+- You configured an IP-based certificate binding, and the app's IP address has changed because of it. [Remap the A record](configure-ssl-bindings.md#remap-records-for-ip-based-ssl) in your DNS entries to the new IP address.

+description: Help secure HTTPS access to your custom domain by creating a TLS/SSL binding with a certificate. Improve your website's security by enforcing HTTPS or TLS 1.2.

+# Provide security for a custom DNS name with a TLS/SSL binding in App Service

+This article shows you how to provide security for the [custom domain](app-service-web-tutorial-custom-domain.md) in your [App Service app](./index.yml) or [function app](../azure-functions/index.yml) by creating a certificate binding. When you're finished, you can access your App Service app at the `https://` endpoint for your custom DNS name (for example, `https://www.contoso.com`).

+

+- [Scale up your App Service app](manage-scale-up.md) to one of the supported pricing tiers: Basic, Standard, Premium.

+## Add the binding

+1. From the left navigation of your app, select **Custom domains**.

+1. Next to the custom domain, select **Add binding**.

+ :::image type="content" source="media/configure-ssl-bindings/secure-domain-launch.png" alt-text="A screenshot showing how to launch the Add TLS/SSL Binding dialog." lightbox="media/configure-ssl-bindings/secure-domain-launch.png":::

+ - **Create App Service Managed Certificate** - Let App Service create a managed certificate for your selected domain. This option is the easiest. For more information, see [Create a free managed certificate](configure-ssl-certificate.md#create-a-free-managed-certificate).

+ - **Import App Service Certificate** - In **App Service Certificate**, select an [App Service certificate](configure-ssl-app-service-certificate.md) you've purchased for your selected domain.

+1. In **TLS/SSL type**, select either **SNI SSL** or **IP based SSL**.

+ - **[SNI SSL](https://en.wikipedia.org/wiki/Server_Name_Indication)**: Multiple SNI SSL bindings can be added. This option allows multiple TLS/SSL certificates to help secure multiple domains on the same IP address. Most modern browsers (including Microsoft Edge, Chrome, Firefox, and Opera) support SNI. (For more information, see [Server Name Indication](https://wikipedia.org/wiki/Server_Name_Indication).)

+ - **IP based SSL**: Only one IP SSL binding can be added. This option allows only one TLS/SSL certificate to help secure a dedicated public IP address. After you configure the binding, follow the steps in [Remap records for IP-based SSL](#remap-records-for-ip-based-ssl).<br/>IP-based SSL is supported only in Standard tier or higher.

+ Once the operation is complete, the custom domain's TLS/SSL state is changed to **Secured**.

+> A **Secured** state in **Custom domains** means that a certificate is providing security, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.

+## Remap records for IP-based SSL

+This step is needed only for IP-based SSL. For an SNI SSL binding, skip to [Test HTTPS](#test-https).

+There are potentially two changes you need to make:

+- If you have an SNI SSL binding to `<app-name>.azurewebsites.net`, [remap any CNAME mapping](app-service-web-tutorial-custom-domain.md#create-the-dns-records) to point to `sni.<app-name>.azurewebsites.net` instead. (Add the `sni` prefix.)

+## Test HTTPS

+Browse to `https://<your.custom.domain>` in various browsers to verify that your app appears.

+Your application code can inspect the protocol via the `x-appservice-proto` header. The header has a value of `http` or `https`.

+> If that's not the case, you might have left out intermediate certificates when you exported your certificate to the PFX file.

+Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps, in order:

+In App Service, [TLS termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted, inspect the `X-Forwarded-Proto` header.

+Language-specific configuration guides, such as the [Linux Node.js configuration](configure-language-nodejs.md#detect-https-session) guide, show how to detect an HTTPS session in your application code.

+#### Azure CLI

+#### PowerShell

+## Related content

+* [Frequently asked questions about creating or deleting resources in Azure App Service](./faq-configuration-and-management.yml)

+ Title: Examining logs using Azure Log Analytics

+# Use Log Analytics to examine Application Gateway Logs

+Once your Application Gateway is operational, you can enable logs to inspect the events that occur for your resource. For example, the Application Gateway Firewall logs give insight to what the Web Application Firewall (WAF) is evaluating, matching, and blocking. With Log Analytics, you can examine the data inside the firewall logs to give even more insights. For more information about log queries, see [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview).

+In this article, we will look at the Web Application Firewall (WAF) logs. You can set up [other Application Gateway logs](application-gateway-diagnostics.md) in a similar way.

+* An Azure Application Gateway WAK SKU. For more information, see [Azure Web Application Firewall on Azure Application Gateway](../web-application-firewall/ag/ag-overview.md).

+## Sending logs

+To export your firewall logs into Log Analytics, see [Diagnostic logs for Application Gateway](application-gateway-diagnostics.md#firewall-log). When you have the firewall logs in your Log Analytics workspace, you can view data, write queries, create visualizations, and add them to your portal dashboard.

+When using **AzureDiagnostics** table, you can view the raw data in the firewall log by running the following query:

+| limit 10

+When using **Resource-specific** table, you can view the raw data in the firewall log by running the following query. To know about the resource-specific tables, visit [Monitoring data reference](monitor-application-gateway-reference.md#supported-resource-log-categories-for-microsoftnetworkapplicationgateways).

+```

+AGWFirewallLogs

+| limit 10

+```

+You can drill down into the data, and plot graphs or create visualizations from here. Here are some more examples of AzureDiagnostics queries that you can use.

+ - hostPath

+ name: azure-rbac

+- **Supported distributions**: AKS enabled by Azure Arc, Kubernetes using kind.

+The connected registry extension for Azure Arc allows you to synchronize container images between your Azure Container Registry (ACR) and your on-premises Azure Arc-enabled Kubernetes cluster. This extension can be deployed to either a local or remote cluster and utilizes a synchronization schedule and window to ensure seamless syncing of images between the on-premises connected registry and the cloud-based ACR.

+> [!IMPORTANT]

+> In addition to these prerequisites, be sure to meet all [network requirements for Azure Arc-enabled Kubernetes](network-requirements.md).

+* A [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) and context pointing to your cluster. To know more about what a kubeconfig file is and how to set context to point to your cluster, please refer to this [article](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).

+> [!IMPORTANT]

+> In addition to these prerequisites, be sure to meet all [network requirements for Azure Arc-enabled Kubernetes](network-requirements.md)

+#### Version 2.x (Preview)

+The 2.x versions of the core packages change the supported framework assets and bring in support for new .NET APIs from these later versions. When using .NET 9 (Preview) or later, your app needs to reference version 2.0.0-preview1 or later of both packages.

+The 2.0.0-preview1 versions are compatible with code written against version 1.x. However, during the preview period, newer versions may introduce behavior changes that could influence the code you write.

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.DependencyInjection;

+The isolated worker model also supports middleware registration, again by using a model similar to what exists in ASP.NET. This model gives you the ability to inject logic into the invocation pipeline, and before and after functions execute.

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.DependencyInjection;

+using Microsoft.Extensions.Hosting;

+host.Run();

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.DependencyInjection;

+using Microsoft.Extensions.Hosting;

+host.Run();

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.DependencyInjection;

+using Microsoft.Extensions.Hosting;

+Use the methods of [`ILogger<T>`][ILogger&lt;T&gt;] and [`ILogger`][ILogger] to write various log levels, such as `LogWarning` or `LogError`. To learn more about log levels, see the [monitoring article](functions-monitoring.md#log-levels-and-categories). You can customize the log levels for components added to your code by registering filters:

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.Hosting;

+host.Run();

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.DependencyInjection;

+using Microsoft.Extensions.Hosting;

+using Microsoft.Extensions.Logging;

+ In this example, also replace `<framework>` with the appropriate version string, such as `v8.0`, according to your target .NET version.

+Azure Functions currently can be used with the following "Preview" or "Go-live" .NET releases:

+| Operating system | .NET preview version |

+| - | - |

+| Linux | .NET 9 Preview 7¹ |

+¹ To successfully target .NET 9, your project needs to reference the [2.x versions of the core packages](#version-2x-preview). If using Visual Studio, .NET 9 requires version 17.12 or later.

+See [Supported versions][supported-versions] for a list of generally available releases that you can use.

+When you deploy to your function app in Azure, you also need to ensure that the framework is made available to the app. During the preview period, some tools and experiences may not surface the new preview version as an option. If you do not see the preview version included in the Azure Portal, for example, you can use the REST API, Bicep templates, or the Azure CLI to configure the version manually.

+### [Windows](#tab/windows)

+For apps hosted on Windows, use the following Azure CLI command. Replace `<groupName>` with the name of the resource group, and replace `<appName>` with the name of your function app. Replace `<framework>` with the appropriate version string, such as `v8.0`.

+### [Linux](#tab/linux)

+For apps hosted on Linux, use the following Azure CLI command. Replace `<groupName>` with the name of the resource group, and replace `<appName>` with the name of your function app. Replace `<version>` with the appropriate version string, such as `8.0`.

+```azurecli

+az functionapp config set -g <groupName> -n <appName> --linux-fx-version "dotnet-isolated|<version>"

+```

+| **`--target-framework`** | Sets the target framework for the function app project. Valid only with `--worker-runtime dotnet-isolated`. Supported values are: `net9.0` (preview), `net8.0` (default), `net6.0`, and `net48` (.NET Framework 4.8). |

+| 1.x | GA ([support ends September 14, 2026](https://aka.ms/azure-functions-retirements/hostv1)) | Supported only for C# apps that must use .NET Framework. This version is in maintenance mode, with enhancements provided only in later versions. **Support will end for version 1.x on September 14, 2026.** We highly recommend you [migrate your apps to version 4.x](migrate-version-1-version-4.md?pivots=programming-language-csharp), which supports .NET Framework 4.8, .NET 6, .NET 8, and .NET 9.|

+If you are using the [isolated worker model](dotnet-isolated-process-guide.md), you can choose, `net8.0`, `net6.0`, or `net48` as the target framework. You can also choose to use [preview support](./dotnet-isolated-process-guide.md#preview-net-versions) for `net9.0`. If you are using the [in-process model](./functions-dotnet-class-library.md), you can choose `net8.0` or `net6.0`, and you must include the `Microsoft.NET.Sdk.Functions` extension set to at least `4.4.0`.

+This guide doesn't present specific examples for .NET 9 (Preview) or .NET 6. If you need to target these versions, you can adapt the .NET 8 examples.

+ If you are targeting a preview version, consult the [Functions guidance for preview .NET versions](./dotnet-isolated-process-guide.md#preview-net-versions) to ensure that the version is supported. Additional steps may be required for .NET previews.

+1. Update your references to the latest versions of: [Microsoft.Azure.Functions.Worker](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker/) and [Microsoft.Azure.Functions.Worker.Sdk](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Sdk/).

+ Title: Reserved capacity for Azure NetApp Files

+description: Learn how to optimize TCO with capacity reservations in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Reserved capacity for Azure NetApp Files

+You can save money on the storage costs for Azure NetApp Files with capacity reservations. Azure NetApp Files reserved capacity offers you a discount on capacity for storage costs when you commit to a reservation for one or three years, optimizing your TCO. A reservation provides a fixed amount of storage capacity for the term of the reservation.

+Azure NetApp Files reserved capacity can significantly reduce your capacity costs for storing data in your Azure NetApp Files volumes. How much you save depends on the total capacity you choose to reserve, and the [service level](azure-netapp-files-service-levels.md) chosen.

+For pricing information about reservation capacity for Azure NetApp Files, see [Azure NetApp Files pricing](https://azure.microsoft.com/pricing/details/netapp/).

+## Reservation terms for Azure NetApp Files

+This section describes the terms of an Azure NetApp Files capacity reservation.

+>[!NOTE]

+>Azure NetApp Files reserved capacity covers matching capacity pools in the selected service level and region. When using capacity pools configured with [Standard storage with cool access](manage-cool-access.md), only "hot" tier consumption is covered by the reserved capacity benefit.

+### Reservation capacity

+You can purchase Azure NetApp Files reserved capacity in units of 100 TiB and 1 PiB per month for a one- or three-year term for a particular service level within a region.

+### Reservation scope

+Azure NetApp Files reserved capacity is available for a single subscription and multiple subscriptions (shared scope). When scoped to a single subscription, the reservation discount is applied to the selected subscription only. When scoped to multiple subscriptions, the reservation discount is shared across those subscriptions within the customer's billing context.

+A reservation applies to your usage within the purchased scope and cannot be limited to a specific NetApp account, capacity pools, container, or object within the subscription.

+Any capacity reservation for Azure NetApp Files covers only the capacity pools within the service level selected. Add-on features such as cross-region replication and backup are not included in the reservation. As soon as you buy a reservation, the capacity charges that match the reservation attributes are charged at the discount rates instead of the pay-as-you go rates.

+For more information on Azure reservations, see [What are Azure Reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md).

+### Supported service level options

+Azure NetApp Files reserved capacity is available for Standard, Premium, and Ultra service levels in units of 100 TiB and 1 PiB.

+### Requirements for purchase

+To purchase reserved capacity:

+* You must be in the **Owner** role for at least one Enterprise or individual subscription with pay-as-you-go rates.

+* For Enterprise subscriptions, **Add Reserved Instances** must be enabled in the EA portal. Or, if that setting is disabled, you must be an EA Admin on the subscription.

+* For the Cloud Solution Provider (CSP) program, only admin agents or sales agents can buy Azure NetApp Files reserved capacity.

+## Determine required capacity before purchase

+When you purchase an Azure NetApp Files reservation, you must choose the region and tier for the reservation. Your reservation is valid only for data stored in that region and tier. For example, suppose you purchase a reservation for Azure NetApp Files *Premium* service level in US East. That reservation applies to neither *Premium* capacity pools for that subscription in US West nor capacity pools for other service levels (for example, *Ultra* service level in US East). Additional reservations can be purchased.

+Reservations are available for 100-TiB or 1-PiB increments, with higher discounts for 1-PiB increments. When you purchase a reservation in the Azure portal, Microsoft might provide you with recommendations based on your previous usage to help determine which reservation you should purchase.

+Purchasing an Azure NetApp Files reserved capacity does not automatically increase your regional capacity. Azure reservations for Azure NetApp Files are not an on-demand capacity guarantee. If your capacity reservation requires a quota increase, it's recommended you complete that before making the reservation. For more information, see [Regional capacity in Azure NetApp Files](regional-capacity-quota.md).

+## Purchase Azure NetApp Files reserved capacity

+You can purchase Azure NetApp Files reserved capacity through the [Azure portal](https://portal.azure.com/). You can pay for the reservation up front or with monthly payments. For more information about purchasing with monthly payments, see [Purchase Azure reservations with up front or monthly payments](../cost-management-billing/reservations/prepare-buy-reservation.md).

+To purchase reserved capacity:

+1. Navigate to the [**Purchase reservations**](https://portal.azure.com/#blade/Microsoft_Azure_Reservations/CreateBlade/referrer/Browse_AddCommand) blade in the Azure portal.

+2. Select **Azure NetApp Files** to buy a new reservation.

+3. Fill in the required fields as described in the table that appears.

+4. After you select the parameters for your reservation, the Azure portal displays the cost. The portal also shows the discount percentage over pay-as-you-go billing.

+5. In the **Purchase reservations** blade, review the total cost of the reservation. You can also provide a name for the reservation.

+After you purchase a reservation, it is automatically applied to any existing [Azure NetApp Files capacity pools](azure-netapp-files-set-up-capacity-pool.md) that match the terms of the reservation. If you haven't created any Azure NetApp Files capacity pools, the reservation applies when you create a resource that matches the terms of the reservation. In either case, the term of the reservation begins immediately after a successful purchase.

+## Exchange or refund a reservation

+You can exchange or refund a reservation, with certain limitations. For more information about Azure Reservations policies, see [Self-service exchanges and refunds for Azure Reservations](../cost-management-billing/reservations/exchange-and-refund-azure-reservations.md).

+<!--

+### Exchange a reservation

+Exchanging a reservation enables you to receive a prorated refund based on the unused portion of the reservation. You can then apply the refund to the purchase price of a new Azure NetApp Files reservation.

+There's no limit on the number of exchanges you can make. Also, there's no fee associated with an exchange. The new reservation that you purchase must be of equal or greater value than the prorated credit from the original reservation. An Azure NetApp Files reservation can be exchanged only for another Azure NetApp Files reservation, and not for a reservation for any other Azure service.

+### Refund a reservation

+You can cancel an Azure NetApp Files reservation at any time. When you cancel, you'll receive a prorated refund based on the remaining term of the reservation, minus a 12% early termination fee. The maximum refund per year is $50,000.

+Cancelling a reservation immediately terminates the reservation and returns the remaining months to Microsoft. The remaining prorated balance, minus the fee, will be refunded to your original form of purchase. -->

+## Expiration of a reservation

+When a reservation expires, any Azure NetApp Files capacity that you are using under that reservation is billed at the pay-as-you go rate. Reservations don't renew automatically.

+An email notification is sent 30 days prior to the expiration of the reservation, and again on the expiration date. To continue taking advantage of the cost savings that a reservation provides, renew it no later than the expiration date.

+## Need help? Contact us

+If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

+## Next steps

+* [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)

+* [Understand how reservation discounts are applied to Azure storage services](../cost-management-billing/reservations/understand-storage-charges.md)

+## September 2024

+* [Reserved capacity](reserved-capacity.md) is now generally available (GA)

+ Pay-as-you-go pricing is the most convenient way to purchase cloud storage when your workloads are dynamic or changing over time. However, some workloads are more predictable with stable capacity usage over an extended period. These workloads can benefit from savings in exchange for a longer-term commitment. With a one-year or three-year commitment of Azure NetApp Files reserved capacity, you can save up to 34% on sustained usage of Azure NetApp Files. Reserved capacity is available in stackable increments of 100 TiB and 1 PiB on Standard, Premium and Ultra service levels in a given region. Reserved capacity can be used in a single subscription (single-subscription scope), or across multiple subscriptions (shared scope) in the same Azure tenant. Azure NetApp Files reserved capacity benefits are automatically applied to existing Azure NetApp Files capacity pools in the matching region and service level. Azure NetApp Files reserved capacity not only provides cost savings but also improves financial predictability and stability, allowing for more effective budgeting. Additional usage is conveniently billed at the regular pay-as-you-go rate.

