple directories. The configuration file closest to the bicep file in the directory hierarchy is used. When you select this command, the extension opens a dialog for you to select a folder. The default folder is where you store the Bicep file. If a `bicepconfig.json` file already exists in the folder, you have the option to overwrite the existing file.

-You have the option to open the visualizer side-by-side with the Bicep file.

-### Restore Bicep file

-From Visual Studio Code, you can easily open the template reference for the resource type you are working on. To do so, hover your cursor over the resource symbolic name, and then select **View type document**.

-Parameters let you customize the deployment by providing values that tailored for a particular environment. You can pass different values, for example, based on whether you're deploying to a development, testing, or production environment.

-> [Add template functions](template-tutorial-add-functions.md)

-**Cross Region (secondary region)** | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an [Azure paired region](../availability-zones/cross-region-replication-azure.md).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> During the backup, snapshots aren't replicated to the secondary region. Only the data stored in the vault is replicated. So secondary region restores are only [vault tier](about-azure-vm-restore.md#concepts) restores. The restore time for the secondary region will be almost the same as the vault tier restore time for the primary region. <br><br> This feature is available for the options below:<br> <li> [Create a VM](#create-a-vm) <br> <li> [Restore Disks](#restore-disks) <br><br> We don't currently support the [Replace existing disks](#replace-existing-disks) option.<br><br> Permissions<br> The restore operation on secondary region can be performed by Backup Admins and App admins.

->To receive alerts/notifications when a restore operation fails, use [Azure Monitor alerts for Azure Backup](backup-azure-monitoring-built-in-monitor.md#azure-monitor-alerts-for-azure-backup-preview). This helps you to monitor such failures and take necessary actions to remediate the issues.

- - When restoring non-premium VMs, premium storage accounts aren't supported.

- - When restoring managed VMs, premium storage accounts configured with network rules aren't supported.

-You're provided with an option to restore [unmanaged disks](../storage/common/storage-disaster-recovery-guidance.md#azure-unmanaged-disks) as [managed disks](../virtual-machines/managed-disks-overview.md) during restore. By default, the unmanaged VMs / disks are restored as unmanaged VMs / disks. However, if you choose to restore as managed VMs / disks, it's now possible to do so. These restores aren't triggered from the snapshot phase but only from the vault phase. This feature isn't available for unmanaged encrypted VMs.

-**Restore VM in any availability set** | When restoring a VM from the portal, there's no option to choose an availability set. A restored VM doesn't have an availability set. If you use the restore disk option, then you can [specify an availability set](../virtual-machines/windows/tutorial-availability-sets.md) when you create a VM from the disk using the provided template or PowerShell.

-## Azure Monitor alerts for Azure Backup (preview)

-The following table summarizes the different backup alerts currently available (in preview) via Azure Monitor and the supported workload/vault types:

-| Security | Delete Backup Data | - Microsoft Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM <br><br> - Azure Backup Agent <br><br> - DPM <br><br> - Azure Backup Server <br><br> - Azure Database for PostgreSQL Server <br><br> - Azure Blobs <br><br> - Azure Managed Disks | This alert is fired when you stop backup and deletes backup data. <br><br> **Note** <br> If you disable the soft-delete feature for the vault, Delete Backup Data alert is not received. |

-| Security | Upcoming Purge | - Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM | For all workloads that support soft-delete, this alert is fired when the backup data for an item is 2 days away from being permanently purged by the Azure Backup service. |

-| Security | Purge Complete | - Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM | Delete Backup Data |

- By selecting this option, you are consenting to receive backup alerts only via Azure Monitor and you will stop receiving alerts from the older classic alerts solution. [Review the key differences between classic alerts and built-in Azure Monitor alerts](./move-to-azure-monitor-alerts.md).

-Once an alert is fired for a vault, you can go to Backup center to view the alert in the Azure portal. On the **Overview** tab, you can see a summary of active alerts split by severity. There're two types of alerts displayed:

-Each of the above types of alerts is further split into **Security** and **Configured** alerts. Currently, Security alerts include the scenarios of deleting backup data, or disabling soft-delete for vault (for the applicable workloads as detailed in the above section). Configured alerts include backup failure and restore failure because these alerts are only fired after registering the feature in the preview portal.

-1. Select **Alerts (Preview)** from the menu and select **Alert processing rules (preview)**.

-There're a few exceptions when an alert isn't raised on a failure. They are:

->To receive alerts/notifications when a user in the organization disables soft-delete for a vault, use [Azure Monitor alerts for Azure Backup](backup-azure-monitoring-built-in-monitor.md#azure-monitor-alerts-for-azure-backup-preview). As the disable of soft-delete is a potential destructive operation, we recommend you to use alert system for this scenario to monitor all such operations and take actions on any unintended operations.

-No, it's built-in and enabled by default for all the Recovery Services vaults.

-### Can I delete my vault if there are soft deleted items in the vault?

-No. You can't force delete the soft-deleted items. They're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 days before performing any other action on the item. Soft-deleted items won't be charged. If you need to reprotect the items marked for soft-delete within 14 days in a new vault, then contact Microsoft support.

-### ExtensionStuckInDeletionState - Extension state is not supportive to backup operation

-* Ability to view out-of-the-box metrics related to backup and restore health of your backup items along with associated trends.

-* **Default Azure Monitor alerts for Azure Backup (preview)**: This includes the built-in security alerts and configured alerts that Azure Backup provides via Azure Monitor. [Learn more about the alert scenarios supported by this solution](backup-azure-monitoring-built-in-monitor.md#azure-monitor-alerts-for-azure-backup-preview).

-For more details about Azure Monitor alerts, see [Overview of alerts in Azure](../azure-monitor/alerts/alerts-overview.md).

-| Monitoring | View Azure Monitor alerts at scale | Azure Virtual Machine <br><br> Azure Database for PostgreSQL server <br><br> SQL in Azure VM <br><br> SAP HANA in Azure VM <br><br> Azure Files<br/><br/> Azure Blobs<br/><br/> Azure Managed Disks | Refer [Alerts](./backup-azure-monitoring-built-in-monitor.md#azure-monitor-alerts-for-azure-backup-preview) documentation |

-Backup Linux Azure VMs with docker mount points | Currently, Azure Backup doesnΓÇÖt support exclusion of docker mount points as these are mounted at different paths every time.

-Maximum backup frequency to vault (Azure VM extension) | Once a day.

-Maximum backup frequency to vault (MARS agent) | Three backups per day.

-Maximum backup frequency to DPM/MABS | Every 15 minutes for SQL Server.<br/><br/> Once an hour for other workloads.

-Restore across subscription/region/zone. | Not supported.

-Because log backups occur every 15 minutes, monitoring backup jobs can be tedious. Azure Backup eases monitoring by sending email alerts. Email alerts are:

-To monitor database backup alerts:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. On the vault dashboard, select **Backup Alerts**.

- 

-## Resume protection for a SQL database

-To resume protection for a SQL database:

-Same | Same | Same | Same | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection and delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br> **How to get backup data from _old_ VM to _new_ VM?** <br><br> No SQL backups will be triggered automatically on the _new_ virtual machine. You must re-register the VM to the same vault. Then itΓÇÖll appear as a valid target, and SQL data can be restored to the latest available point-in-time via the alternate location recovery capability. After restoring SQL data, SQL backups will continue on this machine. VM backup will continue as-is, if previously configured.

-Same | Same | Different | Same | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection and delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br>**How to get backup data from _old_ VM to _new_ VM?** <br><br> As the new virtual machine is in a different resource group, itΓÇÖll be treated as a new machine and you have to explicitly configure SQL backups (and VM backup too, if previously configured) to the same vault. Then proceed to restore the SQL backup item of the old VM to latest available point-in-time via the _alternate location recovery_ to the new VM. The SQL backups will now continue.

-Same | Same | Same or different | Different | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection and delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br> **How to get backup data from _old_ VM to _new_ VM? <br><br> As the new virtual machine is in a different region, youΓÇÖve to configure SQL backups to a vault in the new region. <br><br> If the new region is a paired region, you can choose to restore SQL data to latest available point-in-time via the ΓÇÿcross region restoreΓÇÖ capability from the SQL backup item of the _old_ VM. <br><br> If the new region is a non-paired region, direct restore from the previous SQL backup item is not supported. However, you can choose restore as files option, from the SQL backup item of the ΓÇÿoldΓÇÖ VM, to get the data to a mounted share in a VM of the old region, and then mount it to the new VM.

-Different | Same or different | Same or different | Same or different | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection + delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br> **How to get backup data from _old_ VM to _new_ VM?** <br><br> As the new virtual machine is in a different subscription, youΓÇÖve to configure SQL backups to a vault in the new subscription. If it is a new vault in different subscription, direct restore from the previous SQL backup item is not supported. However, you can choose restore as files option, from the SQL backup item of the _old_ VM, to get the data to a mounted share in a VM of the old subscription, and then mount it to the new VM.

-| Monitor backup jobs and backup instances | <ul><li>**Built-in monitoring**: You can monitor backup jobs and backup instances in real time via the [Backup center](./backup-center-overview.md) dashboard.</li><li>**Customized monitoring dashboards**: Azure Backup allows you to use non-portal clients, such as [PowerShell](./backup-azure-vms-automation.md), [CLI](./create-manage-azure-services-using-azure-command-line-interface.md), and [REST API](./backup-azure-arm-userestapi-managejobs.md), to query backup monitoring data for use in your custom dashboards. <br><br> In addition, you can query your backups at scale (across vaults, subscriptions, regions, and Lighthouse tenants) using [Azure Resource Graph (ARG)](./query-backups-using-azure-resource-graph.md). <br><br> [Backup Explorer](./monitor-azure-backup-with-backup-explorer.md) is one sample monitoring workbook, which uses data in ARG that you can use as a reference to create your own dashboards. </li></ul> |

-| Monitor overall backup health | <ul><li>**Resource Health**: You can monitor the health of your Recovery Services vault and troubleshoot events causing the resource health issues. [Learn more](../service-health/resource-health-overview.md). <br><br> You can view the health history and identify events affecting the health of your resource. You can also trigger alerts related to the resource health events. </li><li>**Azure Monitor Metrics**: Azure Backup also offers the above health metrics via Azure Monitor, which provides you more granular details about the health of your backups. This also allows you to configure alerts and notifications on these metrics. [Learn more](./metrics-overview.md)</li></ul> |

-| Get alerted to critical backup incidents | <ul><li>**Built-in alerts using Azure Monitor (preview)**: Azure Backup provides an [alerting solution based on Azure Monitor](./backup-azure-monitoring-built-in-monitor.md#azure-monitor-alerts-for-azure-backup-preview) for scenarios such as deletion of backup data, disabling of soft-delete, backup failures, and restore failures. <br><br> You can view these alerts and manage via Backup center. To [configure notifications](./backup-azure-monitoring-built-in-monitor.md#configuring-notifications-for-alerts) for these alerts (for example, emails), you can use Azure Monitor's [Action rules](../azure-monitor/alerts/alerts-action-rules.md?tabs=portal) and [Action groups](../azure-monitor/alerts/action-groups.md) to route alerts to a wide range of notification channels. </li> <li> **Azure Backup Metric Alerts using Azure Monitor (preview)**: You can write custom alert rules using Azure Monitor metrics to monitor the health of your backup items across different KPIs. [Learn more](./metrics-overview.md) </li> <li>**Classic Alerts**: This is the older alerting solution [accessed using the Backup Alerts tab](./backup-azure-monitoring-built-in-monitor.md#backup-alerts-in-recovery-services-vault) in the Recovery Services vault blade. These alerts canΓÇÖt be viewed in Backup center. If youΓÇÖre using classic alerts, we recommend to start using one or more of the Azure Monitor based alert solutions (described above) as itΓÇÖs the forward-looking solution for alerting. </li><li>**Custom log alerts**: If you've scenarios where an alert needs to be generated based on custom logic, you can make use of [Log Analytics based alerts](./backup-azure-monitoring-use-azuremonitor.md#create-alerts-by-using-log-analytics) for such scenarios, provided youΓÇÖve configured your vaults to send diagnostics data to a Log Analytics (LA) workspace. Due to the current [frequency at which data in an LA workspace is updated](./backup-azure-monitoring-use-azuremonitor.md#diagnostic-data-update-frequency), this solution is typically used for scenarios where itΓÇÖs acceptable to have a small time lag between the occurrence of the actual incident and the generation of the alert. </li></ul> |

-| Analyze historical trends | <ul><li>**Built-in reports**: You can use [Backup Reports](./configure-reports.md) (based on Azure Monitor Logs) to analyze historical trends related to job success and backup usage, and discover optimization opportunities for your backups. You can also [configure periodic emails](./backup-reports-email.md) of these reports. </li><li>**Customized reporting dashboards**: You can also query the data in Azure Monitor Logs (LA) using the documented [system functions](./backup-reports-system-functions.md) to create your own dashboards to analyze historical information related to your backups.</li></ul> |

-| **Pricing** | There're no additional charges for this solution. | Alerts for critical operations/failures generate by default (that you can view in the Azure portal or via non-portal interfaces) at no additional charge. However, to route these alerts to a notification channel (such as email), it incurs a minor charge for notifications beyond the *free tier* (of 1000 emails per month). Learn more about [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). |

-Azure Backup now provides a guided experience via Backup center that allows you to switch to built-in Azure Monitor alerts and notifications with just a few selects.

- On the next screen, there're two recommended actions:

- - **Create rule**: This action creates an alert processing rule attached to an action group to enable you to receive notifications for Azure Monitor alerts. After selecting, it leads you to a template deployment experience.

- :::image type="content" source="./media/move-to-azure-monitor-alerts/alert-processing-rule-parameters.png" alt-text="Screenshot showing template parameters to setup notification rules for Azure Monitor alerts.":::

-1. Go to **Backup center** -> **Alerts**, and select **Alert processing rules**.

- :::image type="content" source="./media/move-to-azure-monitor-alerts/alert-processing-rule-blade.png" alt-text="Screenshot showing alert processing rules blade in portal.":::

-Low RPO (Recovery Point Objective) is a key requirement for Azure Files that contains the frequently updated, business-critical data. To ensure minimal data loss in the event of a disaster or unwanted changes to file share content, you may prefer to take backups more frequently than once a day.

-Low RPO (Recovery Point Objective) is a key requirement for Azure Files that contains the frequently updated, business-critical data. To ensure minimal data loss in the event of a disaster or unwanted changes to file share content, you may prefer to take backups more frequently than once a day.

- token="Bearer $(curl http://localhost:50342/oauth2/token --data "resource=https://management.azure.com/" -H Metadata:true -s | jq -r ".access_token")"

- curl https://management.azure.com/providers/Microsoft.Portal/usersettings/cloudconsole?api-version=2017-12-01-preview -H Authorization:"$token" -s | jq

- token=(az account get-access-token --resource "https://management.azure.com/" | jq -r ".access_token")

- curl -X DELETE https://management.azure.com/providers/Microsoft.Portal/usersettings/cloudconsole?api-version=2017-12-01-preview -H Authorization:"$token"

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Create-a-project&Section=Create-a-project" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Create-a-project&Section=Create-a-project" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Create-a-project&Section=Create-a-project" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Deploy-a-model&Section=Add-a-deployment-endpoint" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Deploy-a-model&Section=Add-a-deployment-endpoint" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Deploy-a-model&Section=Add-a-deployment-endpoint" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Deploy-a-model&Section=Change-model-and-redeploy-endpoint" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Deploy-a-model&Section=Change-model-and-redeploy-endpoint" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Deploy-a-model&Section=Change-model-and-redeploy-endpoint" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Test-model-quantitatively&Section=Create-a-test" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Test-model-quantitatively&Section=Create-a-test" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Test-model-quantitatively&Section=Create-a-test" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Test-model-quantitatively&Section=Get-test-results" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Test-model-quantitatively&Section=Get-test-results" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Test-model-quantitatively&Section=Get-test-results" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Test-recognition-quality&Section=Create-a-test" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Test-recognition-quality&Section=Create-a-test" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Test-recognition-quality&Section=Create-a-test" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Test-recognition-quality&Section=Get-test-results" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Test-recognition-quality&Section=Get-test-results" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Test-recognition-quality&Section=Get-test-results" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Train-a-model&Section=Create-a-model" target="_target">I ran into an issue</a>

-> In this example, the `baseModel` isn't set, so the default base model for the locale is used. The base model URI is returned in the response.

