- 1. Optionally, change the image URL in the request body (`https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Shorkie_Poo_Puppy.jpg/1280px-Shorkie_Poo_Puppy.jpg\`) to the URL of a different image from which to generate a thumbnail.

- curl -H "Ocp-Apim-Subscription-Key: <subscriptionKey>" -o <thumbnailFile> -H "Content-Type: application/json" "https://westus.api.cognitive.microsoft.com/vision/v3.2/generateThumbnail?width=100&height=100&smartCropping=true" -d "{\"url\":\"https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Shorkie_Poo_Puppy.jpg/1280px-Shorkie_Poo_Puppy.jpg\"}"

-## Recover a deleted resource

-If you have an Azure Cognitive Search resource protected by a private network, and want to allow Azure OpenAI on your data to access your search service, complete [an application form](https://aka.ms/applyacsvpnaoaionyourdata). The application will be reviewed in five business days and you will be contacted via email about the results. If you are eligible, we will send a private endpoint request to your search service, and you will need to approve the request.

- - Your chat model must use version `0301`. You can view or change your model version in [Azure OpenAI Studio](./concepts/models.md#model-updates).

-> Speech translation with language identification is only supported with Speech SDKs in C#, C++, and Python.

-Text Translation is a cloud-based feature of the Azure AI Translator service and is part of the Azure AI service family of REST APIs. The Text Translation API translates text between language pairs across all [supported languages and dialects](../../language-support.md). The available methods are listed in the table below:

-| language | **Optional query parameter**.<br/>Language tag identifying the language of the input text. If a code isn't specified, automatic language detection will be applied. |

-| script | **Optional query parameter**.<br/>Script tag identifying the script used by the input text. If a script isn't specified, the default script of the language will be assumed. |

-| Content-Length | **Required request header**.<br/>The length of the request body. |

-| X-ClientTraceId | **Optional**.<br/>A client-generated GUID to uniquely identify the request. You can omit this header if you include the trace ID in the query string using a query parameter named `ClientTraceId`. |

-* If the `language` query parameter is specified, then all array elements must be in the same language. Otherwise, language auto-detection is applied to each array element independently.

-* `sentLen`: An array of integers representing the lengths of the sentences in the text element. The length of the array is the number of sentences, and the values are the length of each sentence.

-The `detectedLanguage` property is only present in the result object when language auto-detection is requested.

-<table width="100%">

- <th width="20%">Headers</th>

- <th>Description</th>

- <tr>

- <td>X-RequestId</td>

- <td>Value generated by the service to identify the request. It's used for troubleshooting purposes.</td>

- </tr>

-</table>

-The following are the possible HTTP status codes that a request returns.

-<table width="100%">

- <th width="20%">Status Code</th>

- <th>Description</th>

- <tr>

- <td>200</td>

- <td>Success.</td>

- </tr>

- <tr>

- <td>400</td>

- <td>One of the query parameters is missing or not valid. Correct request parameters before retrying.</td>

- </tr>

- <tr>

- <td>401</td>

- <td>The request couldn't be authenticated. Check that credentials are specified and valid.</td>

- </tr>

- <tr>

- <td>403</td>

- <td>The request isn't authorized. Check the details error message. This response code often indicates that all free translations provided with a trial subscription have been used up.</td>

- </tr>

- <tr>

- <td>429</td>

- <td>The server rejected the request because the client has exceeded request limits.</td>

- </tr>

- <tr>

- <td>500</td>

- <td>An unexpected error occurred. If the error persists, report it with: date and time of the failure, request identifier from response header `X-RequestId`, and client identifier from request header `X-ClientTraceId`.</td>

- </tr>

- <tr>

- <td>503</td>

- <td>Server temporarily unavailable. Retry the request. If the error persists, report it with: date and time of the failure, request identifier from response header `X-RequestId`, and client identifier from request header `X-ClientTraceId`.</td>

- </tr>

-</table>

-If an error occurs, the request will also return a JSON error response. The error code is a 6-digit number combining the 3-digit HTTP status code followed by a 3-digit number to further categorize the error. Common error codes can be found on the [v3 Translator reference page](./v3-0-reference.md#errors).

-The following example shows how to obtain sentence boundaries for a single sentence. The language of the sentence is automatically detected by the service.

-| api-version | *Required parameter*.<br/>Version of the API requested by the client. Value must be `3.0`. |

-| Authentication header(s) | <em>Required request header</em>.<br/>See [available options for authentication](./v3-0-reference.md#authentication)</a>. |

-| Content-Type | *Required request header*.<br/>Specifies the content type of the payload. Possible values are: `application/json`. |

-| Content-Length | *Required request header*.<br/>The length of the request body. |

-| X-ClientTraceId | *Optional*.<br/>A client-generated GUID to uniquely identify the request. Note that you can omit this header if you include the trace ID in the query string using a query parameter named `ClientTraceId`. |

-The body of the request is a JSON array. Each array element is a JSON object with a string property named `Text`. Language detection is applied to the value of the `Text` property. The language auto-detection works better with longer input text. A sample request body looks like that:

-* The entire text included in the request cannot exceed 50,000 characters including spaces.

- * `language`: Code of the detected language.

- * `score`: A float value indicating the confidence in the result. The score is between zero and one and a low score indicates a low confidence.

- * `isTranslationSupported`: A boolean value which is true if the detected language is one of the languages supported for text translation.

- * `isTransliterationSupported`: A boolean value which is true if the detected language is one of the languages supported for transliteration.

-

- * `alternatives`: An array of other possible languages. Each element of the array is another object with the same properties listed above: `language`, `score`, `isTranslationSupported` and `isTransliterationSupported`.

-| X-RequestId | Value generated by the service to identify the request. It is used for troubleshooting purposes. |

-The following are the possible HTTP status codes that a request returns.

-| 401 | The request could not be authenticated. Check that credentials are specified and valid. |

-| 403 | The request is not authorized. Check the details error message. This often indicates that all free translations provided with a trial subscription have been used up. |

-If an error occurs, the request will also return a JSON error response. The error code is a 6-digit number combining the 3-digit HTTP status code followed by a 3-digit number to further categorize the error. Common error codes can be found on the [v3 Translator reference page](./v3-0-reference.md#errors).

-| api-version <img width=200/> | **Required parameter**.<br/>Version of the API requested by the client. Value must be `3.0`. |

-| from | **Required parameter**.<br/>Specifies the language of the input text. The source language must be one of the [supported languages](./v3-0-languages.md) included in the `dictionary` scope. |

-| to | **Required parameter**.<br/>Specifies the language of the output text. The target language must be one of the [supported languages](./v3-0-languages.md) included in the `dictionary` scope. |

-| Authentication header(s) <img width=200/> | **Required request header**.<br/>See <a href="v3-0-reference.md#authentication">available options for authentication</a>. |

-| Content-Type | **Required request header**.<br/>Specifies the content type of the payload. Possible values are: `application/json`. |

-| Content-Length | **Required request header**.<br/>The length of the request body. |

-| X-ClientTraceId | **Optional**.<br/>A client-generated GUID to uniquely identify the request. You can omit this header if you include the trace ID in the query string using a query parameter named `ClientTraceId`. |

- * `Text`: A string specifying the term to lookup. This should be the value of a `normalizedText` field from the back-translations of a previous [Dictionary lookup](./v3-0-dictionary-lookup.md) request. It can also be the value of the `normalizedSource` field.

- * `Translation`: A string specifying the translated text previously returned by the [Dictionary lookup](./v3-0-dictionary-lookup.md) operation. This should be the value from the `normalizedTarget` field in the `translations` list of the [Dictionary lookup](./v3-0-dictionary-lookup.md) response. The service will return examples for the specific source-target word-pair.

-* The text value of an array element cannot exceed 100 characters including spaces.

- * `normalizedSource`: A string giving the normalized form of the source term. Generally, this should be identical to the value of the `Text` field at the matching list index in the body of the request.

-

- * `normalizedTarget`: A string giving the normalized form of the target term. Generally, this should be identical to the value of the `Translation` field at the matching list index in the body of the request.

-

- * `examples`: A list of examples for the (source term, target term) pair. Each element of the list is an object with the following properties:

- * `sourcePrefix`: The string to concatenate _before_ the value of `sourceTerm` to form a complete example. Do not add a space character, since it is already there when it should be. This value may be an empty string.

- * `sourceTerm`: A string equal to the actual term looked up. The string is added with `sourcePrefix` and `sourceSuffix` to form the complete example. Its value is separated so it can be marked in a user interface, e.g., by bolding it.

- * `sourceSuffix`: The string to concatenate _after_ the value of `sourceTerm` to form a complete example. Do not add a space character, since it is already there when it should be. This value may be an empty string.

- * `targetPrefix`: A string similar to `sourcePrefix` but for the target.

- * `targetTerm`: A string similar to `sourceTerm` but for the target.

- * `targetSuffix`: A string similar to `sourceSuffix` but for the target.

-This example shows how to lookup examples for the pair made up of the English term `fly` and its Spanish translation `volar`.

-```

- },

-description: The Dictionary Lookup method provides alternative translations for a word and a small number of idiomatic phrases.

-Provides alternative translations for a word and a small number of idiomatic phrases. Each translation has a part-of-speech and a list of back-translations. The back-translations enable a user to understand the translation in context. The [Dictionary Example](./v3-0-dictionary-examples.md) operation allows further drill down to see example uses of each translation pair.

-| api-version <img width=200/> | **Required parameter**.<br/>Version of the API requested by the client. Value must be `3.0` |

-| Authentication header(s) <img width=200/> | **Required request header**.<br/>See <a href="v3-0-reference.md#authentication">available options for authentication</a>. |

-| Content-Type | **Required request header**.<br/>Specifies the content type of the payload. Possible values are: `application/json`. |

-| Content-Length | **Required request header**.<br/>The length of the request body. |

-The body of the request is a JSON array. Each array element is a JSON object with a string property named `Text`, which represents the term to lookup.

-* The text value of an array element cannot exceed 100 characters including spaces.

- * `normalizedSource`: A string giving the normalized form of the source term. For example, if the request is "JOHN", the normalized form will be "john". The content of this field becomes the input to [lookup examples](./v3-0-dictionary-examples.md).

-

- * `displaySource`: A string giving the source term in a form best suited for end-user display. For example, if the input is "JOHN", the display form will reflect the usual spelling of the name: "John".

- * `translations`: A list of translations for the source term. Each element of the list is an object with the following properties:

- * `normalizedTarget`: A string giving the normalized form of this term in the target language. This value should be used as input to [lookup examples](./v3-0-dictionary-examples.md).

- * `displayTarget`: A string giving the term in the target language and in a form best suited for end-user display. Generally, this will only differ from the `normalizedTarget` in terms of capitalization. For example, a proper noun like "Juan" will have `normalizedTarget = "juan"` and `displayTarget = "Juan"`.

- * `posTag`: A string associating this term with a part-of-speech tag.