+ For more detail, see the [Azure NetApp Files reserved capacity](reserved-capacity.md) or see reservations in the Azure portal.

+

+| [VMSA-2024-0006](https://www.vmware.com/security/advisories/VMSA-2024-0006.html) ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | For ESXi 7.0, Microsoft worked with Broadcom on an AVS specific hotfix as part of the [ESXi 7.0U3o](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3o-release-notes/https://docsupdatetracker.net/index.html) rollout. For the 8.0 rollout, Azure VMware Solution is deploying [vCenter Server 8.0 U2b & ESXi 8.0 U2b](architecture-private-clouds.md#vmware-software-versions) which is not vulnerable. | Auguest 2024 - Resolved in [ESXi 7.0U3o](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3o-release-notes/https://docsupdatetracker.net/index.html) and [vCenter Server 8.0 U2b & ESXi 8.0 U2b](architecture-private-clouds.md#vmware-software-versions) |

+description: In this article, learn about symptoms, causes, and resolutions of Azure Backup failures related to the Azure Blob backups and restore.

+**Recommendation**: This error may occur if one or more containers included in the scope of protection no longer exist in the protected storage account. We recommend you to re-trigger the operation after modifying the protected container list using the edit backup instance option.

+## Common errors for Azure Blob vaulted backup

+### UserErrorInvalidParameterInRequest

+**Error code**: `UserErrorInvalidParameterInRequest`

+**Error message**: Request parameter is invalid.

+**Recommended action**: Retry the operation with valid inputs.

+### UserErrorRequestDisallowedByAzurePolicy

+**Error code**: `UserErrorRequestDisallowedByAzurePolicy`

+**Error message**: An Azure Policy is configured on the resource which is preventing the operation.

+**Recommended action**: Correct the policy and retry the operation.

+### LongRunningRestoreTrackingFailure

+**Error code**: `LongRunningRestoreTrackingFailure`

+**Error message**: Failed to track the long-running restore operation. The operation is still running and is expected to complete the restore of data.

+**Recommended action**: Track further progress of this operation using the storage account's activity log for Restore blob ranges operation.

+### LongRunningBackupTrackingFailure

+**Error code**: `LongRunningBackupTrackingFailure`

+**Error message**: Failed to track the long-running backup operation. The operation is still running and is expected to complete the backup of data.

+**Recommended action**: Track further progress of this operation using the storage account's activity log or check the blob replication status.

+### LongRunningOperationTrackingFailure

+**Error code**: `LongRunningOperationTrackingFailure`

+**Error message**: Failed to track the long-running operation. The operation is still running and is expected to complete.

+**Recommended action**: Track further progress on the operation in storage account activity log.

+### UserErrorVaultedBackupFeatureNotEnabled

+**Error code**: `UserErrorVaultedBackupFeatureNotEnabled`

+**Error message**: The subscription must be registered for the required features to use vaulted backup for blobs.

+**Recommended action**: Register your subscription for Microsoft.Storage/HardenBackup and Microsoft.DataProtection/BlobVaultedBackup.

+### ObjectReplicationPolicyCreationFailure

+**Error code**: `ObjectReplicationPolicyCreationFailure`

+**Error message**: Failed to create object replication policy on the storage account.

+**Recommended action**: Failed to create object replication policy. Wait for a few minutes and then try the operation again. If the issue persists, please contact Microsoft support.

+### UserErrorRequiredStorageFeaturesDisabled

+**Error code**: `UserErrorRequiredStorageFeaturesDisabled`

+**Error message**: The operation failed due to required storage feature(s) being disabled on the storage account.

+**Recommended action**: Enable required features for Azure backup on source Storage account.

+### UserErrorSelectedContainerPartOfAnotherORPolicy

+**Error code**: `UserErrorSelectedContainerPartOfAnotherORPolicy`

+**Error message**: The selected container is present in another Object replication policy. A given container can be part of only one OR policy at a time.

+**Recommended action**: The container from other OR policy. Or change protection intent.

+### UserErrorTooManyRestoreCriteriaGivenForBlobRestore

+**Error code**: `UserErrorTooManyRestoreCriteriaGivenForBlobRestore`

+**Error message**: The count of containers passed in the restore request exceeds the supported limit.

+**Recommended action**: Reduce the number of containers in item level restore request to adhere to the limit.

+

+### UserErrorTooManyPrefixesGivenForBlobRestore

+**Error code**: `UserErrorTooManyPrefixesGivenForBlobRestore `

+**Error message**: Restore operation failed as too many blob prefixes were given for a container

+**Recommended action**: Limit the number of blob prefixes to lower it on a per-container basis.

+### UserErrorStopProtectionNotSupportedForBlobOperationalBackup

+**Error code**: `UserErrorStopProtectionNotSupportedForBlobOperationalBackup`

+**Error message**: Stop protection is not supported for operational tier blob backups

+**Recommended action**: Operational tier blob backups cannot be stopped.up

+### UserErrorAzureStorageAccountManagementOperationLimitReached

+**Error code**: `UserErrorAzureStorageAccountManagementOperationLimitReached`

+**Error message**: Requested operation failed due to throttling by the Azure service. Azure Storage account management list operations limit reached.

+**Recommended action&&: Wait for a few minutes and then try the operation again.

+### UserErrorBlobVersionDeletedDuringBackup

+**Error code**: `UserErrorBlobVersionDeletedDuringBackup`

+**Error message**: The backup failed due to one or more blob versions getting deleted in the backup job duration.

+**Recommended action**: We recommend you to avoid tampering with blob versions while a backup job is in progress. Ensure the minimum retention configured for versions in the life cycle management policy is 7 days.

+### UserErrorBlobVersionArchivedDuringBackup

+**Error code**: `UserErrorBlobVersionArchivedDuringBackup`

+**Error message**: The backup failed due to one or more blob versions moving to the archive tier in the backup job duration.

+**Recommended action**: We recommend you to avoid tampering with blob versions while a backup job is in progress. Ensure the minimum retention configured for versions in the life cycle management policy is *7 days*.

+### UserErrorBlobVersionArchivedAndDeletedDuringBackup

+**Error code**: `UserErrorBlobVersionArchivedAndDeletedDuringBackup`

+**Error message**: The backup failed due to one or more blob versions moving to the archive tier or getting deleted in the backup job duration.

+**Recommended action**: We recommend you to avoid tampering with blob versions while a backup job is in progress. Ensure the minimum retention configured for versions in the life cycle management policy is 7 days.

+### UserErrorContainerHasImmutabilityPolicyDuringRestore

+**Error code**: `UserErrorContainerHasImmutabilityPolicyDuringRestore`

+**Error message**: One or more containers selected for the restore has an immutability policy.

+**Recommended action**: Remove the immutability policy from the container and retry the operation.

+### UserErrorArchivedRecoveryPointsRequestedForRestore

+**Error code**: `UserErrorArchivedRecoveryPointsRequestedForRestore`

+**Error message**: One or more containers selected for the restore have archived recovery points.

+**Recommended action**: Re-hydrate archived recovery points or remove containers with archived recovery points from request and retry the operation.

+### UserErrorObjectReplicationPolicyDeletionFailureOnRestoreTarget

+**Error code**: `UserErrorObjectReplicationPolicyDeletionFailureOnRestoreTarget`

+**Error message**: Failed to delete object replication policy on the restore target storage account.

+**Recommended action**: Check if a resource lock is preventing deletion. The restore has succeeded but the object replication policy created during restore operation was not cleaned up after restore completion. You must delete the policy to prevent issues in future restores.

+### UserErrorRestoreFailurePreviousObjectReplicationPolicyNotDeleted

+**Error code**: `UserErrorRestoreFailurePreviousObjectReplicationPolicyNotDeleted`

+**Error message**: Failed to restore the backup instance because an object replication policy from a previous restore is still on the restore target storage account

+**Recommended action**: Remove the old object replication policy from the restore target and retry.

+### UserErrorKeyVaultKeyWasNotFound

+**Error code**: `UserErrorKeyVaultKeyWasNotFound`

+**Error message**: Operation failed because key vault key is not found to unwrap the encryption key.

+**Recommended action**: Check the key vault settings.

+### UserErrorInvalidResourceUriInRequest

+**Error code**: `UserErrorInvalidResourceUriInRequest`

+**Error message**: Operation failed due to invalid Resource Uri in the request.

+**Recommended action**: Fix the Resource Uri format in the request object and trigger the operation again.

+### UserErrorDatasourceAndBackupVaultLocationMismatch

+**Error code**: `UserErrorDatasourceAndBackupVaultLocationMismatch`

+**Error message**: Operation failed because the datasource location is different from the Backup Vault location.

+**Recommended action**: Ensure that the datasource and the Backup Vault are in the same location.

+### LinkedAuthorizationFailed

+*Error code**: `LinkedAuthorizationFailed`

+**Error message**: The client [user name] with object ID has permissions to perform the required action [operation name] on scope [vault name], however, it does not have the required permissions to perform action(s) [operation name] on the linked scope [datasource name].

+**Recommended action**: Ensure that you have read access on the datasource associated with this backup instance to be able to trigger the restore operation. Once the required permissions are provided, retry the operation.

+description: Learn about the latest additions to Azure Communication Services.

+Use this article to stay updated on new features and other useful information related to Azure Communication Services.

+### Data retention with chat threads

+Developers can now create chat threads with a retention policy of 30 to 90 days. This feature is in preview.

+Setting a retention policy is optional. Developers can choose to create a chat thread with infinite retention (the default) or set a retention policy of 30 to 90 days. If you need to keep the thread for longer than 90 days, you can extend the time by using the Update Chat Thread Properties API. The policy is geared toward data management in organizations that need to move data into their archives for historical purposes or delete the data within a particular period.

+The policy doesn't affect existing chat threads.

+Now in general availability, PowerPoint Live gives both the presenter and the audience an engaging experience. PowerPoint Live combines presenting in PowerPoint with the connection and collaboration of a Microsoft Teams meeting.

+Meeting participants can now view PowerPoint Live sessions initiated by a Teams client by using the Azure Communication Services Web UI Library. Participants can follow along with a presentation and view presenter annotations. Developers can use this function through composites such as `CallComposite` and `CallWithChatComposite`, and through components such as `VideoGallery`.

+For more information, see [Introducing PowerPoint Live in Microsoft Teams (blog post)](https://techcommunity.microsoft.com/t5/microsoft-365-blog/introducing-powerpoint-live-in-microsoft-teams/ba-p/2140980) and [Present from PowerPoint Live in Microsoft Teams](https://support.microsoft.com/en-us/office/present-from-powerpoint-live-in-microsoft-teams-28b20e74-7165-499c-9bd4-0ad975d448ad).

+### Live reactions

+Now generally available, the updated UI library composites and components include reactions during live calls. The UI Library supports these reactions: &#128077; like, &#129505; love, &#128079; applause, &#128514; laugh, &#128558; surprise.

+Call reactions are associated with the participant who sends it and are visible to all types of participants (in-tenant, guest, federated, anonymous). Call reactions are supported in all types of calls such as rooms, groups, and meetings (scheduled, private, channel) of all sizes (small, large, extra large).

+Adding this feature encourages greater engagement within calls, because people can react in real time without needing to speak or interrupt. Developers can use this feature by adding:

+- The ability to have live call reactions to `CallComposite` and `CallwithChatComposite` composites on the web.

+- Call reactions at the component level.

+### Closed captions

+For more information, see [Closed captions overview](./concepts/voice-video-calling/closed-captions.md).

+AI can help app developers across every step of the development lifecycle: designing, building, and operating. Developers can use [Microsoft Copilot in Azure (preview)](/azure/copilot/overview) within Call Diagnostics to understand and resolve many calling issues. For example, developers can ask Copilot these questions:

+- How do I fix common causes of poor media streams in Azure Communication Services calls?

+Call Diagnostics can help developers understand call quality and reliability, so they can deliver a great calling experience to customers. Many issues can affect the quality of your calls, such as poor internet connectivity, software incompatibilities, and technical difficulties with devices.

+Getting to the root cause of these issues can alleviate potentially frustrating situations for all call participants, whether they're patients checking in for a doctor's call or students taking a lesson with a teacher. Call Diagnostics enables developers to drill down into the data to identify root problems and find a solution. You can use the built-in visualizations in the Azure portal or connect underlying usage and quality data to your own systems.

+### Business-to-consumer extensibility with Microsoft Teams for calling

+Developers can take advantage of calling interoperability for Microsoft Teams users in Azure Communication Services calling workflows. This feature is now in general availability.

+Developers can use [Call Automation APIs](./concepts/call-automation/call-automation.md) to bring Teams users into business-to-consumer (B2C) calling workflows and interactions, which helps you deliver advanced customer service solutions. This interoperability is offered over VoIP to reduce telephony infrastructure overhead. Developers can add Teams users to Azure Communication Services calls by using the participants' Microsoft Entra object IDs (OIDs).

+#### Use cases

+- **Teams as an extension of an agent desktop**: Connect your contact center as a service (CCaaS) solution to Teams and enable your agents to handle customer calls on Teams. Having Teams as the single-pane-of-glass solution for both internal and B2C communication can increase agents' productivity and empower them to deliver first-class service to customers.

+- **Expert consultation**: Businesses can use Teams to invite subject matter experts into their customer service workflows for expedient issue resolution and to improve the rate of first-call resolution.

+Azure Communication Services B2C extensibility with Microsoft Teams helps customers reach sales and support teams and helps businesses deliver effective customer experiences.

+For more information, see [Call Automation workflow interoperability with Microsoft Teams](./concepts/call-automation/call-automation-teams-interop.md).

+### Image sharing in Microsoft Teams meetings

+Microsoft Teams users can share images with Azure Communication Services users in the context of a Teams meeting. This feature is now generally available. Image sharing enhances collaboration in real time for meetings. Image overlay is also supported for users to look at it in detail.

+Image sharing is helpful in many scenarios, such as a business that shares photos to showcase its work or doctors who share images with patients for aftercare instructions.

+Try out this feature by using either the UI Library or the Chat SDK. The SDK is available in C# (.NET), JavaScript, Python, and Java. For more information, see:

+- [Enable an inline image by using the UI Library in Teams meetings](./tutorials/inline-image-tutorial-interop-chat.md)

+- [GitHub sample: Adding image sharing](https://azure.github.io/communication-ui-library/?path=/docs/composites-call-with-chat-jointeamsmeeting--join-teams-meeting#adding-image-sharing)

+### Deep noise suppression

+Deep noise suppression is currently in preview. Noise suppression improves VoIP and video calls by eliminating background noise, so it's easier to talk and listen. For example, if you're taking an Azure Communication Services WebJS call in a coffee shop, turning on noise suppression can improve the calling experience by eliminating background sounds from the shop.

+### Calling SDKs for Android, iOS, and Windows

+We updated the native Calling SDKs to improve the customer experience. This release includes:

+- Android TelecomManager integration

+- Unidirectional communication in Data Channel

+- Time-to-live lifespan for push notifications

+Custom background for video calls is generally available. This feature enables customers to remove distractions behind them. Customers can upload their own personalized images for use as a background.

+For example, business owners can use the Calling SDK to show custom backgrounds in place of the actual background. You can, for example, upload an image of a modern and spacious office and set it as the background for video calls. Anyone who joins the call sees the customized background, which looks realistic and natural. You can also use custom branding images as a background to show fresh images to your customers.

+For more information, see [Quickstart: Add video effects to your video calls](./quickstarts/voice-video-calling/get-started-video-effects.md).

+Proxy configuration is now generally available. Some environments, such as industries that are highly regulated or that deal with confidential information, require proxies to help secure and control network traffic. You can use the Calling SDK to configure the HTTP and media proxies for your Azure Communication Services calls. This way, you can ensure that your communications are compliant with network policies and regulations. You can use the native SDK methods to set the proxy configuration for your app.

+For more information, see [Proxy your calling traffic](./tutorials/proxy-calling-support-tutorial.md?pivots=platform-android).

+#### Android TelecomManager integration

+Android TelecomManager manages audio and video calls on Android devices. Use Android TelecomManager to provide a consistent user experience across various Android apps and devices, such as showing incoming and outgoing calls in the system UI, routing audio to devices, and handling call interruptions.

+Now you can integrate your app with Android TelecomManager to take advantage of its features for your custom calling scenarios. For more information, see [Integrate with TelecomManager](./how-tos/calling-sdk/telecommanager-integration.md).

+#### Unidirectional communication in Data Channel

+The Data Channel API is generally available. Data Channel includes unidirectional communication, which enables real-time messaging during audio and video calls. By using this API, you can integrate data exchange functions into the applications to help provide a seamless communication experience for users.

+The Data Channel API enables users to instantly send and receive messages during an ongoing audio or video call, promoting smooth and efficient communication. In a group call, a participant can send messages to a single participant, a specific set of participants, or all participants within the call. This flexibility enhances communication and collaboration among users during group interactions.

+#### Time-to-live lifespan for push notifications

+The time to live (TTL) for push notifications is now generally available. TTL is the duration for which a push notification token is valid. Using a longer-duration TTL can help your app reduce the number of new token requests from your users and improve the experience.

+For example, suppose you created an app that enables patients to book virtual medical appointments. The app uses push notifications to display an incoming call UI when the app isn't in the foreground. Previously, the app had to request a new push notification token from the user every 24 hours, which could be annoying and disruptive. With the extended TTL feature, you can now configure the push notification token to last for up to six months, depending on your business needs. This way, the app can avoid frequent token requests and provide a smoother calling experience for your customers.