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Train-a-model&Section=Create-a-model" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Train-a-model&Section=Create-a-model" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Train-a-model&Section=Copy-a-model" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Train-a-model&Section=Copy-a-model" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Speech-studio&Pillar=Speech&Product=Custom-speech&Page=Upload-training-and-testing-datasets&Section=Upload-datasets" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CLI&Pillar=Speech&Product=Custom-speech&Page=Upload-training-and-testing-datasets&Section=Upload-datasets" target="_target">I ran into an issue</a>

-> [!div class="nextstepaction"]

-> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST&Pillar=Speech&Product=Custom-speech&Page=Upload-training-and-testing-datasets&Section=Upload-datasets" target="_target">I ran into an issue</a>

-This is a list of supported audio formats that are sent in each request as the `X-Microsoft-OutputFormat` header. Each format incorporates a bit rate and encoding type. The Speech service supports 48-kHz, 24-kHz, 16-kHz, and 8-kHz audio outputs. Prebuilt neural voices are created from samples that use a 24-khz sample rate. All voices can upsample or downsample to other sample rates when synthesizing.

-| Streaming | Non-Streaming |

-| - | |

-| audio-16khz-16bit-32kbps-mono-opus | riff-8khz-8bit-mono-alaw |

-| audio-16khz-32kbitrate-mono-mp3 | riff-8khz-8bit-mono-mulaw |

-| audio-16khz-64kbitrate-mono-mp3 | riff-8khz-16bit-mono-pcm |

-| audio-16khz-128kbitrate-mono-mp3 | riff-22050hz-16bit-mono-pcm |

-| audio-24khz-16bit-24kbps-mono-opus | riff-24khz-16bit-mono-pcm |

-| audio-24khz-16bit-48kbps-mono-opus | riff-44100hz-16bit-mono-pcm |

-| audio-24khz-48kbitrate-mono-mp3 | riff-48khz-16bit-mono-pcm |

-| audio-24khz-96kbitrate-mono-mp3 | |

-| audio-24khz-160kbitrate-mono-mp3 | |

-| audio-48khz-96kbitrate-mono-mp3 | |

-| audio-48khz-192kbitrate-mono-mp3 | |

-| ogg-16khz-16bit-mono-opus | |

-| ogg-24khz-16bit-mono-opus | |

-| ogg-48khz-16bit-mono-opus | |

-| raw-8khz-8bit-mono-alaw | |

-| raw-8khz-8bit-mono-mulaw | |

-| raw-8khz-16bit-mono-pcm | |

-| raw-16khz-16bit-mono-pcm | |

-| raw-16khz-16bit-mono-truesilk | |

-| raw-22050hz-16bit-mono-pcm | |

-| raw-24khz-16bit-mono-pcm | |

-| raw-24khz-16bit-mono-truesilk | |

-| raw-44100hz-16bit-mono-pcm | |

-| raw-48khz-16bit-mono-pcm | |

-| webm-16khz-16bit-mono-opus | |

-| webm-24khz-16bit-24kbps-mono-opus | |

-| webm-24khz-16bit-mono-opus | |

-> Currently sending chat push notifications with Notification Hub is generally available in Android version 1.1.0 and in public preview for iOS version 1.3.0-beta.1.

->[!IMPORTANT]

->This Push Notification feature is currently in public preview. Preview APIs and SDKs are provided without a service-level agreement, and aren't recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-* Item 3: Implementation of PushNotificationKeyHandler Protocol

-Third, `PushNotificationKeyHandler` is required for advanced version. As the SDK user, you could use the default `AppGroupPushNotificationKeyHandler` class provided by chat SDK to generate a key handler. If you donΓÇÖt use `App Group` as the key storage or would like to customize key handling methods, create your own class which conforms to PushNotificationKeyHandler protocol.

-For PushNotificationKeyHandler, it defines two methods: `onPersistKey(encryptionKey:expiryTime)` and `onRetrieveKeys() -> [String]`.

- Connect to FTP or FTPS servers you can access from the internet so that you can work with your files and folders.

- **SFTP-SSH**<br>(*Standard workflow only*)

- ![Azure Service Bus icon][azure-service-bus-icon]

- **Azure Service Bus**<br>(*Standard workflow only*)

- ![IBM DB2 icon][ibm-db2-icon]

- **DB2**<br>(*Standard workflow only*)

- Connect to IBM DB2 in the cloud or on-premises. Update a row, get a table, and more.

- :::column:::

- :::column-end:::

- :::column:::

- :::column-end:::

-# Azure Data Box hardware additional terms

-## Availability of Data Box devices

-## Possession and return of the Data Box device

-## Shipment and title; fees

-### Title and risk of loss

-|Data Box device type | Lost or materially damaged time period and amounts|

-### Shipment and return of Data Box device

-### Transit risks

-### Self-managed shipment

-## Responsibilities if Customer moves a Data Box device between locations

-| **File integrity monitoring (FIM)** | [FIM](file-integrity-monitoring-overview.md) (change monitoring) examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

-description: Learn how to configure file integrity monitoring (FIM) in Microsoft Defender for Cloud using this walkthrough.

-# File integrity monitoring in Microsoft Defender for Cloud

-Learn how to configure file integrity monitoring (FIM) in Microsoft Defender for Cloud using this walkthrough.

-## Availability

-|Aspect|Details|

-|-|:-|

-|Release state:|General availability (GA)|

-|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#defender-for-servers-plans).<br>Using the Log Analytics agent, FIM uploads data to the Log Analytics workspace. Data charges apply, based on the amount of data you upload. See [Log Analytics pricing](https://azure.microsoft.com/pricing/details/log-analytics/) to learn more.|

-|Required roles and permissions:|**Workspace owner** can enable/disable FIM (for more information, see [Azure Roles for Log Analytics](/services-hub/health/azure-roles#azure-roles)).<br>**Reader** can view results.|

-|Clouds:|:::image type="icon" source="./medi).<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts|

-## What is FIM in Defender for Cloud?

-File integrity monitoring (FIM), also known as change monitoring, examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack.

-In this tutorial you'll learn how to:

-> [!div class="checklist"]

-> * Review the list of suggested entities to monitor with FIM

-> * Define your own, custom FIM rules

-> * Audit changes to your monitored entities

-> * Use wildcards to simplify tracking across directories

-## How does FIM work?

-The Log Analytics agent uploads data to the Log Analytics workspace. By comparing the current state of these items with the state during the previous scan, FIM notifies you if suspicious modifications have been made.

-FIM uses the Azure Change Tracking solution to track and identify changes in your environment. When file integrity monitoring is enabled, you have a **Change Tracking** resource of type **Solution**. For data collection frequency details, see [Change Tracking data collection details](../automation/change-tracking/overview.md#change-tracking-and-inventory-data-collection).

-> [!NOTE]

-> If you remove the **Change Tracking** resource, you will also disable the file integrity monitoring feature in Defender for Cloud.

-When choosing which files to monitor, consider the files that are critical for your system and applications. Monitor files that you donΓÇÖt expect to change without planning. If you choose files that are frequently changed by applications or operating system (such as log files and text files) it'll create a lot of noise, making it difficult to identify an attack.

-## Enable file integrity monitoring

-FIM is only available from Defender for Cloud's pages in the Azure portal. There is currently no REST API for working with FIM.

-1. From the **Workload protections** dashboard's **Advanced protection** area, select **File integrity monitoring**.

- :::image type="content" source="./media/file-integrity-monitoring-overview/open-file-integrity-monitoring.png" alt-text="Launching FIM." lightbox="./media/file-integrity-monitoring-overview/open-file-integrity-monitoring.png":::

- The **File integrity monitoring** configuration page opens.

- The following information is provided for each workspace:

- - Total number of changes that occurred in the last week (you may see a dash "-ΓÇ£ if FIM is not enabled on the workspace)

- - Total number of computers and VMs reporting to the workspace

- - Geographic location of the workspace

- - Azure subscription that the workspace is under

-1. Use this page to:

- - Access and view the status and settings of each workspace

- - ![Upgrade plan icon.][4] Upgrade the workspace to use enhanced security features. This icon Indicates that the workspace or subscription isn't protected with Microsoft Defender for Servers. To use the FIM features, your subscription must be protected with this plan. For more information, see [Microsoft Defender for Cloud's enhanced security features](enhanced-security-features-overview.md).

- - ![Enable icon][3] Enable FIM on all machines under the workspace and configure the FIM options. This icon indicates that FIM is not enabled for the workspace.

- :::image type="content" source="./media/file-integrity-monitoring-overview/workspace-list-fim.png" alt-text="Enabling FIM for a specific workspace.":::

- > [!TIP]

- > If there's no enable or upgrade button, and the space is blank, it means that FIM is already enabled on the workspace.

-1. Select **ENABLE**. The details of the workspace including the number of Windows and Linux machines under the workspace is shown.

- :::image type="content" source="./media/file-integrity-monitoring-overview/workspace-fim-status.png" alt-text="FIM workspace details page.":::

- The recommended settings for Windows and Linux are also listed. Expand **Windows files**, **Registry**, and **Linux files** to see the full list of recommended items.

-1. Clear the checkboxes for any recommended entities you do not want to be monitored by FIM.

-1. Select **Apply file integrity monitoring** to enable FIM.

-> [!NOTE]

-> You can change the settings at any time. See [Edit monitored entities](#edit-monitored-entities) below to learn more.

-## Audit monitored workspaces

-The **File integrity monitoring** dashboard displays for workspaces where FIM is enabled. The FIM dashboard opens after you enable FIM on a workspace or when you select a workspace in the **file integrity monitoring** window that already has FIM enabled.

-The FIM dashboard for a workspace displays the following details:

-Select **Filter** at the top of the dashboard to change the time period for which changes are shown.

-The **Servers** tab lists the machines reporting to this workspace. For each machine, the dashboard lists:

-When you select a machine, the query appears along with the results that identify the changes made during the selected time period for the machine. You can expand a change for more information.

-The **Changes** tab (shown below) lists all changes for the workspace during the selected time period. For each entity that was changed, the dashboard lists the:

-**Change details** opens when you enter a change in the search field or select an entity listed under the **Changes** tab.

-## Edit monitored entities

-1. From the **File integrity monitoring dashboard** for a workspace, select **Settings** from the toolbar.

- :::image type="content" source="./media/file-integrity-monitoring-overview/file-integrity-monitoring-dashboard-settings.png" alt-text="Accessing the file integrity monitoring settings for a workspace." lightbox="./media/file-integrity-monitoring-overview/file-integrity-monitoring-dashboard-settings.png":::

- **Workspace Configuration** opens with tabs for each type of element that can be monitored:

- - Windows registry

- - Windows files

- - Linux Files

- - File content

- - Windows services

- Each tab lists the entities that you can edit in that category. For each entity listed, Defender for Cloud identifies whether FIM is enabled (true) or not enabled (false). Edit the entity to enable or disable FIM.

- :::image type="content" source="./media/file-integrity-monitoring-overview/file-integrity-monitoring-workspace-configuration.png" alt-text="Workspace configuration for file integrity monitoring in Microsoft Defender for Cloud.":::

-1. Select an entry from one of the tabs and edit any of the available fields in the **Edit for Change Tracking** pane. Options include:

- - Enable (True) or disable (False) file integrity monitoring

- - Provide or change the entity name

- - Provide or change the value or path

- - Delete the entity

-1. Discard or save your changes.

-## Add a new entity to monitor

-1. From the **File integrity monitoring dashboard** for a workspace, select **Settings** from the toolbar.

- The **Workspace Configuration** opens.

-1. One the **Workspace Configuration**:

- 1. Select the tab for the type of entity that you want to add: Windows registry, Windows files, Linux Files, file content, or Windows services.

- 1. Select **Add**.

- In this example, we selected **Linux Files**.

- :::image type="content" source="./media/file-integrity-monitoring-overview/file-integrity-monitoring-add-element.png" alt-text="Adding an element to monitor in Microsoft Defender for Cloud's file integrity monitoring" lightbox="./media/file-integrity-monitoring-overview/file-integrity-monitoring-add-element.png":::

-1. Select **Add**. **Add for Change Tracking** opens.

-1. Enter the necessary information and select **Save**.

-## Folder and path monitoring using wildcards

-Use wildcards to simplify tracking across directories. The following rules apply when you configure folder monitoring using wildcards:

-## Disable FIM

-You can disable FIM. FIM uses the Azure Change Tracking solution to track and identify changes in your environment. By disabling FIM, you remove the Change Tracking solution from selected workspace.

-To disable FIM:

-1. From the **File integrity monitoring dashboard** for a workspace, select **Disable**.

- :::image type="content" source="./media/file-integrity-monitoring-overview/disable-file-integrity-monitoring.png" alt-text="Disable file integrity monitoring from the settings page.":::

-1. Select **Remove**.

-In this article, you learned to use file integrity monitoring (FIM) in Defender for Cloud. To learn more about Defender for Cloud, see the following pages:

-* [Setting security policies](tutorial-security-policy.md) -- Learn how to configure security policies for your Azure subscriptions and resource groups.

-* [Managing security recommendations](review-security-recommendations.md) -- Learn how recommendations help you protect your Azure resources.

-* [Azure Security blog](/archive/blogs/azuresecurity/)--Get the latest Azure security news and information.

-<!--Image references-->

-[3]: ./media/file-integrity-monitoring-overview/enable.png

-[4]: ./media/file-integrity-monitoring-overview/upgrade-plan.png

-description: Learn how to compare baselines with File Integrity Monitoring in Microsoft Defender for Cloud.

-# Compare baselines using File Integrity Monitoring (FIM)

-File Integrity Monitoring (FIM) informs you when changes occur to sensitive areas in your resources, so you can investigate and address unauthorized activity. FIM monitors Windows files, Windows registries, and Linux files.

-This topic explains how to enable FIM on the files and registries. For more information about FIM, see [File Integrity Monitoring in Microsoft Defender for Cloud](file-integrity-monitoring-overview.md).

-## Why use FIM?

-Operating system, applications, and associated configurations control the behavior and security state of your resources. Therefore, attackers target the files that control your resources, in order to overtake a resource's operating system and/or execute activities without being detected.

-In fact, many regulatory compliance standards such as PCI-DSS & ISO 17799 require implementing FIM controls.

-## Enable built-in recursive registry checks

-The FIM registry hive defaults provide a convenient way to monitor recursive changes within common security areas. For example, an adversary may configure a script to execute in LOCAL_SYSTEM context by configuring an execution at startup or shutdown. To monitor changes of this type, enable the built-in check.

-

->[!NOTE]

-> Recursive checks apply only to recommended security hives and not to custom registry paths.

-## Add a custom registry check

-FIM baselines start by identifying characteristics of a known-good state for the operating system and supporting application. For this example, we will focus on the password policy configurations for Windows Server 2008 and higher.