- | Tag name | Description |

- |-|--|

- | ADJ | Adjectives |

- | ADV | Adverbs |

- | CONJ | Conjunctions |

- | DET | Determiners |

- | MODAL | Verbs |

- | NOUN | Nouns |

- | PREP | Prepositions |

- | PRON | Pronouns |

- | VERB | Verbs |

- | OTHER | Other |

- As an implementation note, these tags were determined by part-of-speech tagging the English side, and then taking the most frequent tag for each source/target pair. So if people frequently translate a Spanish word to a different part-of-speech tag in English, tags may end up being wrong (with respect to the Spanish word).

- * `confidence`: A value between 0.0 and 1.0 which represents the "confidence" (or perhaps more accurately, "probability in the training data") of that translation pair. The sum of confidence scores for one source word may or may not sum to 1.0.

- * `prefixWord`: A string giving the word to display as a prefix of the translation. Currently, this is the gendered determiner of nouns, in languages that have gendered determiners. For example, the prefix of the Spanish word "mosca" is "la", since "mosca" is a feminine noun in Spanish. This is only dependent on the translation, and not on the source. If there is no prefix, it will be the empty string.

-

- * `backTranslations`: A list of "back translations" of the target. For example, source words that the target can translate to. The list is guaranteed to contain the source word that was requested (e.g., if the source word being looked up is "fly", then it is guaranteed that "fly" will be in the `backTranslations` list). However, it is not guaranteed to be in the first position, and often will not be. Each element of the `backTranslations` list is an object described by the following properties:

- * `normalizedText`: A string giving the normalized form of the source term that is a back-translation of the target. This value should be used as input to [lookup examples](./v3-0-dictionary-examples.md).

- * `displayText`: A string giving the source term that is a back-translation of the target in a form best suited for end-user display.

- * `numExamples`: An integer representing the number of examples that are available for this translation pair. Actual examples must be retrieved with a separate call to [lookup examples](./v3-0-dictionary-examples.md). The number is mostly intended to facilitate display in a UX. For example, a user interface may add a hyperlink to the back-translation if the number of examples is greater than zero and show the back-translation as plain text if there are no examples. Note that the actual number of examples returned by a call to [lookup examples](./v3-0-dictionary-examples.md) may be less than `numExamples`, because additional filtering may be applied on the fly to remove "bad" examples.

-

- * `frequencyCount`: An integer representing the frequency of this translation pair in the data. The main purpose of this field is to provide a user interface with a means to sort back-translations so the most frequent terms are first.

-This example shows how to lookup alternative translations in Spanish of the English term `fly` .

-```

-This example shows what happens when the term being looked up does not exist for the valid dictionary pair.

-Since the term is not found in the dictionary, the response body includes an empty `translations` list.

-```

-<table width="100%">

- <th width="20%">Query parameter</th>

- <th>Description</th>

- <tr>

- <td>api-version</td>

- <td><em>Required parameter</em>.<br/>Version of the API requested by the client. Value must be `3.0`.</td>

- </tr>

- <tr>

- <td>scope</td>

- <td>*Optional parameter*.<br/>A comma-separated list of names defining the group of languages to return. Allowed group names are: `translation`, `transliteration` and `dictionary`. If no scope is given, then all groups are returned, which is equivalent to passing `scope=translation,transliteration,dictionary`.</td>

- </tr>

-</table>

-<table width="100%">

- <th width="20%">Headers</th>

- <th>Description</th>

- <tr>

- <td>Accept-Language</td>

- <td>*Optional request header*.<br/>The language to use for user interface strings. Some of the fields in the response are names of languages or names of regions. Use this parameter to define the language in which these names are returned. The language is specified by providing a well-formed BCP 47 language tag. For instance, use the value `fr` to request names in French or use the value `zh-Hant` to request names in Chinese Traditional.<br/>Names are provided in the English language when a target language isn't specified or when localization isn't available.

- </td>

- </tr>

- <tr>

- <td>X-ClientTraceId</td>

- <td>*Optional request header*.<br/>A client-generated GUID to uniquely identify the request.</td>

- </tr>

-</table>

-<table width="100%">

- <th width="20%">Headers</th>

- <th>Description</th>

- <tr>

- <td>ETag</td>

- <td>Current value of the entity tag for the requested groups of supported languages. To make subsequent requests more efficient, the client may send the `ETag` value in an `If-None-Match` header field.

- </td>

- </tr>

- <tr>

- <td>X-RequestId</td>

- <td>Value generated by the service to identify the request. It's used for troubleshooting purposes.</td>

- </tr>

-</table>

-<table width="100%">

- <th width="20%">Status Code</th>

- <th>Description</th>

- <tr>

- <td>200</td>

- <td>Success.</td>

- </tr>

- <tr>

- <td>304</td>

- <td>The resource hasn't been modified since the version specified by request headers `If-None-Match`.</td>

- </tr>

- <tr>

- <td>400</td>

- <td>One of the query parameters is missing or not valid. Correct request parameters before retrying.</td>

- </tr>

- <tr>

- <td>429</td>

- <td>The server rejected the request because the client has exceeded request limits.</td>

- </tr>

- <tr>

- <td>500</td>

- <td>An unexpected error occurred. If the error persists, report it with: date and time of the failure, request identifier from response header `X-RequestId`, and client identifier from request header `X-ClientTraceId`.</td>

- </tr>

- <tr>

- <td>503</td>

- <td>Server temporarily unavailable. Retry the request. If the error persists, report it with: date and time of the failure, request identifier from response header `X-RequestId`, and client identifier from request header `X-ClientTraceId`.</td>

- </tr>

-</table>

-description: Reference documentation for the Translator V3.0. Version 3 of the Translator provides a modern JSON-based Web API.

-Version 3 of the Translator provides a modern JSON-based Web API. It improves usability and performance by consolidating existing features into fewer operations and it provides new features.

-^`1` Customers with a resource located in Switzerland North or Switzerland West can ensure that their Text API requests are served within Switzerland. To ensure that requests are handled in Switzerland, create the Translator resource in the 'Resource region' 'Switzerland North' or 'Switzerland West', then use the resource's custom endpoint in your API requests. For example: If you create a Translator resource in Azure portal with 'Resource region' as 'Switzerland North' and your resource name is 'my-swiss-n', then your custom endpoint is "https://my-swiss-n.cognitiveservices.azure.com". And a sample request to translate is:

-| suggestedFrom | _Optional parameter_. <br>Specifies a fallback language if the language of the input text can't be identified. Language autodetection is applied when the `from` parameter is omitted. If detection fails, the `suggestedFrom` language will be assumed. |

-| allowFallback | _Optional parameter_. <br>Specifies that the service is allowed to fall back to a general system when a custom system doesn't exist. Possible values are: `true` (default) or `false`. <br> <br>`allowFallback=false` specifies that the translation should only use systems trained for the `category` specified by the request. If a translation for language X to language Y requires chaining through a pivot language E, then all the systems in the chain (X → E and E → Y) will need to be custom and have the same category. If no system is found with the specific category, the request will return a 400 status code. `allowFallback=true` specifies that the service is allowed to fall back to a general system when a custom system doesn't exist. |

- The `detectedLanguage` property is only present in the result object when language auto-detection is requested.

- * `alignment`: An object with a single string property named `proj`, which maps input text to translated text. The alignment information is only provided when the request parameter `includeAlignment` is `true`. Alignment is returned as a string value of the following format: `[[SourceTextStartIndex]:[SourceTextEndIndex]ΓÇô[TgtTextStartIndex]:[TgtTextEndIndex]]`. The colon separates start and end index, the dash separates the languages, and space separates the words. One word may align with zero, one, or multiple words in the other language, and the aligned words may be non-contiguous. When no alignment information is available, the alignment element will be empty. See [Obtain alignment information](#obtain-alignment-information) for an example and restrictions.

-| X-mt-system | Specifies the system type that was used for translation for each 'to' language requested for translation. The value is a comma-separated list of strings. Each string indicates a type: <br><br>* Custom - Request includes a custom system and at least one custom system was used during translation.<br>* Team - All other requests |

-| X-metered-usage |Specifies consumption (the number of characters for which the user will be charged) for the translation job request. For example, if the word "Hello" is translated from English (en) to French (fr), this field will return the value '5'.|

-If an error occurs, the request will also return a JSON error response. The error code is a 6-digit number combining the 3-digit HTTP status code followed by a 3-digit number to further categorize the error. Common error codes can be found on the [v3 Translator reference page](./v3-0-reference.md#errors).

-```

-```

-```

-```

-```

-Normally the Translator service will retain profanity that is present in the source in the translation. The degree of profanity and the context that makes words profane differ between cultures, and as a result the degree of profanity in the target language may be amplified or reduced.

-If you want to avoid getting profanity in the translation, regardless of the presence of profanity in the source text, you can use the profanity filtering option. The option allows you to choose whether you want to see profanity deleted, whether you want to mark profanities with appropriate tags (giving you the option to add your own post-processing), or you want no action taken. The accepted values of `ProfanityAction` are `Deleted`, `Marked` and `NoAction` (default).

-| `NoAction` | NoAction is the default behavior. Profanity will pass from source to target. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a jack. |

-| `Deleted` | Profane words will be removed from the output without replacement. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a** |

-| `Marked` | Profane words are replaced by a marker in the output. The marker depends on the `ProfanityMarker` parameter. <br> <br>For `ProfanityMarker=Asterisk`, profane words are replaced with `***`: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a \\*\\*\\*. <br> <br>For `ProfanityMarker=Tag`, profane words are surrounded by XML tags &lt;profanity&gt; and &lt;/profanity&gt;: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He's a &lt;profanity&gt;jack&lt;/profanity&gt;. |

-```

-```

-It's common to translate content that includes markup such as content from an HTML page or content from an XML document. Include query parameter `textType=html` when translating content with tags. In addition, it's sometimes useful to exclude specific content from translation. You can use the attribute `class=notranslate` to specify content that should remain in its original language. In the following example, the content inside the first `div` element won't be translated, while the content in the second `div` element will be translated.

-```

-```

-In other words, the colon separates start and end index, the dash separates the languages, and space separates the words. One word may align with zero, one, or multiple words in the other language, and the aligned words may be non-contiguous. When no alignment information is available, the Alignment element will be empty. The method returns no error in that case.

-```

-* You won't receive alignment if the sentence is a canned translation. Example of a canned translation is "This is a test", "I love you" and other high frequency sentences.

-```

-```

-```

-This dynamic-dictionary feature works the same way with `textType=text` or with `textType=html`. The feature should be used sparingly. The appropriate and far better way of customizing translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you can create training data that shows your work or phrase in context, you'll get much better results. [Learn more about Custom Translator](../custom-translator/concepts/customization.md).

-| X-ClientTraceId | *Optional*.<br/>A client-generated GUID to uniquely identify the request. Note that you can omit this header if you include the trace ID in the query string using a query parameter named `ClientTraceId`. |

-* The text value of an array element cannot exceed 1,000 characters including spaces.