+For more information, see [Enable push notifications for calls](./how-tos/calling-sdk/push-notifications.md#ttl-token).

+By using the Azure Communication Services Calling SDK native UI Library, you can now generate encrypted logs for troubleshooting and provide customers with an optional audio-only mode for joining calls.

+Now in general availability, you can encrypt logs when troubleshooting on the Calling SDK native UI Library for Android and iOS. You can easily generate encrypted logs to share with Azure support. Ideally, calls just work, or developers self-remediate issues. But customers always have Azure support as a last line of defense. And we strive to make those engagements as easy and fast as possible.

+#### Audio-only mode in the UI Library

+The audio-only mode in the Calling SDK UI Library is now generally available. It enables participants to join calls by using only their audio, without sharing or receiving video. Participants can use this feature to conserve bandwidth and maximize privacy.

+When audio-only mode is activated, it automatically disables the video function for both sending and receiving streams. It adjusts the UI to reflect this change by removing video-related controls.

+For more information, see [Enable audio-only mode in the UI Library](./how-tos/ui-library-sdk/audio-only-mode.md).

+### Calling to Microsoft Teams call queues and auto attendants

+Calling to Teams call queues and auto attendants is now generally available in Azure Communication Services, along with click-to-call for Teams Phone.

+Organizations can enable customers to quickly reach their sales and support members on Microsoft Teams. When you add a [click-to-call widget](./tutorials/calling-widget/calling-widget-tutorial.md) onto a website, such as a **Sales** button that points to a sales department or a **Purchase** button that points to procurement, customers are just one click away from a direct connection to a Teams call queue or auto attendant.

+Learn more about joining your calling app to a Teams [call queue](./quickstarts/voice-video-calling/get-started-teams-call-queue.md) or [auto attendant](./quickstarts/voice-video-calling/get-started-teams-auto-attendant.md), and about [building contact center applications](./tutorials/contact-center.md).

+### Email updates

+Updates to the Azure Communication Services email service include SMTP support, opt-out management, Azure PowerShell cmdlets, and Azure CLI extensions.

+SMTP support in Azure Communication Services email is now generally available. Developers can use it to easily send emails, improve security features, and have more control over outgoing communications.

+The SMTP relay service acts as a link between email clients and mail servers to help deliver emails more effectively. It sets up a specialized relay infrastructure that not only handles higher throughput needs and successful email delivery, but also improves authentication to help protect communication. This service also offers businesses a centralized platform that lets them manage outgoing emails for all B2C communications and get insights into email traffic.

+With this capability, customers can switch from on-premises SMTP solutions or link their line-of-business applications to a cloud-based solution platform with Azure Communication Services email. SMTP support enables:

+- A reliable SMTP endpoint with TLS 1.2 encryption.

+- Authentication with a Microsoft Entra application ID for sending emails via SMTP.

+- High-volume sending support for B2C communications via SMTP and REST APIs.

+- Compliance with data-handling and privacy requirements for customers.

+For more information, see [Email SMTP support](./concepts/email/email-smtp-overview.md).

+#### Opt-out management

+Email opt-out management, now in preview, offers a centralized unsubscribe list and opt-out preferences saved to a data store. This feature helps developers meet guidelines of email providers who require one-click list-unsubscribe implementation in the emails sent from their platforms.

+Opt-out management helps you identify and avoid delivery problems. You can maintain compliance by adding suppression list features to help improve reputation and enable customers to easily manage opt-outs.

+#### Azure PowerShell cmdlets and Azure CLI extensions

+To enhance the developer experience, Azure Communication Services is introducing more Azure PowerShell cmdlets and Azure CLI extensions for working with email.

+##### Azure PowerShell cmdlets

+With the addition of the new cmdlets, developers can use Azure PowerShell cmdlets for all CRUD (create, read, update, delete) operations for the email service, including:

+- Create a communication service resource (existing)

+- Create an email service resource (new)

+- Create a resource for an Azure-managed or custom domain (new)

+- Initiate or cancel custom domain verification (new)

+- Link a domain resource to a communication service resource (existing)

+Learn more in the [Azure PowerShell reference](/powershell/module/az.communication/).

+##### Azure CLI extensions

+Developers can use Azure CLI extensions for their end-to-end flow for sending email, including:

+- Create a communication service resource (existing)

+- Create an email service resource (new)

+- Create a resource for an Azure-managed or custom domain (new)

+- Link a domain resource to a communication service resource (existing)

+- Send an email (existing)

+Learn more in the [Azure CLI reference](/cli/azure/communication/email).

+### Limited-access user tokens

+Limited-access user tokens are now in general availability. Limited-access user tokens enable customers to exercise finer control over user capabilities such as starting a new call/chat or participating in an ongoing call/chat.

+When a customer creates an Azure Communication Services user identity, the user is granted the capability to participate in chats or calls through access tokens. For example, a user must have a chat token to participate in chat threads or a VoIP token to participate in VoIP calls. A user can have multiple tokens simultaneously.

+With the limited-access tokens, Azure Communication Services supports controlling full access versus limited access within chats and calls. Customers can control users' ability to initiate a new call or chat, as opposed to participating in existing calls or chats.

+These tokens solve the cold-call or cold-chat issue. For example, without limited-access tokens, a user who has a VoIP token can initiate calls and participate in calls. So theoretically, a defendant could call a judge directly or a patient could call a doctor directly. This situation is undesirable for most businesses. Developers can now give a limited-access token to a patient who then can join a call but can't initiate a direct call to anyone.

+Try Phone Calling, now in preview, is a tool in the Azure portal that helps customers confirm the setup of a telephony connection by making a phone call. It applies to both voice calling (PSTN) and direct routing. Try Phone Calling enables developers to quickly test Azure Communication Services calling capabilities, without an existing app or code on their end.

+For more information, see [Try Phone Calling](./concepts/telephony/try-phone-calling.md).

+### Native UI Library updates

+Updates to the native UI Library including moving User Facing Diagnostics to general availability and releasing one-to-one calling and iOS CallKit integration.

+#### User Facing Diagnostics

+User Facing Diagnostics is now in general availability. This feature enhances the user experience by providing a set of events that can be triggered when some signal of the call is triggered. For example, an event can be triggered when a participant is talking but the microphone is muted, or if the device isn't connected to a network. You can subscribe to triggers such as weak network signals or muted microphones, so you're always aware of any factors that affect calls.

+Bringing User Facing Diagnostics into the UI Library helps customers implement events for a more fluid experience. Customers can use User Facing Diagnostics to notify users in real time if they face connectivity and quality problems during the call, such as network problems. Users receive a pop-up notification about these problems during the call. This feature also sends telemetry to help you track any event and review the call status.

+#### One-to-one calling

+One-to-one calling for Android and iOS is now available in preview version 1.6.0. With this latest preview release, starting a call is as simple as a tap. Recipients are promptly alerted with a push notification to answer or decline the call.

+If the iOS-native application requires direct calling between two entities, developers can use the one-to-one calling function to make it happen. An example scenario is a client who needs to call a financial advisor to make account changes.

+#### iOS CallKit integration

+Azure Communication Services integrates CallKit, in preview, for a native iOS call experience. Now, calls made through the Native UI SDK have the same iOS calling features, such as notification, call history, and call on hold. These iOS features blend seamlessly with the existing native experience.

+This update enables UI Library developers to avoid spending time on integration. CallKit provides an out-of-the-box experience, meaning that integrated apps use the same interfaces as regular cellular calls. For users, incoming VoIP calls display the familiar iOS call screen for a consistent and intuitive experience.

+Azure Communication Services continues to expand Direct Offers to new geographies. PSTN Direct Offers is in general availability for 42 countries:

+> Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Colombia, Denmark, Finland, France, Germany, Hong Kong, Indonesia, Ireland, Israel, Italy, Japan, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Philippines, Poland, Portugal, Puerto Rico, Saudi Arabia, Singapore, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, UAE (United Arab Emirates), United Kingdom, United States

+In addition to getting all current offers into general availability, we've introduced more than 400 new cross-country offers.

+### Dial-out to a PSTN number

+Virtual Rooms support VoIP audio and video calling. Now you can also dial out PSTN numbers and include the PSTN participants in an ongoing call.

+Virtual Rooms empower developers to exercise control over PSTN dial-out capability in two ways. Developers can not only enable/disable PSTN dial-out capability for specific Virtual Rooms but also control which users in Virtual Rooms can initiate PSTN dial-out. Only users who have the Presenter role can initiate a PSTN dial-out, to help ensure secure and structured communication.

+### Remote mute of call participants

+Participants can now mute other participants in Virtual Rooms calls. Previously, participants in Virtual Rooms calls could only mute/unmute themselves. There are times when participants want to mute other people due to background noise or if someone's microphone is left unmuted.

+### Call recording in Virtual Rooms

+Developers can now start, pause, and stop call recording in calls conducted in Virtual Rooms. Call recording is a service-side capability. Developers start, pause, and stop recording by using server-side API calls. This feature enables invited participants who might not make the original session to view the recording and stay up to date asynchronously.

+### Closed captions in Virtual Rooms

+Closed captioning is the conversion of an audio track for a voice or video call into written words that appear in real time. Closed captions are a useful tool for participants who prefer to read the audio text in order to engage more actively in conversations and meetings. Closed captions also help in scenarios where participants might be in noisy environments or have audio equipment problems.

+Closed captions are never saved and are visible only to the user who enabled them.

+For more information, see [Closed captions overview](./concepts/voice-video-calling/closed-captions.md).

+Azure Communication Services Call Diagnostics is available in preview. Call Diagnostics helps developers troubleshoot and improve their applications for voice and video calling.

+Call Diagnostics is an Azure Monitor experience that offers specialized telemetry and diagnostic pages in the Azure portal. With Call Diagnostics, you can access and analyze data, visualizations, and insights for each call. Then you can identify and resolve issues that affect the user experience.

+Call Diagnostics works with other Azure Communication Services features, such as noise suppression and pre-call troubleshooting, to deliver reliable video-calling experiences that are easy to develop and operate.

+### WebJS Calling updates

+The following APIs for WebJS Calling features moved to general availability: Media Quality Statistics, Video Constraints, and Data Channel.

+Developers can use the Media Quality Statistics API to better understand their video-calling quality and reliability experience in real time from within the Calling SDK. When developers understand from the client side what their customers are experiencing, they can delve deeper into understanding and mitigating any problems that arise for users.

+For more information, see [Media quality statistics](./concepts/voice-video-calling/media-quality-sdk.md).

+Developers can use the Video Constraints API to better manage the overall quality of calls. For example, if a developer knows that a participant has a poor internet connection, the developer can limit video resolution size on the sender side to use less bandwidth. The result is an improved calling experience for the participant.

+For more information about improving the calling experience by using the Video Constraints API, see [Quickstart: Set video constraints in your calling app](./quickstarts/voice-video-calling/get-started-video-constraints.md).

+The Data Channel API enables real-time messaging during audio and video calls. This function enables developers to manage their own data pipeline and send their own unique messages to remote participants on a call. A data channel enhances communication capabilities by enabling local participants to connect directly to remote participants when the scenario requires it.

+## Related content

+- For a complete list of new features and bug fixes, see the [releases page](https://github.com/Azure/Communication/releases) on GitHub.

+- For more blog posts, see the [Azure Communication Services blog](https://techcommunity.microsoft.com/t5/azure-communication-services/bg-p/AzureCommunicationServicesBlog).

+To make the collection of Java metrics available to your app, configure your container app with some specific settings.

+# [create](#tab/create)

+# [update](#tab/update)

+1. Go to your container app in the [Azure portal](https://portal.azure.com).

+1. In the *Overview* section, under *Essentials*, find *Development stack* and select **manage**.

+1. In the *Development stack* drop down, select **Java**.

+1. Select **Apply**.

+| [Launch Your First Java app](java-get-started.md?pivots=war) |A monolithic Java application called PetClinic built with Spring Framework. PetClinic is a well-known sample application provided by the Spring Framework community. |

+- [Microsoft Sentinel - Pre-Purchase](../../sentinel/billing-pre-purchase-plan.md?toc=/azure/cost-management-billing/reservations/toc.json)

+- **Azure NetApp Files** - A capacity reservation covers matching capacity pools in the selected service level and region. When using capacity pools configured with [Standard storage with cool access](../../azure-netapp-files/manage-cool-access.md), only "hot" tier consumption is covered by the reserved capacity benefit.

+If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

+

+> [!NOTE]

+> The Export functionality will not include Access Control List (ACL) or metadata regarding the files and folders. If you are exporting Azure Files data, you may consider using a tool such as Robocopy to apply ACLs to the target folders prior to import.

+### Shut down an appliance

+## Traffic capture filters

+To reduce alert fatigue and focus your network monitoring on high priority traffic, you may decide to filter the traffic that streams into Defender for IoT at the source. Capture filters allow you to block high-bandwidth traffic at the hardware layer, optimizing both appliance performance and resource usage.

+Use include an/or exclude lists to create and configure capture filters on your OT network sensors, making sure that you don't block any of the traffic that you want to monitor.

+The basic use case for capture filters uses the same filter for all Defender for IoT components. However, for advanced use cases, you may want to configure separate filters for each of the following Defender for IoT components:

+- `horizon`: Captures deep packet inspection (DPI) data

+- `collector`: Captures PCAP data

+- `traffic-monitor`: Captures communication statistics

+> [!NOTE]

+> - Capture filters don't apply to [Defender for IoT malware alerts](../alert-engine-messages.md#malware-engine-alerts), which are triggered on all detected network traffic.

+>

+> - The capture filter command has a character length limit that's based on the complexity of the capture filter definition and the available network interface card capabilities. If your requested filter commmand fails, try grouping subnets into larger scopes and using a shorter capture filter command.

+### Create a basic filter for all components

+The method used to configure a basic capture filter differs, depending on the user performing the command:

+- **cyberx** user: Run the specified command with specific attributes to configure your capture filter.

+- **admin** user: Run the specified command, and then enter values as [prompted by the CLI](#create-a-basic-capture-filter-using-the-admin-user), editing your include and exclude lists in a nano editor.

+Use the following commands to create a new capture filter:

+|User |Command |Full command syntax |

+||||

+| **admin** | `network capture-filter` | No attributes.|

+| **cyberx**, or **admin** with [root access](references-work-with-defender-for-iot-cli-commands.md#access-the-system-root-as-an-admin-user) | `cyberx-xsense-capture-filter` | `cyberx-xsense-capture-filter [-h] [-i INCLUDE] [-x EXCLUDE] [-etp EXCLUDE_TCP_PORT] [-eup EXCLUDE_UDP_PORT] [-itp INCLUDE_TCP_PORT] [-iup INCLUDE_UDP_PORT] [-vlan INCLUDE_VLAN_IDS] -m MODE [-S]` |

+Supported attributes for the *cyberx* user are defined as follows:

+|Attribute |Description |

+|||

+|`-h`, `--help` | Shows the help message and exits. |

+|`-i <INCLUDE>`, `--include <INCLUDE>` | The path to a file that contains the devices and subnet masks you want to include, where `<INCLUDE>` is the path to the file. For example, see [Sample include or exclude file](#txt). |

+|`-x EXCLUDE`, `--exclude EXCLUDE` | The path to a file that contains the devices and subnet masks you want to exclude, where `<EXCLUDE>` is the path to the file. For example, see [Sample include or exclude file](#txt). |

+|- `-etp <EXCLUDE_TCP_PORT>`, `--exclude-tcp-port <EXCLUDE_TCP_PORT>` | Excludes TCP traffic on any specified ports, where the `<EXCLUDE_TCP_PORT>` defines the port or ports you want to exclude. Delimitate multiple ports by commas, with no spaces. |

+|`-eup <EXCLUDE_UDP_PORT>`, `--exclude-udp-port <EXCLUDE_UDP_PORT>` | Excludes UDP traffic on any specified ports, where the `<EXCLUDE_UDP_PORT>` defines the port or ports you want to exclude. Delimitate multiple ports by commas, with no spaces. |

+|`-itp <INCLUDE_TCP_PORT>`, `--include-tcp-port <INCLUDE_TCP_PORT>` | Includes TCP traffic on any specified ports, where the `<INCLUDE_TCP_PORT>` defines the port or ports you want to include. Delimitate multiple ports by commas, with no spaces. |

+|`-iup <INCLUDE_UDP_PORT>`, `--include-udp-port <INCLUDE_UDP_PORT>` | Includes UDP traffic on any specified ports, where the `<INCLUDE_UDP_PORT>` defines the port or ports you want to include. Delimitate multiple ports by commas, with no spaces. |

+|`-vlan <INCLUDE_VLAN_IDS>`, `--include-vlan-ids <INCLUDE_VLAN_IDS>` | Includes VLAN traffic by specified VLAN IDs, `<INCLUDE_VLAN_IDS>` defines the VLAN ID or IDs you want to include. Delimitate multiple VLAN IDs by commas, with no spaces. |

+|`-p <PROGRAM>`, `--program <PROGRAM>` | Defines the component for which you want to configure a capture filter. Use `all` for basic use cases, to create a single capture filter for all components. <br><br>For advanced use cases, create separate capture filters for each component. For more information, see [Create an advanced filter for specific components](#create-an-advanced-filter-for-specific-components).|

+|`-m <MODE>`, `--mode <MODE>` | Defines an include list mode, and is relevant only when an include list is used. Use one of the following values: <br><br>- `internal`: Includes all communication between the specified source and destination <br>- `all-connected`: Includes all communication between either of the specified endpoints and external endpoints. <br><br>For example, for endpoints A and B, if you use the `internal` mode, included traffic will only include communications between endpoints **A** and **B**. <br>However, if you use the `all-connected` mode, included traffic will include all communications between A *or* B and other, external endpoints. |

+<a name="txt"></a>**Sample include or exclude file**

+For example, an include or exclude **.txt** file might include the following entries:

+```txt

+192.168.50.10

+172.20.248.1

+```

+#### Create a basic capture filter using the admin user

+If you're creating a basic capture filter as the *admin* user, no attributes are passed in the [original command](#create-a-basic-filter-for-all-components). Instead, a series of prompts is displayed to help you create the capture filter interactively.