-|Policy Name | Registry Setting|

-|-|--|

-|Domain controller: Refuse machine account password changes| MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\RefusePasswordChange|

-|Domain member: Digitally encrypt or sign secure channel data (always)|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\RequireSignOrSeal|

-|Domain member: Digitally encrypt secure channel data (when possible)|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\SealSecureChannel|

-|Domain member: Digitally sign secure channel data (when possible)|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\SignSecureChannel|

-|Domain member: Disable machine account password changes|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\DisablePasswordChange|

-|Domain member: Maximum machine account password age|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\MaximumPasswordAge|

-|Domain member: Require strong (Windows 2000 or later) session key|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\RequireStrongKey|

-|Network security: Restrict NTLM: NTLM authentication in this domain|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\RestrictNTLMInDomain|

-|Network security: Restrict NTLM: Add server exceptions in this domain|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\DCAllowedNTLMServers|

-|Network security: Restrict NTLM: Audit NTLM authentication in this domain|MACHINE\System\CurrentControlSet\Services \Netlogon\Parameters\AuditNTLMInDomain|

-> [!NOTE]

-> To learn more about registry settings supported by various operating system versions, refer to the [Group Policy Settings reference spreadsheet](https://www.microsoft.com/download/confirmation.aspx?id=25250).

-To configure FIM to monitor registry baselines:

- ```

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- ```

- :::image type="content" source="./media/file-integrity-monitoring-usage/baselines-add-registry.png" alt-text="Enable FIM on a registry.":::

-## Track changes to Windows files

-1. In the **Add Windows File for Change Tracking** window, in the **Enter path** text box, enter the folder which contains the files that you want to track.

-In the example in the following figure,

-**Contoso Web App** resides in the D:\ drive within the **ContosWebApp** folder structure.

-1. Create a custom Windows file entry by providing a name of the setting class, enabling recursion, and specifying the top folder with a wildcard (*) suffix.

- :::image type="content" source="./media/file-integrity-monitoring-usage/baselines-add-file.png" alt-text="Enable FIM on a file.":::

-## Retrieve change data

-File Integrity Monitoring data resides within the Azure Log Analytics / ConfigurationChange table set.

- 1. Set a time range to retrieve a summary of changes by resource.

- In the following example, we are retrieving all changes in the last fourteen days in the categories of registry and files:

- ```

- ConfigurationChange

- | where TimeGenerated > ago(14d)

- | where ConfigChangeType in ('Registry', 'Files')

- | summarize count() by Computer, ConfigChangeType

- ```

-1. To view details of the registry changes:

- 1. Remove **Files** from the **where** clause,

- 1. Remove the summarization line and replace it with an ordering clause:

- ```

- ConfigurationChange

- | where TimeGenerated > ago(14d)

- | where ConfigChangeType in ('Registry')

- | order by Computer, RegistryKey

- ```

-Reports can be exported to CSV for archival and/or channeled to a Power BI report.

-

-| LAMDBA | `lambda:GetPolicy` <br> `lambda:List*` |

-## Azure Monitor Agent integration now in preview

-| [File integrity monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

-| [File integrity monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö | Γ£ö | Yes |

-| [File integrity monitoring](file-integrity-monitoring-overview.md) | Γ£ö | Γ£ö |

-| - [File integrity monitoring](./file-integrity-monitoring-overview.md) | GA | GA | GA |

-$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"

-$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"

-$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"

-$ApplicationRuleGroupPriority = 300

-$NetworkRuleGroupPriority = 200

-$NatRuleGroupPriority = 100

- $cmd = $cmd + " -Name " + "'" + $($ApplicationRule.Name) + "'"

-$fwDnsSetting = New-AzFirewallPolicyDnsSetting -EnableProxy

-$fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode -DnsSetting $fwDnsSetting -Force

- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationIpGroup $rule.DestinationIpGroups -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

- $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $rule.Name -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

-Write-Host "creating " $azfw.NatRuleCollections.Count " network rule collections"

- ForEach ($rule in $rc.Rules)

- {

- $firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $rule.Name -SourceAddress $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols

- Write-Host "Created nat rule " $firewallPolicyNatRule.Name

- $natRuleCollectionName = $rc.Name + $rule.Name

- Write-Host "Created NatRuleCollection " $fwpNatRuleCollection.Name

- Write-Host "Created NatRuleCollectionGroup " $natRuleGroup.Name

-Learn more about Azure Firewall Manager deployment: [Azure Firewall Manager deployment overview](deployment-overview.md).

-To create a support request, you must be an [Owner](../role-based-access-control/built-in-roles.md), [Contributor](../role-based-access-control/built-in-roles.md), or be assigned to the [Support Request Contributor](../role-based-access-control/built-in-roles.md) role at the subscription level. For information about creating support requests in general, see how to create a [How to create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

-The admin can follow these steps to request a limit increase:

-1. Open your [lab plan](how-to-manage-lab-plans.md) or [lab account](how-to-manage-lab-accounts.md).

-1. On the **Overview** page of the lab plan, select the **Request core limit increase** button from the menu bar at the top.

-1. On the **Basics** page of **New support request** wizard, enter a short summary that will help you remember the support request in the **Summary** textbox. The issue type, subscription, and quota type information are automatically filled out for you. Select **Next: Solutions**.

- :::image type="content" source="./media/capacity-limits/new-support-request.png" alt-text="Screenshot of new support request to request more core capacity.":::

-1. The **New support request** wizard will automatically advance from the **Solutions** page to the **Details** page.

-1. One the **Details** page, enter the following information in the **Description** page.

- - VM size. For size details, see [VM sizing](administrator-guide.md#vm-sizing).

- - Number of VMs.

- - Location. Location will be a [geography](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) or region, if using the [August 2022 Update](lab-services-whats-new.md).

-1. Under **Advanced diagnostic information**, select **No**.

-1. Under **Support method** section, select your preferred contact method. Verify contact information is correct.

-1. Select **Next: Review + create**

-1. On the **Review + create** page, select **Create** to submit the support request.

-Once you submit the support request, we'll review the request. If necessary, we'll contact you to get more details.

-In this quickstart, you created a resource group and a lab plan. To learn more about advanced options for lab plans, see [Tutorial: Create a lab plan with Azure Lab Services](tutorial-setup-lab-plan.md).

- | Region | Select **West US** |

- | Region | Select **West US**. |

- | Region | Select **West US**. |

- | Region | Select **(US) West US)** |

- | [Run configuration](#run-configuration) | A **typical way to train models** is to use a training script and job configuration. The job configuration provides the information needed to configure the training environment used to train your model. You can specify your training script, compute target, and Azure ML environment in your job configuration and run a training job. |

- | [Machine learning pipeline](#machine-learning-pipeline) | Pipelines are not a different training method, but a **way of defining a workflow using modular, reusable steps**, that can include training as part of the workflow. Machine learning pipelines support using automated machine learning and run configuration to train models. Since pipelines are not focused specifically on training, the reasons for using a pipeline are more varied than the other training methods. Generally, you might use a pipeline when:<br>* You want to **schedule unattended processes** such as long running training jobs or data preparation.<br>* Use **multiple steps** that are coordinated across heterogeneous compute resources and storage locations.<br>* Use the pipeline as a **reusable template** for specific scenarios, such as retraining or batch scoring.<br>* **Track and version data sources, inputs, and outputs** for your workflow.<br>* Your workflow is **implemented by different teams that work on specific steps independently**. Steps can then be joined together in a pipeline to implement the workflow. |

-Each of these training methods can use different types of compute resources for training. Collectively, these resources are referred to as [__compute targets__](v1/concept-azure-machine-learning-architecture.md#compute-targets). A compute target can be a local machine or a cloud resource, such as an Azure Machine Learning Compute, Azure HDInsight, or a remote virtual machine.

-* [What is the Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/intro)

-* [Install/update the SDK](/python/api/overview/azure/ml/install)

-### Run configuration

-A generic training job with Azure Machine Learning can be defined using the [ScriptRunConfig](/python/api/azureml-core/azureml.core.scriptrunconfig). The script run configuration is then used, along with your training script(s) to train a model on a compute target.

-You may start with a run configuration for your local computer, and then switch to one for a cloud-based compute target as needed. When changing the compute target, you only change the run configuration you use. A run also logs information about the training job, such as the inputs, outputs, and logs.

-* [What is a run configuration?](v1/concept-azure-machine-learning-architecture.md#run-configurations)

-* [How to: Configure a training run](v1/how-to-set-up-training-targets.md)

-* [Examples: Jupyter Notebook examples for automated machine learning](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/automated-machine-learning)

-* [How to: Autotrain a time-series forecast model](how-to-auto-train-forecast.md)

-Machine learning pipelines can use the previously mentioned training methods. Pipelines are more about creating a workflow, so they encompass more than just the training of models. In a pipeline, you can train a model using automated machine learning or run configurations.

-* [Create and run machine learning pipelines with Azure Machine Learning SDK](v1/how-to-create-machine-learning-pipelines.md)

-* [Tutorial: Use Azure Machine Learning Pipelines for batch scoring](tutorial-pipeline-batch-scoring-classification.md)

-* [Examples: Jupyter Notebook examples for machine learning pipelines](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/machine-learning-pipelines)

-* [Examples: Pipeline with automated machine learning](https://aka.ms/pl-automl)

- - The conda definition YAML (see [Create & use software environments in Azure Machine Learning](./how-to-use-environments.md))

-If you choose to train on your local machine ("configure as local run"), you do not need to use Docker. You may use Docker locally if you choose (see the section [Configure ML pipeline](v1/how-to-debug-pipelines.md) for an example).

-Learn how to [Configure a training run](v1/how-to-set-up-training-targets.md).

- * Assign the computer to another user. For more about assigning to other users, see [Create on behalf of](#create-on-behalf-of-preview).inel

-* You must have an Azure resource group, in which you (or the service principal you use) need to have `Contributor` access. You'll have such a resource group if you configured your ML extension per the above article.

-* You must have an Azure Machine Learning workspace. You'll have such a workspace if you configured your ML extension per the above article.

-# [Azure CLI](#tab/cli)

-* Install and configure the Azure CLI and ML extension. For more information, see [Install, set up, and use the CLI (v2)](how-to-configure-cli.md).

-* If you've not already set the defaults for Azure CLI, you should save your default settings. To avoid having to repeatedly pass in the values, run:

- ```azurecli

- az account set --subscription <subscription id>

- az configure --defaults workspace=<azureml workspace name> group=<resource group>

- ```

-# [Python SDK](#tab/python)

-* If you haven't installed Python SDK v2, please install with this command:

- ```azurecli

- pip install --pre azure-ai-ml

- ```

- For more information, see [Install the Azure Machine Learning SDK v2 for Python](/python/api/overview/azure/ml/installv2).

-* If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today.

-* The [Azure Machine Learning SDK v2 for Python](/python/api/overview/azure/ml/installv2).

-* You must have an Azure resource group, and you (or the service principal you use) must have Contributor access to it.

-* You must have an Azure Machine Learning workspace.

-Make note of the token, as you'll use it to authenticate all additional administrative requests. You'll do so by setting an Authorization header in all requests:

-By default, metadata for the workspace is stored in an Azure Cosmos DB instance that Microsoft maintains. This data is encrypted using Microsoft-managed keys. Instead of using the Microsoft-managed key, you can also provide your own key. Doing so creates an [additional set of resources](./concept-data-encryption.md#azure-cosmos-db) in your Azure subscription to store your data.

-To create a workspaces that uses your keys for encryption, you need to meet the following prerequisites:

-* The Azure Key Vault must exist in the same Azure region where you will create the Azure Machine Learning workspace.

-* The Azure Key Vault must have soft delete and purge protection enabled to protect against data loss in case of accidental deletion.

-To create a workspaces that uses a user-assigned managed identity and customer-managed keys for encryption, use the below request body. When using an user-assigned managed identity for the workspace, also set the `userAssignedIdentity` property to the resource ID of the managed identity.

-* An Azure Machine learning workspace. If you don't have one, see [Create a workspace](quickstart-create-resources.md).

-* The [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml).

-from azureml.core import Workspace

-ws = Workspace.from_config()

-diag_param = {

- "value": {

- }

- }

-resp = ws.diagnose_workspace(diag_param)

-For more information, see the [Workspace.diagnose_workspace()](/python/api/azureml-core/azureml.core.workspace(class)#diagnose-workspace-diagnose-parameters-) reference.

-* [Workspace.diagnose_workspace()](/python/api/azureml-core/azureml.core.workspace(class)#diagnose-workspace-diagnose-parameters-)

-1. From the Cloud Shell, use the following command to install the 1.0 CLI for Azure Machine Learning:

-* Installing, uninstalling and upgrading plugins from the Grafana Catalog aren't allowed.

-Follow this article to learn how to add multiple server credentials on the appliance configuration manager to perform software inventory (discover installed applications), agentless dependency analysis and discover web apps, and SQL Server instances and databases.

-> Currently the discovery of web apps and SQL Server instances and databases is only available in appliance used for discovery and assessment of servers running in VMware environment.

-If you want to use these features, you can provide server credentials by following the steps below. In case of servers running on vCenter Server(s) and Hyper-V host(s)/cluster(s), the appliance will attempt to automatically map the credentials to the servers to perform the discovery features.

-**Domain credentials** | You can add **Domain credentials** by selecting the option from the drop-down in the **Add credentials** modal. <br/><br/> To provide domain credentials, you need to specify the **Domain name** which must be provided in the FQDN format (for example, prod.corp.contoso.com). <br/><br/> You also need to specify a friendly name for credentials, username, and password. It is recommended to provide the credentials in the UPN format, for example, user1@contoso.com. <br/><br/> The domain credentials added will be automatically validated for authenticity against the Active Directory of the domain. This is to prevent any account lockouts when the appliance attempts to map the domain credentials against discovered servers. <br/><br/>For the appliance to validate the domain credentials with the domain controller, it should be able to resolve the domain name. Ensure that you have provided the correct domain name while adding the credentials else the validation will fail.<br/><br/> The appliance will not attempt to map the domain credentials that have failed validation. You need to have at least one successfully validated domain credential or at least one non-domain credential to start the discovery.<br/><br/>The domain credentials mapped automatically against the Windows servers will be used to perform software inventory and can also be used to discover web apps, and SQL Server instances and databases _(if you have configured Windows authentication mode on your SQL Servers)_.<br/> [Learn more](/dotnet/framework/data/adonet/sql/authentication-in-sql-server) about the types of authentication modes supported on SQL Servers.

-**SQL Server Authentication credentials** | You can add **SQL Server Authentication** credentials by selecting the option from the drop-down in the **Add credentials** modal. <br/><br/> You need to specify a friendly name for credentials, username, and password. <br/><br/> You can add this type of credentials to discover SQL Server instances and databases running in your VMware environment, if you have configured SQL Server authentication mode on your SQL Servers.<br/> [Learn more](/dotnet/framework/data/adonet/sql/authentication-in-sql-server) about the types of authentication modes supported on SQL Servers.<br/><br/> You need to provide at least one successfully validated domain credential or at least one Windows (Non-domain) credential so that the appliance can complete the software inventory to discover SQL installed on the servers before it uses the SQL Server authentication credentials to discover the SQL Server instances and databases.

-> Currently the SQL Server authentication credentials can only be provided in appliance used for discovery and assessment of servers running in VMware environment.

- You can provide domain/, Windows(non-domain)/, Linux(non-domain)/, and SQL Server authentication credentials. Learn how to [provide credentials](add-server-credentials.md) and how we handle them.

-* NC464as T4 v3

-|NC4asT4v3|Standard_NC4as_T4_v3|4|28|

-|NC8asT4v3|Standard_NC8as_T4_v3|8|56|

-|NC16asT4v3|Standard_NC16as_T4_v3|16|110|

-|NC64asT4v3|Standard_NC64as_T4_v3|64|440|

-\*Does not support Premium_LRS OS Disk, StandardSSD_LRS is used instead

-Each major version of PostgreSQL will be supported by Azure Database for PostgreSQL from the date on which Azure begins supporting the version until the version is retired by the PostgreSQL community, as provided in the [PostgreSQL community versioning policy](https://www.postgresql.org/support/versioning/).

-| Version | What's New | Azure support start date | Retirement date|

-| [PostgreSQL 11](https://www.postgresql.org/about/news/postgresql-11-released-1894/) | [Features](https://www.postgresql.org/docs/11/release-11.html) | July 24, 2019 | November 9, 2023

-You may continue to run the retired version in Azure Database for PostgreSQL. However, please note the following restrictions after the retirement date for each PostgreSQL database version:

- | The Domain Name System (DNS) server addresses to be provided to the UEs connected to this data network. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses). We recommend that you collect these addresses to allow the UEs to resolve domain names. </br></br>This value may be an empty list if you don't want to configure a DNS server for the data network (for example, if you want to use this data network for local [UE-to-UE traffic](private-5g-core-overview.md#ue-to-ue-traffic) only). | **DNS Addresses** |

- | **Dns Addresses** | Enter the DNS server addresses. You can omit this if you don't want to configure a DNS server for the UEs in this data network. |

- | **Dns Addresses** | Enter the DNS server addresses. You can omit this if you don't want to configure a DNS server for the UEs in this data network. |

-For example, the original unique event ID may be sent as an integer, but ASIM requires the value to be a string, to ensure broad compatibility among data sources. Therefore, when assigning the source field use `extned` and `tostring` instead of `project-rename`:

-| \*.azure.io:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureContainerRegistry:443 | TCP:443 | Azure Container Registry. | Can be replaced by enabling *Azure Container Registry* [service endpoint in virtual network](../virtual-network/virtual-network-service-endpoints-overview.md). |

-The following are terms you'll encounter as your set up a custom domain.

-# Prevent object replication across Azure Active Directory tenants (preview)

-By default, an authorized user is permitted to configure an object replication policy where the source account is in one Azure Active Directory (Azure AD) tenant, and the destination account is in a different tenant. If your security policies require that you restrict object replication to storage accounts that reside within the same tenant only, you can disallow the creation of policies where the source and destination accounts are in different tenants (preview). By default, cross-tenant object replication is enabled for a storage account unless you explicitly disallow it.

-> SFTP support is currently in PREVIEW and is available on general-purpose v2 and premium block blob accounts. Complete [this form](https://forms.office.com/r/gZguN0j65Y) BEFORE using the feature in preview. Registration via 'preview features' is NOT required and confirmation email will NOT be sent after filling out the form. You can IMMEDIATELY access the feature.

-> After testing your end-to-end scenarios with SFTP, please share your experience via [this form](https://forms.office.com/r/MgjezFV1NR).

->

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> SFTP support is currently in PREVIEW and is available on general-purpose v2 and premium block blob accounts. Complete [this form](https://forms.office.com/r/gZguN0j65Y) BEFORE using the feature in preview. Registration via 'preview features' is NOT required and confirmation email will NOT be sent after filling out the form. You can IMMEDIATELY access the feature.

-> After testing your end-to-end scenarios with SFTP, please share your experience via [this form](https://forms.office.com/r/MgjezFV1NR).

->

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> SFTP support is currently in PREVIEW and is available on general-purpose v2 and premium block blob accounts. Complete [this form](https://forms.office.com/r/gZguN0j65Y) BEFORE using the feature in preview. Registration via 'preview features' is NOT required and confirmation email will NOT be sent after filling out the form. You can IMMEDIATELY access the feature.

-> After testing your end-to-end scenarios with SFTP, please share your experience via [this form](https://forms.office.com/r/MgjezFV1NR).

->

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> SFTP support is currently in PREVIEW and is available on general-purpose v2 and premium block blob accounts. Complete [this form](https://forms.office.com/r/gZguN0j65Y) BEFORE using the feature in preview. Registration via 'preview features' is NOT required and confirmation email will NOT be sent after filling out the form. You can IMMEDIATELY access the feature.

-> After testing your end-to-end scenarios with SFTP, please share your experience via [this form](https://forms.office.com/r/MgjezFV1NR).

->

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-SFTP is a platform level service, so port 22 will be open even if the account option is disabled. If SFTP access is not configured then all requests will receive a disconnect from the service. When using SFTP, may want to limit public access through configuration of a firewall, virtual network, or private endpoint. These settings are enforced at the application layer, which means they are not specific to SFTP and will impact connectivity to all Azure Storage Endpoints. For more information on firewalls and network configuration, see [Configure Azure Storage firewalls and virtual networks](../common/storage-network-security.md).

-Blob storage now supports the SSH File Transfer Protocol (SFTP). This support provides the ability to securely connect to Blob Storage accounts via an SFTP endpoint, allowing you to use SFTP for file access, file transfer, and file management.

-> SFTP support is currently in PREVIEW and is available on general-purpose v2 and premium block blob accounts. Complete [this form](https://forms.office.com/r/gZguN0j65Y) BEFORE using the feature in preview. Registration via 'preview features' is NOT required and confirmation email will NOT be sent after filling out the form. You can IMMEDIATELY access the feature.

-> After testing your end-to-end scenarios with SFTP, please share your experience via [this form](https://forms.office.com/r/MgjezFV1NR).

->

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-description: Shows you how to use Resource Manager templates to upgrade from Azure Blob storage to Data Lake Storage.

-To learn how to configure customer-managed keys for a new storage account, see [Configure customer-managed keys in an Azure key vault for an existing storage account](customer-managed-keys-configure-existing-account.md).

-This article focuses on how to configure networking for when your use case calls for using Azure File Sync to cache files on-premises rather than directly mounting the Azure file share over SMB. For more information about networking considerations for an Azure Files deployment, see [Azure Files networking considerations](../files/storage-files-networking-overview.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json).

-Networking configuration for Azure File Sync spans two different Azure objects: a Storage Sync Service and an Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues. A Storage Sync Service is a management construct that represents registered servers, which are Windows file servers with an established trust relationship with Azure File Sync, and sync groups, which define the topology of the sync relationship.

-> Azure File Sync does not support internet routing. The default network routing option, Microsoft routing, is supported by Azure File Sync.

-Because Azure Files offers direct SMB protocol access on Azure file shares, customers often wonder if they need to configure special networking to mount the Azure file shares with SMB for the Azure File Sync agent to access. This is not only not required, but is also discouraged, except for administrator scenarios, due to the lack of quick change detection on changes made directly to the Azure file share (changes may not be discovered for more than 24 hours depending on the size and number of items in the Azure file share). If you desire to use the Azure file share directly, i.e. not use Azure File Sync to cache on-premises, you can learn more about the networking considerations for direct access by consulting [Azure Files networking overview](../files/storage-files-networking-overview.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json).

-Many organizations use a proxy server as an intermediary between resources inside their on-premises network and resources outside their network, such as in Azure. Proxy servers are useful for many applications such as network isolation and security, and monitoring and logging. Azure File Sync can interoperate fully with a proxy server, however you must manually configure the proxy endpoint settings for your environment with Azure File Sync. This must be done via PowerShell using the Azure File Sync server cmdlets.

-You may isolate your file servers from most internet location for security purposes. To use Azure File Sync in your environment, you need to adjust your firewall to open it up to select Azure services. You can do this by retrieving the IP address ranges for the services you required through a mechanism called [service tags](../../virtual-network/service-tags-overview.md).

-If you are using Azure File Sync within Azure, even if its a different region, you can use the name of the service tag directly in your network security group to allow traffic to that service. To learn more about how to do this, see [Network security groups](../../virtual-network/network-security-groups-overview.md).

-If you are using Azure File Sync on-premises, you can use the service tag API to get specific IP address ranges for your firewall's allow list. There are two methods for getting this information:

-To learn more about how to use the service tag API to retrieve the addresses of your services, see [Allow list for Azure File Sync IP addresses](file-sync-firewall-and-proxy.md#allow-list-for-azure-file-sync-ip-addresses).