-* The entire text included in the request cannot exceed 5,000 characters including spaces.

- * `text`: A string which is the result of converting the input string to the output script.

-

- * `script`: A string specifying the script used in the output.

-| X-RequestId | Value generated by the service to identify the request. It is used for troubleshooting purposes. |

-The following are the possible HTTP status codes that a request returns.

-| 401 | The request could not be authenticated. Check that credentials are specified and valid. |

-| 403 | The request is not authorized. Check the details error message. This often indicates that all free translations provided with a trial subscription have been used up. |

-If an error occurs, the request also returns a JSON error response. The error code is a 6-digit number combining the 3-digit HTTP status code followed by a 3-digit number to further categorize the error. Common error codes can be found on the [v3 Translator reference page](./v3-0-reference.md#errors).

-If you are using cURL in a command-line window that does not support Unicode characters, take the following JSON payload and save it into a file named `request.txt`. Be sure to save the file with `UTF-8` encoding.

-AKS also initiates auto-upgrades for unsupported clusters. When a cluster in an n-3 version (where n is the latest supported AKS GA minor version) is about to drop to n-4, AKS automatically upgrades the cluster to n-2 to remain in an AKS support [policy][supported-kubernetes-versions]. Automatically upgrading a platform supported cluster to a supported version is enabled by default.

-| `node-image`| automatically upgrades the node image to the latest version available.| Microsoft provides patches and new images for image nodes frequently (usually weekly), but your running nodes don't get the new images unless you do a node image upgrade. Turning on the node-image channel automatically updates your node images whenever a new version is available. If you use this channel, Linux [unattended upgrades] are disabled by default.|

-| `SecurityPatch`|This channel is in preview and requires enabling the feature flag `NodeOsUpgradeChannelPreview`. Refer to the prerequisites section for details. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There may be disruptions when the security patches are applied to the nodes. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs.|

-| `NodeImage`|AKS updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|

-Run the `az aks show` command and check the "autoUpgradeProfile" to determine what value the `nodeOsUpgradeChannel` is set to.

-description: Learn how to create an Application Gateway Ingress Controller (AGIC) in Azure Kubernetes Service (AKS) using Terraform.

-content_well_notification:

- - AI-contribution

-# Create an Application Gateway Ingress Controller (AGIC) in Azure Kubernetes Service (AKS) using Terraform

-[Azure Kubernetes Service (AKS)](/azure/aks/) manages your hosted Kubernetes environment. AKS makes it quick and easy to deploy and manage containerized applications without container orchestration expertise. AKS also eliminates the burden of taking applications offline for operational and maintenance tasks. With AKS, you can provision, upgrade, and scale resources on-demand.

-[Azure Application Gateway](/azure/Application-Gateway/) provides Application Gateway Ingress Controller (AGIC). AGIC enables various features for Kubernetes services, including reverse proxy, configurable traffic routing, and TLS termination. Kubernetes Ingress resources help configure the ingress rules for individual Kubernetes services. An ingress controller allows a single IP address to route traffic to multiple services in a Kubernetes cluster.

-In this article, you learn how to:

-> [!div class="checklist"]

->

-> * Create a random value for the Azure resource group name using [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet).

-> * Create an Azure resource group using [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group).

-> * Create a User Assigned Identity using [azurerm_user_assigned_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity).

-> * Create a virtual network (VNet) using [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network).

-> * Create a subnet using [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet).

-> * Create a public IP using [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip).

-> * Create a Application Gateway using [azurerm_application_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway).

-> * Create a Kubernetes cluster using [azurerm_kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster).

-> * Install and run a sample web app to test the availability of the Kubernetes cluster you create.

-## Prerequisites

-Before you get started, you need to install and configure the following tools:

-* [Terraform](/azure/developer/terraform/quickstart-configure)

-* [kubectl command-line tool](https://kubernetes.io/docs/tasks/tools/)

-* [Helm package manager](https://helm.sh/docs/intro/install/)

-* [GNU wget command-line tool](http://www.gnu.org/software/wget/)

-## Implement the Terraform code

-> [!NOTE]

-> You can find the sample code from this article in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/TestRecord.md).

->

-> For more information, see [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform).

-1. Create a directory to test sample Terraform code and make it your working directory.

-2. Create a file named `providers.tf` and copy in the following code:

- :::code language="Terraform" source="~/terraform_samples/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/providers.tf":::

-3. Create a file named `main.tf` and copy in the following code:

- :::code language="Terraform" source="~/terraform_samples/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf":::

-4. Create a file named `variables.tf` and copy in the following code:

- :::code language="Terraform" source="~/terraform_samples/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf":::

-5. Create a file named `outputs.tf` and copy in the following code:

- :::code language="Terraform" source="~/terraform_samples/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/outputs.tf":::

-## Initialize Terraform

-## Create a Terraform execution plan

-## Apply a Terraform execution plan

-## Test the Kubernetes cluster

-1. Get the Azure resource group name.

- ```console

- resource_group_name=$(terraform output -raw resource_group_name)

- ```

-2. Get the AKS cluster name.

- ```console

- aks_cluster_name=$(terraform output -raw aks_cluster_name)

- ```

-3. Get the Kubernetes configuration and access credentials for the cluster using the [`az aks get-credentials`](/cli/azure/aks#az-aks-get-credentials) command.

- ```azurecli-interactive

- az aks get-credentials \

- --name $aks_cluster_name \

- --resource-group $resource_group_name \

- --overwrite-existing

- ```

-4. Verify the health of the cluster using the [`kubectl get`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) command.

- ```console

- kubectl get nodes

- ```

- **Key points:**

- * The details of your worker nodes display with a status of **Ready**.

- :::image type="content" source="media/create-k8s-cluster-with-aks-application-gateway-ingress/kubectl-get-nodes.png" alt-text="Screenshot of kubectl showing the health of your Kubernetes cluster.":::

-## Install Azure Active Directory Pod Identity

-Azure Active Directory (Azure AD) Pod Identity provides token-based access to [Azure Resource Manager](/azure/azure-resource-manager/resource-group-overview).

-[Azure AD Pod Identity](https://github.com/Azure/aad-pod-identity) adds the following components to your Kubernetes cluster:

-* Kubernetes [CRDs](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/): `AzureIdentity`, `AzureAssignedIdentity`, `AzureIdentityBinding`

-* [Managed Identity Controller (MIC)](https://github.com/Azure/aad-pod-identity#managed-identity-controllermic) component

-* [Node Managed Identity (NMI)](https://github.com/Azure/aad-pod-identity#node-managed-identitynmi) component

-To install Azure AD Pod Identity on your cluster, you need to know if RBAC is enabled or disabled. RBAC is disabled by default for this demo. Enabling or disabling RBAC is done in the `variables.tf` file via the `aks_enable_rbac` block's `default` value.

-* If RBAC is **enabled**, run the following `kubectl create` command.

- ```console

- kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml

- ```

-* If RBAC is **disabled**, run the following `kubectl create` command.

- ```console

- kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml

- ```

-## Install the AGIC Helm repo

-1. Add the AGIC Helm repo using the [`helm repo add`](https://helm.sh/docs/helm/helm_repo_add/) command.

- ```console

- helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/

- ```

-2. Update the AGIC Helm repo using the [`helm repo update`](https://helm.sh/docs/helm/helm_repo_update/) command.

- ```console

- helm repo update

- ```

-## Configure AGIC using Helm

-1. Download `helm-config.yaml` to configure AGIC using the [`wget`](https://www.gnu.org/software/wget/) command.

- ```console

- wget https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/sample-helm-config.yaml -O helm-config.yaml

- ```

-2. Open `helm-config.yaml` in a text editor.

-3. Enter the following value for the top level keys:

- * `verbosityLevel`: Specify the *verbosity level* of the AGIC logging infrastructure. For more information about logging levels, see [logging Levels section of Application Gateway Kubernetes Ingress](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/463a87213bbc3106af6fce0f4023477216d2ad78/docs/troubleshooting.md).

-4. Enter the following values for the `appgw` block:

- * `appgw.subscriptionId`: Specify the Azure subscription ID used to create the App Gateway.

- * `appgw.resourceGroup`: Get the resource group name using the `echo "$(terraform output -raw resource_group_name)"` command.

- * `appgw.name`: Get the Application Gateway name using the `echo "$(terraform output -raw application_gateway_name)"` command.

- * `appgw.shared`: This boolean flag defaults to `false`. Set it to `true` if you need a [Shared App Gateway](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/072626cb4e37f7b7a1b0c4578c38d1eadc3e8701/docs/setup/install-existing.md#multi-cluster--shared-app-gateway).

-5. Enter the following value for the `kubernetes` block:

- * `kubernetes.watchNamespace`: Specify the name space, which AGIC should watch. The namespace can be a single string value or a comma-separated list of namespaces. Leaving this variable commented out or setting it to a blank or an empty string results in the Ingress controller observing all accessible namespaces.

-6. Enter the following values for the `armAuth` block:

- * If you specify `armAuth.type` as `aadPodIdentity`:

- * `armAuth.identityResourceID`: Get the Identity resource ID by running `echo "$(terraform output -raw identity_resource_id)"`.

- * `armAuth.identityClientId`: Get the Identity client ID by running `echo "$(terraform output -raw identity_client_id)"`.

- * If you specify `armAuth.type` as `servicePrincipal`, see [Using a service principal](/azure/application-gateway/ingress-controller-install-existing#using-a-service-principal).

-## Install the AGIC package

-1. Install the AGIC package using the [`helm install`](https://helm.sh/docs/helm/helm_install/) command.

- ```console

- helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure --generate-name

- ```

-2. Get the Azure resource group name.

- ```console

- resource_group_name=$(terraform output -raw resource_group_name)

- ```

-3. Get the identity name.

- ```console

- identity_name=$(terraform output -raw identity_name)

- ```

-4. Get the key values from your identity using the [`az identity show`](/cli/azure/identity#az-identity-show) command.

- ```azurecli-interactive

- az identity show -g $resource_group_name -n $identity_name

- ```

-## Install a sample app

-1. Download the YAML file using the [`curl`](https://curl.se/) command.

- ```console

- curl https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/aspnetapp.yaml -o aspnetapp.yaml

- ```

-2. Apply the YAML file using the [`kubectl apply`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply) command.

- ```console

- kubectl apply -f aspnetapp.yaml

- ```

-## Test the sample app

-1. Get the app IP address.

- ```console

- echo "$(terraform output -raw application_ip_address)"

- ```

-2. In a browser, navigate to the IP address from the output of the previous step.