+Reply to the prompts displayed as follows:

+1. `Would you like to supply devices and subnet masks you wish to include in the capture filter? [Y/N]:`

+ Select `Y` to open a new include file, where you can add a device, channel, and/or subnet that you want to include in monitored traffic. Any other traffic, not listed in your include file, isn't ingested to Defender for IoT.

+ The include file is opened in the [Nano](https://www.nano-editor.org/dist/latest/cheatsheet.html) text editor. In the include file, define devices, channels, and subnets as follows:

+ |Type |Description |Example |

+ ||||

+ |**Device** | Define a device by its IP address. | `1.1.1.1` includes all traffic for this device. |

+ |**Channel** | Define a channel by the IP addresses of its source and destination devices, separated by a comma. | `1.1.1.1,2.2.2.2` includes all of the traffic for this channel. |

+ |**Subnet** | Define a subnet by its network address. | `1.1.1` includes all traffic for this subnet. |

+ List multiple arguments in separate rows.

+1. `Would you like to supply devices and subnet masks you wish to exclude from the capture filter? [Y/N]:`

+ Select `Y` to open a new exclude file where you can add a device, channel, and/or subnet that you want to exclude from monitored traffic. Any other traffic, not listed in your exclude file, is ingested to Defender for IoT.

+ The exclude file is opened in the [Nano](https://www.nano-editor.org/dist/latest/cheatsheet.html) text editor. In the exclude file, define devices, channels, and subnets as follows:

+ |Type |Description |Example |

+ ||||

+ | **Device** | Define a device by its IP address. | `1.1.1.1` excludes all traffic for this device. |

+ | **Channel** | Define a channel by the IP addresses of its source and destination devices, separated by a comma. | `1.1.1.1,2.2.2.2` excludes all of the traffic between these devices. |

+ | **Channel by port** | Define a channel by the IP addresses of its source and destination devices, and the traffic port. | `1.1.1.1,2.2.2.2,443` excludes all of the traffic between these devices and using the specified port.|

+ | **Subnet** | Define a subnet by its network address. | `1.1.1` excludes all traffic for this subnet. |

+ | **Subnet channel** | Define subnet channel network addresses for the source and destination subnets. | `1.1.1,2.2.2` excludes all of the traffic between these subnets. |

+ List multiple arguments in separate rows.

+1. Reply to the following prompts to define any TCP or UDP ports to include or exclude. Separate multiple ports by comma, and press ENTER to skip any specific prompt.

+ - `Enter tcp ports to include (delimited by comma or Enter to skip):`

+ - `Enter udp ports to include (delimited by comma or Enter to skip):`

+ - `Enter tcp ports to exclude (delimited by comma or Enter to skip):`

+ - `Enter udp ports to exclude (delimited by comma or Enter to skip):`

+ - `Enter VLAN ids to include (delimited by comma or Enter to skip):`

+ For example, enter multiple ports as follows: `502,443`

+1. `In which component do you wish to apply this capture filter?`

+ Enter `all` for a basic capture filter. For [advanced use cases](#create-an-advanced-capture-filter-using-the-admin-user), create capture filters for each Defender for IoT component separately.

+1. `Type Y for "internal" otherwise N for "all-connected" (custom operation mode enabled) [Y/N]:`

+ This prompt allows you to configure which traffic is in scope. Define whether you want to collect traffic where both endpoints are in scope, or only one of them is in the specified subnet. Supported values include:

+ - `internal`: Includes all communication between the specified source and destination

+ - `all-connected`: Includes all communication between either of the specified endpoints and external endpoints.

+ For example, for endpoints A and B, if you use the `internal` mode, included traffic will only include communications between endpoints **A** and **B**. <br>However, if you use the `all-connected` mode, included traffic will include all communications between A *or* B and other, external endpoints.

+ The default mode is `internal`. To use the `all-connected` mode, select `Y` at the prompt, and then enter `all-connected`.

+The following example shows a series of prompts that creates a capture filter to exclude subnet `192.168.x.x` and port `9000:`

+```bash

+root@xsense: network capture-filter

+Would you like to supply devices and subnet masks you wish to include in the capture filter? [y/N]: n

+Would you like to supply devices and subnet masks you wish to exclude from the capture filter? [y/N]: y

+You've exited the editor. Would you like to apply your modifications? [y/N]: y

+Enter tcp ports to include (delimited by comma or Enter to skip):

+Enter udp ports to include (delimited by comma or Enter to skip):

+Enter tcp ports to exclude (delimited by comma or Enter to skip):9000

+Enter udp ports to exclude (delimited by comma or Enter to skip):9000

+Enter VLAN ids to include (delimited by comma or Enter to skip):

+In which component do you wish to apply this capture filter?all

+Would you like to supply a custom base capture filter for the collector component? [y/N]: n

+Would you like to supply a custom base capture filter for the traffic_monitor component? [y/N]: n

+Would you like to supply a custom base capture filter for the horizon component? [y/N]: n

+type Y for "internal" otherwise N for "all-connected" (custom operation mode enabled) [Y/n]: internal

+Please respond with 'yes' or 'no' (or 'y' or 'n').

+type Y for "internal" otherwise N for "all-connected" (custom operation mode enabled) [Y/n]: y

+starting "/usr/local/bin/cyberx-xsense-capture-filter --exclude /var/cyberx/media/capture-filter/exclude --exclude-tcp-port 9000 --exclude-udp-port 9000 --program all --mode internal --from-shell"

+No include file given

+Loaded 1 unique channels

+(000) ret #262144

+(000) ldh [12]

+......

+......

+......

+debug: set new filter for horizon '(((not (net 192.168))) and (not (tcp port 9000)) and (not (udp port 9000))) or (vlan and ((not (net 192.168))) and (not (tcp port 9000)) and (not (udp port 9000)))'

+root@xsense:

+```

+### Create an advanced filter for specific components

+When configuring advanced capture filters for specific components, you can use your initial include and exclude files as a base, or template, capture filter. Then, configure extra filters for each component on top of the base as needed.

+To create a capture filter for *each* component, make sure to repeat the entire process for each component.

+> [!NOTE]

+> If you've created different capture filters for different components, the mode selection is used for all components. Defining the capture filter for one component as `internal` and the capture filter for another component as `all-connected` isn't supported.

+|User |Command |Full command syntax |

+||||

+| **admin** | `network capture-filter` | No attributes.|

+| **cyberx**, or **admin** with [root access](references-work-with-defender-for-iot-cli-commands.md#access-the-system-root-as-an-admin-user) | `cyberx-xsense-capture-filter` | `cyberx-xsense-capture-filter [-h] [-i INCLUDE] [-x EXCLUDE] [-etp EXCLUDE_TCP_PORT] [-eup EXCLUDE_UDP_PORT] [-itp INCLUDE_TCP_PORT] [-iup INCLUDE_UDP_PORT] [-vlan INCLUDE_VLAN_IDS] -p PROGRAM [-o BASE_HORIZON] [-s BASE_TRAFFIC_MONITOR] [-c BASE_COLLECTOR] -m MODE [-S]` |

+The following extra attributes are used for the *cyberx* user to create capture filters for each component separately:

+|Attribute |Description |

+|||

+|`-p <PROGRAM>`, `--program <PROGRAM>` | Defines the component for which you want to configure a capture filter, where `<PROGRAM>` has the following supported values: <br>- `traffic-monitor` <br>- `collector` <br>- `horizon` <br>- `all`: Creates a single capture filter for all components. For more information, see [Create a basic filter for all components](#create-a-basic-filter-for-all-components).|

+|`-o <BASE_HORIZON>`, `--base-horizon <BASE_HORIZON>` | Defines a base capture filter for the `horizon` component, where `<BASE_HORIZON>` is the filter you want to use. <br> Default value = `""` |

+|`-s BASE_TRAFFIC_MONITOR`, `--base-traffic-monitor BASE_TRAFFIC_MONITOR` | Defines a base capture filter for the `traffic-monitor` component. <br> Default value = `""` |

+|`-c BASE_COLLECTOR`, `--base-collector BASE_COLLECTOR` | Defines a base capture filter for the `collector` component. <br> Default value = `""` |

+Other attribute values have the same descriptions as in the basic use case, described [earlier](#create-a-basic-filter-for-all-components).

+#### Create an advanced capture filter using the admin user

+If you're creating a capture filter for each component separately as the *admin* user, no attributes are passed in the [original command](#create-an-advanced-filter-for-specific-components). Instead, a series of prompts is displayed to help you create the capture filter interactively.

+Most of the prompts are identical to [basic use case](#create-a-basic-capture-filter-using-the-admin-user). Reply to the following extra prompts as follows:

+1. `In which component do you wish to apply this capture filter?`

+ Enter one of the following values, depending on the component you want to filter:

+ - `horizon`

+ - `traffic-monitor`

+ - `collector`

+1. You're prompted to configure a custom base capture filter for the selected component. This option uses the capture filter you configured in the previous steps as a base, or template, where you can add extra configurations on top of the base.

+ For example, if you'd selected to configure a capture filter for the `collector` component in the previous step, you're prompted: `Would you like to supply a custom base capture filter for the collector component? [Y/N]:`

+ Enter `Y` to customize the template for the specified component, or `N` to use the capture filter you'd configured earlier as it is.

+Continue with the remaining prompts as in the [basic use case](#create-a-basic-capture-filter-using-the-admin-user).

+### List current capture filters for specific components

+Use the following commands to show details about the current capture filters configured for your sensor.

+|User |Command |Full command syntax |

+||||

+| **admin** | Use the following commands to view the capture filters for each component: <br><br>- **horizon**: `edit-config horizon_parser/horizon.properties` <br>- **traffic-monitor**: `edit-config traffic_monitor/traffic-monitor` <br>- **collector**: `edit-config dumpark.properties` | No attributes |

+| **cyberx**, or **admin** with [root access](references-work-with-defender-for-iot-cli-commands.md#access-the-system-root-as-an-admin-user) | Use the following commands to view the capture filters for each component: <br><br>-**horizon**: `nano /var/cyberx/properties/horizon_parser/horizon.properties` <br>- **traffic-monitor**: `nano /var/cyberx/properties/traffic_monitor/traffic-monitor.properties` <br>- **collector**: `nano /var/cyberx/properties/dumpark.properties` | No attributes |

+These commands open the following files, which list the capture filters configured for each component:

+|Name |File |Property |

+||||

+|**horizon** | `/var/cyberx/properties/horizon.properties` | `horizon.processor.filter` |

+|**traffic-monitor** | `/var/cyberx/properties/traffic-monitor.properties` | `horizon.processor.filter` |

+|**collector** | `/var/cyberx/properties/dumpark.properties` | `dumpark.network.filter` |

+For example with the **admin** user, with a capture filter defined for the *collector* component that excludes subnet 192.168.x.x and port 9000:

+```bash

+root@xsense: edit-config dumpark.properties

+ GNU nano 2.9.3 /tmp/tmpevt4igo7/tmpevt4igo7

+dumpark.network.filter=(((not (net 192.168))) and (not (tcp port 9000)) and (not

+dumpark.network.snaplen=4096

+dumpark.packet.filter.data.transfer=false

+dumpark.infinite=true

+dumpark.output.session=false

+dumpark.output.single=false

+dumpark.output.raw=true

+dumpark.output.rotate=true

+dumpark.output.rotate.history=300

+dumpark.output.size=20M

+dumpark.output.time=30S

+```

+### Reset all capture filters

+Use the following command to reset your sensor to the default capture configuration with the *cyberx* user, removing all capture filters.

+|User |Command |Full command syntax |

+||||

+| **cyberx**, or **admin** with [root access](references-work-with-defender-for-iot-cli-commands.md#access-the-system-root-as-an-admin-user) | `cyberx-xsense-capture-filter -p all -m all-connected` | No attributes |

+If you want to modify the existing capture filters, run the [earlier](#create-a-basic-filter-for-all-components) command again, with new attribute values.

+To reset all capture filters using the *admin* user, run the [earlier](#create-a-basic-filter-for-all-components) command again, and respond `N` to all [prompts](#create-a-basic-capture-filter-using-the-admin-user) to reset all capture filters.

+The following example shows the command syntax and response for the *cyberx* user:

+```bash

+root@xsense:/# cyberx-xsense-capture-filter -p all -m all-connected

+starting "/usr/local/bin/cyberx-xsense-capture-filter -p all -m all-connected"

+No include file given

+No exclude file given

+(000) ret #262144

+(000) ret #262144

+debug: set new filter for dumpark ''

+No include file given

+No exclude file given

+(000) ret #262144

+(000) ret #262144

+debug: set new filter for traffic-monitor ''

+No include file given

+No exclude file given

+(000) ret #262144

+(000) ret #262144

+debug: set new filter for horizon ''

+root@xsense:/#

+```

+1. A Billing Admin permissions (Entra ID role on the tenant)

+- Access to the Microsoft Defender Portal as a [Security administrator](../../active-directory/roles/permissions-reference.md#security-administrator)

+|Reboot and shutdown | *admin*, *cyberx*, *cyberx_host* | [Restart an appliance](cli-ot-sensor.md#restart-an-appliance)<br>[Shut down an appliance](cli-ot-sensor.md#shut-down-an-appliance) |

+### Traffic capture filter commands

+|Service area |Users |Actions |

+||||

+| Capture filter management | *admin*, *cyberx* | [Create a basic filter for all components](cli-ot-sensor.md#create-a-basic-filter-for-all-components)<br>[Create an advanced filter for specific components](cli-ot-sensor.md#create-an-advanced-filter-for-specific-components) <br>[List current capture filters for specific components](cli-ot-sensor.md#list-current-capture-filters-for-specific-components) <br> [Reset all capture filters](cli-ot-sensor.md#reset-all-capture-filters) |

+You should see the AKS voting app. In this example, the Firewall public IP was `203.0.113.32`.

+ - Sample query: [List Azure Security Center recommendations](../samples/samples-by-category.md)

+ - Sample query: [Show Azure Defender pricing tier per subscription](../samples/samples-by-category.md)

+ Title: List of sample Azure Resource Graph queries by category

+description: List sample queries for Azure Resource-Graph. Categories include Tags, Azure Advisor, Key Vault, Kubernetes, Guest Configuration, and more.

+# Azure Resource Graph sample queries by category

+This page is a collection of Azure Resource Graph sample queries grouped by general and service

+categories. To jump to a specific **category**, use the links on the top of the page.

+Otherwise, use <kbd>Ctrl</kbd>-<kbd>F</kbd> to use your browser's search feature.

+## Azure Advisor

+## Azure App Service

+## Azure Arc

+## Azure Arc-enabled Kubernetes

+## Azure Arc-enabled servers

+## Azure Center for SAP solutions

+## Azure Container Registry

+## Azure Cosmos DB

+## Azure Key Vault

+## Azure Monitor

+## Azure Orbital Ground Station

+## Azure Policy

+## Azure Policy guest configuration

+## Azure RBAC

+## Azure Service Health

+## Azure SQL

+## Azure Storage

+## Azure Virtual Machines

+## General

+## IoT Defender

+## Management groups

+## Microsoft Defender

+## Networking

+## Resource health

+## Tags

+## Virtual Machine Scale Sets

+## Next steps

+- Learn more about the [query language](../concepts/query-language.md).

+- Learn more about how to [explore resources](../concepts/explore-resources.md).

+### Release date: Aug 05, 2024

+**This release applies to the following**

+- Cluster Pool Version: 1.2

+- Cluster Version: 1.2.1

+- AKS version: 1.27

+### New Features

+**MSI based SQL authentication**

+Users can now authenticate external Azure SQL DB Metastore with MSI instead of User ID password authentication. This feature helps to further secure the cluster connection with Metastore.

+**Configurable VM SKUs for Head node, SSH node**

+This functionality allows users to choose specific SKUs for head nodes, worker nodes, and SSH nodes, offering the flexibility to select according to the use case and the potential to lower total cost of ownership (TCO).

+**Multiple MSI in cluster**

+Users can configure multiple MSI for cluster admins operations and for job related resource access. This feature allows users to demarcate and control the access to the cluster and data lying in the storage account.

+For example, one MSI for access to data in storage account and dedicated MSI for cluster operations.

+### Updated

+**Script action**

+Script Action now can be added with Sudo user permission. Users can now install multiple dependencies including custom jars to customize the clusters as required.

+**Library Management**

+Maven repository shortcut feature added to the Library Management in this release. User can now install Maven dependencies directly from the open-source repositories.

+**Spark 3.4**

+Spark 3.4 update brings a range of new features includes

+* API enhancements

+* Structured streaming improvements

+* Improved usability and developer experience

+> [!IMPORTANT]

+> To take benefit of all these **latest features**, you are required to create a new cluster pool with 1.2 and cluster version 1.2.1

+### Known issues

+- **Workload identity limitation:**

+ - There's a known [limitation](/azure/aks/workload-identity-overview#limitations) when transitioning to workload identity. This limitation is due to the permission-sensitive nature of FIC operations. Users can't perform deletion of a cluster by deleting the resource group. Cluster deletion requests must be triggered by the application/user/principal with FIC/delete permissions. In case, the FIC deletion fails, the high-level cluster deletion also fails.

+ - **User Assigned Managed Identities (UAMI)** support ΓÇô There's a limit of 20 FICs per UAMI. You can only create 20 Federated Credentials on an identity. In HDInsight on AKS cluster, FIC (Federated Identity Credential) and SA have one-to-one mapping and only 20 SAs can be created against an MSI. If you want to create more clusters, then you are required to provide different MSIs to overcome the limitation.