-Some organizations require communication with Azure to go over a network tunnel, such as a virtual private private network (VPN) or ExpressRoute, for an additional layer of security or to ensure communication with Azure follows a deterministic route.

-When you establish a network tunnel between your on-premises network and Azure, you are peering your on-premises network with one or more virtual networks in Azure. A [virtual network](../../virtual-network/virtual-networks-overview.md), or VNet, is similar to a traditional network that you'd operate on-premises. Like an Azure storage account or an Azure VM, a VNet is an Azure resource that is deployed in a resource group.

-Azure Files and File Sync support the following mechanisms to tunnel traffic between your on-premises servers and Azure:

-In addition to the default public endpoints Azure Files and File Sync provide through the storage account and Storage Sync Service, Azure Files and File Sync provides the option to have one or more private endpoints per resource. When you create a private endpoint for an Azure resource, it gets a private IP address from within the address space of your virtual network, much like how your on-premises Windows file server has an IP address within the dedicated address space of your on-premises network.

-When you create a private endpoint, by default we also create a (or update an existing) private DNS zone corresponding to the `privatelink` subdomain. For public cloud regions, these DNS zones are `privatelink.file.core.windows.net` for Azure Files and `privatelink.afs.azure.net` for Azure File Sync.

-> This article uses the storage account DNS suffix for the Azure Public regions, `core.windows.net`. This commentary also applies to Azure Sovereign clouds such as the Azure US Government cloud and the Azure China cloud - just substitute the the appropriate suffixes for your environment.

-When you create private endpoints for a storage account and a Storage Sync Service, we create A records for them in their respective private DNS zones. We also update the public DNS entry such that the regular fully qualified domain names are CNAMEs for the relevant privatelink name. This enables the fully qualified domain names to point at the private endpoint IP address(es) when the requester is inside of the virtual network and to point at the public endpoint IP address(es) when the requester is outside of the virtual network.

-For Azure Files, each private endpoint has a single fully qualified domain name, following the pattern `storageaccount.privatelink.file.core.windows.net`, mapped to one private IP address for the private endpoint. For Azure File Sync, each private endpoint has four fully qualified domain names, for the four different endpoints that Azure File Sync exposes: management, sync (primary), sync (secondary), and monitoring. The fully qualified domain names for these endpoints will normally follow the the name of the Storage Sync Service unless the name contains non-ASCII characters. For example, if your Storage Sync Service name is `mysyncservice` in the West US 2 region, the equivalent endpoints would be `mysyncservicemanagement.westus2.afs.azure.net`, `mysyncservicesyncp.westus2.afs.azure.net`, `mysyncservicesyncs.westus2.afs.azure.net`, and `mysyncservicemonitoring.westus2.afs.azure.net`. Each private endpoint for a Storage Sync Service will contain 4 distinct IP addresses.

-## Encryption in-transit

-Connections made from the Azure File Sync agent to your Azure file share or Storage Sync Service are always encrypted. Although Azure storage accounts have a setting to disable requiring encryption in transit for communications to Azure Files (and the other Azure storage services that are managed out of the storage account), disabling this setting will not affect Azure File Sync's encryption when communicating with the Azure Files. By default, all Azure storage accounts have encryption in transit enabled.

-| [Complex type](https://github.com/apache/parquet-format/blob/master/LogicalTypes.md | MAP | varchar(max) |

->- You may experience the following error if types are mismatched between Parquet and SQL or if you have unsupported Parquet data types:

->**"HdfsBridge::recordReaderFillBuffer - Unexpected error encountered filling record reader buffer: ClassCastException: ..."**

-description: Explanation and examples of the CREATE TABLE AS SELECT (CTAS) statement in Synapse SQL for developing solutions.

-This article explains the CREATE TABLE AS SELECT (CTAS) T-SQL statement in Synapse SQL for developing solutions. The article also provides code examples.

-Let's say you created this table by using the default distribution type of `ROUND_ROBIN`, not specifying a distribution column in the `CREATE TABLE`.

- CustomerPONumber nvarchar(25));

-## Use CTAS to work around unsupported features

-You can also use CTAS to work around a number of the unsupported features listed below. This method can often prove helpful, because not only will your code be compliant, but it will often run faster on Synapse SQL. This performance is a result of its fully parallelized design. Scenarios include:

-* ANSI JOINS on UPDATEs

-* ANSI JOINs on DELETEs

-* MERGE statement

-> [!TIP]

-> Try to think "CTAS first." Solving a problem by using CTAS is generally a good approach, even if you're writing more data as a result.

-## ANSI join replacement for update statements

-You might find that you have a complex update. The update joins more than two tables together by using ANSI join syntax to perform the UPDATE or DELETE.

-Imagine you had to update this table:

-```sql

-CREATE TABLE [dbo].[AnnualCategorySales]

-( [EnglishProductCategoryName] NVARCHAR(50) NOT NULL

-, [CalendarYear] SMALLINT NOT NULL

-, [TotalSalesAmount] MONEY NOT NULL

-)

-WITH

-(

- DISTRIBUTION = ROUND_ROBIN

-);

-```

-The original query might have looked something like this example:

-```sql

-UPDATE acs

-SET [TotalSalesAmount] = [fis].[TotalSalesAmount]

-FROM [dbo].[AnnualCategorySales] AS acs

-JOIN (

- SELECT [EnglishProductCategoryName]

- , [CalendarYear]

- , SUM([SalesAmount]) AS [TotalSalesAmount]

- FROM [dbo].[FactInternetSales] AS s

- JOIN [dbo].[DimDate] AS d ON s.[OrderDateKey] = d.[DateKey]

- JOIN [dbo].[DimProduct] AS p ON s.[ProductKey] = p.[ProductKey]

- JOIN [dbo].[DimProductSubCategory] AS u ON p.[ProductSubcategoryKey] = u.[ProductSubcategoryKey]

- JOIN [dbo].[DimProductCategory] AS c ON u.[ProductCategoryKey] = c.[ProductCategoryKey]

- WHERE [CalendarYear] = 2004

- GROUP BY

- [EnglishProductCategoryName]

- , [CalendarYear]

- ) AS fis

-ON [acs].[EnglishProductCategoryName] = [fis].[EnglishProductCategoryName]

-AND [acs].[CalendarYear] = [fis].[CalendarYear];

-```

-Synapse SQL doesn't support ANSI joins in the `FROM` clause of an `UPDATE` statement, so you can't use the previous example without modifying it.

-You can use a combination of a CTAS and an implicit join to replace the previous example:

-```sql

-CREATE TABLE CTAS_acs

-WITH (DISTRIBUTION = ROUND_ROBIN)

-AS

-SELECT ISNULL(CAST([EnglishProductCategoryName] AS NVARCHAR(50)),0) AS [EnglishProductCategoryName]

-, ISNULL(CAST([CalendarYear] AS SMALLINT),0) AS [CalendarYear]

-, ISNULL(CAST(SUM([SalesAmount]) AS MONEY),0) AS [TotalSalesAmount]

-FROM [dbo].[FactInternetSales] AS s

-JOIN [dbo].[DimDate] AS d ON s.[OrderDateKey] = d.[DateKey]

-JOIN [dbo].[DimProduct] AS p ON s.[ProductKey] = p.[ProductKey]

-JOIN [dbo].[DimProductSubCategory] AS u ON p.[ProductSubcategoryKey] = u.[ProductSubcategoryKey]

-JOIN [dbo].[DimProductCategory] AS c ON u.[ProductCategoryKey] = c.[ProductCategoryKey]

-WHERE [CalendarYear] = 2004

-GROUP BY [EnglishProductCategoryName]

-, [CalendarYear];

-UPDATE AnnualCategorySales

-SET AnnualCategorySales.TotalSalesAmount = CTAS_ACS.TotalSalesAmount

-FROM CTAS_acs

-WHERE CTAS_acs.[EnglishProductCategoryName] = AnnualCategorySales.[EnglishProductCategoryName]

-AND CTAS_acs.[CalendarYear] = AnnualCategorySales.[CalendarYear] ;

-DROP TABLE CTAS_acs;

-```

-## ANSI join replacement for MERGE

-In Azure Synapse Analytics, [MERGE](/sql/t-sql/statements/merge-transact-sql?view=azure-sqldw-latest&preserve-view=true) (preview) with NOT MATCHED BY TARGET requires the target to be a HASH distributed table. Users can use the ANSI JOIN with [UPDATE](/sql/t-sql/queries/update-transact-sql?view=azure-sqldw-latest&preserve-view=true) or [DELETE](/sql/t-sql/statements/delete-transact-sql?view=azure-sqldw-latest&preserve-view=true) as a workaround to modify target table data based on the result from joining with another table. Here is an example.

-```sql

-CREATE TABLE dbo.Table1

- (ColA INT NOT NULL, ColB DECIMAL(10,3) NOT NULL);

-GO

-CREATE TABLE dbo.Table2

- (ColA INT NOT NULL, ColB DECIMAL(10,3) NOT NULL);

-GO

-INSERT INTO dbo.Table1 VALUES(1, 10.0);

-INSERT INTO dbo.Table2 VALUES(1, 0.0);

-GO

-UPDATE dbo.Table2

-SET dbo.Table2.ColB = dbo.Table2.ColB + dbo.Table1.ColB

-FROM dbo.Table2

- INNER JOIN dbo.Table1

- ON (dbo.Table2.ColA = dbo.Table1.ColA);

-GO

-SELECT ColA, ColB

-FROM dbo.Table2;

-```

-For more development tips, see the [development overview](sql-data-warehouse-overview-develop.md).

-Navigate to the browse blade for Log Analytics workspaces and create a workspace

-

-

-

-For more details on workspaces, visit the following [documentation](../../azure-monitor/logs/quick-create-workspace.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.jsond#create-a-workspace).

-

-Logs can be emitted to Azure Storage, Stream Analytics, or Log Analytics. For this tutorial, select Log Analytics.

-

-Navigate to your Log Analytics workspace where you can do the following:

-For details on the capabilities of log queries, visit the following [documentation](/azure/data-explorer/kusto/query/?bc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2ftoc.json).

-

-

-| where Type_s == "UserConcurrencyResourceType"

-Now that you have set up and configured Azure monitor logs, [customize Azure dashboards](../../azure-portal/azure-portal-dashboards.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) to share across your team.

-Following clients currently support screen capture protection:

-* Windows Desktop client supports screen capture protection for full desktops only.

-* macOS client version 10.7.0 or later supports screen capture protection for both RemoteApp and full desktops.

-Suppose the user attempts to use an unsupported client to connect to the protected session host. In that case, the connection will fail with error 0x1151.

-1. To configure screen capture protection, you need to install administrative templates that add rules and settings for Azure Virtual Desktop.

-2. Download the [Azure Virtual Desktop policy templates file](https://aka.ms/avdgpo) (AVDGPTemplate.cab) and extract the contents of the cab file and zip archive.

-3. Copy the **terminalserver-avd.admx** file to **%windir%\PolicyDefinitions** folder.

-4. Copy the **en-us\terminalserver-avd.adml** file to **%windir%\PolicyDefinitions\en-us** folder.

-5. To confirm the files copied correctly, open the Group Policy Editor and navigate to **Computer Configuration** -> **Administrative Templates** -> **Windows Components** -> **Remote Desktop Services** -> **Remote Desktop Session Host** -> **Azure Virtual Desktop**

-6. You should see one or more Azure Virtual Desktop policies, as shown below.

- > For more information about Central Store for Group Policy Administrative Templates, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).

-7. Open the **"Enable screen capture protection"** policy and set it to **"Enabled"**.

-* This feature protects the Remote Desktop window from being captured through a specific set of public operating system features and APIs. However, there's no guarantee that this feature will strictly protect content, for example, where someone takes photography of the screen.

-* Customers should use the feature together with disabling clipboard, drive, and printer redirection. Disabling redirection will help to prevent the user from copying the captured screen content from the remote session.

-* Users can't share the Remote Desktop window using local collaboration software, such as Microsoft Teams, when the feature is enabled. If Microsoft Teams is used, both the local Teams app and Teams running with media optimizations can't share the protected content.

-* To learn about Azure Virtual Desktop security best practices, see [Azure Virtual Desktop security best practices](security-guide.md).

- "displayName" : "Aggregate CPU %idle time",

-`PercentIdleTime` | `cpu/usage_idle` | Percentage of time during the aggregation window that processors ran the kernel idle loop

-`PercentProcessorTime` | `cpu/usage_active` | Percentage of time running a non-idle thread

-`PercentIOWaitTime` | `cpu/usage_iowait` | Percentage of time waiting for IO operations to finish

-`PercentInterruptTime` | `cpu/usage_irq` | Percentage of time running hardware or software interrupts and DPCs (deferred procedure calls)

-`PercentUserTime` | `cpu/usage_user` | Of non-idle time during the aggregation window, the percentage of time spent in user mode at normal priority

-`PercentNiceTime` | `cpu/usage_nice` | Of non-idle time, the percentage spent at lowered (nice) priority

-`PercentPrivilegedTime` | `cpu/usage_system` | Of non-idle time, the percentage spent in privileged (kernel) mode

-`AvailableMemory` | `mem/available` | Available physical memory in MiB

-`PercentAvailableMemory` | `mem/available_percent` | Available physical memory as a percentage of total memory

-`UsedMemory` | `mem/used` | In-use physical memory (MiB)

-`PercentUsedMemory` | `mem/used_percent` | In-use physical memory as a percentage of total memory

-`PagesPerSec` | `kernel_vmstat/total_pages` | Total paging (read/write)

-`PagesReadPerSec` | `kernel_vmstat/pgpgin` | Pages read from the backing store, such as swap file, program file, and mapped file

-`PagesWrittenPerSec` | `kernel_vmstat/pgpgout` | Pages written to the backing store, such as swap file and mapped file

-`AvailableSwap` | `swap/free` | Unused swap space (MiB)

-`PercentAvailableSwap` | `swap/free_percent` | Unused swap space as a percentage of the total swap

-`UsedSwap` | `swap/used` | In-use swap space (MiB)

-`PercentUsedSwap` | `swap/used_percent` | In-use swap space as a percentage of the total swap

-`BytesTransmitted` | `net/bytes_sent` | Total bytes sent since startup

-`BytesReceived` | `net/bytes_recv` | Total bytes received since startup

-`BytesTotal` | `net/bytes_total` | Total bytes sent or received since startup

-`PacketsTransmitted` | `net/packets_sent` | Total packets sent since startup

-`PacketsReceived` | `net/packets_recv` | Total packets received since startup

-`TotalRxErrors` | `net/err_in` | Number of receive errors since startup

-`TotalTxErrors` | `net/err_out` | Number of transmit errors since startup

-`TotalCollisions` | `net/drop_total` | Number of collisions reported by the network ports since startup

-`FreeSpace` | `disk/free` | Available disk space in bytes

-`UsedSpace` | `disk/used` | Used disk space in bytes

-`PercentFreeSpace` | `disk/free_percent` | Percentage of free space

-`PercentUsedSpace` | `disk/used_percent` | Percentage of used space

-`PercentFreeInodes` | `disk/inodes_free_percent` | Percentage of unused index nodes (inodes)

-`PercentUsedInodes` | `disk/inodes_used_percent` | Percentage of allocated (in use) inodes summed across all file systems

-`BytesReadPerSecond` | `diskio/read_bytes_filesystem` | Bytes read per second

-`BytesWrittenPerSecond` | `diskio/write_bytes_filesystem` | Bytes written per second

-`BytesPerSecond` | `diskio/total_bytes_filesystem` | Bytes read or written per second

-`ReadsPerSecond` | `diskio/reads_filesystem` | Read operations per second

-`WritesPerSecond` | `diskio/writes_filesystem` | Write operations per second

-`TransfersPerSecond` | `diskio/total_transfers_filesystem` | Read or write operations per second

-`ReadsPerSecond` | `diskio/reads` | Read operations per second

-`WritesPerSecond` | `diskio/writes` | Write operations per second

-`TransfersPerSecond` | `diskio/total_transfers` | Total operations per second

-`AverageReadTime` | `diskio/read_time` | Average seconds per read operation

-`AverageWriteTime` | `diskio/write_time` | Average seconds per write operation

-`AverageTransferTime` | `diskio/io_time` | Average seconds per operation

-`AverageDiskQueueLength` | `diskio/iops_in_progress` | Average number of queued disk operations

-`ReadBytesPerSecond` | `diskio/read_bytes` | Number of bytes read per second

-`WriteBytesPerSecond` | `diskio/write_bytes` | Number of bytes written per second

-`BytesPerSecond` | `diskio/total_bytes` | Number of bytes read or written per second