- :::image type="content" source="media/create-k8s-cluster-with-aks-application-gateway-ingress/sample-app.png" alt-text="Screenshot of sample app.":::

-## Clean up resources

-## Troubleshoot Terraform on Azure

-[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)

-## Next steps

-> [!div class="nextstepaction"]

-> [Application Gateway Ingress Controller](https://azure.github.io/application-gateway-kubernetes-ingress/)

-PATCH_TAG=v2023040

-## Add a Windows node pool

-## Add a Windows Server 2019 or Windows Server 2022 node pool

-AKS supports Windows Server 2019 and 2022 node pools. Windows Server 2022 is the default operating system for Kubernetes versions 1.25.0 and higher. Windows Server 2019 is the default OS for earlier versions. To use Windows Server 2019 or Windows Server 2022, you need to specify the following parameters:

->

-> - Windows Server 2022 requires Kubernetes version 1.23.0 or higher.

-> - Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL) and won't be supported in future releases. For more information about this retirement, see the [AKS release notes][aks-release-notes].

-## Add a Windows node pool

-## Add a Windows Server 2019 or Windows Server 2022 node pool

-AKS supports Windows Server 2019 and 2022 node pools. Windows Server 2022 is the default operating system for Kubernetes versions 1.25.0 and higher. Windows Server 2019 is the default OS for earlier versions. To use Windows Server 2019 or Windows Server 2022, you need to specify the following parameters:

-* `OsSKU` set to `Windows2019` *or* `Windows2022`

-> * Windows Server 2022 requires Kubernetes version 1.23.0 or higher.

- New-AzAksNodePool -ResourceGroupName myResourceGroup -ClusterName myAKSCluster -VmSetType VirtualMachineScaleSets -OsType Windows -OsSKU Windows2019 Windows -Name npwin

-# Deploy an application that uses OpenAI on Azure Kubernetes Service (AKS)

-In this article, you will learn how to deploy an application that uses Azure OpenAI or OpenAI on AKS. With OpenAI, you can easily adapt different AI models, such as content generation, summarization, semantic search, and natural language to code generation, for your specific tasks. You will start by deploying an AKS cluster in your Azure subscription. Then you will deploy your OpenAI service and the sample application.

-The sample cloud native application is representative of real-world implementations. The multi-container application is comprised of applications written in multiple languages and frameworks, including:

-> We don't recommend running stateful containers, such as MongoDB and Rabbit MQ, without persistent storage for production. These are used here for simplicity, but we recommend using managed services, such as Azure CosmosDB or Azure Service Bus.

-The codebase for [AKS Store Demo][aks-store-demo] can be found on GitHub.

-An [Azure resource group][azure-resource-group] is a logical group in which Azure resources are deployed and managed. When you create a resource group, you're prompted to specify a location. This location is the storage location of your resource group metadata and where your resources run in Azure if you don't specify another region during resource creation.

-* Create a resource group using the [`az group create`][az-group-create] command.

-

- The following output example resembles the successful creation of the resource group:

- ```json

-The following example creates a cluster named *myAKSCluster* in the resource group *myResourceGroup* created earlier.

-* Create an AKS cluster using the [`az aks create`][az-aks-create] command.

-To manage a Kubernetes cluster, use the Kubernetes command-line client, [kubectl][kubectl]. `kubectl` is already installed if you use Azure Cloud Shell.

- ```azurecli

- Use `sudo az aks install-cli` if elevated permission is required on Linux-based system.

- * Downloads credentials and configures the Kubernetes CLI to use them.

- * Uses `~/.kube/config`, the default location for the [Kubernetes configuration file][kubeconfig-file]. Specify a different location for your Kubernetes configuration file using *--file* argument.

- ```bash

- The following output example shows the single node created in the previous steps. Make sure the node status is *Ready*.

-## Deploy the application

-For the [AKS Store application][aks-store-demo], this manifest includes the following Kubernetes deployments and

-> We don't recommend running stateful containers, such as MongoDB and Rabbit MQ, without persistent storage for production. These are used here for simplicity, but we recommend using managed services, such as Azure CosmosDB or Azure Service Bus.

-1. Review the [YAML manifest](https://github.com/Azure-Samples/aks-store-demo/blob/main/aks-store-all-in-one.yaml) for the application. You will see a series of deployments and services that make up the entire application.

-1. Deploy the application using the [`kubectl apply`][kubectl-apply] command and specify the name of your yaml manifest.

- ```bash

- The following example resembles output showing successfully created deployments and services.

-1. In the Azure portal, create an Azure OpenAI instance.

-1. Create a new deployment using the **gpt-35-turbo** model.

-For more information on how to create a deployment in Azure OpenAI, check out [Get started generating text using Azure OpenAI Service][aoai-get-started].

-1. [Generate an OpenAI key][open-ai-new-key] by selecting **Create new secret key** and save the key. You will need this key in the [next step](#deploy-the-ai-service).

-1. [Start a paid plan][openai-paid] to use OpenAI API.

-

-Now that the application is deployed, you can deploy the Python-based microservice that uses OpenAI to automatically generate descriptions for new products being added to the store's catalog.

-1. Create a file named `ai-service.yaml` and copy the following manifest into it.

- memory: 46Mi

- memory: 50Mi

-1. Set the environment variable `USE_AZURE_OPENAI` to `"True"`

-1. Get your Azure OpenAI Deployment name from [Azure OpenAI studio][aoai-studio], and fill in the `AZURE_OPENAI_DEPLOYMENT_NAME` value.

-1. Get your Azure OpenAI endpoint and Azure OpenAI API key from the Azure portal by clicking on **Keys and Endpoint** in the left blade of the resource. Fill in your `AZURE_OPENAI_ENDPOINT` and `OPENAI_API_KEY` in the yaml accordingly.

-1. Deploy the application using the [`kubectl apply`][kubectl-apply] command and specify the name of your yaml manifest.

- ```bash

- The following example resembles output showing successfully created deployments and services.

-1. Create a file named `ai-service.yaml` and copy the following manifest into it.

- memory: 50Mi

-1. Set the environment variable `USE_AZURE_OPENAI` to `"False"`

-1. Set the environment variable `OPENAI_API_KEY` by pasting in the OpenAI key you generated in the [last step](#deploy-openai).

-1. [Find your OpenAI organization ID][open-ai-org-id], copy the value, and set the `OPENAI_ORG_ID` environment variable.

-1. Deploy the application using the [`kubectl apply`][kubectl-apply] command and specify the name of your yaml manifest.

- ```bash

- The following example resembles output showing successfully created deployments and services.

-1. See the status of the deployed pods using the [kubectl get pods][kubectl-get] command.

- ```bash

- Make sure all the pods are *Running* before continuing to the next step.

-1. To get the IP of the store admin web application and store front web application, use the `kubectl get service` command.

-

- ```bash

- The application exposes the Store Admin site to the internet via a public load balancer provisioned by the Kubernetes service. This process can take a few minutes to complete. **EXTERNAL IP** initially shows *pending*, until the service comes up and shows the IP address.

- Repeat the same step for the service named store-front.

-

-1. Open a web browser and browse to the external IP address of your service. In the example shown here, open 40.64.86.161 to see Store Admin in the browser. Repeat the same step for Store Front.

-1. In store admin, click on the products tab, then select **Add Products**.

-1. When the ai-service is running successfully, you should see the Ask OpenAI button next to the description field. Fill in the name, price, and keywords, then click Ask OpenAI to generate a product description. Then click save product. See the picture for an example of adding a new product.

-

-1. You can now see the new product you created on Store Admin used by sellers. In the picture, you can see Jungle Monkey Chew Toy is added.

-

-1. You can also see the new product you created on Store Front used by buyers. In the picture, you can see Jungle Monkey Chew Toy is added. Remember to get the IP address of store front by using [kubectl get service][kubectl-get].

-Now that you've seen how to add OpenAI functionality to an AKS application, learn more about what you can do with generative AI for your use cases. Here are some resources to get started:

-| K8s version | Upstream release | AKS preview | AKS GA | End of life |

-|--|-|--||-|

-| 1.25 | Aug 2022 | Oct 2022 | Dec 2022 | Dec 2023

-| 1.26 | Dec 2022 | Feb 2023 | Apr 2023 | Mar 2024

-| 1.27 | Apr 2023 | Jun 2023 | Jul 2023 | Jul 2024

-| 1.28 | Aug 2023 | Sep 2023 | Oct 2023 ||

-> [!NOTE]

-> If you're running an unsupported Kubernetes version, you'll be asked to upgrade when requesting support for the cluster. Clusters running unsupported Kubernetes releases aren't covered by the [AKS support policies](./support-policies.md).

-Platform support policy applies to clusters in an n-3 version (where n is the latest supported AKS GA minor version), before the cluster drops to n-4. For example, kubernetes v1.25 is considered platform support when v1.28 is the latest GA version. However, during the v1.29 GA release, v1.25 will then auto-upgrade to v1.26.

-* If performed via Azure CLI, the `aks-preview` CLI extension 0.5.134 or later must be installed.

- "message": "Control Plane upgrade is blocked due to recent usage of a Kubernetes API deprecated in the specified version. Please refer to https://kubernetes.io/docs/reference/using-api/deprecation-guide to migrate the usage. To bypass this error, set IgnoreKubernetesDeprecations in upgradeSettings.overrideSettings. Bypassing this error without migrating usage will result in the deprecated Kubernetes API calls failing. Usage details: 1 error occurred:\n\t* usage has been detected on API flowcontrol.apiserver.k8s.io.prioritylevelconfigurations.v1beta1, and was recently seen at: 2023-03-23 20:57:18 +0000 UTC, which will be removed in 1.26\n\n",

-Bypass validation to ignore API breaking changes using the [`az aks update`][az-aks-update] command and setting the `upgrade-settings` property to `IgnoreKubernetesDeprecations` and setting the `upgrade-override-until` property to define the end of the window during which validation is bypassed. If no value is set, it defaults the window to three days from the current time. The date and time you specify must be in the future.

-az aks update --name myAKSCluster --resource-group myResourceGroup --upgrade-settings IgnoreKubernetesDeprecations --upgrade-override-until 2023-04-01T13:00:00Z

-## Limitations

-The Azure Linux container host has the following limitations:

-* Image SKUs for SGX and FIPS aren't available.

-* It doesn't meet the [Federal Information Processing Standard (FIPS) 140](https://csrc.nist.gov/publications/detail/fips/140/3/final) compliance requirements and [Center for Internet Security (CIS)](https://www.cisecurity.org/) certification.

-* Azure Linux can't yet be deployed through the Azure portal.

-* Qualys, Trivy, and Microsoft Defender for Containers are the only vulnerability scanning tools that support Azure Linux today.

-* Azure Linux doesn't support AppArmor. Support for SELinux can be manually configured.

-* Some addons, extensions, and open-source integrations may not be supported yet on Azure Linux. Azure Monitor, Grafana, Helm, Key Vault, and Container Insights are supported.

-[azurelinux-capabilities]: https://microsoft.github.io/CBL-Mariner/docs/#key-capabilities-of-cbl-mariner-linux

-\* Limited availability and no support for dedicated host deployments

-resource= "?resource=https://management.azure.com/"

-* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**.

-* Instance IDs must be between 1 and 256 characters.