+ - Creation of federated identity credentials is currently not supported on user-assigned managed identities created in [these regions](/entra/workload-id/workload-identity-federation-considerations#unsupported-regions-user-assigned-managed-identities)

+

+### Operating System version

+- Mariner OS 2.0

+**Workload versions**

+|Workload|Version|

+| -- | -- |

+|Trino | 440 |

+|Flink | 1.17.0 |

+|Apache Spark | 3.4 |

+**Supported Java and Scala versions**

+|Workload |Java|Scala|

+| -- | -- | -- |

+|Trino |Open JDK 21.0.2  |- |

+|Flink |Open JDK 11.0.21 |2.12.7 |

+|Spark |Open JDK 1.8.0_345  |2.12.15 |

+The preview is available in the following [regions](../overview.md#region-availability-public-preview).

+If you have any more questions, contact [Azure Support](https://ms.portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview) or refer to the [Support options](../hdinsight-aks-support-help.md) page. If you have product specific feedback, write us on [aka.ms/askhdinsight](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR6HHTBN7UDpEhLm8BJmDhGJURDhLWEhBVE5QN0FQRUpHWDg4ODlZSDA4RCQlQCN0PWcu).

+### Release date: Sep 05, 2024

+The latest API version release is as follows.

+https://github.com/Azure/azure-rest-api-specs/blob/main/specification/hdinsight/resource-manager/Microsoft.HDInsight/HDInsightOnAks/preview/2024-05-01-preview/hdinsight.json.

+ [ ](media/diagnostic-logs/fhir-diagnostic-settings-screen.png#lightbox)

+ [ ](media/diagnostic-logs/fhir-diagnostic-settings-add.png#lightbox)

+[](media/rest-config.png#lightbox)

+[](media/rest-patient.png#lightbox)

+[](media/rest-powershell.png#lightbox)

+[](media/rest-cli.png#lightbox)

+Attach the external disk to the file share and run WAImportExport.exe file. This step generates a journal file. The journal file stores basic information such as drive serial number, encryption key, and storage account details.

+ audience: aio-mq

+ mode: Enabled

+ systemAssignedManagedIdentitySettings:

+ audience: <your Event Hubs namespace>.servicebus.windows.net

+ host: <your Event Hubs namespace>.servicebus.windows.net:9093

+ mode: Enabled

+## Version 4.15 - September 2024

+We're pleased to announce the launch of OpenShift 4.15 for Azure Red Hat OpenShift. This release enables [OpenShift Container Platform 4.15](https://docs.openshift.com/container-platform/4.15/welcome/https://docsupdatetracker.net/index.html) as an installable version. You can check the end of support date on the [support lifecycle page](/azure/openshift/support-lifecycle) for previous versions.

+In addition to making version 4.15 available as an installable version, this release also makes the following features generally available:

+- CLI for multiple public IP addresses for larger clusters up to 250 nodes

+* By default, OpenShift uses self-signed certificates for all of the routes created on custom domains `*.apps.example.com`. If you choose to use custom DNS after connecting to the cluster, you will need to follow the OpenShift documentation to [configure a custom CA for your ingress controller](https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html) and a [custom CA for your API server](https://docs.openshift.com/container-platform/latest/security/certificates/api-server.html).

+<!--

+-->

+> [!NOTE]

+> The maximum number of worker nodes definable at creation time is 50. You can scale out up to 250 nodes after the cluster is created.

+After executing the `az aro create` command, it normally takes about 45 minutes to create a cluster.

+#### Large scale ARO clusters

+If you are looking to deploy an Azure Red Hat OpenShift cluster with more than 100 worker nodes please see the [Deploy a large Azure Red Hat OpenShift cluster](howto-large-clusters.md)

+This article provides the steps and best practices for deploying large scale Azure Red Hat OpenShift clusters up to 250 worker nodes. For clusters of that size, there are some recommendations regarding control plane nodes and infrastructure nodes.

+> Before deleting a cluster with more than 120 nodes, scale down the cluster to 120 nodes or less.

+## Recommendations

+### Control plane nodes

+For clusters with over 100 worker nodes, the following [virtual machine instance types](support-policies-v4.md#supported-virtual-machine-sizes) (or similar, newer generation instance types) are recommended for control plane nodes:

+### Infrastructure nodes

+For clusters with over 100 worker nodes, infrastructure nodes are required to separate cluster workloads (such as Prometheus) to minimize contention with other workloads. You should deploy three (3) infrastructure nodes per cluster for redundancy and scalability needs.

+For instructions on configuring infrastructure nodes, see [Deploy infrastructure nodes in an Azure Red Hat OpenShift cluster](howto-infrastructure-nodes.md). This will be configured after cluster deployment.

+### Add IP addresses to the load balancer

+Azure Red Hat OpenShift public clusters are created with a public load balancer that's used for outbound connectivity from inside the cluster. By default, one public IP address is configured on that public load balancer, and that limits the maximum node count of your cluster to 62. To be able to scale your cluster to the maximum supported number of 250 nodes, you need to assign multiple additional public IP addresses to the load balancer. You can configure up to 20 IP addresses per cluster. The outbound rules and frontend IP configurations are adjusted to accommodate the number of IP addresses.

+For example, a cluster with 180 worker nodes needs at least (3) three IP addresses (180 nodes / 62 nodes per IP).

+This can be accomplished as part of the cluster creation process or later, after the cluster is created.

+## Deploy a cluster

+When deploying a large cluster, you must start with at most 50 worker nodes at creation time, then scale the cluster out to the desired number of worker nodes, up to 250 worker nodes.

+> [!NOTE]

+> While you can define up to 50 worker nodes at creation time, it's best to start with a small cluster (e.g, three (3) worker nodes) and then scale out to the desired number of worker nodes after the cluster is installed.

+>

+Follow the steps provided in [Create an Azure Red Hat OpenShift cluster](https://learn.microsoft.com/azure/openshift/create-cluster?tabs=azure-cli) until the "Create the cluster" steps, then continue as instructed:

+The sample command below using the Azure CLI can be used to deploy a cluster with Standard_D32s_v5 as the control plane nodes, requesting three public IP addresses, and defining nine worker nodes:

+```azurecli

+az aro create \

+ --resource-group $RESOURCEGROUP \

+ --name $CLUSTER \

+ --vnet aro-vnet \

+ --master-subnet master-subnet \

+ --worker-subnet worker-subnet \

+ --master-vm-size Standard_D32s_v5 \

+ --worker-count 9 \

+ --lb-ip-count 3

+```

+To add IP addresses to the load balancer using the Azure CLI after the cluster is created, run the following command:

+```azurecli

+az aro update

+ --name <CLUSTER_NAME>

+ ΓÇô-resource-group <RESOURCE_GROUP>

+ --lb-ip-count <PUBLIC_IP_COUNT>`

+You can then configure the corresponding OpenShift MachineSets to obtain the number of worker nodes desired. See [Manually scaling a compute machine set](https://docs.openshift.com/container-platform/latest/machine_management/manually-scaling-machineset.html) for more details.

+Once the cluster is successfully installed, proceed to deploying infrastructure nodes as defined in the [Infrastructure nodes](#infrastructure-nodes) section.

+ Title: Configure multiple IP addresses for Azure Red Hat OpenShift cluster load balancers

+# Configure multiple IP addresses per Azure Red Hat OpenShift cluster load balancer

+Azure Red Hat OpenShift public clusters are created with a public load balancer that's used for outbound connectivity from inside the cluster. By default, one public IP address is configured on that public load balancer, and that limits the maximum node count of your cluster to 62. To be able to scale your cluster to the maximum supported number of 250 nodes, you need to assign multiple additional public IP addresses to the load balancer.

+> Before deleting a cluster with more than 120 nodes, scale down the cluster to 120 nodes or less.

+If you're unsure if your cluster was created before OCP version 4.5, use the following commands to check.

+Get the cluster managed resource group:

+To create a new ARO cluster with multiple managed IPs on the public load balancer, use the following command with the desired number of IPs in the `--load-balancer-managed-outbound-ip-count` parameter. In the example below, seven (7) IP addresses are created:

+az aro create \

+ --resource-group aroResourceGroup \

+ --name aroCluster \

+ --load-balancer-managed-outbound-ip-count 7

+See [Deploy a large Azure Red Hat OpenShift cluster](howto-large-clusters.md) for more information about deploying a large cluster.

+az aro update \

+ --resource-group aroResourceGroup \

+ --name aroCluster \

+ --load-balancer-managed-outbound-ip-count 4

+You can use this update method to either increase or decrease the number of IPs on a cluster to be between 1 and 20. Scaling down the number of clusters can interrupt the outbound network traffic from the cluster.

+|4.15|February 2024| September 4 2024|June 27 2025|

+|4.16|June 2024| Coming soon|November 2 2025|

+* Release Notes for Version 2.0.2804-137

+## Release 2.0.2804-137

+Document Revision 1.1

+### Release Summary

+Azure Operator Service Manager is a cloud orchestration service that enables automation of operator network-intensive workloads, and mission critical applications hosted on Azure Operator Nexus. Azure Operator Service Manager unifies infrastructure, software, and configuration management with a common model into a single interface, both based on trusted Azure industry standards. This August 30, 2024 Azure Operator Service Manager release includes updating the NFO version to 2.0.2804-137, the details of which are further outlined in the remainder of this document.

+### Release Details

+* Release Version: Version 2.0.2804-137

+* Release Date: August 30, 2024

+* Is NFO update required: YES, Update only

+* Dependency Versions: Go/1.22.4 - Helm/3.15.2

+### Release Installation

+This release can be installed with as an update on top of release 2.0.2788-135.

+### Release Highlights

+#### High availability for cluster registry and webhook.

+This version restores the high availability features first introduced with release 2.0.2783-134. When enabled, the singleton pod, used in earlier releases, is replaced with a replica set and optionally allows for horizontal auto scaling.

+#### Enhanced internal certificate management and rotation.

+This version implements internal certificate management using a new method which does not take dependency on cert-manager. Instead, a private internal service is used to handle requirements for certificate management and rotation within the AOSM namespace.

+#### Safe Upgrades NF Level Rollback

+This version introduces new user options to control behavior when a failure occurs during an upgrade. While pause on failure remains the default, a user can now optionally enable rollback on failure. If a failure occure, with rollback on failure any prior completed NfApps will be reverted to prior state using helm rollback command. See [learn documentation](safe-upgrades-nf-level-rollback.md) for more details on usage.

+### Issues Resolved in This Release

+#### Bugfix Related Updates

+The following bug fixes, or other defect resolutions, are delivered with this release, for either Network Function Operator (NFO) or resource provider (RP) components.

+* NFO - Enhance cluster registry performance by preventing unnecessary or repeated image downloads.

+

+#### Security Related Updates

+* CVE - A total of one CVE is addressed in this release.

+import { getServiceConfig, ServiceOS } from '@azure/microsoft-playwright-testing';

+/* Learn more about service configuration at https://aka.ms/mpt/config */

+export default defineConfig(

+ config,

+ getServiceConfig(config, {

+ exposeNetwork: '<loopback>',

+ timeout: 30000,

+ os: ServiceOS.LINUX

+ }),

+ {

+ /*

+ Playwright Testing service reporter is added by default.

+ This will override any reporter options specified in the base playwright config.

+ If you are using more reporters, please update your configuration accordingly.

+ */

+ reporter: [["list"], ['@azure/microsoft-playwright-testing/reporter']],

+ ignoreSnapshots: false,

+ // Enable screenshot testing and configure directory with expectations.ΓÇâ

+ snapshotPathTemplate: `{testDir}/__screenshots__/{testFilePath}/${ServiceOS.LINUX}/{arg}{ext}`,

+);

+- Learn more about [managing authentication to the workspace](./how-to-manage-authentication.md)

+ Title: Microsoft Playwright Testing authentication

+description: Learn how to manage authentication and authorization for Microsoft Playwright Testing preview

+# Manage authentication and authorization for Microsoft Playwright Testing preview

+In this article, you learn how to manage authentication and authorization for Microsoft Playwright Testing preview. Authentication is required to run Playwright tests on cloud-hosted browsers and to publish test results and artifacts to the service.

+By default, [Microsoft Entra ID](/entra/identity/) is used for authentication. This method is more secure and is the recommended authentication method. You can't disable authentication using Microsoft Entra ID. However, you can also use access tokens to authenticate and authorize.

+> [!IMPORTANT]

+> Microsoft Playwright Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Background

+Microsoft Playwright Testing Preview is built on the Playwright open-source framework. It runs Playwright tests on cloud-hosted browsers and publishes reports and artifacts back to the service.

+To use the service, the client must authenticate with the service to access the browsers. Similarly, publishing results and artifacts requires authenticated API interactions. The service offers two authentication methods: Microsoft Entra ID and access tokens.

+Microsoft Entra ID uses your Azure credentials, requiring a sign-in to your Azure account for secure access. Alternatively, you can generate an access token from your Playwright workspace and use it in your setup. However, we strongly recommend Microsoft Entra ID for authentication due to its enhanced security. Access tokens, while convenient, function like long-lived passwords and are more susceptible to being compromised.

+## Enable authentication using access-tokens

+Microsoft Playwright Testing service also supports authentication using access tokens. This authentication method is less secure. We recommend using Microsoft Entra ID to authenticate to the service.

+> [!CAUTION]

+> Your workspace access tokens are similar to a password for your Microsoft Playwright Testing workspace. Always be careful to protect your access tokens. Avoid distributing access tokens to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others.

+Revoke and recreate your tokens if you believe they are compromised.

+To enable authentication using access tokens:

+1. Sign in to the [Playwright portal](https://aka.ms/mpt/portal) with your Azure account and select your workspace.

+1. Select the settings icon on the home page to go to the workspace settings.

+1. Select the **Authentication** page and turn on **Enable authentication using Access tokens**

+ :::image type="content" source="./media/how-to-manage-authentication/playwright-testing-enable-access-token.png" alt-text="Screenshot that shows the access tokens settings page in the Playwright portal." lightbox="./media/how-to-manage-authentication/playwright-testing-enable-access-token.png":::

+> [!CAUTION]

+> Authentication using access tokens is less secure. [Learn how to manage access tokens](./how-to-manage-access-tokens.md)

+## Set up authentication using access-tokens

+1. While running the tests, enable access token auth in the `playwright.service.config.ts` file in your setup.

+ ```typescript

+ /* Learn more about service configuration at https://aka.ms/mpt/config */

+ export default defineConfig(config, getServiceConfig( config {

+ serviceAuthType:'ACCESS_TOKEN'

+ }));

+ ```

+1. Create access token

+ Follow the steps to [create an access token](./how-to-manage-access-tokens.md#generate-a-workspace-access-token)

+1. Set up your environment

+ To set up your environment, you have to configure the `PLAYWRIGHT_SERVICE_ACCESS_TOKEN` environment variable with the value you obtained in the previous steps.

+ We recommend that you use the `dotenv` module to manage your environment. With `dotenv`, you define your environment variables in the `.env` file.

+ 1. Add the `dotenv` module to your project:

+ ```shell

+ npm i --save-dev dotenv

+ ```

+ 1. Create a `.env` file alongside the `playwright.config.ts` file in your Playwright project:

+

+ ```

+ PLAYWRIGHT_SERVICE_ACCESS_TOKEN={MY-ACCESS-TOKEN}

+ ```

+ Make sure to replace the `{MY-ACCESS-TOKEN}` text placeholder with the value you copied earlier.

+## Run tests on the service and publish results

+Run Playwright tests against cloud-hosted browsers and publish the results to the service using the configuration you created above.

+```typescript

+npx playwright test --config=playwright.service.config.ts --workers=20

+```

+## Related content

+- Learn more about [managing access tokens](./how-to-manage-access-tokens.md).

+import { getServiceConfig, ServiceOS } from "@azure/microsoft-playwright-testing";

+import { defineConfig } from "@playwright/test";

+import { AzureCliCredential } from "@azure/identity";

+import config from "./playwright.config";

+export default defineConfig(

+ config,

+ getServiceConfig(config, {

+ exposeNetwork: '<loopback>', // Allow service to access the localhost.

+ }),

+);

+Microsoft Playwright Testing Preview is a fully managed service for end-to-end testing built on top of Playwright. With the free trial, you can try Microsoft Playwright Testing for free for 30 days, 100 test minutes, and 1,000 test results. In this article, you learn about the limits of the free trial, how to get started, and how to track your free trial usage.

+| Total test results┬╣ | 1,000 results |

+┬╣ If your usage exceeds either the free test minute limit or the free test result limit, only the overage counts toward the pay-as-you-go billing model. The two features are billed separately. See [Microsoft Playwright Testing preview pricing](https://aka.ms/mpt/pricing)

+All test runs, test results, and other artifacts linked to your workspace remain available.

+ Title: Microsoft Playwright Testing service configuration file options

+description: Learn how to use options available in configuration file with Microsoft Playwright Testing preview

+# Use options available in configuration file with Microsoft Playwright Testing preview

+This article shows you how to use the options available in the `playwright.service.config.ts` file that was generated for you.

+If you don't have this file in your code, follow the QuickStart guide, see [Quickstart: Run end-to-end tests at scale with Microsoft Playwright Testing Preview](./quickstart-run-end-to-end-tests.md)

+> [!IMPORTANT]

+> Microsoft Playwright Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+* Follow the Quickstart guide and set up a project to run with Microsoft Playwright Testing service. See, [Quickstart: Run end-to-end tests at scale with Microsoft Playwright Testing Preview](./quickstart-run-end-to-end-tests.md)

+Here's version of the `playwright.service.config.ts` file with all the available options:

+```typescript

+import { getServiceConfig, ServiceOS } from "@azure/microsoft-playwright-testing";

+import { defineConfig } from "@playwright/test";

+import { AzureCliCredential } from "@azure/identity";

+import config from "./playwright.config";

+export default defineConfig(

+ config,

+ getServiceConfig(config, {

+ serviceAuthType:'ACCESS_TOKEN' // Use this option when you want to authenticate using access tokens. This mode of auth should be enabled for the workspace.