- "displayName": "Aggregate CPU %utilization"

- "displayName": "Used disk space on /"

-az group create --name myPPGGroup --location westus

- -l westus \

- --size Standard_D1_v2 \

- -l westus

-Learn more about the [Azure CLI](/cli/azure/ppg) commands for proximity placement groups.

-Get-AzProximityPlacementGroup

-The [deployer](automation-deployment-framework.md#deployment-components) is the execution engine of the [SAP automation framework](automation-deployment-framework.md). It's a pre-configured virtual machine (VM) that is used for executing Terraform and Ansible commands.

-> | -- | | - |

-> | `tfstate_resource_id` | Azure resource identifier for the storage account in the SAP Library that contains the Terraform state files | Required |

-> | Variable | Description | Type |

-> | -- | -- | - |

-> | `resource_group_arm_id` | Azure resource identifier for an existing resource group | Optional |

-> | `resourcegroup_tags` | Tags to be associated with the resource group | Optional |

-The recommended CIDR of the virtual network address space is /27, which allows space for 32 IP addresses. A CIDR value of /28 only allows 16 IP addresses. If you want to include Azure Firewall, use a CIDR value of /25, because Azure Firewall requires a range of /26.

-> | `management_subnet_nsg_allowed_ips` | Range of allowed IP addresses to add to Azure Firewall | Optional | |

-> | `management_firewall_subnet_address_prefix` | The address range for the subnet | Mandatory | For green field deployments. |

-> | `webapp_subnet_address_prefix` | The address range for the subnet | Mandatory | For green field deployments using the web app |

-

-The table below contains the parameters related to the deployer virtual machine.

-The Virtual Machine image is defined using the following structure:

-```python

-{

- os_type=""

- source_image_id=""

- publisher="Canonical"

- offer="0001-com-ubuntu-server-focal"

- sku="20_04-lts"

- version="latest"

-> | Variable | Description | Type |

-> | | | |

-> | Variable | Description | Type |

-> | | | - |

-> | `bastion_deployment` | Boolean flag controlling if Azure Bastion host is to be deployed | Optional | |

-The [SAP Library](automation-deployment-framework.md#deployment-components) provides the persistent storage of the Terraform state files and the downloaded SAP installation media for the control plane.

-> | Variable | Description | Type |

-> | -- | - | - |

-> | `deployer_tfstate_key` | The state file name for the deployer | Required |

-> | Variable | Description | Type |

-> | -- | -- | - |

-> | `resource_group_arm_id` | Azure resource identifier for an existing resource group | Optional |

-> | `resourcegroup_tags` | Tags to be associated with the resource group | Optional |

-### Deployer Parameters

-The table below contains the parameters that define the resource group and the resource naming.

-> [!div class="mx-tdCol2BreakAll "]

-> | Variable | Description | Type | Notes |

-> | | - | | - |

-> | `deployer_environment` | Identifier for the control plane (max 5 chars) | Mandatory | For example, `PROD` for a production environment and `NP` for a non-production environment. |

-> | `deployer_location` | The Azure region in which to deploy. | Mandatory | |

-> | `deployer_vnet` | The logical name for the deployer VNet | Mandatory | |

-> | Variable | Description | Type |

-> | - | | - |

-> | Variable | Description | Type |

-> | -- | -- | - |

-> | Variable | Description | Type |

-> | - | -- | -- |

-> | `dns_label` | DNS name of the private DNS zone | Optional |

-> | `use_private_endpoint` | Use private endpoints | Optional |

-$TF_VAR_app_registration_app_id=(az ad app create --display-name MGMT-webapp-registration --enable-id-token-issuance true --sign-in-audience AzureADMyOrg --required-resource-access ./manifest.json --query "appId").Replace('"',"")

-rm ./manifest.json

-## SAP web app deployment pipeline

-Create the SAP web app deployment pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:

-| Setting | Value |

-| - | |

-| Branch | main |

-| Path | `deploy/pipelines/21-deploy-web-app.yaml` |

-| Name | Web app deployment |

-Save the Pipeline, to see the Save option select the chevron next to the Run button. Navigate to the Pipelines section and select the pipeline. Rename the pipeline to 'Web app deployment' by choosing 'Rename/Move' from the three-dot menu on the right.

-> [!NOTE]

-> In order for the web app to function correctly, the SAP workload zone deployment and SAP system deployment pipelines must be named as specified.

-| `tf_version` | 1.2.6 | The Terraform version to use, see [Terraform download](https://www.terraform.io/downloads) |

-az pipelines variable-group create --name SDAF-General --variables ANSIBLE_HOST_KEY_CHECKING=false Deployment_Configuration_Path=WORKSPACES Branch=main S-Username=$s-user S-Password=$s-password --output yaml

-| FENCING_SPN_ID | Enter the service principal application ID for the fencing agent. | Required for highly available deployments. |

-| FENCING_SPN_PWD | Enter the service principal password for the fencing agent. | Required for highly available deployments. |

-| FENCING_SPN_TENANT | Enter the service principal tenant ID for the fencing agent. | Required for highly available deployments. |

-Wait for the deployment to finish. Once the deployment is complete, navigate to the Extensions tab and follow the instructions to finalize the configuration and update the reply-url values for the app registration.

-As a result of running the SAP workload zone deployment pipeline, part of the web app URL needed will be stored in a variable named "WEBAPP_URL_BASE" in your environment-specific variable group. Copy this value, and use it in the following command:

-After updating the reply-urls, run the pipeline.

-By default there will be no inbound public internet access to the web app apart from the deployer virtual network. To allow additional access to the web app, navigate to the Azure portal. In the deployer resource group, navigate to the app service resource. Then under settings on the left hand side, click on networking. From here, click Access restriction. Add any allow or deny rules you would like. For more information on configuring access restrictions, see [Set up Azure App Service access restrictions](../../../app-service/app-service-ip-restrictions.md).

-> [DevOps hands on lab](automation-devops-tutorial.md)

-> [Configure SAP Workload Zone](automation-configure-workload-zone.md)

-[767598]:https://launchpad.support.sap.com/#/notes/767598

-[773830]:https://launchpad.support.sap.com/#/notes/773830

-[826037]:https://launchpad.support.sap.com/#/notes/826037

-[965908]:https://launchpad.support.sap.com/#/notes/965908

-[1031096]:https://launchpad.support.sap.com/#/notes/1031096

-[1114181]:https://launchpad.support.sap.com/#/notes/1114181

-[1139904]:https://launchpad.support.sap.com/#/notes/1139904

-[1173395]:https://launchpad.support.sap.com/#/notes/1173395

-[1245200]:https://launchpad.support.sap.com/#/notes/1245200

-[1409604]:https://launchpad.support.sap.com/#/notes/1409604

-[1558958]:https://launchpad.support.sap.com/#/notes/1558958

-[1585981]:https://launchpad.support.sap.com/#/notes/1585981

-[1588316]:https://launchpad.support.sap.com/#/notes/1588316

-[1590719]:https://launchpad.support.sap.com/#/notes/1590719

-[1597355]:https://launchpad.support.sap.com/#/notes/1597355

-[1605680]:https://launchpad.support.sap.com/#/notes/1605680

-[1619720]:https://launchpad.support.sap.com/#/notes/1619720

-[1619726]:https://launchpad.support.sap.com/#/notes/1619726

-[1619967]:https://launchpad.support.sap.com/#/notes/1619967

-[1750510]:https://launchpad.support.sap.com/#/notes/1750510

-[1752266]:https://launchpad.support.sap.com/#/notes/1752266

-[1757924]:https://launchpad.support.sap.com/#/notes/1757924

-[1757928]:https://launchpad.support.sap.com/#/notes/1757928

-[1758182]:https://launchpad.support.sap.com/#/notes/1758182

-[1758496]:https://launchpad.support.sap.com/#/notes/1758496

-[1772688]:https://launchpad.support.sap.com/#/notes/1772688

-[1814258]:https://launchpad.support.sap.com/#/notes/1814258

-[1882376]:https://launchpad.support.sap.com/#/notes/1882376

-[1909114]:https://launchpad.support.sap.com/#/notes/1909114

-[1922555]:https://launchpad.support.sap.com/#/notes/1922555

-[1928533]:https://launchpad.support.sap.com/#/notes/1928533

-[1941500]:https://launchpad.support.sap.com/#/notes/1941500

-[1956005]:https://launchpad.support.sap.com/#/notes/1956005

-[1973241]:https://launchpad.support.sap.com/#/notes/1973241

-[1984787]:https://launchpad.support.sap.com/#/notes/1984787

-[1999351]:https://launchpad.support.sap.com/#/notes/1999351

-[2002167]:https://launchpad.support.sap.com/#/notes/2002167

-[2015553]:https://launchpad.support.sap.com/#/notes/2015553

-[2039619]:https://launchpad.support.sap.com/#/notes/2039619

-[2069760]:https://launchpad.support.sap.com/#/notes/2069760

-[2121797]:https://launchpad.support.sap.com/#/notes/2121797

-[2134316]:https://launchpad.support.sap.com/#/notes/2134316

-[2171857]:https://launchpad.support.sap.com/#/notes/2171857

-[2178632]:https://launchpad.support.sap.com/#/notes/2178632

-[2191498]:https://launchpad.support.sap.com/#/notes/2191498

-[2233094]:https://launchpad.support.sap.com/#/notes/2233094

-[2243692]:https://launchpad.support.sap.com/#/notes/2243692

-[azure-cli]:../../../cli-install-nodejs.md

-[azure-portal]:https://portal.azure.com

-[azure-ps]:/powershell/azure/

-[azure-quickstart-templates-github]:https://github.com/Azure/azure-quickstart-templates

-[azure-script-ps]:https://go.microsoft.com/fwlink/p/?LinkID=395017

-[azure-resource-manager/management/azure-subscription-service-limits]:../../../azure-resource-manager/management/azure-subscription-service-limits.md

-[azure-resource-manager/management/azure-subscription-service-limits-subscription]:../../../azure-resource-manager/management/azure-subscription-service-limits.md#subscription-limits

-[dbms-guide]:dbms-guide.md

-[dbms-guide-2.1]:dbms-guide.md#c7abf1f0-c927-4a7c-9c1d-c7b5b3b7212f

-[dbms-guide-2.2]:dbms-guide.md#c8e566f9-21b7-4457-9f7f-126036971a91

-[dbms-guide-2.3]:dbms-guide.md#10b041ef-c177-498a-93ed-44b3441ab152

-[dbms-guide-2]:dbms-guide.md#65fa79d6-a85f-47ee-890b-22e794f51a64

-[dbms-guide-3]:dbms-guide.md#871dfc27-e509-4222-9370-ab1de77021c3

-[dbms-guide-5.5.1]:dbms-guide.md#0fef0e79-d3fe-4ae2-85af-73666a6f7268

-[dbms-guide-5.5.2]:dbms-guide.md#f9071eff-9d72-4f47-9da4-1852d782087b

-[dbms-guide-5.6]:dbms-guide.md#1b353e38-21b3-4310-aeb6-a77e7c8e81c8

-[dbms-guide-5.8]:dbms-guide.md#9053f720-6f3b-4483-904d-15dc54141e30

-[dbms-guide-5]:dbms-guide.md#3264829e-075e-4d25-966e-a49dad878737

-[dbms-guide-8.4.1]:dbms-guide.md#b48cfe3b-48e9-4f5b-a783-1d29155bd573

-[dbms-guide-8.4.2]:dbms-guide.md#23c78d3b-ca5a-4e72-8a24-645d141a3f5d

-[dbms-guide-8.4.3]:dbms-guide.md#77cd2fbb-307e-4cbf-a65f-745553f72d2c

-[dbms-guide-8.4.4]:dbms-guide.md#f77c1436-9ad8-44fb-a331-8671342de818

-[dbms-guide-900-sap-cache-server-on-premises]:dbms-guide.md#642f746c-e4d4-489d-bf63-73e80177a0a8

-[dbms-guide-managed-disks]:dbms-guide.md#f42c6cb5-d563-484d-9667-b07ae51bce29

-[dbms-guide-figure-100]:media/virtual-machines-shared-sap-dbms-guide/100_storage_account_types.png

-[dbms-guide-figure-200]:media/virtual-machines-shared-sap-dbms-guide/200-ha-set-for-dbms-ha.png

-[dbms-guide-figure-300]:media/virtual-machines-shared-sap-dbms-guide/300-reference-config-iaas.png

-[dbms-guide-figure-400]:media/virtual-machines-shared-sap-dbms-guide/400-sql-2012-backup-to-blob-storage.png

-[dbms-guide-figure-500]:media/virtual-machines-shared-sap-dbms-guide/500-sql-2012-backup-to-blob-storage-different-containers.png

-[dbms-guide-figure-600]:media/virtual-machines-shared-sap-dbms-guide/600-iaas-maxdb.png

-[dbms-guide-figure-700]:media/virtual-machines-shared-sap-dbms-guide/700-livecach-prod.png

-[dbms-guide-figure-800]:media/virtual-machines-shared-sap-dbms-guide/800-azure-vm-sap-content-server.png

-[dbms-guide-figure-900]:media/virtual-machines-shared-sap-dbms-guide/900-sap-cache-server-on-premises.png

-[deployment-guide]:deployment-guide.md

-[deployment-guide-2.2]:deployment-guide.md#42ee2bdb-1efc-4ec7-ab31-fe4c22769b94

-[deployment-guide-3.1.2]:deployment-guide.md#3688666f-281f-425b-a312-a77e7db2dfab

-[deployment-guide-3.2]:deployment-guide.md#db477013-9060-4602-9ad4-b0316f8bb281

-[deployment-guide-3.3]:deployment-guide.md#54a1fc6d-24fd-4feb-9c57-ac588a55dff2

-[deployment-guide-3.4]:deployment-guide.md#a9a60133-a763-4de8-8986-ac0fa33aa8c1

-[deployment-guide-3]:deployment-guide.md#b3253ee3-d63b-4d74-a49b-185e76c4088e

-[deployment-guide-4.1]:deployment-guide.md#604bcec2-8b6e-48d2-a944-61b0f5dee2f7

-[deployment-guide-4.2]:deployment-guide.md#7ccf6c3e-97ae-4a7a-9c75-e82c37beb18e

-[deployment-guide-4.3]:deployment-guide.md#31d9ecd6-b136-4c73-b61e-da4a29bbc9cc

-[deployment-guide-4.4.2]:deployment-guide.md#6889ff12-eaaf-4f3c-97e1-7c9edc7f7542

-[deployment-guide-4.4]:deployment-guide.md#c7cbb0dc-52a4-49db-8e03-83e7edc2927d

-[deployment-guide-4.5.1]:deployment-guide.md#987cf279-d713-4b4c-8143-6b11589bb9d4

-[deployment-guide-4.5.2]:deployment-guide.md#408f3779-f422-4413-82f8-c57a23b4fc2f

-[deployment-guide-4.5]:deployment-guide.md#d98edcd3-f2a1-49f7-b26a-07448ceb60ca

-[deployment-guide-5.1]:deployment-guide.md#bb61ce92-8c5c-461f-8c53-39f5e5ed91f2

-[deployment-guide-5.2]:deployment-guide.md#e2d592ff-b4ea-4a53-a91a-e5521edb6cd1

-[deployment-guide-5.3]:deployment-guide.md#fe25a7da-4e4e-4388-8907-8abc2d33cfd8

-[deployment-guide-configure-monitoring-scenario-1]:deployment-guide.md#ec323ac3-1de9-4c3a-b770-4ff701def65b

-[deployment-guide-configure-proxy]:deployment-guide.md#baccae00-6f79-4307-ade4-40292ce4e02d

-[deployment-guide-figure-100]:media/virtual-machines-shared-sap-deployment-guide/100-deploy-vm-image.png

-[deployment-guide-figure-1000]:media/virtual-machines-shared-sap-deployment-guide/1000-service-properties.png

-[deployment-guide-figure-11]:deployment-guide.md#figure-11

-[deployment-guide-figure-1100]:media/virtual-machines-shared-sap-deployment-guide/1100-azperflib.png

-[deployment-guide-figure-1200]:medi-test-login.png

-[deployment-guide-figure-1300]:medi-test-executed.png

-[deployment-guide-figure-14]:deployment-guide.md#figure-14

-[deployment-guide-figure-1400]:media/virtual-machines-shared-sap-deployment-guide/1400-azperflib-error-servicenotstarted.png

-[deployment-guide-figure-300]:media/virtual-machines-shared-sap-deployment-guide/300-deploy-private-image.png

-[deployment-guide-figure-400]:media/virtual-machines-shared-sap-deployment-guide/400-deploy-using-disk.png

-[deployment-guide-figure-5]:deployment-guide.md#figure-5

-[deployment-guide-figure-50]:media/virtual-machines-shared-sap-deployment-guide/50-forced-tunneling-suse.png

-[deployment-guide-figure-500]:media/virtual-machines-shared-sap-deployment-guide/500-install-powershell.png

-[deployment-guide-figure-6]:deployment-guide.md#figure-6

-[deployment-guide-figure-600]:media/virtual-machines-shared-sap-deployment-guide/600-powershell-version.png

-[deployment-guide-figure-7]:deployment-guide.md#figure-7

-[deployment-guide-figure-700]:media/virtual-machines-shared-sap-deployment-guide/700-install-powershell-installed.png

-[deployment-guide-figure-760]:media/virtual-machines-shared-sap-deployment-guide/760-azure-cli-version.png

-[deployment-guide-figure-900]:medi-update-executed.png

-[deployment-guide-figure-azure-cli-installed]:deployment-guide.md#402488e5-f9bb-4b29-8063-1c5f52a892d0

-[deployment-guide-figure-azure-cli-version]:deployment-guide.md#0ad010e6-f9b5-4c21-9c09-bb2e5efb3fda

-[deployment-guide-install-vm-agent-windows]:deployment-guide.md#b2db5c9a-a076-42c6-9835-16945868e866

-[deployment-guide-troubleshooting-chapter]:deployment-guide.md#564adb4f-5c95-4041-9616-6635e83a810b

-[deploy-template-cli]:../../../resource-group-template-deploy-cli.md

-[deploy-template-portal]:../../../resource-group-template-deploy-portal.md

-[deploy-template-powershell]:../../../resource-group-template-deploy.md

-[dr-guide-classic]:https://go.microsoft.com/fwlink/?LinkID=521971

-[getting-started]:get-started.md

-[getting-started-dbms]:get-started.md#1343ffe1-8021-4ce6-a08d-3a1553a4db82

-[getting-started-deployment]:get-started.md#6aadadd2-76b5-46d8-8713-e8d63630e955

-[getting-started-planning]:get-started.md#3da0389e-708b-4e82-b2a2-e92f132df89c

-[getting-started-windows-classic]:../../virtual-machines-windows-classic-sap-get-started.md

-[getting-started-windows-classic-dbms]:../../virtual-machines-windows-classic-sap-get-started.md#c5b77a14-f6b4-44e9-acab-4d28ff72a930

-[getting-started-windows-classic-deployment]:../../virtual-machines-windows-classic-sap-get-started.md#f84ea6ce-bbb4-41f7-9965-34d31b0098ea

-[getting-started-windows-classic-dr]:../../virtual-machines-windows-classic-sap-get-started.md#cff10b4a-01a5-4dc3-94b6-afb8e55757d3