-To update the extension bundle version in your project, open host.json and update the `extensionBundle` section to use version 3.x (`[3.*, 4.0.0)`).

- "version": "[3.*, 4.0.0)"

-#### Java (preview)

-Durable Functions 2.x is available starting in version 4.x of the [Azure Functions extension bundle](../functions-bindings-register.md#extension-bundles). You must use the Azure Functions 3.0 runtime or greater to execute Java functions.

-To update the extension bundle version in your project, open host.json and update the `extensionBundle` section to use version 4.x (`[4.*, 5.0.0)`). Because Java support is currently in preview, you must also use the `Microsoft.Azure.Functions.ExtensionBundle.Preview` bundle, which is different from product-ready bundles.

- "id": "Microsoft.Azure.Functions.ExtensionBundle.Preview",

-description: In this article, you'll learn how to use the bubble layer in an Azure Maps Power BI visual.

-Initially all bubbles have the same fill color. If a field is passed into the **Legend** bucket of the **Fields** pane, the bubbles will be colored based on their categorization. The outline of the bubbles is white be default but can be changed to a new color or by enabling the high-contrast outline option. The **High-contrast outline** option dynamically assigns an outline color that is a high-contrast variant of the fill color. This helps to ensure the bubbles are clearly visible regardless of the style of the map. The following are the primary settings in the **Format** pane that are available in the **Bubble layer** section.

-| Size | The size of each bubble. This option is hidden when a field is passed into the **Size** bucket of the **Fields** pane. More options will appear as outlined in the [Bubble size scaling](#bubble-size-scaling) section further down in this article. |

-| Color | Fill color of each bubble. This option is hidden when a field is passed into the **Legend** bucket of the **Fields** pane and a separate **Data colors** section will appear in the **Format** pane. |

-| Zoom | Settings for the zoom property include scale, maximum and minimum.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Zoom scale is the amount the bubbles should scale relative to the zoom level. A zoom scale of one means no scaling. Large values will make bubbles smaller when zoomed out and larger when zoomed in. This helps to reduce the clutter on the map when zoomed out, yet ensures points stand out more when zoomed in. A value of 1 doesn't apply any scaling.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Maximum zoom level tiles are available.<br/>&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Minimum zoom level tiles are available. |

-If a field is passed into the **Size** bucket of the **Fields** pane, the bubbles will be scaled relatively to the measure value of each data point. The **Size** option in the **Bubble layer** section of the **Format** pane will disappear when a field is passed into the **Size** bucket, as the bubbles will have their radii scaled between a min and max value. The following options will appear in the **Bubble layer** section of the **Format** pane when a **Size** bucket has a field specified.

-When the **Size scaling method** is set to **Log**, the following options will be made available.

-When the **Size scaling method** is set to **Cubic-Bezier**, the following options will be made available to customize the scaling curve.

-When displaying a **bubble layer** map, the **Category labels** settings will become active in the **Format visual** pane.

-| Show zeros | Specifies if points that have a size value of zero should be shown on the map using the minimum radius. |

-| Show negatives | Specifies if absolute value of negative size values should be plotted. |

- "preview": {

- "authentication": {

- "enabled": true,

- "type": "SAMI"

- }

- "preview": {

- "authentication": {

- "enabled": true,

- "type": "UAMI",

- "clientId":"<USER-ASSIGNED MANAGED IDENTITY CLIENT ID>"

- }

- }

- "preview": {

- "authentication": {

- "enabled": true,

- "type": "CLIENTSECRET",

- "clientId":"<YOUR CLIENT ID>",

- "clientSecret":"<YOUR CLIENT SECRET>",

- "tenantId":"<YOUR TENANT ID>"

- }

-If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.16.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

-ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.16.jar", "-jar", "<myapp.jar>"]

-If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.16.jar"` somewhere before `-jar`, for example:

-ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.16.jar" -jar <myapp.jar>

-COPY agent/applicationinsights-agent-3.4.16.jar applicationinsights-agent-3.4.16.jar

-ENTRYPOINT["java", "-javaagent:applicationinsights-agent-3.4.16.jar", "-jar", "app.jar"]

-In this example we have copied the `applicationinsights-agent-3.4.16.jar` and `applicationinsights.json` files from an `agent` folder (you can choose any folder of your machine). These two files have to be in the same folder in the Docker container.

-JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.16.jar"

-CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.16.jar"

-If the file `<tomcat>/bin/setenv.sh` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.16.jar` to `CATALINA_OPTS`.

-set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.16.jar

-set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.16.jar"

-If the file `<tomcat>/bin/setenv.bat` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.16.jar` to `CATALINA_OPTS`.

-Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.16.jar` to the `Java Options` under the `Java` tab.

-Add `-javaagent:path/to/applicationinsights-agent-3.4.16.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

- JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.16.jar -Xms1303m -Xmx1303m ..."

-Add `-javaagent:path/to/applicationinsights-agent-3.4.16.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

- <option value="-javaagent:path/to/applicationinsights-agent-3.4.16.jar"/>

-Add `-javaagent:path/to/applicationinsights-agent-3.4.16.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

- -javaagent:path/to/applicationinsights-agent-3.4.16.jar>

- -javaagent:path/to/applicationinsights-agent-3.4.16.jar

-Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.16.jar"` somewhere before `-jar`, for example:

-java -javaagent:"path/to/applicationinsights-agent-3.4.16.jar" -jar <myapp.jar>

-If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.16.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

-ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.16.jar", "-jar", "<myapp.jar>"]

-If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.16.jar"` somewhere before `-jar`, for example:

-ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.16.jar" -jar <myapp.jar>

- <version>3.4.16</version>

-By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.16.jar`.

-If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.16.jar` is located.

-If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.16.jar` is located.

- <version>3.4.16</version>

-## Authentication (preview)

-> The authentication feature is available starting from version 3.2.0.

-`applicationinsights-agent-3.4.16.jar` is located.

- .AddSource("OTel.AzureMonitor.Demo")

- .AddProcessor(new ActivityEnrichingProcessor())

- .AddAzureMonitorTraceExporter()

- .AddSource("OTel.AzureMonitor.Demo")

- .AddProcessor(new ActivityFilteringProcessor())

- .AddAzureMonitorTraceExporter()

- {

-Download the [applicationinsights-agent-3.4.16.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.16/applicationinsights-agent-3.4.16.jar) file.

-Point the JVM to the jar file by adding `-javaagent:"path/to/applicationinsights-agent-3.4.16.jar"` to your application's JVM args.

- Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.16.jar` with the following content:

-The Diagnostic Settings Storage Retention feature is being deprecated. To configure retention for logs and metrics use Azure Storage Lifecycle Management.

-[Configure a lifecycle management policy](../../storage/blobs/lifecycle-management-policy-configure.md?tabs=azure-portal).

-```sql

-kusto

- - Retrieve performance data related to CPU utilization and filter to resources with the ΓÇ£prodΓÇ¥ tag.

- ```kusto

- InsightsMetrics

- | where Name == "UtilizationPercentage"

- | lookup (

- arg("").Resources

- | where type == 'microsoft.compute/virtualmachines'

- | project _ResourceId=tolower(id), tags

- )

- on _ResourceId

- | where tostring(tags.Env) == "Prod"

- ```

-* Identifying the Timestamp column in the cluster isn't supported. The Log Analytics Query API won't pass along the time filter.

-* The cross-service query ability is used for data retrieval only.

-* [Private Link](../logs/private-link-security.md) (private endpoints) and [IP restrictions](/azure/data-explorer/security-network-restrict-public-access) are not support cross-service queries.

-* mv-expand is limited to 2000 records.

-* The following operators do not work with the cross query with ability with Azure Resource Graph: smv-apply(), rand(), arg_max() , arg_min(), avg() , avg_if(), countif(), sumif(), percentile() , percentiles() , percentilew() , percentilesw(), stdev() , stdevif() , stdevp(), variance() , variancep() , varianceif().

-| Screen sharing | Share the entire screen from within the application | Γ£ö∩╕Å | Γ£ö∩╕Ź | Γ£ö∩╕Ź | Γ£ö∩╕Ź |

-| | Share a specific application (from the list of running applications) | Γ£ö∩╕Å | Γ£ö∩╕Ź | Γ¥î | Γ¥î |

-| | Share a web browser tab from the list of open tabs | ✔️ | | | |

-| | Get microphone list | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î ² | Γ¥î² |

-| | Set microphone | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î ² | Γ¥î ² |

-| | Get selected microphone | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î ² | Γ¥î ² |

-| | Get speakers list | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î ² | Γ¥î ² |

-| | Set speaker | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î ² | Γ¥î ² |

-| | Get selected speaker | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î ² | Γ¥î ² |

-1. The Share Screen capability can be achieved using Raw Media, if you want to learn, **how to add Raw Media**, visit [the quickstart guide](../../quickstarts/voice-video-calling/get-started-raw-media-access.md).

-The ACS native Calling SDK (Android, iOS, Windows) supports setting the maximum values of video resolution and framerate for outgoing video streams and setting the maximum resolution for incoming video streams. These constraints can be set at the start of the call and during the call.

-description: Using Event Grid Notification from Azure Communication Services Native Calling to Incoming VOIP payload to devices via ANH.

-# Deliver VOIP Push Notification to Devices without ACS Calling SDK

-This tutorial explains how to deliver VOIP push notifications to native applications without using the Azure Communication Services register push notifications API [here](../how-tos/calling-sdk/push-notifications.md).

-## Current Limitations

-The current limitations of using the ACS Native Calling SDK are that

- * There's a 24-hour limit after the register push notification API is called when the device token information is saved.

- After 24 hours, the device endpoint information is deleted. Any incoming calls on those devices will not be delivered to the devices if those devices don't call the register push notification API again.

- * Can't deliver push notifications using Baidu or any other notification types supported by Azure Notification Hub but not yet supported in the ACS SDK.

-## Setup for listening the events from Event Grid Notification

-1. Azure functions with APIs

- 1. Save device endpoint information.

- 2. Delete device endpoint information.

- 3. Get device endpoint information for a given `CommunicationIdentifier`.

-2. Azure function API with EventGridTrigger that listens to the `Microsoft.Communication.IncomingCall` event from the Azure Communication resource.

-3. Some kind of database like MongoDb to save the device endpoint information.

-4. Azure Notification Hub to deliver the VOIP notifications.

-## Steps to deliver the Push Notifications

-Here are the steps to deliver the push notification:

-1. Instead of calling the API `CallAgent.registerPushNotifications` with device token when the application starts, send the device token to the Azure function app.

-2. When there's an incoming call for an ACS user, Azure Communication calling resource will trigger the `EventGridTrigger` Azure function API with the incoming call payload.

-3. Get all the device token information from the database.

-4. Convert the payload to how the VOIP push notification payload is by `PushNotificationInfo.fromDictionary` API like in iOS SDK.

-5. Send the push payload using the REST API provided by Azure Notification Hub.