+ os: ServiceOS.WINDOWS, // Select the operating system where you want to run tests.

+ runId: new Date().toISOString(), // Set a unique ID for every test run to distinguish them in the service portal.

+ credential: new AzureCliCredential(), // Select the authentication method you want to use with Entra.

+ useCloudHostedBrowsers: true, // Select if you want to use cloud-hosted browsers to run your Playwright tests.

+ exposeNetwork: '<loopback>', // Use this option to connect to local resources from your Playwright test code without having to configure additional firewall settings.

+ timeout: 30000 // Set the timeout for your tests.

+ }),

+ {

+ reporter: [

+ ["list"],

+ [

+ "@azure/microsoft-playwright-testing/reporter",

+ {

+ enableGitHubSummary: true, // Enable/disable GitHub summary in GitHub Actions workflow.

+ },

+ ],

+ ],

+ },

+);

+```

+## Settings in `playwright.service.config.ts` file

+* **`serviceAuthType`**:

+ - **Description**: This setting allows you to choose the authentication method you want to use for your test run.

+ - **Available Options**:

+ - `ACCESS_TOKEN` to use access tokens. You need to enable authentication using access tokens if you want to use this option, see [manage authentication](./how-to-manage-authentication.md).

+ - `ENTRA_ID` to use Microsoft Entra ID for authentication. It's the default mode.

+ - **Default Value**: `ENTRA_ID`

+ - **Example**:

+ ```typescript

+ serviceAuthType:'ENTRA_ID'

+ ```

+* **`os`**:

+ - **Description**: This setting allows you to choose the operating system where the browsers running Playwright tests are hosted.

+ - **Available Options**:

+ - `ServiceOS.WINDOWS` for Windows OS.

+ - `ServiceOS.LINUX` for Linux OS.

+ - **Default Value**: `ServiceOS.LINUX`

+ - **Example**:

+ ```typescript

+ os: ServiceOS.WINDOWS

+ ```

+* **`runId`**:

+ - **Description**: This setting allows you to set a unique ID for every test run to distinguish them in the service portal.

+ - **Example**:

+ ```typescript

+ runId: new Date().toISOString()

+ ```

+* **`credential`**:

+ - **Description**: This setting allows you to select the authentication method you want to use with Microsoft Entra ID.

+ - **Example**:

+ ```typescript

+ credential: new AzureCliCredential()

+ ```

+* **`useCloudHostedBrowsers`**

+ - **Description**: This setting allows you to choose whether to use cloud-hosted browsers or the browsers on your client machine to run your Playwright tests. If you disable this option, your tests run on the browsers of your client machine instead of cloud-hosted browsers, and you don't incur any charges.

+ - **Default Value**: true

+ - **Example**:

+ ```typescript

+ useCloudHostedBrowsers: true

+ ```

+* **`exposeNetwork`**

+ - **Description**: This setting allows you to connect to local resources from your Playwright test code without having to configure another firewall settings. To learn more, see [how to test local applications](./how-to-test-local-applications.md)

+ - **Example**:

+ ```typescript

+ exposeNetwork: '<loopback>'

+ ```

+* **`timeout`**

+ - **Description**: This setting allows you to set timeout for your tests connecting to the cloud-hosted browsers.

+ - **Example**:

+ ```typescript

+ timeout: 30000,

+ ```

+* **`reporter`**

+ - **Description**: The `playwright.service.config.ts` file extends the playwright config file of your setup. This option overrides the existing reporters and sets Microsoft Playwright Testing reporter. You can add or modify this list to include the reporters that you want to use. You're billed for Microsoft Playwright Testing reporting if you add `@azure/microsoft-playwright-testing/reporter`.

+ - **Default Value**: ["@azure/microsoft-playwright-testing/reporter"]

+ - **Example**:

+ ```typescript

+ reporter: [

+ ["list"],

+ ["@azure/microsoft-playwright-testing/reporter"],

+ ```

+* **`enableGitHubSummary`**:

+ - **Description**: This setting allows you to configure the Microsoft Playwright Testing service reporter. You can choose whether to include the test run summary in the GitHub summary when running in GitHub Actions.

+ - **Default Value**: true

+ - **Example**:

+ ```typescript

+ reporter: [

+ ["list"],

+ [

+ "@azure/microsoft-playwright-testing/reporter",

+ {

+ enableGitHubSummary: true,

+ },

+ ],

+ ]

+ ```

+ Title: Microsoft Playwright Testing features

+description: Learn how to use different features offered by Microsoft Playwright Testing service

+# Use features of Microsoft Playwright Testing preview

+In this article, you learn how to use the features provided by Microsoft Playwright Testing preview.

+> [!IMPORTANT]

+> Microsoft Playwright Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A Microsoft Playwright Testing workspace. To create a workspace, see [Quickstart: Run Playwright tests at scale](./quickstart-run-end-to-end-tests.md).

+- To manage features, your Azure account needs to have the [Contributor](/azure/role-based-access-control/built-in-roles#owner) or [Owner](/azure/role-based-access-control/built-in-roles#contributor) role at the workspace level. Learn more about [managing access to a workspace](./how-to-manage-workspace-access.md).

+## Background

+Microsoft Playwright Testing preview allows you to:

+- Run your Playwright tests on cloud-hosted browsers.

+- Publish test reports and artifacts to the service and view them in the service portal.

+These features have their own pricing plans and are billed separately. You can choose to use either feature or both. These features can be enabled or disabled for the workspace or for any specific run. To know more about pricing, see [Microsoft Playwright Testing preview pricing](https://aka.ms/mpt/pricing)

+## Manage feature for the workspace

+1. Sign in to the [Playwright portal](https://aka.ms/mpt/portal) with your Azure account.

+1. Select the workspace settings icon, and then go to the **General** page to view the workspace settings.

+1. Navigate to **Feature management** section.

+ :::image type="content" source="./media/how-to-use-service-features/playwright-testing-enable-reporting-for-workspace.png" alt-text="Screenshot that shows the workspace settings page in the Playwright Testing portal for Feature Management." lightbox="./media/how-to-use-service-features/playwright-testing-enable-reporting-for-workspace.png":::

+1. Choose the features you want to enable for your workspace.

+ Currently, you can choose to enable or disable only reporting feature of the service. By default, reporting is enabled for the workspace.

+## Manage features while running tests

+You can also choose to use either feature or both for a test run.

+> [!IMPORTANT]

+> You can only use a feature in a test run if it is enabled for the workspace.

+1. In your Playwright setup, go to `playwright.service.config.ts` file and use these settings for feature management.

+```typescript

+import { getServiceConfig, ServiceOS } from "@azure/microsoft-playwright-testing";

+import { defineConfig } from "@playwright/test";

+import { AzureCliCredential } from "@azure/identity";

+import config from "./playwright.config";

+export default defineConfig(

+ config,

+ getServiceConfig(config, {

+ useCloudHostedBrowsers: true, // Select if you want to use cloud-hosted browsers to run your Playwright tests.

+ }),

+ {

+ reporter: [

+ ["list"],

+ ["@azure/microsoft-playwright-testing/reporter"], //Microsoft Playwright Testing reporter

+ ],

+ },

+);

+```

+- **`useCloudHostedBrowsers`**:

+ - **Description**: This setting allows you to choose whether to use cloud-hosted browsers or the browsers on your client machine to run your Playwright tests. If you disable this option, your tests run on the browsers of your client machine instead of cloud-hosted browsers, and you do not incur any charges. You can still configure reporting options.

+ - **Default Value**: true

+ - **Example**:

+ ```typescript

+ useCloudHostedBrowsers: true

+ ```

+- **`reporter`**

+ - **Description**: The `playwright.service.config.ts` file extends the Playwright configuration file of your setup. This option overrides the existing reporters and sets the Microsoft Playwright Testing reporter. You can add or modify this list to include the reporters you want to use. You are billed for Microsoft Playwright Testing reporting if you add `@azure/microsoft-playwright-testing/reporter`. This feature can be used independently of cloud-hosted browsers, meaning you donΓÇÖt have to run tests on service-managed browsers to get reports and artifacts on the Playwright portal.

+ - **Default Value**: ["@azure/microsoft-playwright-testing/reporter"]

+ - **Example**:

+ ```typescript

+ reporter: [

+ ["list"],

+ ["@azure/microsoft-playwright-testing/reporter"]],

+ ```

+## Related content

+- Learn more about [Microsoft Playwright Testing preview pricing](https://aka.ms/mpt/pricing).

+Microsoft Playwright Testing Preview is a fully managed service for end-to-end testing built on top of Playwright. With Playwright, you can automate end-to-end tests to ensure your web applications work the way you expect it to, across different web browsers and operating systems. The service abstracts the complexity and infrastructure for running Playwright tests and managing results and artifacts. The service runs tests with high parallelization and stores test results and artifacts to help you ship features faster and troubleshoot easily.

+## Troubleshoot tests easily using reporting and artifacts

+As applications grow, maintaining quality is crucial. Use the reporting feature of the service to troubleshoot test results with rich artifacts.

+- Publish test results and artifacts to the service and view them in the service portal for faster troubleshooting.

+- Integrate reporting with CI pipelines to get rich, consolidated reports.

+After a test run completes, the test results, trace files, and other test run files are available on the client machine. These are then published to the service from the client machine and can be viewed in the service portal.

+To run existing tests with Microsoft Playwright Testing requires no changes to your test code, install the Microsoft Playwright Testing service package and specify the service endpoint for your workspace.

+Microsoft Playwright Testing automatically encrypts all data stored in your workspace with keys managed by Microsoft (service-managed keys). For example, this data includes workspace details, Playwright test run meta data like test start and end time, test minutes, who ran the test, and test results and artifacts generated by Playwright which are published to the service.

+> Microsoft Playwright Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+* An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* Set up continuous end-to-end testing. Complete the [Quickstart: Set up continuous end-to-end testing with Microsoft Playwright Testing Preview](./quickstart-automate-end-to-end-testing.md) to set up continuous integration (CI) pipeline.

+ push:

+ pull_request:

+ workflow_dispatch:

+permissions:

+ id-token: write

+ contents: read

+jobs:

+ test:

+ timeout-minutes: 60

+ runs-on: ubuntu-latest

+ - uses: actions/checkout@v3

+ - uses: actions/setup-node@v3

+ with:

+ # This step is to sign-in to Azure to run tests from GitHub Action workflow.

+ # You can choose how set up Authentication to Azure from GitHub Actions, this is one example.

+ - name: Login to Azure with AzPowershell (enableAzPSSession true)

+ uses: azure/login@v2

+ with:

+ client-id: ${{ secrets.AZURE_CLIENT_ID }}

+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}

+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ enable-AzPSSession: true

+ run: npm ci

+ env:

+ # Regional endpoint for Microsoft Playwright Testing

+ PLAYWRIGHT_SERVICE_RUN_ID: ${{ github.run_id }}-${{ github.run_attempt }}-${{ github.sha } #This Run_ID will be unique and will remain same across all shards

+ run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}

+In this quickstart, you set up continuous end-to-end testing with Microsoft Playwright Testing Preview to validate that your web app runs correctly across different browsers and operating systems with every code commit and troubleshoot tests easily using the service dashboard. Learn how to add your Playwright tests to a continuous integration (CI) workflow, such as GitHub Actions, Azure Pipelines, or other CI platforms.

+After you complete this quickstart, you have a CI workflow that runs your Playwright test suite at scale and helps you troubleshoot tests easily with Microsoft Playwright Testing.

+- Set up authentication from GitHub Actions to Azure. See [Use GitHub Actions to connect to Azure](/azure/developer/github/connect-from-azure)

+- Azure Resource Manager Service connection to securely authenticate to the service from Azure Pipelines, see [Azure Resource Manager service connection](/azure/devops/pipelines/library/connect-to-azure)

+## Update package.json file

+Update the `package.json` file in your repository to add details about Microsoft Playwright Testing service package in `devDependencies` section.

+```json

+"devDependencies": {

+ "@azure/microsoft-playwright-testing": "^1.0.0-beta.3"

+}

+```

+

+ # This step is to sign-in to Azure to run tests from GitHub Action workflow.

+ # You can choose how set up Authentication to Azure from GitHub Actions, this is one example.

+ - name: Login to Azure with AzPowershell (enableAzPSSession true)

+ uses: azure/login@v2

+ with:

+ client-id: ${{ secrets.AZURE_CLIENT_ID }}

+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}

+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ enable-AzPSSession: true

+ working-directory: path/to/playwright/folder # update accordingly

+ working-directory: path/to/playwright/folder # update accordingly

+ # Regional endpoint for Microsoft Playwright Testing

+

+ - task: AzureCLI@2

+ displayName: Run Playwright Test

+ env:

+ PLAYWRIGHT_SERVICE_RUN_ID: ${{ parameters.runIdPrefix }}$(Build.DefinitionName) - $(Build.BuildNumber) - $(System.JobAttempt)

+ azureSubscription: My_Service_Connection # Service connection used to authenticate this pipeline with Azure to use the service

+ scriptType: 'pscore'

+ scriptLocation: 'inlineScript'

+ inlineScript: |

+ npx playwright test -c playwright.service.config.ts --workers=20

+ addSpnToEnvironment: true

+ workingDirectory: path/to/playwright/folder # update accordingly

+ When the CI workflow is triggered, your Playwright tests run in your Microsoft Playwright Testing workspace on cloud-hosted browsers, across 20 parallel workers.

+> [!NOTE]

+> Reporting feature is enabled by default for existing workspaces. This is being rolled out in stages and will take a few days. To avoid failures, confirm that `Rich diagnostics using reporting` setting is ON for your workspace before proceeding. See, [Enable reporting for workspace](./how-to-use-service-features.md#manage-feature-for-the-workspace).

+> With Microsoft Playwright Testing, you get charged based on the number of total test minutes and test result published. If you're a first-time user or [getting started with a free trial](./how-to-try-playwright-testing-free.md), you might start with running a single test at scale instead of your full test suite to avoid exhausting your free test minutes and test results.

+> [!TIP]

+> You can use Microsoft Playwright Testing service features independently. You can publish test results to the portal without using the cloud-hosted browsers feature and you can also use only cloud-hosted browsers to expedite your test suite without publishing test results.

+In this quickstart, you learn how to run your Playwright tests with highly parallel cloud browsers and troubleshoot failed tests easily using Microsoft Playwright Testing Preview. Use cloud infrastructure to validate your application across multiple browsers, devices, and operating systems. Publish the results and artifacts generated by Playwright to the service and view them in the service portal.

+After you complete this quickstart, you have a Microsoft Playwright Testing workspace to run your Playwright tests at scale and view test results and artifacts in the service portal.

+* Azure CLI. If you don't have Azure CLI, see [Install Azure CLI](/cli/azure/install-azure-cli).

+## Install Microsoft Playwright Testing package

+To use the service, install Microsoft Playwright Testing package.

+```npm

+npm init @azure/microsoft-playwright-testing

+```

+This generates `playwright.service.config.ts` file which serves to:

+- Direct and authenticate Playwright to the Microsoft Playwright Testing service.

+- Adds a reporter to publish test results and artifacts.

+If you already have this file, the package asks you to override it.

+In your setup, you have to provide the region-specific service endpoint. The endpoint depends on the Azure region you selected when creating the workspace.

+To set up your environment, you have to configure the `PLAYWRIGHT_SERVICE_URL` environment variable with the value you obtained in the previous steps.

+ Make sure to replace the `{MY-REGION-ENDPOINT}` text placeholder with the value you copied earlier.

+## Set up Authentication

+To run your Playwright tests in your Microsoft Playwright Testing workspace, you need to authenticate the Playwright client where you're running the tests with the service. This could be your local dev machine or CI machine.

+The service offers two authentication methods: Microsoft Entra ID and Access Tokens.

+Microsoft Entra ID uses your Azure credentials, requiring a sign-in to your Azure account for secure access. Alternatively, you can generate an access token from your Playwright workspace and use it in your setup.

+##### Set up authentication using Microsoft Entra ID

+Microsoft Entra ID is the default and recommended authentication for the service. From your local dev machine, you can use [Azure CLI](/cli/azure/install-azure-cli) to sign-in

+```CLI

+az login

+```

+> [!NOTE]

+> If you're a part of multiple Microsoft Entra tenants, make sure you sign in to the tenant where your workspace belongs. You can get the tenant ID from Azure portal. See [Find your Microsoft Entra Tenant](/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant). Once you get the ID, sign-in using the command `az login --tenant <TenantID>`

+##### Set up authentication using access tokens

+You can generate an access token from your Playwright Testing workspace and use it in your setup. However, we strongly recommend Microsoft Entra ID for authentication due to its enhanced security. Access tokens, while convenient, function like long-lived passwords and are more susceptible to being compromised.

+1. Authentication using access tokens is disabled by default. To use, [Enable access-token based authentication](./how-to-manage-authentication.md#enable-authentication-using-access-tokens)

+2. [Set up authentication using access tokens](./how-to-manage-authentication.md#set-up-authentication-using-access-tokens)

+> [!CAUTION]

+> We strongly recommend using Microsoft Entra ID for authentication to the service. If you are using access tokens, see [How to Manage Access Tokens](./how-to-manage-access-tokens.md)

+With Microsoft Playwright Testing, you get charged based on the number of total test minutes and number of test results published. If you're a first-time user or [getting started with a free trial](./how-to-try-playwright-testing-free.md), you might start with running a single test at scale instead of your full test suite to avoid exhausting your free trial limits.