-[getting-started-windows-classic-ha-sios]:../../virtual-machines-windows-classic-sap-get-started.md#4bb7512c-0fa0-4227-9853-4004281b1037

-[getting-started-windows-classic-planning]:../../virtual-machines-windows-classic-sap-get-started.md#f2a5e9d8-49e4-419e-9900-af783173481c

-[ha-guide-classic]:https://go.microsoft.com/fwlink/?LinkId=613056

-[install-extension-cli]:virtual-machines-linux-enable-aem.md

-[Logo_Linux]:media/virtual-machines-shared-sap-shared/Linux.png

-[Logo_Windows]:media/virtual-machines-shared-sap-shared/Windows.png

-[msdn-set-azurermvmaemextension]:https://msdn.microsoft.com/library/azure/mt670598.aspx

-[planning-guide]:planning-guide.md

-[planning-guide-1.2]:planning-guide.md#e55d1e22-c2c8-460b-9897-64622a34fdff

-[planning-guide-11]:planning-guide.md#7cf991a1-badd-40a9-944e-7baae842a058

-[planning-guide-11.4.1]:planning-guide.md#5d9d36f9-9058-435d-8367-5ad05f00de77

-[planning-guide-11.5]:planning-guide.md#4e165b58-74ca-474f-a7f4-5e695a93204f

-[planning-guide-2.1]:planning-guide.md#1625df66-4cc6-4d60-9202-de8a0b77f803

-[planning-guide-2.2]:planning-guide.md#f5b3b18c-302c-4bd8-9ab2-c388f1ab3d10

-[planning-guide-3.1]:planning-guide.md#be80d1b9-a463-4845-bd35-f4cebdb5424a

-[planning-guide-3.2.1]:planning-guide.md#df49dc09-141b-4f34-a4a2-990913b30358

-[planning-guide-3.2.2]:planning-guide.md#fc1ac8b2-e54a-487c-8581-d3cc6625e560

-[planning-guide-3.2.3]:planning-guide.md#18810088-f9be-4c97-958a-27996255c665

-[planning-guide-3.2]:planning-guide.md#8d8ad4b8-6093-4b91-ac36-ea56d80dbf77

-[planning-guide-3.3.2]:planning-guide.md#ff5ad0f9-f7f4-4022-9102-af07aef3bc92

-[planning-guide-5.1.1]:planning-guide.md#4d175f1b-7353-4137-9d2f-817683c26e53

-[planning-guide-5.1.2]:planning-guide.md#e18f7839-c0e2-4385-b1e6-4538453a285c

-[planning-guide-5.2.1]:planning-guide.md#1b287330-944b-495d-9ea7-94b83aff73ef

-[planning-guide-5.2.2]:planning-guide.md#57f32b1c-0cba-4e57-ab6e-c39fe22b6ec3

-[planning-guide-5.2]:planning-guide.md#6ffb9f41-a292-40bf-9e70-8204448559e7

-[planning-guide-5.3.1]:planning-guide.md#6e835de8-40b1-4b71-9f18-d45b20959b79

-[planning-guide-5.3.2]:planning-guide.md#a43e40e6-1acc-4633-9816-8f095d5a7b6a

-[planning-guide-5.4.2]:planning-guide.md#9789b076-2011-4afa-b2fe-b07a8aba58a1

-[planning-guide-5.5.1]:planning-guide.md#4efec401-91e0-40c0-8e64-f2dceadff646

-[planning-guide-5.5.3]:planning-guide.md#17e0d543-7e8c-4160-a7da-dd7117a1ad9d

-[planning-guide-7.1]:planning-guide.md#3e9c3690-da67-421a-bc3f-12c520d99a30

-[planning-guide-7]:planning-guide.md#96a77628-a05e-475d-9df3-fb82217e8f14

-[planning-guide-9.1]:planning-guide.md#6f0a47f3-a289-4090-a053-2521618a28c3

-[planning-guide-azure-premium-storage]:planning-guide.md#ff5ad0f9-f7f4-4022-9102-af07aef3bc92

-[planning-guide-figure-100]:media/virtual-machines-shared-sap-planning-guide/100-single-vm-in-azure.png

-[planning-guide-figure-1300]:media/virtual-machines-shared-sap-planning-guide/1300-ref-config-iaas-for-sap.png

-[planning-guide-figure-1400]:media/virtual-machines-shared-sap-planning-guide/1400-attach-detach-disks.png

-[planning-guide-figure-1600]:media/virtual-machines-shared-sap-planning-guide/1600-firewall-port-rule.png

-[planning-guide-figure-1700]:media/virtual-machines-shared-sap-planning-guide/1700-single-vm-demo.png

-[planning-guide-figure-1900]:media/virtual-machines-shared-sap-planning-guide/1900-vm-set-vnet.png

-[planning-guide-figure-200]:media/virtual-machines-shared-sap-planning-guide/200-multiple-vms-in-azure.png

-[planning-guide-figure-2100]:media/virtual-machines-shared-sap-planning-guide/2100-s2s.png

-[planning-guide-figure-2200]:media/virtual-machines-shared-sap-planning-guide/2200-network-printing.png

-[planning-guide-figure-2300]:media/virtual-machines-shared-sap-planning-guide/2300-sapgui-stms.png

-[planning-guide-figure-2400]:media/virtual-machines-shared-sap-planning-guide/2400-vm-extension-overview.png

-[planning-guide-figure-2500]:media/virtual-machines-shared-sap-planning-guide/2500-vm-extension-details.png

-[planning-guide-figure-2600]:media/virtual-machines-shared-sap-planning-guide/2600-sap-router-connection.png

-[planning-guide-figure-2700]:media/virtual-machines-shared-sap-planning-guide/2700-exposed-sap-portal.png

-[planning-guide-figure-2800]:media/virtual-machines-shared-sap-planning-guide/2800-endpoint-config.png

-[planning-guide-figure-2900]:media/virtual-machines-shared-sap-planning-guide/2900-azure-ha-sap-ha.png

-[planning-guide-figure-300]:media/virtual-machines-shared-sap-planning-guide/300-vpn-s2s.png

-[planning-guide-figure-3000]:media/virtual-machines-shared-sap-planning-guide/3000-sap-ha-on-azure.png

-[planning-guide-figure-3200]:media/virtual-machines-shared-sap-planning-guide/3200-sap-ha-with-sql.png

-[planning-guide-figure-400]:media/virtual-machines-shared-sap-planning-guide/400-vm-services.png

-[planning-guide-figure-600]:media/virtual-machines-shared-sap-planning-guide/600-s2s-details.png

-[planning-guide-figure-700]:media/virtual-machines-shared-sap-planning-guide/700-decision-tree-deploy-to-azure.png

-[planning-guide-figure-800]:media/virtual-machines-shared-sap-planning-guide/800-portal-vm-overview.png

-[planning-guide-microsoft-azure-networking]:planning-guide.md#61678387-8868-435d-9f8c-450b2424f5bd

-[planning-guide-storage-microsoft-azure-storage-and-data-disks]:planning-guide.md#a72afa26-4bf4-4a25-8cf7-855d6032157f

-[resource-group-authoring-templates]:../../../resource-group-authoring-templates.md

-[resource-group-overview]:../../../azure-resource-manager/management/overview.md

-[resource-groups-networking]:../../../networking/networking-overview.md

-[sap-pam]:https://support.sap.com/pam

-[sap-templates-2-tier-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-2-tier-marketplace-image%2Fazuredeploy.json

-[sap-templates-2-tier-os-disk]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-2-tier-user-disk%2Fazuredeploy.json

-[sap-templates-2-tier-user-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-2-tier-user-image%2Fazuredeploy.json

-[sap-templates-3-tier-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image%2Fazuredeploy.json

-[sap-templates-3-tier-user-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-user-image%2Fazuredeploy.json

-[storage-azure-cli]:../../../storage/common/storage-azure-cli.md

-[storage-azure-cli-copy-blobs]:../../../storage/common/storage-azure-cli.md#copy-blobs

-[storage-introduction]:../../../storage/common/storage-introduction.md

-[storage-powershell-guide-full-copy-vhd]:../../../storage/common/storage-powershell-guide-full.md#how-to-copy-blobs-from-one-storage-container-to-another

-[storage-premium-storage-preview-portal]:../../disks-types.md

-[storage-redundancy]:../../../storage/common/storage-redundancy.md

-[storage-scalability-targets]:../../../storage/common/scalability-targets-standard-accounts.md

-[storage-use-azcopy]:../../../storage/common/storage-use-azcopy.md

-[template-201-vm-from-specialized-vhd]:https://github.com/Azure/azure-quickstart-templates/tree/master/201-vm-from-specialized-vhd

-[templates-101-simple-windows-vm]:https://github.com/Azure/azure-quickstart-templates/tree/master/101-simple-windows-vm

-[templates-101-vm-from-user-image]:https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-from-user-image

-[virtual-machines-linux-attach-disk-portal]:../../linux/attach-disk-portal.md

-[virtual-machines-azure-resource-manager-architecture]:../../../resource-manager-deployment-model.md

-[virtual-machines-azurerm-versus-azuresm]:../../../resource-manager-deployment-model.md

-[virtual-machines-windows-classic-configure-oracle-data-guard]:../../virtual-machines-windows-classic-configure-oracle-data-guard.md

-[virtual-machines-linux-cli-deploy-templates]:../../linux/cli-deploy-templates.md

-[virtual-machines-deploy-rmtemplates-powershell]:../../virtual-machines-windows-ps-manage.md

-[virtual-machines-linux-agent-user-guide]:../../linux/agent-user-guide.md

-[virtual-machines-linux-agent-user-guide-command-line-options]:../../linux/agent-user-guide.md#command-line-options

-[virtual-machines-linux-capture-image]:../../linux/capture-image.md

-[virtual-machines-linux-capture-image-resource-manager]:../../linux/capture-image.md

-[virtual-machines-linux-capture-image-resource-manager-capture]:../../linux/capture-image.md#step-2-capture-the-vm

-[virtual-machines-linux-configure-raid]:../../linux/configure-raid.md

-[virtual-machines-linux-configure-lvm]:../../linux/configure-lvm.md

-[virtual-machines-linux-classic-create-upload-vhd-step-1]:../../virtual-machines-linux-classic-create-upload-vhd.md#step-1-prepare-the-image-to-be-uploaded

-[virtual-machines-linux-create-upload-vhd-suse]:../../linux/suse-create-upload-vhd.md

-[virtual-machines-linux-redhat-create-upload-vhd]:../../linux/redhat-create-upload-vhd.md

-[virtual-machines-linux-how-to-attach-disk]:../../linux/add-disk.md

-[virtual-machines-linux-how-to-attach-disk-how-to-initialize-a-new-data-disk-in-linux]:../../linux/add-disk.md#connect-to-the-linux-vm-to-mount-the-new-disk

-[virtual-machines-linux-tutorial]:../../linux/quick-create-cli.md

-[virtual-machines-linux-update-agent]:../../linux/update-agent.md

-[virtual-machines-manage-availability-linux]:../../linux/manage-availability.md

-[virtual-machines-manage-availability-windows]:../../windows/manage-availability.md

-[virtual-machines-ps-create-preconfigure-windows-resource-manager-vms]:virtual-machines-windows-create-powershell.md

-[virtual-machines-sizes-linux]:../../linux/sizes.md

-[virtual-machines-sizes-windows]:../../windows/sizes.md

-[virtual-machines-windows-classic-ps-sql-alwayson-availability-groups]:./../../windows/sqlclassic/virtual-machines-windows-classic-ps-sql-alwayson-availability-groups.md

-[virtual-machines-windows-classic-ps-sql-int-listener]:./../../windows/sqlclassic/virtual-machines-windows-classic-ps-sql-int-listener.md

-[virtual-machines-sql-server-high-availability-and-disaster-recovery-solutions]:/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview

-[virtual-machines-sql-server-infrastructure-services]:/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview

-[virtual-machines-sql-server-performance-best-practices]:/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices

-[virtual-machines-upload-image-windows-resource-manager]:../../virtual-machines-windows-upload-image.md

-[virtual-machines-windows-tutorial]:../../virtual-machines-windows-hero-tutorial.md

-[virtual-machines-workload-template-sql-alwayson]:https://azure.microsoft.com/resources/templates/sql-server-2014-alwayson-existing-vnet-and-ad/

-[virtual-network-deploy-multinic-arm-cli]:../linux/multiple-nics.md

-[virtual-network-deploy-multinic-arm-ps]:../windows/multiple-nics.md

-[virtual-network-deploy-multinic-arm-template]:../../../virtual-network/template-samples.md

-[virtual-networks-configure-vnet-to-vnet-connection]:../../../vpn-gateway/vpn-gateway-vnet-vnet-rm-ps.md

-[virtual-networks-create-vnet-arm-pportal]:../../../virtual-network/manage-virtual-network.md#create-a-virtual-network

-[virtual-networks-manage-dns-in-vnet]:../../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md

-[virtual-networks-multiple-nics]:../../../virtual-network/virtual-network-deploy-multinic-classic-ps.md

-[virtual-networks-nsg]:../../../virtual-network/security-overview.md

-[virtual-networks-reserved-private-ip]:../../../virtual-network/virtual-networks-static-private-ip-arm-ps.md

-[virtual-networks-static-private-ip-arm-pportal]:../../../virtual-network/virtual-networks-static-private-ip-arm-pportal.md

-[virtual-networks-udr-overview]:../../../virtual-network/virtual-networks-udr-overview.md

-[vpn-gateway-about-vpn-devices]:../../../vpn-gateway/vpn-gateway-about-vpn-devices.md

-[vpn-gateway-create-site-to-site-rm-powershell]:../../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md

-[vpn-gateway-cross-premises-options]:../../../vpn-gateway/vpn-gateway-plan-design.md

-[vpn-gateway-site-to-site-create]:../../../vpn-gateway/vpn-gateway-site-to-site-create.md

-[vpn-gateway-vpn-faq]:../../../vpn-gateway/vpn-gateway-vpn-faq.md

-[xplat-cli]:../../../cli-install-nodejs.md

-[xplat-cli-azure-resource-manager]:../../../xplat-cli-azure-resource-manager.md

-This document covers several different areas to consider when you're deploying Oracle Database for SAP workload in Azure IaaS. Before you read this document, we recommend you read [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md). We also recommend that you read other guides in the [SAP workload on Azure documentation](./get-started.md).

-You can find information about Oracle versions and corresponding OS versions that are supported for running SAP on Oracle on Azure in SAP Note [2039619].

-General information about running SAP Business Suite on Oracle can be found at [SAP on Oracle](https://www.sap.com/community/topic/oracle.html).

-Oracle software is supported by Oracle to run on Microsoft Azure. For more information about general support for Windows Hyper-V and Azure, check the [Oracle and Microsoft Azure FAQ](https://www.oracle.com/technetwork/topics/cloud/faq-1963009.html).

-## SAP Notes relevant for Oracle, SAP, and Azure

-The following SAP Notes are related to SAP on Azure.

-| Note number | Title |

-| [1928533] |SAP Applications on Azure: Supported products and Azure VM types |

-| [2015553] |SAP on Microsoft Azure: Support prerequisites |

-| [1999351] |Troubleshooting enhanced Azure monitoring for SAP |

-| [2178632] |Key monitoring metrics for SAP on Microsoft Azure |

-| [2191498] |SAP on Linux with Azure: Enhanced monitoring |

-| [2039619] |SAP applications on Microsoft Azure using the Oracle database: Supported products and versions |

-| [2243692] |Linux on Microsoft Azure (IaaS) VM: SAP license issues |

-| [2069760] |Oracle Linux 7.x SAP installation and upgrade |

-| [1597355] |Swap-space recommendation for Linux |

-| [2171857] |Oracle Database 12c - file system support on Linux |

-| [1114181] |Oracle Database 11g - file system support on Linux |

-The exact configurations and functionality that are supported by Oracle and SAP on Azure are documented in SAP Note [#2039619](https://launchpad.support.sap.com/#/notes/2039619).

-Windows and Oracle Linux are the only operating systems that are supported by Oracle and SAP on Azure. The widely used SLES and RHEL Linux distributions aren't supported for deploying Oracle components in Azure. Oracle components include the Oracle Database client, which is used by SAP applications to connect against the Oracle DBMS.

-Exceptions, according to SAP Note [#2039619](https://launchpad.support.sap.com/#/notes/2039619), are SAP components that don't use the Oracle Database client. Such SAP components are SAP's stand-alone enqueue, message server, Enqueue replication services, WebDispatcher, and SAP Gateway.

-Even if you're running your Oracle DBMS and SAP application instances on Oracle Linux, you can run your SAP Central Services on SLES or RHEL and protect it with a Pacemaker-based cluster. Pacemaker as an high-availability framework has not been approved for support on Oracle Linux by SAP and Oracle.

-## Specifics for Oracle Database on Windows

-### Oracle Configuration guidelines for SAP installations in Azure VMs on Windows

-In accordance with the SAP installation manual, Oracle-related files shouldn't be installed or located in the OS disk of the VM (drive c:). Virtual machines of varying sizes can support a varying number of attached disks. Smaller virtual machine types can support a smaller number of attached disks.

-If you have smaller VMs and would hit the limit of the number of disks you can attach to the VM, you can install/locate Oracle home, stage, `saptrace`, `saparch`, `sapbackup`, `sapcheck`, or `sapreorg` into the OS disk. These parts of Oracle DBMS components aren't too intense on I/O and I/O throughput. This means that the OS disk can handle the I/O requirements. The default size of the OS disk should be 127 GB.

-Oracle Database and redo log files need to be stored on separate data disks. There's an exception for the Oracle temporary tablespace. `Tempfiles` can be created on D:/ (non-persistent drive). The non-persistent D:\ drive also offers better I/O latency and throughput (with the exception of A-Series VMs).

-To determine the right amount of space for the `tempfiles`, you can check the sizes of the `tempfiles` on existing systems.

-### Storage configuration

-Only single-instance Oracle using NTFS formatted disks is supported. All database files must be stored on the NTFS file system on Managed Disks (recommended) or on VHDs. These disks are mounted to the Azure VM and are based on [Azure page blob storage](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) or [Azure Managed Disks](../../managed-disks-overview.md).