-6. VOIP push is successfully delivered to the device and `CallAgent.handlePush` API should be called.

-The sample provided below works for any Native platforms (iOS, Android , Windows).

-description: Learn how to use Azure Communication Services to embed a calling widget into your web application.

-# Embed a Teams call widget into your web application

-Enable your customers to talk with your support agent on Teams through a call interface directly embedded into your web application.

-## Prerequisites

-## Set up an Azure Function to provide access tokens

-Follow instructions from our [trusted user access service tutorial](../trusted-service-tutorial.md) to deploy your Azure Function for access tokens. This service returns an access token that our widget uses to authenticate to Azure Communication Services and start the call to the Teams user we define.

-## Set up boilerplate vanilla web application

-1. Create an HTML file named `https://docsupdatetracker.net/index.html` and add the following code to it:

- ``` html

- <!DOCTYPE html>

- <html>

- <head>

- <meta charset="utf-8">

- <title>Call Widget App - Vanilla</title>

- <link rel="stylesheet" href="style.css">

- </head>

- <body>

- <div id="call-widget">

- <div id="call-widget-header">

- <div id="call-widget-header-title">Call Widget App</div>

- <button class='widget'> ? </button >

- <div class='callWidget'></div>

- </div>

- </div>

- </body>

- </html>

- ```

-2. Create a CSS file named `style.css` and add the following code to it:

- ``` css

- .widget {

- height: 75px;

- width: 75px;

- position: absolute;

- right: 0;

- bottom: 0;

- background-color: blue;

- margin-bottom: 35px;

- margin-right: 35px;

- border-radius: 50%;

- text-align: center;

- vertical-align: middle;

- line-height: 75px;

- color: white;

- font-size: 30px;

- }

- .callWidget {

- height: 400px;

- width: 600px;

- background-color: blue;

- position: absolute;

- right: 35px;

- bottom: 120px;

- z-index: 10;

- display: none;

- border-radius: 5px;

- border-style: solid;

- border-width: 5px;

- }

- ```

-3. Configure the call window to be hidden by default. We show it when the user clicks the button.

- ``` html

- <script>

- var open = false;

- const button = document.querySelector('.widget');

- const content = document.querySelector('.callWidget');

- button.addEventListener('click', async function() {

- if(!open){

- open = !open;

- content.style.display = 'block';

- button.innerHTML = 'X';

- //Add code to initialize call widget here

- } else if (open) {

- open = !open;

- content.style.display = 'none';

- button.innerHTML = '?';

- }

- });

- async function getAccessToken(){

- //Add code to get access token here

- }

- </script>

- ```

-At this point, we have set up a static HTML page with a button that opens a call widget when clicked. Next, we add the widget script code. It makes a call to our Azure Function to get the access token and then use it to initialize our call client for Azure Communication Services and start the call to the Teams user we define.

-## Fetch an access token from your Azure Function

-Add the following code to the `getAccessToken()` function:

-``` javascript

- async function getAccessToken(){

- const response = await fetch('https://<your-function-name>.azurewebsites.net/api/GetAccessToken?code=<your-function-key>');

- const data = await response.json();

- return data.token;

- }

-```

-

-You need to add the URL of your Azure Function. You can find these values in the Azure portal under your Azure Function resource.

-## Initialize the call widget

-1. Add a script tag to load the call widget script:

- ``` html

- <script src="https://github.com/ddematheu2/ACS-UI-Library-Widget/releases/download/widget/callComposite.js"></script>

- ```

-We provide a test script hosted on GitHub for you to use for testing. For production scenarios, we recommend hosting the script on your own CDN. For more information on how to build your own bundle, see [this article](https://azure.github.io/communication-ui-library/?path=/docs/use-composite-in-non-react-environment--page#build-your-own-composite-js-bundle-files).

-2. Add the following code under the button event listener:

- ``` javascript

- button.addEventListener('click', async function() {

- if(!open){

- open = !open;

- content.style.display = 'block';

- button.innerHTML = 'X';

- let response = await getChatContext();

- console.log(response);

- const callAdapter = await callComposite.loadCallComposite(

- {

- displayName: "Test User",

- locator: { participantIds: ['INSERT USER UNIQUE IDENTIFIER FROM MICROSOFT GRAPH']},

- userId: response.user,

- token: response.userToken

- },

- content,

- {

- formFactor: 'mobile',

- key: new Date()

- }

- );

- } else if (open) {

- open = !open;

- content.style.display = 'none';

- button.innerHTML = '?';

- }

- });

- ```

-Add a Microsoft Graph [User](/graph/api/resources/user) ID to the `participantIds` array. You can find this value through [Microsoft Graph](/graph/api/user-get?tabs=http) or through [Microsoft Graph explorer](https://developer.microsoft.com/graph/graph-explorer) for testing purposes. There you can grab the `id` value from the response.

-## Run code

-Open the `https://docsupdatetracker.net/index.html` in a browser. This code initializes the call widget when the button is clicked. It makes a call to our Azure Function to get the access token and then use it to initialize our call client for Azure Communication Services and start the call to the Teams user we define.

-User Defined Routes (UDR) and controlled egress through NAT Gateway are supported in the workload profiles environment, which is in preview. In the Consumption only environment, these features aren't supported.

-| Cores | Memory Optimized Workload Profiles | 100 | Yes | The total cores available to all memory optimised (E-series) profiles within an environment. |

-| Cores | Compute Optimized Workload Profiles | 100 | Yes | The total cores available to all compute optimised (F-series) profiles within an environment. |

-Azure Cosmos DB gives you the option to configure [continuous backups](./continuous-backup-restore-introduction.md) on your account. With continuous backups, you can restore your data to any point in time within the past 30 days. To use continuous backups on an account where customer-managed keys are enabled, you must use a user-assigned managed identity in the Key Vault access policy. Azure Cosmos DB first-party identities or system-assigned managed identities aren't currently supported on accounts using continuous backups.

-| Resource | Worker node | Coordinator node |

-|--|--|-|

-| Compute, vCores | 4, 8, 16, 32, 64, 96, 104 | 4, 8, 16, 32, 64, 96 |

-| Memory per vCore, GiB | 8 | 4 |

-| Storage size, TiB | 0.5, 1, 2, 4, 8, 16 | 0.128, 0.25, 0.5, 1, 2, 4, 8, 16 |

-| Storage type | General purpose (SSD) | General purpose (SSD) |

-| Worker nodes | 0.5 TiB, total IOPS | 1 TiB, total IOPS | 2 or 4 TiB, total IOPS | 8 TiB, total IOPS | 16 TiB, total IOPS |

-|--||-||-|--|

-| 2 | 4,600 | 10,000 | 15,000 | 32,000 | 36,000 |

-| 3 | 6,900 | 15,000 | 22,500 | 48,000 | 54,000 |

-| 4 | 9,200 | 20,000 | 30,000 | 64,000 | 72,000 |

-| 5 | 11,500 | 25,000 | 37,500 | 80,000 | 90,000 |

-| 6 | 13,800 | 30,000 | 45,000 | 96,000 | 108,000 |

-| 7 | 16,100 | 35,000 | 52,500 | 112,000 | 126,000 |

-| 8 | 18,400 | 40,000 | 60,000 | 128,000 | 144,000 |

-| 9 | 20,700 | 45,000 | 67,500 | 144,000 | 162,000 |

-| 10 | 23,000 | 50,000 | 75,000 | 160,000 | 180,000 |

-| 11 | 25,300 | 55,000 | 82,500 | 176,000 | 198,000 |

-| 12 | 27,600 | 60,000 | 90,000 | 192,000 | 216,000 |

-| 13 | 29,900 | 65,000 | 97,500 | 208,000 | 234,000 |

-| 14 | 32,200 | 70,000 | 105,000 | 224,000 | 252,000 |

-| 15 | 34,500 | 75,000 | 112,500 | 240,000 | 270,000 |

-| 16 | 36,800 | 80,000 | 120,000 | 256,000 | 288,000 |

-| 17 | 39,100 | 85,000 | 127,500 | 272,000 | 306,000 |

-| 18 | 41,400 | 90,000 | 135,000 | 288,000 | 324,000 |

-| 19 | 43,700 | 95,000 | 142,500 | 304,000 | 342,000 |

-| 20 | 46,000 | 100,000 | 150,000 | 320,000 | 360,000 |

-For more in formation to [Review SUSE VM usage before you buy](understand-suse-reservation-charges.md#review-suse-vm-usage-before-you-buy)

-The **Cloud connectivity troubleshooting** pane opens on the right. If the sensor is connected to the Azure portal, the pane indicates that **The sensor is connected to cloud successfully**. If the sensor isn't connected, a description of the issue and any mitigation instructions are listed instead. For example: <!--need new image-->

-These events are triggered when a [User](/graph/api/resources/user) or [Group](/graph/api/resources/group) is created, updated or deleted in Azure AD or by operating over those resources using Microsoft Graph API.

-| `eventTime` | string | The time at which the resource state occurred. |

-* For information about how to configure an event subscription to select specific events to be delivered, consult [event filtering](event-filtering.md). You may also want to refer to [filter events](how-to-filter-events.md).

-Azure Communication Services integrates with [Azure Event Grid](https://azure.microsoft.com/services/event-grid/) to deliver real-time event notifications in a reliable, scalable and secure manner. The purpose of this article is to help you configure your applications to listen to Communication Services events. For example, you may want to update a database, create a work item and deliver a push notification whenever an SMS message is received by a phone number associated with your Communication Services resource.

-The `subject` field of all Communication Services events identifies the user, phone number or entity that is targeted by the event. Common prefixes are used to allow simple [Event Grid Filtering](event-filtering.md).

-Event subscriptions allow you to set up HTTP headers that are included in delivered events. This capability allows you to set custom headers that are required by a destination. You can set custom headers on the events that are delivered to Azure Event Hubs.

-| **[Colt](https://www.colt.net/direct-connect/azure/)** |Supported |Supported | Amsterdam<br/>Amsterdam2<br/>Berlin<br/>Chicago<br/>Dublin<br/>Frankfurt<br/>Geneva<br/>Hong Kong<br/>London<br/>London2<br/>Marseille<br/>Milan<br/>Munich<br/>Newport<br/>Osaka<br/>Paris<br/>Seoul<br/>Silicon Valley<br/>Singapore2<br/>Tokyo<br/>Tokyo2<br/>Washington DC<br/>Zurich |

-| **[Comcast](https://business.comcast.com/landingpage/microsoft-azure)** |Supported |Supported | Chicago<br/>Silicon Valley<br/>Washington DC |

-| **[CoreSite](https://www.coresite.com/solutions/cloud-services/public-cloud-providers/microsoft-azure-expressroute)** |Supported |Supported | Chicago<br/>Chicago2<br/>Denver<br/>Los Angeles<br/>New York<br/>Silicon Valley<br/>Silicon Valley2<br/>Washington DC<br/>Washington DC2 |

-| **[Cox Business Cloud Port](https://www.cox.com/business/networking/cloud-connectivity.html)** |Supported |Supported | Dallas<br/>Phoenix<br/>Silicon Valley<br/>Washington DC |

-| **Crown Castle** |Supported |Supported | New York |

- Unit: m/s

- This metric measures the overall or average latency of Azure Firewall. Administrators can use this metric for the following purposes:

- - As a reference, the average expected latency for a firewall is approximately 1 m/s. This may vary depending on deployment size and environment.