+> [!NOTE]

+> Reporting feature is enabled by default for existing workspaces. This is being rolled out in stages and will take a few days. To avoid failures, confirm that `Rich diagnostics using reporting` setting is ON for your workspace before proceeding. See, [Enable reporting for workspace](./how-to-use-service-features.md#manage-feature-for-the-workspace).

+> Depending on the size of your test suite, you might incur additional charges for the test minutes beyond your allotted free test minutes and free test results.

+## View test runs and results in the Playwright portal

+Go to the [Playwright portal](https://aka.ms/mpt/portal) to view the test runs and test results for your workspace.

+ :::image type="content" source="./media/quickstart-run-end-to-end-tests/playwright-testing-test-run-page.png" alt-text="Screenshot that shows the test runs for a workspace in the Playwright Testing portal." lightbox="./media/quickstart-run-end-to-end-tests/playwright-testing-test-run-page.png":::

+The test run contains the CI information, test run status, workers used, duration, and billable minutes. If you open a test run, you can see the results and artifacts for each test along with other information.

+> You can use Microsoft Playwright Testing service features independently. You can publish test results to the portal without using the cloud-hosted browsers feature and you can also use only cloud-hosted browsers to expedite your test suite without publishing test results.

+> [!NOTE]

+> The test results and artifacts that you publish are retained on the service for 90 days. After that, they are automatically deleted.

+- Only tests Playwright version 1.47 and higher is supported with the Microsoft Playwright Testing service package.

+ Title: Configure and manage Azure Route Server

+description: Learn how to configure and manage Azure Route Server using the Azure portal, PowerShell, or Azure CLI.

+# Configure Azure Route Server

+In this article, you learn how to configure and manage Azure Route Server using the Azure portal, PowerShell, or Azure CLI.

+## Prerequisites

+# [**Portal**](#tab/portal)

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A route server.

+# [**PowerShell**](#tab/powershell)

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A route server.

+- Azure Cloud Shell or Azure PowerShell.

+ The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the cmdlets in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+# [**Azure CLI**](#tab/cli)

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A route server.

+- Azure Cloud Shell or Azure CLI.

+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.

+## Add a peer

+In this section, you learn how to add a BGP peering to your route server to peer with a network virtual appliance (NVA).

+# [**Portal**](#tab/portal)

+1. Go to the route server that you want to peer with an NVA.

+1. under **Settings**, select **Peers**.

+1. Select **+ Add** to add a new peer.

+1. On the **Add Peer** page, enter the following information:

+ | Setting | Value |

+ | - | -- |

+ | Name | A name to identify the peer. It doesn't have to be the same name of the NVA. |

+ | ASN | The Autonomous System Number (ASN) of the NVA. For more information, see [What Autonomous System Numbers (ASNs) can I use?](route-server-faq.md#what-autonomous-system-numbers-asns-can-i-use) |

+ | IPv4 Address | The private IP address of the NVA. |

+1. Select **Add** to save the configuration.

+ :::image type="content" source="./media/configure-route-server/add-peer.png" alt-text="Screenshot that shows how to add the NVA to the route server as a peer." lightbox="./media/configure-route-server/add-peer.png":::

+ Once the peer NVA is successfully added, you can see it in the list of peers with a **Succeeded** provisioning state.

+ :::image type="content" source="./media/configure-route-server/peer-list.png" alt-text="Screenshot that shows the route server's peers." lightbox="./media/configure-route-server/peer-list.png":::

+ To complete the peering setup, you must configure the NVA to establish a BGP session with the route server's peer IPs and ASN. You can find the route server's Peer IPs and ASN in the **Overview** page:

+ :::image type="content" source="./media/configure-route-server/route-server-overview.png" alt-text="Screenshot that shows the Overview page of a route server. " lightbox="./media/configure-route-server/route-server-overview.png":::

+ [!INCLUDE [NVA peering note](../../includes/route-server-note-nva-peering.md)]

+# [**PowerShell**](#tab/powershell)

+Use [Add-AzRouteServerPeer](/powershell/module/az.network/add-azrouteserverpeer) cmdlet to add a new peer to the route server.

+```azurepowershell-interactive

+Add-AzRouteServerPeer -PeerName 'myNVA' -PeerAsn '65001' -PeerIp '10.0.0.4' -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `-PeerName` | A name to identify the peer. It doesn't have to be the same name of the NVA. |

+| `-PeerAsn` | The Autonomous System Number (ASN) of the NVA. For more information, see [What Autonomous System Numbers (ASNs) can I use?](route-server-faq.md#what-autonomous-system-numbers-asns-can-i-use) |

+| `-PeerIp` | The private IP address of the NVA. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-RouteServerName` | The route server name. This parameter is required when there are more than one route server in the same resource group. |

+After you successfully add the peer NVA, you must configure the NVA to establish a BGP session with the route server's peer IPs and ASN. Use [Get-AzRouteServer](/powershell/module/az.network/get-azrouteserver) cmdlet to find the route server's peer IPs and ASN:

+```azurepowershell-interactive

+Get-AzRouteServer -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-RouteServerName` | The route server name. You need this parameter when there are more than one route server in the same resource group. |

+# [**Azure CLI**](#tab/cli)

+Use [az network routeserver peering create](/cli/azure/network/routeserver/peering#az-network-routeserver-peering-create) command to add a new peer to the route server.

+```azurecli-interactive

+az network routeserver peering create --name 'myNVA' --peer-asn '65001' --peer-ip '10.0.0.4' --resource-group 'myResourceGroup' --routeserver 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | A name to identify the peer. It doesn't have to be the same name of the NVA. |

+| `--peer-asn` | The Autonomous System Number (ASN) of the NVA. For more information, see [What Autonomous System Numbers (ASNs) can I use?](route-server-faq.md#what-autonomous-system-numbers-asns-can-i-use) |

+| `--peer-ip` | The private IP address of the NVA. |

+| `--resource-group` | The resource group name of your route server. |

+| `--routeserver` | The route server name. |

+After you successfully add the peer NVA, you must configure the NVA to establish a BGP session with the route server's peer IPs and ASN. Use [az network routeserver show](/cli/azure/network/routeserver#az-network-routeserver-show) command to find the route server's peer IPs and ASN:

+```azurecli-interactive

+az network routeserver show --name 'myRouteServer' --resource-group 'myResourceGroup'

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | The route server name. |

+| `--resource-group` | The resource group name of your route server. |

+## Configure route exchange

+In this section, you learn how to enable exchanging routes between your route server and the virtual network gateway (ExpressRoute or VPN) that exists in the same virtual network.

+# [**Portal**](#tab/portal)

+1. Go to the route server that you want to configure.

+1. Under **Settings**, select **Configuration**.

+1. Select **Enabled** for the **Branch-to-branch** setting and then select **Save**.

+ :::image type="content" source="./media/configure-route-server/enable-route-exchange.png" alt-text="Screenshot that shows how to enable route exchange in a route server." lightbox="./media/configure-route-server/enable-route-exchange.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Update-AzRouteServer](/powershell/module/az.network/update-azrouteserver) cmdlet to enable or disable route exchange between the route server and the virtual network gateway.

+```azurepowershell-interactive

+Update-AzRouteServer -RouteServerName 'myRouteServer' -ResourceGroupName 'myResourceGroup' -AllowBranchToBranchTraffic 1

+```

+| Parameter | Value |

+| -- | -- |

+| `-RouteServerName` | The route server name. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-AllowBranchToBranchTraffic` | The route exchange parameter. Accepted values: `1` and `0`. |

+To disable route exchange, set the `-AllowBranchToBranchTraffic` parameter to `0`.

+Use [Get-AzRouteServer](/powershell/module/az.network/get-azrouteserver) cmdlet to verify the configuration.

+# [**Azure CLI**](#tab/cli)

+Use [az network routeserver update](/cli/azure/network/routeserver#az-network-routeserver-update) command to enable or disable route exchange between the route server and the virtual network gateway.

+```azurecli-interactive

+az network routeserver peering show --name 'myRouteServer' --resource-group 'myResourceGroup' --allow-b2b-traffic true

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | The route server name. |

+| `--resource-group` | The resource group name of your route server. |

+| `--allow-b2b-traffic` | The route exchange parameter. Accepted values: `true` and `false`. |

+To disable route exchange, set the `--allow-b2b-traffic` parameter to `false`.

+Use [az network routeserver show](/cli/azure/network/routeserver#az-network-routeserver-show) command to verify the configuration.

+## Configure routing preference

+In this section, you learn how to configure route preference to influence the route learning and selection of your route server.

+# [**Portal**](#tab/portal)

+1. Go to the route server that you want to configure.

+1. Under **Settings**, select **Configuration**.

+1. Select the routing preference that you want. Available options: **ExpressRoute** (default), **VPN**, and **ASPath**.

+1. Select **Save**

+ :::image type="content" source="./media/configure-route-server/configure-routing-preference.png" alt-text="Screenshot that shows how to configure routing preference in a route server." lightbox="./media/configure-route-server/configure-routing-preference.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Update-AzRouteServer](/powershell/module/az.network/update-azrouteserver) cmdlet to configure the routing preference setting of your route server.

+```azurepowershell-interactive

+Update-AzRouteServer -RouteServerName 'myRouteServer' -ResourceGroupName 'myResourceGroup' -HubRoutingPreference 'ASPath'

+```

+| Parameter | Value |

+| -- | -- |

+| `-RouteServerName` | The route server name. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-HubRoutingPreference` | The routing preference. Accepted values: `ExpressRoute` (default), `VpnGateway`, and `ASPath`. |

+Use [Get-AzRouteServer](/powershell/module/az.network/get-azrouteserver) cmdlet to verify the configuration.

+# [**Azure CLI**](#tab/cli)

+Use [az network routeserver update](/cli/azure/network/routeserver#az-network-routeserver-update) command to configure the routing preference setting of your route server.

+```azurecli-interactive

+az network routeserver peering show --name 'myRouteServer' --resource-group 'myResourceGroup' --hub-routing-preference 'ASPath'

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | The route server name. |

+| `--resource-group` | The resource group name of your route server. |

+| `--hub-routing-preference` | The routing preference. Accepted values: `ExpressRoute` (default), `VpnGateway`, and `ASPath`. |

+Use [az network routeserver show](/cli/azure/network/routeserver#az-network-routeserver-show) command to verify the configuration.

+## View a peer

+In this section, you learn how to view the details of a peer.

+# [**Portal**](#tab/portal)

+1. Go to the route server that you want to peer with an NVA.

+1. under **Settings**, select **Peers**.

+1. In the list of peers, you can see the name, ASN, IP address, and provisioning state of any of the configured peers.

+ :::image type="content" source="./media/configure-route-server/peer-list.png" alt-text="Screenshot that shows the configuration of a route server's peer." lightbox="./media/configure-route-server/peer-list.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Get-AzRouteServerPeer](/powershell/module/az.network/get-azrouteserverpeer) cmdlet to view a route server peering.

+```azurepowershell-interactive

+Get-AzRouteServerPeer -PeerName 'myNVA' -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `-PeerName` | The peer name. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-RouteServerName` | The route server name. |

+# [**Azure CLI**](#tab/cli)

+Use [az network routeserver peering show](/cli/azure/network/routeserver/peering#az-network-routeserver-peering-show) command to view a route server peering.

+```azurecli-interactive

+az network routeserver peering show --name 'myNVA' --resource-group 'myResourceGroup' --routeserver 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | The peer name. |

+| `--resource-group` | The resource group name of your route server. |

+| `--routeserver` | The route server name. |

+## View advertised and learned routes

+In this section, you learn how to view the route server's advertised and learned routes.

+# [**Portal**](#tab/portal)

+Use [PowerShell](?tabs=powershell#view-advertised-and-learned-routes) or [Azure CLI](?tabs=cli#view-advertised-and-learned-routes) to view the advertised and learned routes.

+# [**PowerShell**](#tab/powershell)

+Use the [Get-AzRouteServerPeerAdvertisedRoute](/powershell/module/az.network/get-azrouteserverpeeradvertisedroute) cmdlet to view routes advertised by a route server.

+```azurepowershell-interactive

+Get-AzRouteServerPeerAdvertisedRoute -PeerName 'myNVA' -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer'

+```

+Use the [Get-AzRouteServerPeerLearnedRoute](/powershell/module/az.network/get-azrouteserverpeerlearnedroute) cmdlet to view routes learned by a route server.

+```azurepowershell-interactive

+Get-AzRouteServerPeerLearnedRoute -PeerName 'myNVA' -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `-PeerName` | The peer name. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-RouteServerName` | The route server name. |

+# [**Azure CLI**](#tab/cli)

+Use the [az network routeserver peering list-advertised-routes](/cli/azure/network/routeserver/peering#az-network-routeserver-peering-list-advertised-routes) command to view routes advertised by a route server.

+```azurecli-interactive

+az network routeserver peering list-advertised-routes --name 'myNVA' --resource-group 'myResourceGroup' --routeserver 'myRouteServer'

+```

+Use the [az network routeserver peering list-learned-routes](/cli/azure/network/routeserver/peering#az-network-routeserver-peering-list-learned-routes) command to view routes learned by a route server.

+```azurecli-interactive

+az network routeserver peering list-learned-routes --name 'myNVA' --resource-group 'myResourceGroup' --routeserver 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+|` --name` | The peer name. |

+| `--resource-group` | The resource group name of your route server. |

+| `--routeserver` | The route server name. |

+## Delete a peer

+In this section, you learn how to delete an existing peering with a network virtual appliance (NVA).

+# [**Portal**](#tab/portal)

+1. Go to the route server that you want to delete its NVA peering.

+1. under **Settings**, select **Peers**.

+1. Select the ellipses **...** next to the peer that you want to delete, and then select **Delete**.

+ :::image type="content" source="./media/configure-route-server/delete-peer.png" alt-text="Screenshot that shows how to delete a route server's peer." lightbox="./media/configure-route-server/delete-peer.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Remove-AzRouteServerPeer](/powershell/module/az.network/remove-azrouteserverpeer) cmdlet to delete a route server peering.

+```azurepowershell-interactive

+Get-AzRouteServerPeer -PeerName 'myNVA' -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `-PeerName` | The peer name. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+| `-RouteServerName` | The route server name. |

+# [**Azure CLI**](#tab/cli)

+Use [az network routeserver peering delete](/cli/azure/network/routeserver/peering#az-network-routeserver-peering-delete) command to delete a route server peering.

+```azurecli-interactive

+az network routeserver peering delete --name 'myNVA' --resource-group 'myResourceGroup' --routeserver 'myRouteServer'

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | The peer name. |

+| `--resource-group` | The resource group name of your route server. |

+| `--routeserver` | The route server name. |

+## Delete a route server

+In this section, you learn how to delete an existing route server.

+# [**Portal**](#tab/portal)

+1. Go to the route server that you want to delete.

+1. Select **Delete** from the **Overview** page.

+1. Select **Confirm** to delete the route server.

+ :::image type="content" source="./media/configure-route-server/delete-route-server.png" alt-text="Screenshot that shows how to delete a route server." lightbox="./media/configure-route-server/delete-route-server.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Remove-AzRouteServer](/powershell/module/az.network/remove-azrouteserver) cmdlet to delete a route server.

+```azurepowershell-interactive

+Remove-AzRouteServer -RouteServerName 'myRouteServer' -ResourceGroupName 'myResourceGroup'

+```

+| Parameter | Value |

+| -- | -- |

+| `-RouteServerName` | The route server name. |

+| `-ResourceGroupName` | The resource group name of your route server. |

+# [**Azure CLI**](#tab/cli)

+Use [az network routeserver delete](/cli/azure/network/routeserver#az-network-routeserver-delete) command to delete a route server.

+```azurecli-interactive

+az network routeserver delete --name 'myRouteServer' --resource-group 'myResourceGroup'

+```

+| Parameter | Value |

+| -- | -- |

+| `--name` | The route server name. |

+| `--resource-group` | The resource group name of your route server. |

+## Related content

+- [Create a route server using the Azure portal](quickstart-configure-route-server-portal.md)

+- [Configure BGP peering between a route server and (NVA)](peer-route-server-with-virtual-appliance.md)

+- [Monitor Azure Route Server](monitor-route-server.md)

+> [Configure routing preference](configure-route-server.md#configure-routing-preference)

+- September 16, 2024: Included section on supported clock sources in Azure VMs in [SAP HANA infrastructure configurations and operations on Azure](./hana-vm-operations.md)

+You also can deploy a complete installed SAP HANA platform on the Azure VM services through the [SAP Cloud platform](https://cal.sap.com). The installation process is described in [Deploy SAP S/4HANA or BW/4HANA on Azure](./cal-s4h.md).

+### Clock source options in Azure VMs

+SAP HANA requires reliable and accurate timing information to perform optimally. Traditionally Azure VMs running on Azure hypervisor used only Hyper-V TSC page as a default clock source. Technology advancements in hardware, host OS and Linux guest OS kernels made it possible to provide "Invariant TSC" as a clock source option on some Azure VM SKUs.

+Hyper-V TSC page (`hyperv_clocksource_tsc_page`) is supported on all Azure VMs as a clock source.

+If the underlying hardware, hypervisor and guest OS linux kernel support Invariant TSC, `tsc` will be offered as available and supported clock source in the guest OS on Azure VMs.

+ Title: Optimize costs with a pre-purchase plan

+description: Learn how to save costs and buy a Microsoft Sentinel pre-purchase plan

+#customerintent: As a SOC administrator or a billing specialist, I want to know how to buy a pre-purchase plan and whether commit units will benefit us financially.

+# Optimize Microsoft Sentinel costs with a pre-purchase plan

+Save on your Microsoft Sentinel costs when you buy a pre-purchase plan. Pre-purchase plans are commit units (CUs) bought at discounted tiers in your purchasing currency for a specific product. The more you buy, the greater the discount. Purchased CUs pay down qualifying costs in US dollars (USD). So, if Microsoft Sentinel generates a retail cost of $100, then 100 Sentinel CUs (SCUs) are consumed.