-Check out the article [Azure Storage types for SAP workload](./planning-guide-storage.md) to get more details of the specific Azure block storage types suitable for DBMS workload.

-We strongly recommend using [Azure Managed Disks](../../managed-disks-overview.md). We also strongly recommend using [Azure premium storage or Azure Ultra disk](../../disks-types.md) for your Oracle Database deployments.

-Network drives or remote shares like Azure file services aren't supported for Oracle Database files. For more information, see:

-If you're using disks that are based on Azure page blob storage or Managed Disks, the statements in [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md) apply to deployments with Oracle Database as well.

-Quotas on IOPS throughput for Azure disks exist. This concept is explained in [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md). The exact quotas depend on the VM type that you use. A list of VM types with their quotas can be found at [Sizes for Windows virtual machines in Azure][virtual-machines-sizes-windows].

-To identify the supported Azure VM types, see SAP Note [1928533].

-The minimum configuration is as follows:

-| Component | Disk | Caching | Storage pool |

-| | | | |

-| \oracle\<SID>\origlogaA & mirrlogB | Premium or Ultra disk | None | Not needed |

-| \oracle\<SID>\origlogaB & mirrlogA | Premium or Ultra disk | None | Not needed |

-| \oracle\<SID>\sapdata1...n | Premium or Ultra disk | Read-only | Can be used for Premium |

-| \oracle\<SID>\oraarch | Standard | None | Not needed |

-| Oracle Home, `saptrace`, ... | OS disk (Premium) | | Not needed |

-Disks selection for hosting online redo logs should be driven by IOPS requirements. It's possible to store all sapdata1...n (tablespaces) on one single mounted disk as long as the size, IOPS, and throughput satisfy the requirements.

-The performance configuration is as follows:

-| Component | Disk | Caching | Storage pool |

-| | | | |

-| \oracle\<SID>\origlogaA | Premium or Ultra disk | None | Can be used for Premium |

-| \oracle\<SID>\origlogaB | Premium or Ultra disk | None | Can be used for Premium |

-| \oracle\<SID>\mirrlogAB | Premium or Ultra disk | None | Can be used for Premium |

-| \oracle\<SID>\mirrlogBA | Premium or Ultra disk | None | Can be used for Premium |

-| \oracle\<SID>\sapdata1...n | Premium or Ultra disk | Read-only | Recommended for premium |

-| \oracle\SID\sapdata(n+1)* | Premium or Ultra disk | None | Can be used for Premium |

-| \oracle\<SID>\oraarch* | Premium or Ultra disk | None | Not needed |

-| Oracle Home, `saptrace`, ... | OS disk (Premium) | Not needed |

-*(n+1): hosting SYSTEM, TEMP, and UNDO tablespaces. The I/O pattern of System and Undo tablespaces are different from other tablespaces hosting application data. No caching is the best option for performance of the System and Undo tablespaces.

-*oraarch: storage pool isn't necessary from a performance point of view. It can be used to get more space.

-If more IOPS are required in case of Azure premium storage, we recommend using Windows Storage Pools (only available in Windows Server 2012 and later) to create one large logical device over multiple mounted disks. This approach simplifies the administration overhead for managing the disk space, and helps you avoid the effort of manually distributing files across multiple mounted disks.

-#### Write Accelerator

-For Azure M-Series VMs, the latency writing into the online redo logs can be reduced by factors when compared to Azure premium storage. Enable Azure Write Accelerator for the disks (VHDs) based on Azure Premium Storage that are used for online redo log files. For more information, see [Write Accelerator](../../how-to-enable-write-accelerator.md). Or use Azure Ultra disk for the online redo log volume.

-### Backup/restore

-For backup/restore functionality, the SAP BR*Tools for Oracle are supported in the same way as they are on standard Windows Server operating systems. Oracle Recovery Manager (RMAN) is also supported for backups to disk and restores from disk.

-You can also use Azure Backup to run an application-consistent VM backup. The article [Plan your VM backup infrastructure in Azure](../../../backup/backup-azure-vms-introduction.md) explains how Azure Backup uses the Windows VSS functionality for executing application-consistent backups. The Oracle DBMS releases that are supported on Azure by SAP can leverage the VSS functionality for backups. For more information, see the Oracle documentation [Basic concepts of database backup and recovery with VSS](https://docs.oracle.com/en/database/oracle/oracle-database/12.2/ntqrf/basic-concepts-of-database-backup-and-recovery-with-vss.html#GUID-C085101B-237F-4773-A2BF-1C8FD040C701).

-### High availability

-Oracle Data Guard is supported for high availability and disaster recovery purposes. To achieve automatic failover in Data Guard, your need to use Fast-Start Failover (FSFA). The Observer (FSFA) triggers the failover. If you don't use FSFA, you can only use a manual failover configuration.

-For more information about disaster recovery for Oracle databases in Azure, see [Disaster recovery for an Oracle Database 12c database in an Azure environment](../oracle/oracle-disaster-recovery.md).

-### Accelerated networking

-For Oracle deployments on Windows, we strongly recommend accelerated networking as described in [Azure accelerated networking](https://azure.microsoft.com/blog/maximize-your-vm-s-performance-with-accelerated-networking-now-generally-available-for-both-windows-and-linux/). Also consider the recommendations that are made in [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md).

-### Other

-[Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md) describes other important concepts related to deployments of VMs with Oracle Database, including Azure availability sets and SAP monitoring.

-## Specifics for Oracle Database on Oracle Linux

-Oracle software is supported by Oracle to run on Microsoft Azure with Oracle Linux as the guest OS. For more information about general support for Windows Hyper-V and Azure, see the [Azure and Oracle FAQ](https://www.oracle.com/technetwork/topics/cloud/faq-1963009.html).

-The specific scenario of SAP applications leveraging Oracle Databases is supported as well. Details are discussed in the next part of the document.

-### Oracle version support

-For information about which Oracle versions and corresponding OS versions are supported for running SAP on Oracle on Azure Virtual Machines, see SAP Note [2039619].

-General information about running SAP Business Suite on Oracle can be found in the [SAP on Oracle community page](https://www.sap.com/community/topic/oracle.html).

-### Oracle configuration guidelines for SAP installations in Azure VMs on Linux

-In accordance with SAP installation manuals, Oracle-related files shouldn't be installed or located into system drivers for a VM's boot disk. Varying sizes of virtual machines support a varying number of attached disks. Smaller virtual machine types can support a smaller number of attached disks.

-In this case, we recommend installing/locating Oracle home, stage, `saptrace`, `saparch`, `sapbackup`, `sapcheck`, or `sapreorg` to boot disk. These parts of Oracle DBMS components aren't intense on I/O and I/O throughput. This means that the OS disk can handle the I/O requirements. The default size of the OS disk is 30 GB. You can expand the boot disk by using the Azure portal, PowerShell, or CLI. After the boot disk has been expanded, you can add an additional partition for Oracle binaries.

-### Storage configuration

-The filesystems of ext4, xfs, NFSv4.1 (only on Azure NetApp Files (ANF)) or Oracle ASM (see SAP Note [#2039619](https://launchpad.support.sap.com/#/notes/2039619) for release/version requirements) are supported for Oracle Database files on Azure. All database files must be stored on these file systems based on VHDs, Managed Disks, or ANF. These disks are mounted to the Azure VM and are based on [Azure page blob storage](/rest/api/storageservices/Understanding-Block-Blobs--Append-Blobs--and-Page-Blobs), [Azure Managed Disks](../../managed-disks-overview.md), or [Azure NetApp Files](https://azure.microsoft.com/services/netapp/).

-Minimum requirements list like:

-Checkout the article [Azure Storage types for SAP workload](./planning-guide-storage.md) to get more details of the specific Azure block storage types suitable for DBMS workload.

-Using Azure block storage, it is highly recommended to use [Azure managed disks](../../managed-disks-overview.md) and [Azure premium SSDs](../../disks-types.md) for your Oracle Database deployments.

-Except for Azure NetApp Files, other shared disks, network drives, or remote shares like Azure File Services (AFS) aren't supported for Oracle Database files. For more information, see the following:

-If you're using disks based on Azure page blob storage or Managed Disks, the statements made in [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md) apply to deployments with Oracle Database as well.

-Quotas on IOPS throughput for Azure disks exist. This concept is explained in [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md).The exact quotas depend on the VM type that's used. For a list of VM types with their quotas, see [Sizes for Linux virtual machines in Azure][virtual-machines-sizes-linux].

-To identify the supported Azure VM types, see SAP Note [1928533].

-Minimum configuration:

-| Component | Disk | Caching | Stripping* |

-| | | | |

-| /oracle/\<SID>/origlogaA & mirrlogB | Premium, Ultra disk, or ANF | None | Not needed |

-| /oracle/\<SID>/origlogaB & mirrlogA | Premium, Ultra disk, or ANF | None | Not needed |

-| /oracle/\<SID>/sapdata1...n | Premium, Ultra disk, or ANF | Read-only | Can be used for Premium |

-| /oracle/\<SID>/oraarch | Standard or ANF | None | Not needed |

-| Oracle Home, `saptrace`, ... | OS disk (Premium) | | Not needed |

-*Stripping: LVM stripe or MDADM using RAID0

-The disk selection for hosting Oracle's online redo logs should be driven by IOPS requirements. It's possible to store all sapdata1...n (tablespaces) on a single mounted disk as long as the volume, IOPS, and throughput satisfy the requirements.

-Performance configuration:

-| Component | Disk | Caching | Stripping* |

-| | | | |

-| /oracle/\<SID>/origlogaA | Premium, Ultra disk, or ANF | None | Can be used for Premium |

-| /oracle/\<SID>/origlogaB | Premium, Ultra disk, or ANF | None | Can be used for Premium |

-| /oracle/\<SID>/mirrlogAB | Premium, Ultra disk, or ANF | None | Can be used for Premium |

-| /oracle/\<SID>/mirrlogBA | Premium, Ultra disk, or ANF | None | Can be used for Premium |

-| /oracle/\<SID>/sapdata1...n | Premium, Ultra disk, or ANF | Read-only | Recommended for Premium |

-| /oracle/\<SID>/sapdata(n+1)* | Premium, Ultra disk, or ANF | None | Can be used for Premium |

-| /oracle/\<SID>/oraarch* | Premium, Ultra disk, or ANF | None | Not needed |

-| Oracle Home, `saptrace`, ... | OS disk (Premium) | Not needed |

-*Stripping: LVM stripe or MDADM using RAID0

-*(n+1):hosting SYSTEM, TEMP, and UNDO tablespaces: The I/O pattern of System and Undo tablespaces are different from other tablespaces hosting application data. No caching is the best option for performance of the System and Undo tablespaces.

-*oraarch: storage pool isn't necessary from a performance point of view.

-If more IOPS are required when using Azure premium storage, we recommend using LVM (Logical Volume Manager) or MDADM to create one large logical volume over multiple mounted disks. For more information, see [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms_guide_general.md) regarding guidelines and pointers on how to leverage LVM or MDADM. This approach simplifies the administration overhead of managing the disk space and helps you avoid the effort of manually distributing files across multiple mounted disks.

-If you plan to use Azure NetApp Files make sure the dNFS client is configured properly. Using dNFS is mandatory to have a supported environment. The configuration of dNFS is documented in the article [Creating an Oracle Database on Direct NFS](https://docs.oracle.com/en/database/oracle/oracle-database/19/ntdbi/creating-an-oracle-database-on-direct-nfs.html#GUID-2A0CCBAB-9335-45A8-B8E3-7E8C4B889DEA).

-An example demonstrating the usage of Azure NetApp Files based NFS for Oracle databases is presented in the blog [Deploy SAP AnyDB (Oracle 19c) with Azure NetApp Files](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/deploy-sap-anydb-oracle-19c-with-azure-netapp-files/ba-p/2064043).

-#### Write Accelerator

-For Azure M-Series VMs, when you use Azure Write Accelerator, the latency writing into the online redo logs can be reduced by factors when using Azure premium storage. Enable Azure Write Accelerator for the disks (VHDs) based on Azure Premium Storage that are used for online redo log files. For more information, see [Write Accelerator](../../how-to-enable-write-accelerator.md). Or use Azure Ultra disk for the online redo log volume.

-### Backup/restore

-For backup/restore functionality, the SAP BR*Tools for Oracle are supported in the same way as they are on bare metal and Hyper-V. Oracle Recovery Manager (RMAN) is also supported for backups to disk and restores from disk.

-For more information about how you can use Azure Backup and Recovery services for backing up and recovering Oracle databases, see [Back up and recover an Oracle Database 12c database on an Azure Linux virtual machine](../oracle/oracle-overview.md).

-[Azure Backup service](../../../backup/backup-overview.md) is also supporting Oracle backups as described in the article [Back up and recover an Oracle Database 19c database on an Azure Linux VM using Azure Backup](../oracle/oracle-database-backup-azure-backup.md).

-### High availability

-Oracle Data Guard is supported for high availability and disaster recovery purposes. To achieve automatic failover in Data Guard, you need to use Fast-Start Failover (FSFA). The Observer functionality (FSFA) triggers the failover. If you don't use FSFA, you can only use a manual failover configuration. For more information, see [Implement Oracle Data Guard on an Azure Linux virtual machine](../oracle/configure-oracle-dataguard.md).

-Disaster Recovery aspects for Oracle databases in Azure are presented in the article [Disaster recovery for an Oracle Database 12c database in an Azure environment](../oracle/oracle-disaster-recovery.md).

-### Accelerated networking

-Support for Azure Accelerated Networking in Oracle Linux is provided with Oracle Linux 7 Update 5 (Oracle Linux 7.5). If you can't upgrade to the latest Oracle Linux 7.5 release, there might be a workaround by using the RedHat Compatible Kernel (RHCK) instead of the Oracle UEK kernel.

-Using the RHEL kernel within Oracle Linux is supported according to SAP Note [#1565179](https://launchpad.support.sap.com/#/notes/1565179). For Azure Accelerated Networking, the minimum RHCKL kernel release needs to be 3.10.0-862.13.1.el7. If you're using the UEK kernel in Oracle Linux in conjunction with [Azure Accelerated Networking](https://azure.microsoft.com/blog/maximize-your-vm-s-performance-with-accelerated-networking-now-generally-available-for-both-windows-and-linux/), you need to use Oracle UEK kernel version 5.

-If you're deploying VMs from an image that's not based on Azure Marketplace, then you need to copy additional configuration files to the VM by running the following code:

-<pre><code># Copy settings from GitHub to the correct place in the VM

-sudo curl -so /etc/udev/rules.d/68-azure-sriov-nm-unmanaged.rules https://raw.githubusercontent.com/LIS/lis-next/master/hv-rhel7.x/hv/tools/68-azure-sriov-nm-unmanaged.rules

-</code></pre>

-## Next steps

-Customers can deploy select Network Virtual Appliances (NVAs) directly into a Virtual WAN hub in a solution that is jointly managed by Microsoft Azure and third-party Network Virtual Appliance vendors. Not all Network Virtual Appliances in Azure Marketplace can be deployed into a Virtual WAN hub. For a full list of available partners, see the [Partners](#partner) section of this article.

-## <a name ="partner"></a> Partners

-Partners that support these traffic flows are listed as **dual-role SD-WAN connectivity and security (Next-Generation Firewall) Network Virtual Appliances** in the [Partners section](#partner).

-By default, all managed resource groups have an deny-all Azure Active Directory assignment. Deny-all assignments prevent customers from calling write operations on any resources in the managed resource group, including Network Virtual Appliance resources.

-Permissions on resources in existing managed resource groups are not dynamically updated as new permitted actions are added by partners and require a manual refresh.