-> When you use this rule condition, be sure to include the protocol. For example, use `https://www.contoso.com` instead of just `www.contoso.com`.

-If the `policyAssignmentId` is for an initiative assignment, the **policyDefinitionReferenceId** property must be used to specify which policy definition(s) in the initiative the subject resource(s) are to be remediated. As a remediation can only remediation in a scope of one definition,

-this property is a _string_. The value must match the value in the initiative definition in the

-`policyDefinitions.policyDefinitionReferenceId` field.

-## Update Management Center

-HDInsight cluster is created with public DNS `clustername.azurehdinsight.net`. When you SSH to individual nodes or set connection to cluster nodes with in the same custom virtual network, you need to use host name, or fully qualified domain names (FQDN) of cluster nodes.

- sudo /etc/adu/du-config.json

-description: Troubleshoot logic apps by checking run status, reviewing trigger history, and enabling alerts in Azure Logic Apps.

-# Monitor run status, review trigger history, and set up alerts for Azure Logic Apps

-> [!NOTE]

-> This article applies only to Consumption logic apps. For information about reviewing run status and monitoring for Standard logic apps,

-> see the following sections in [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](create-single-tenant-workflows-azure-portal.md):

-> [Review run history](create-single-tenant-workflows-azure-portal.md#review-run-history), [Review trigger history](create-single-tenant-workflows-azure-portal.md#review-trigger-history), and [Enable or open Application Insights after deployment](create-single-tenant-workflows-azure-portal.md#enable-open-application-insights).

-After you create and run a [Consumption logic app workflow](quickstart-create-example-consumption-workflow.md), you can check that workflow's run status, [trigger history](#review-trigger-history), [runs history](#review-runs-history), and performance. To get notifications about failures or other possible problems, set up [alerts](#add-azure-alerts). For example, you can create an alert that detects "when more than five runs fail in an hour."

-For real-time event monitoring and richer debugging, set up diagnostics logging for your logic app by using [Azure Monitor logs](../azure-monitor/overview.md). This Azure service helps you monitor your cloud and on-premises environments so that you can more easily maintain their availability and performance. You can then find and view events, such as trigger events, run events, and action events. By storing this information in [Azure Monitor logs](../azure-monitor/logs/data-platform-logs.md), you can create [log queries](../azure-monitor/logs/log-query-overview.md) that help you find and analyze this information. You can also use this diagnostic data with other Azure services, such as Azure Storage and Azure Event Hubs. For more information, see [Monitor logic apps by using Azure Monitor](monitor-workflows-collect-diagnostic-data.md).

-> If your logic apps run in an [integration service environment (ISE)](connect-virtual-network-vnet-isolated-environment-overview.md)

-1. In the [Azure portal](https://portal.azure.com), find and open your logic app workflow in the designer.

- 

- The Azure portal shows all the logic apps in your Azure subscription. You can filter this list based on name, subscription, resource group, location, and so on.

- 

-1. Select your logic app. On your logic app's menu, select **Overview**. On the Overview pane, select **Trigger history**.

- 

- Under **Trigger history**, all trigger attempts appear. Each time the trigger successfully fires, Azure Logic Apps creates an individual workflow instance and runs that instance. By default, each instance runs in parallel so that no workflow has to wait before starting a run. If your workflow triggers for multiple events or items at the same time, a trigger entry appears for each item with the same date and time.

- 

- | **Failed** | An error occurred. To review any generated error messages for a failed trigger, select that trigger attempt and choose **Outputs**. For example, you might find inputs that aren't valid. |

- |||

- 

- 

-1. In the [Azure portal](https://portal.azure.com), find and open your logic app workflow in the designer.

- 

- The Azure portal shows all the logic apps in your Azure subscription. You can filter this list based on name, subscription, resource group, location, and so on.

- 

-1. Select your logic app. On your logic app's menu, select **Overview**. On the Overview pane, select **Trigger history**.

- 

- 

- |||

- 

- 

- 

-Each time the trigger successfully fires, Azure Logic Apps creates a workflow instance and runs that instance. By default, each instance runs in parallel so that no workflow has to wait before starting a run. You can review what happened during each run, including the status, inputs, and outputs for each step in the workflow.

-1. In the [Azure portal](https://portal.azure.com), find and open your logic app workflow in the designer.

- To find your logic app, in the main Azure search box, enter **logic apps**, and then select **Logic apps**.

- 

- The Azure portal shows all the logic apps that are associated with your Azure subscriptions. You can filter this list based on name, subscription, resource group, location, and so on.

- 

-1. Select your logic app. On your logic app's menu, select **Overview**. On the Overview pane, select **Runs history**.

- 

- |||

- 

- 

- 

-1. In the [Azure portal](https://portal.azure.com), find and open your logic app workflow in the designer.

- To find your logic app, in the main Azure search box, enter **logic apps**, and then select **Logic apps**.

- 

- The Azure portal shows all the logic apps that are associated with your Azure subscriptions. You can filter this list based on name, subscription, resource group, location, and so on.

- 

-1. Select your logic app. On your logic app's menu, under **Workflows**, select **Workflows**, and then select your workflow.

-1. On your workflow's menu, select **Overview**. On the Overview pane, select **Run History**.

- 

- |||

- 

- 

- 

- 

-To get alerts based on specific metrics or exceeded thresholds for your logic app, set up [alerts in Azure Monitor](../azure-monitor/alerts/alerts-overview.md). For more information, review [Metrics in Azure](../azure-monitor/data-platform.md). To set up alerts without using [Azure Monitor](../azure-monitor/logs/log-query-overview.md), follow these steps.

-1. On your logic app menu, under **Monitoring**, select **Alerts**. On the toolbar, select **Create** > **Alert rule**.

- 

-1. On the **Select a signal** pane, under **Signal type**, select the signal for which you want to get an alert.

- > [!TIP]

- >

- > You can use the search box, or to sort the signals alphabetically,

- > select the **Signal name** column header.

- 1. In the **Signal name** column, find and select the **Triggers Failed** signal.

- 

- 1. On the **Configure signal logic** pane, under **Alert logic**, set up your condition, and select **Done**, for example:

- | **Operator** | **Greater than or equal to** |

- | **Threshold value** | **1** |

- | **Condition preview** | **Whenever the count of triggers failed is greater than or equal to 1** |

- | **Aggregation granularity (Period)** | **1 minute** |

- | **Frequency of evaluation** | **Every 1 Minute** |

- |||

- For more information, review [Create, view, and manage log alerts by using Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md).

- The following screenshot shows the finished condition:

- 

- The **Create an alert rule** page now shows the condition that you created and the cost for running that alert.

- 

-1. If you're satisfied, select **Next: Details** to finish creating the rule.

-If you provide your own images, you are responsible for updating them.

-> To learn more about resource access while using Azure Machine Learning serverless Spark compute (preview), and attached Synapse Spark pool, see [Ensuring resource access for Spark jobs](apache-spark-environment-configuration.md#ensuring-resource-access-for-spark-jobs).

-This error is returned when the environment (docker image) is being built. You can check the build log for more information on the failure(s). The build log is located in the default storage for your Azure Machine Learning workspace. The exact location may be returned as part of the error. For example, `"The build log is available in the workspace blob store '[storage-account-name]' under the path '/azureml/ImageLogs/your-image-id/build.log'"`. In this case, "azureml" is the name of the blob container in the storage account.

-## Why I can't create or upgrade my flow when I disable public network access of storage account?

-Prompt flow relies on fileshare to store snapshot of flow. Prompt flow currently doesn't support private storage account. Here are some workarounds you can try:

-## Why I can't upgrade my old flow?

-Prompt flow relies on fileshare to store snapshot of flow. If fileshare have some issue, you may encounter this issue. Here are some workarounds you can try:

-

-> [!NOTE]

-> This feature is currently available only for [VMware agentless migration](tutorial-migrate-vmware.md).

-# Migrate machines as physical servers to Azure

-# High availability for Azure Notification Hubs (preview)

-Virtual Machine (VM) and Virtual Machine Scale Sets are zonal services, which means that VM resources can be deployed by using one of the following methods:

-When you migrate resources to availability zone support, we recommend that you select multiple zones for your new VMs and Virtual Machine Scale Sets, to ensure high-availability of your compute resources.

-Learn more about:

-> [!div class="nextstepaction"]

-> [Azure services and regions that support availability zones](availability-zones-service-support.md)

-[Azure Virtual Machine Scale Sets](../virtual-machines/availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

-This article contains [specific reliability recommendations for Virtual Machines](#reliability-recommendations), as well as detailed information on VM regional resiliency with [availability zones](#availability-zone-support) and [cross-region resiliency with disaster recovery](#disaster-recovery-cross-region-failover).

-| [**High Availability**](#high-availability) |:::image type="icon" source="media/icon-recommendation-high.svg":::| [VM-1: Run production workloads on two or more VMs using Azure Virtual Machine Scale Sets(VMSS) Flex](#-vm-1-run-production-workloads-on-two-or-more-vms-using-vmss-flex) |

-||:::image type="icon" source="media/icon-recommendation-high.svg"::: |[VM-2: Deploy VMs across availability zones or use VMSS Flex with zones](#-vm-2-deploy-vms-across-availability-zones-or-use-vmss-flex-with-zones) |

-||:::image type="icon" source="media/icon-recommendation-high.svg":::|[VM-3: Migrate VMs using availability sets to VMSS Flex](#-vm-3-migrate-vms-using-availability-sets-to-vmss-flex) |

-||:::image type="icon" source="media/icon-recommendation-high.svg"::: |[VM-5: Use managed disks for VM disks](#-vm-5-use-managed-disks-for-vm-disks)|

-|[**Disaster Recovery**](#disaster-recovery)| :::image type="icon" source="media/icon-recommendation-medium.svg"::: |[ VM-4: Replicate VMs using Azure Site Recovery](#-vm-4-replicate-vms-using-azure-site-recovery) |

-||:::image type="icon" source="media/icon-recommendation-medium.svg"::: |[VM-7: Backup data on your VMs with Azure Backup service](#-vm-7-backup-data-on-your-vms-with-azure-backup-service) |

-|[**Performance**](#performance) |:::image type="icon" source="media/icon-recommendation-low.svg"::: | [VM-6: Host application and database data on a data disk](#-vm-6-host-application-and-database-data-on-a-data-disk)|

-||:::image type="icon" source="media/icon-recommendation-high.svg"::: | [VM-8: Production VMs should be using SSD disks](#-vm-8-production-vms-should-be-using-ssd-disks)|