+Any eligible Microsoft Sentinel retail costs automatically deduct first from your SCUs over the course of its one year term or until they are depleted. Your pre-purchase plan SCUs start paying for your Microsoft Sentinel workspace costs without needing to redeploy or reassign the plan, and by default automatically renew to ensure you continue saving.

+## Prerequisites

+To buy a pre-purchase plan, you must have one of the following Azure subscriptions and roles:

+- For an Azure subscription, the owner role or reservation purchaser role is required.

+- For an Enterprise Agreement (EA) subscription, the [**Reserved Instances** policy option](../cost-management-billing/manage/direct-ea-administration.md#view-and-manage-enrollment-policies) must be enabled. To enable that policy option, you must be an EA administrator of the subscription.

+- For a Cloud Solution Provider (CSP) subscription, follow one of these articles:

+ - [Buy Azure reservations on behalf of a customer](/partner-center/customers/azure-reservations-buying)

+ - [Allow the customer to buy their own reservations](/partner-center/customers/give-customers-permission)

+>[!NOTE]

+> Microsoft Sentinel Commit Units are different from Security Compute Units in Copilot for Security. Customers cannot use Sentinel Commit Units to run Copilot workloads and vice versa.

+## Determine the right size to buy

+Pre-purchase plans pair nicely with Microsoft Sentinel commitment tiers. Once you plan your Microsoft Sentinel ingestion volume, choose an appropriate commitment tier. Then it's easier to decide on the size of a pre-purchase plan to buy. Microsoft Sentinel pre-purchase plans have a term agreement of one year.

+Here's an example of the decision making and cost savings for a pre-purchase plan. If you have a commitment tier of 200 GB/day, there's an associated monthly estimated cost for both the ingestion to the workspace and the analysis for Microsoft Sentinel. For example purposes, let's say that monthly cost is $20,000 USD with simplified pricing and provides a 39% savings over the pay-as-you-go tier with the same 200 GB/day.

+A $100,000 USD pre-purchase plan covers five months of that commitment tier but is valid for paying Microsoft Sentinel costs for 12 months. That pre-purchase plan is bought at a 22% discount for $78,000 USD.

+The savings for the commitment tier and the pre-purchase plan combine. The original pay-as-you-go price for five months of 200 GB/day ingestion and analysis costs is about $160,000 USD. With an accurate commitment tier and a pre-purchase plan, the cost is reduced to $78,000 USD for a combined savings of over 51%.

+For more information, see the following articles:

+- [Switch to simplified pricing](enroll-simplified-pricing-tier.md)

+- [Set or change commitment tier](billing-reduce-costs.md#set-or-change-pricing-tier)

+>[!IMPORTANT]

+> The prices mentioned are for example purposes only. To determine the latest commitment tier prices, see [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/).

+All Microsoft Sentinel pricing tiers qualify for Microsoft Sentinel pre-purchase plans. From your Microsoft Sentinel bill, these costs are the entries with the **Sentinel** service name in the invoice details. These costs don't include Azure Monitor tiers, retention, restore and search costs. Eligible Microsoft Sentinel usage is deducted from the pre-purchased Microsoft Sentinel CUs automatically.

+For more information on how to view Microsoft Sentinel simplified or classic pricing tiers in your invoice details, see [Understand your Microsoft Sentinel bill](billing.md#understand-your-microsoft-sentinel-bill).

+Keep in mind, Microsoft Sentinel integrates with many other Azure services that have separate costs not eligible to use with the pre-purchase SCUs. For more information, see [Costs and pricing for other services](billing.md#costs-and-pricing-for-other-services).

+## Purchase Microsoft Sentinel commit units

+Purchase Microsoft Sentinel pre-purchase plans in the [Azure portal reservations](https://portal.azure.com/#view/Microsoft_Azure_Reservations/ReservationsBrowseBlade/productType/Reservations).

+1. Go to the [Azure portal](https://portal.azure.com)

+1. Navigate to the **Reservations** service.

+1. On the **Purchase reservations page**, select **Microsoft Sentinel Pre-Purchase Plan**.

+1. On the **Select the product you want to purchase** page, select a subscription. Use the **Subscription** list to select the subscription used to pay for the reserved capacity. The payment method of the subscription is charged the upfront costs for the reserved capacity. Charges are deducted from the enrollment's Azure Prepayment (previously called monetary commitment) balance or charged as overage.

+1. Select a scope.

+ - **Single resource group scope** - Applies the reservation discount to the matching resources in the selected resource group only.

+ - **Single subscription scope** - Applies the reservation discount to the matching resources in the selected subscription.

+ - **Shared scope** - Applies the reservation discount to matching resources in eligible subscriptions that are in the billing context. For Enterprise Agreement customers, the billing context is the enrollment.

+ - **Management group** - Applies the reservation discount to the matching resource in the list of subscriptions that are a part of both the management group and billing scope.

+1. Select how many Microsoft Sentinel commit units you want to purchase.

+ `Need Sentinel screenshot here`

+ :::image type="content" source="media/sentinel-pre-purchase-plan.png" alt-text="Screenshot showing Microsoft Sentinel pre-purchase plan discount tiers and their term lengths." lightbox="media/sentinel-pre-purchase-plan.png":::

+1. Choose to automatically renew the pre-purchase reservation. *The setting is configured to renew automatically by default*. For more information, see [Renew a reservation](../cost-management-billing/reservations/reservation-renew.md).

+## Change scope and ownership

+You can make the following types of changes to a reservation after purchase:

+- Update reservation scope

+- Update who can view or manage the reservation. For more information, see [Who can manage a reservation by default](../cost-management-billing/reservations/manage-reserved-vm-instance.md#who-can-manage-a-reservation-by-default).

+You can't split or merge a **Microsoft Sentinel Pre-Purchase Plan**. For more information about managing reservations, see [Manage reservations after purchase](../cost-management-billing/reservations/manage-reserved-vm-instance.md).

+## Cancellations and exchanges

+Cancel and exchange isn't supported for **Microsoft Sentinel Pre-Purchase Plans**. All purchases are final.

+## Related content

+To learn more about Azure Reservations, see the following articles:

+- [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)

+- [Manage Azure Reservations](../cost-management-billing/reservations/manage-reserved-vm-instance.md)

+To learn more about Microsoft Sentinel costs, see [Plan costs and understand Microsoft Sentinel pricing and billing](billing.md).

+## Buy a pre-purchase plan

+Save on your Microsoft Sentinel costs when you pre-purchase Microsoft Sentinel commit units (CUs). Use the pre-purchased CUs at any time during the one year purchase term.

+Any eligible Microsoft Sentinel costs deduct first from the pre-purchased CUs automatically. You don't need to redeploy or assign a pre-purchased plan to your Microsoft Sentinel workspaces for the CU usage to get the pre-purchase discounts.

+For more information, see [Optimize Microsoft Sentinel costs with a pre-purchase plan](billing-pre-purchase-plan.md).

+- [Exchange Security Insights On-Premises Collector](data-connectors/exchange-security-insights-on-premises-collector.md)

+ Title: "Cyber Blind Spot Integration (using Azure Functions) connector for Microsoft Sentinel"

+description: "Learn how to install the connector Cyber Blind Spot Integration (using Azure Functions) to connect your data source to Microsoft Sentinel."

+# Cyber Blind Spot Integration (using Azure Functions) connector for Microsoft Sentinel

+Through the API integration, you have the capability to retrieve all the issues related to your CBS organizations via a RESTful interface.

+This is autogenerated content. For changes, contact the solution provider.

+## Connector attributes

+| Connector attribute | Description |

+| | |

+| **Azure function app code** | https://raw.githubusercontent.com/CTM360-Integrations/Azure-Sentinel/ctm360-HV-CBS-azurefunctionapp/Solutions/CTM360/Data%20Connectors/CBS/AzureFunctionCTM360_CBS.zip |

+| **Log Analytics table(s)** | CBSLog_Azure_1_CL<br/> |

+| **Data collection rules support** | Not currently supported |

+| **Supported by** | [Cyber Threat Management 360](https://www.ctm360.com/) |

+## Query samples

+**All logs**

+ ```kusto

+CBSLog_Azure_1_CL

+

+ | take 10

+ ```

+## Prerequisites

+To integrate with Cyber Blind Spot Integration (using Azure Functions) make sure you have:

+- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/).

+## Vendor installation instructions

+> [!NOTE]

+ > This connector uses Azure Functions to connect to a 'CyberBlindSpot' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.

+>**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.

+**STEP 1 - Configuration steps for the 'CyberBlindSpot' API**

+The provider should provide or link to detailed steps to configure the 'CyberBlindSpot' API endpoint so that the Azure Function can authenticate to it successfully, get its authorization key or token, and pull the appliance's logs into Microsoft Sentinel.

+**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**

+>**IMPORTANT:** Before deploying the 'CyberBlindSpot' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the 'CyberBlindSpot' API authorization key(s) readily available.

+**Option 1 - Azure Resource Manager (ARM) Template**

+Use this method for automated deployment of the 'CyberBlindSpot' connector.

+1. Click the **Deploy to Azure** button below.

+ [](https://aka.ms/sentinel-CTM360-CBS-azuredeploy) [](https://aka.ms/sentinel-CTM360-CBS-azuredeploy-gov)

+2. Select the preferred **Subscription**, **Resource Group** and **Location**.

+3. Enter the **Workspace ID**, **Workspace Key**, **API **, 'and/or Other required fields'.

+>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

+4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

+5. Click **Purchase** to deploy.

+Option 2 - Manual Deployment of Azure Functions

+Use the following step-by-step instructions to deploy the CTM360 CBS data connector manually with Azure Functions (Deployment via Visual Studio Code).

+**1. Deploy a Function App**

+> **NOTE:** You will need to [prepare VS code](/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.

+1. Download the [Azure Function App](https://raw.githubusercontent.com/CTM360-Integrations/Azure-Sentinel/ctm360-HV-CBS-azurefunctionapp/Solutions/CTM360/Data%20Connectors/CBS/AzureFunctionCTM360_CBS.zip) file. Extract archive to your local development computer.

+2. Start VS Code. Choose File in the main menu and select Open Folder.

+3. Select the top level folder from extracted files.

+4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.

+If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**

+If you're already signed in, go to the next step.

+5. Provide the following information at the prompts:

+ a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.

+ b. **Select Subscription:** Choose the subscription to use.

+ c. Select **Create new Function App in Azure** (Don't choose the Advanced option)

+ d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CTIXYZ).

+ e. **Select a runtime:** Choose Python 3.8.

+ f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.

+6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

+7. Go to Azure Portal for the Function App configuration.

+**2. Configure the Function App**

+1. In the Function App, select the Function App Name and select **Configuration**.

+2. In the **Application settings** tab, select **+ New application setting**.

+3. Add each of the following application settings individually, with their respective string values (case-sensitive):

+ CTM360AccountID

+ WorkspaceID

+ WorkspaceKey

+ CTM360Key

+ FUNCTION_NAME

+ logAnalyticsUri - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.

+3. Once all application settings have been entered, click **Save**.

+## Next steps

+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/ctm360wll1698919697848.ctm360_microsoft_sentinel_solution?tab=Overview) in the Azure Marketplace.

+ Title: "Exchange Security Insights On-Premises Collector connector for Microsoft Sentinel"

+description: "Learn how to install the connector Exchange Security Insights On-Premises Collector to connect your data source to Microsoft Sentinel."

+# Exchange Security Insights On-Premises Collector connector for Microsoft Sentinel

+Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis

+This is autogenerated content. For changes, contact the solution provider.

+## Connector attributes

+| Connector attribute | Description |

+| | |

+| **Log Analytics table(s)** | ESIExchangeConfig_CL<br/> |

+| **Data collection rules support** | Not currently supported |

+| **Supported by** | [Community](https://github.com/Azure/Azure-Sentinel/issues) |

+## Query samples

+**View how many Configuration entries exist on the table**

+ ```kusto

+ESIExchangeConfig_CL

+ | summarize by GenerationInstanceID_g, EntryDate_s, ESIEnvironment_s

+ ```

+## Prerequisites

+To integrate with Exchange Security Insights On-Premises Collector make sure you have:

+- **Service Account with Organization Management role**: The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information.

+## Vendor installation instructions

+Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**

+> [!NOTE]

+ > This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)

+1. Install the ESI Collector Script on a server with Exchange Admin PowerShell console

+This is the script that will collect Exchange Information to push content in Microsoft Sentinel.

+

+2. Configure the ESI Collector Script

+Be sure to be local administrator of the server.

+In 'Run as Administrator' mode, launch the 'setup.ps1' script to configure the collector.

+ Fill the Log Analytics (Microsoft Sentinel) Workspace information.

+ Fill the Environment name or leave empty. By default, choose 'Def' as Default analysis. The other choices are for specific usage.

+3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)

+The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.

+ We recommend scheduling the script once a day.

+ The account used to launch the Script needs to be a member of the group Organization Management

+## Next steps

+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights?tab=Overview) in the Azure Marketplace.

+Though the goal of the experience is to merely simplify the pricing and cost management experience without impacting actual costs, three primary scenarios exist for a cost reduction when switching to a simplified pricing tier.

+- Reduce Microsoft Sentinel costs with a [pre-purchase plan](billing-pre-purchase-plan.md). Commit units of a pre-purchase plan don't apply to Log Analytics costs in the classic pricing tier. Since the entire simplified pricing tier is categorized as a Microsoft Sentinel cost, your effective spend with the simplified pricing tier is reduced with a pre-purchase plan that approaches your commitment tier.

+This procedure describes a sample process for using summary rules with [auxiliary logs](basic-logs-use-cases.md), using a custom connection created via an ARM template to ingest CEF data from Logstash.

+- Installed [VirusTotal Solution from the Content Hub](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/azuresentinel.azure-sentinel-solution-virustotal?tab=Overview)

+- [Azure reservations now have pre-purchase plans available for Microsoft Sentinel](#pre-purchase-plans-now-available-for-microsoft-sentinel)

+### Pre-purchase plans now available for Microsoft Sentinel

+Pre-purchase plans are a type of Azure reservation. When you buy a pre-purchase plan, you get commit units (CUs) at discounted tiers for a specific product. Microsoft Sentinel commit units (SCUs) apply towards eligible costs in your workspace. When you have predictable costs, choosing the right pre-purchase plan saves you money!

+For more information, see [Optimize costs with a pre-purchase plan](billing-pre-purchase-plan.md).

+Another useful metric to consider for scaling is the time between when the latest message was sent and when it was processed, also known as "critical time". This is helpful for scenarios where a queue may have thousands of messages in it, but the processing is fast enough to keep up, giving a "critical time" of only a couple of seconds, which may be more than enough for something like an email sending endpoint. Third-party libraries like [NServiceBus](https://docs.particular.net/nservicebus/operations/opentelemetry#meters-emitted-meters) emit this and other useful metrics via OpenTelemetry.

+When a producer sends a message through a queue, it typically happens in the scope of some other logical operation, initiated by some other client or service. The same operation is continued by consumer once it receives a message. Both producer and consumer (and other services that process the operation), presumably emit telemetry events to trace the operation flow and result. In order to correlate such events and trace operation end-to-end, each service that reports telemetry has to stamp every event with a trace context. One library that can help developers have all of this telemetry emitted by default is [NServiceBus](https://docs.particular.net/nservicebus/operations/opentelemetry).

+The list goes on, but we can solve most of these use cases by [bridging](/azure/architecture/patterns/messaging-bridge) RabbitMQ to Azure.

+Before you can use that connection string, you'll need to convert it to RabbitMQ's AMQP connection format. So go to the [connection string converter tool](https://amqpconnconverter.github.io/) and paste your connection string in the form, click convert. You'll get a connection string that's RabbitMQ ready. (That website runs everything local in your browser so your data isn't sent over the wire). You can access its source code on [GitHub](https://github.com/amqpconnconverter/amqpconnconverter.github.io).

+1. Name the new file share *qsfileshare* and enter "100" for the minimum **Provisioned capacity**, or provision more capacity (up to 102,400 GiB) to get more performance. Select **NFS** protocol, choose a **Root Squash** setting, and select **Create**. To learn more about root squash and its security benefits for NFS file shares, see [Configure root squash for Azure Files](nfs-root-squash.md).

+> * End of Support was announced for Azure Synapse Runtime for Apache Spark 3.2 July 8, 2023. In accordance with the Synapse runtime for Apache Spark lifecycle policy, Azure Synapse runtime for Apache Spark 3.2 retired as of July 8, 2024. Existing workflows will continue to run but security updates and bug fixes will no longer be available. Metadata will temporarily remain in the Synapse workspace.

+> * Effective July 8, 2024, Azure Synapse discontinued official support for Spark 3.2 Runtimes. However, based on requests received from multiple customers, we have extended the usage of this runtime until **October 31st, 2024,** and **job disablement** will start soon after that.

+> * **We strongly recommend that you upgrade your Apache Spark 3.2 workloads to** **[Azure Synapse Runtime for Apache Spark 3.4](./apache-spark-34-runtime.md).**

+> * For up-to-date information, a detailed list of changes, and specific release notes for Spark runtimes, check and subscribe to **[Spark Runtimes Releases and Updates](https://github.com/microsoft/synapse-spark-runtime)**.

+> Virtual network TAP Preview is currently in Private Preview in select Azure regions. You can sign up for our Previews using the sign form (https://forms.office.com/r/EWqbgLGNcV) and we will notify you when you are selected. In the interim, you can use agent based or NVA solutions that provide TAP/Network Visibility functionality through our [Packet Broker partner solutions](#virtual-network-tap-partner-solutions) available in [Azure Marketplace Offerings](https://azuremarketplace.microsoft.com/marketplace/apps/category/networking?page=1&subcategories=appliances%3Ball&search=Network%20Traffic&filters=partners).