-||:::image type="icon" source="media/icon-recommendation-medium.svg"::: |[VM-10: Enable Accelerated Networking (AccelNet)](#-vm-10-enable-accelerated-networking-accelnet) |

-||:::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-11: Accelerated Networking is enabled, make sure you update the GuestOS NIC driver every 6 months](#-vm-11-when-accelnet-is-enabled-you-must-manually-update-the-guestos-nic-driver) |

-|[**Management**](#management)|:::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-9: Watch for VMs in Stopped state](#-vm-9-review-vms-in-stopped-state) |

-||:::image type="icon" source="media/icon-recommendation-high.svg"::: |[VM-22: Use maintenance configurations for the VM](#-vm-22-use-maintenance-configurations-for-the-vm) |

-|[**Security**](#security)|:::image type="icon" source="media/icon-recommendation-medium.svg"::: |[VM-12: VMs should not have a Public IP directly associated](#-vm-12-vms-should-not-have-a-public-ip-directly-associated) |

-||:::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-13: Virtual Network Interfaces have an NSG associated](#-vm-13-vm-network-interfaces-have-a-network-security-group-nsg-associated) |

-||:::image type="icon" source="media/icon-recommendation-medium.svg"::: |[VM-14: IP Forwarding should only be enabled for Network Virtual Appliances](#-vm-14-ip-forwarding-should-only-be-enabled-for-network-virtual-appliances) |

-||:::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-17: Network access to the VM disk should be set to "Disable public access and enable private access"](#-vm-17-network-access-to-the-vm-disk-should-be-set-to-disable-public-access-and-enable-private-access) |

-||:::image type="icon" source="media/icon-recommendation-medium.svg"::: |[VM-19: Enable disk encryption and data at rest encryption by default](#-vm-19-enable-disk-encryption-and-data-at-rest-encryption-by-default) |

-|[**Networking**](#networking) | :::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-15: Customer DNS Servers should be configured in the Virtual Network level](#-vm-15-dns-servers-should-be-configured-in-the-virtual-network-level) |

-|[**Storage**](#storage) |:::image type="icon" source="media/icon-recommendation-medium.svg"::: |[VM-16: Shared disks should only be enabled in clustered servers](#-vm-16-shared-disks-should-only-be-enabled-in-clustered-servers) |

-|[**Compliance**](#compliance)| :::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-18: Ensure that your VMs are compliant with Azure Policies](#-vm-18-ensure-that-your-vms-are-compliant-with-azure-policies) |

-|[**Monitoring**](#monitoring)| :::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-20: Enable VM Insights](#-vm-20-enable-vm-insights) |

-||:::image type="icon" source="media/icon-recommendation-low.svg"::: |[VM-21: Configure diagnostic settings for all Azure resources](#-vm-21-configure-diagnostic-settings-for-all-azure-resources) |

-#### :::image type="icon" source="media/icon-recommendation-high.svg"::: **VM-1: Run production workloads on two or more VMs using VMSS Flex**

-To safeguard application workloads from downtime due to the temporary unavailability of a disk or VM, it's recommended that you run production workloads on two or more VMs using VMSS Flex.

-To achieve this you can use:

-#### :::image type="icon" source="media/icon-recommendation-high.svg"::: **VM-2: Deploy VMs across availability zones or use VMSS Flex with zones**

-For information on how to migrate your existing VMs to availability zone support, see [Availability zone support redeployment and migration](#availability-zone-redeployment-and-migration).

-#### :::image type="icon" source="media/icon-recommendation-high.svg"::: **VM-3: Migrate VMs using availability sets to VMSS Flex**

-Availability sets will be retired in the near future. Modernize your workloads by migrating them from VMs to VMSS Flex.

-With VMSS Flex, you can deploy your VMs in one of two ways:

-In an N-tier application, it's recommended that you place each application tier into its own VMSS Flex.

-#### :::image type="icon" source="media/icon-recommendation-high.svg"::: **VM-5: Use managed disks for VM disks**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-4: Replicate VMs using Azure Site Recovery**

-When you replicate Azure VMs using Site Recovery, all the VM disks are continuously replicated to the target region asynchronously. The recovery points are created every few minutes. This gives you a Recovery Point Objective (RPO) in the order of minutes. You can conduct disaster recovery drills as many times as you want, without affecting the production application or the ongoing replication.

-#### :::image type="icon" source="media/icon-recommendation-medium.svg"::: **VM-7: Backup data on your VMs with Azure Backup service**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-6: Host application and database data on a data disk**

-A data disk is a managed disk thatΓÇÖs attached to a VM. Use the data disk to store application data, or other data you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose. Hosting your data on a data disk makes it easy to backup or restore your data. You can also migrate the disk without having to move the entire VM and Operating System. Also, you'll be able to select a different disk SKU, with different type, size, and performance that meet your requirements. For more information on data disks, see [Data Disks](/azure/virtual-machines/managed-disks-overview#data-disk).

-#### :::image type="icon" source="media/icon-recommendation-high.svg"::: **VM-8: Production VMs should be using SSD disks**

-It is recommended that you:

-### :::image type="icon" source="media/icon-recommendation-medium.svg"::: **VM-10: Enable Accelerated Networking (AccelNet)**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-11: When AccelNet is enabled, you must manually update the GuestOS NIC driver**

-When AccelNet is enabled, the default Azure Virtual Network interface in the GuestOS is replaced for a Mellanox interface. As a result, the GuestOS NIC driver is provided from Mellanox, a 3rd party vendor. Although Marketplace images maintained by Microsoft are offered with the latest version of Mellanox drivers, once the VM is deployed, you'll need to manually update GuestOS NIC driver every six months.

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-9: Review VMs in stopped state**

-#### :::image type="icon" source="media/icon-recommendation-high.svg"::: **VM-22: Use maintenance configurations for the VM**

-#### :::image type="icon" source="media/icon-recommendation-medium.svg"::: **VM-12: VMs should not have a Public IP directly associated**

-If a VM requires outbound internet connectivity, it's recommended that you use NAT Gateway or Azure Firewall. NAT Gateway or Azure Firewall help to increase security and resiliency of the service, since both services have much higher availability and [Source Network Address Translation (SNAT)](/azure/load-balancer/load-balancer-outbound-connections) ports. For inbound internet connectivity, it's recommended that you use a load balancing solution such as Azure Load Balancer and Application Gateway.

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-13: VM network interfaces have a Network Security Group (NSG) associated**

-It's recommended that you associate a NSG to a subnet, or a network interface, but not both. Since rules in a NSG associated to a subnet can conflict with rules in a NSG associated to a network interface, you can have unexpected communication problems that require troubleshooting. For more information, see [Intra-Subnet traffic](/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic).

-#### :::image type="icon" source="media/icon-recommendation-medium.svg"::: **VM-14: IP forwarding should only be enabled for network virtual appliances**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-17: Network access to the VM disk should be set to "Disable public access and enable private access"**

-#### :::image type="icon" source="media/icon-recommendation-medium.svg"::: **VM-19: Enable disk encryption and data at rest encryption by default**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-15: DNS Servers should be configured in the Virtual Network level**

-#### :::image type="icon" source="media/icon-recommendation-medium.svg"::: **VM-16: Shared disks should only be enabled in clustered servers**

-Azure shared disks is a feature for Azure managed disks that enables you to attach a managed disk to multiple VMs simultaneously. Attaching a managed disk to multiple VMs allows you to either deploy new or migrate existing clustered applications to Azure and should only be used in those situations where the disk will be assigned to more than one VM member of a cluster.

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-18: Ensure that your VMs are compliant with Azure Policies**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-20: Enable VM Insights**

-#### :::image type="icon" source="media/icon-recommendation-low.svg"::: **VM-21: Configure diagnostic settings for all Azure resources**

-Virtual machines support availability zones with three availability zones per supported Azure region and are also zone-redundant and zonal. For more information, see [availability zones support](availability-zones-service-support.md). The customer will be responsible for configuring and migrating their virtual machines for availability. Refer to the following readiness options below for availability zone enablement:

-Customers can set up virtual machines to failover to another zone using the Site Recovery service. For more information, see [Site Recovery](../site-recovery/site-recovery-overview.md).

-Virtual machines can failover to another server in a cluster, with the VM's operating system restarting on the new server. Customers should refer to the failover process for disaster recovery, gathering virtual machines in recovery planning, and running disaster recovery drills to ensure their fault tolerance solution is successful.

-During a zone-wide outage, you should expect a brief degradation of performance until the virtual machine service self-healing re-balances underlying capacity to adjust to healthy zones. This isn't dependent on zone restoration; it's expected that the Microsoft-managed service self-healing state will compensate for a lost zone, leveraging capacity from other zones.

-Customers should also prepare for the possibility that there's an outage of an entire region. If there's a service disruption for an entire region, the locally redundant copies of your data would temporarily be unavailable. If geo-replication is enabled, three additional copies of your Azure Storage blobs and tables are stored in a different region. In the event of a complete regional outage or a disaster in which the primary region isn't recoverable, Azure remaps all of the DNS entries to the geo-replicated region.

-The following guidance is provided for Azure virtual machines in the case of a service disruption of the entire region where your Azure virtual machine application is deployed:

-When you opt for availability zones isolation, you should utilize safe deployment techniques for application code, as well as application upgrades. In addition to configuring Azure Site Recovery, below are recommended safe deployment techniques for VMs:

- As Microsoft periodically performs planned maintenance updates, there may be rare instances when these updates require a reboot of your virtual machine to apply the required updates to the underlying infrastructure. To learn more, see [availability considerations](../virtual-machines/maintenance-and-updates.md#availability-considerations-during-scheduled-maintenance) during scheduled maintenance.

-Follow the health signals below for monitoring before upgrading your next set of nodes in another zone:

-### Availability zone redeployment and migration

-For migrating existing virtual machine resources to a zone redundant configuration, refer to the below resources:

- - [CLI](/azure/azure-resource-manager/management/move-resource-group-and-subscription#use-azure-cli)

- - [PowerShell](/azure/azure-resource-manager/management/move-resource-group-and-subscription#use-azure-powershell)

-## Disaster recovery: cross-region failover

-You can use Cross Region restore to restore Azure VMs via paired regions. With Cross Region restore, you can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region. For more details on Cross Region restore, refer to the Cross Region table row entry in our [restore options](../backup/backup-azure-arm-restore-vms.md#restore-options).

-### Cross-region disaster recovery in multi-region geography

-In the case of a region-wide service disruption, Microsoft works diligently to restore the virtual machine service. However, you will still have to rely on other application-specific backup strategies to achieve the highest level of availability. For more information, see the section on [Data strategies for disaster recovery](/azure/architecture/reliability/disaster-recovery#disaster-recovery-plan).

-With disaster recovery set up, Azure VMs continuously replicate to a different target region. If an outage occurs, you can fail over VMs to the secondary region, and access them from there.

-When you replicate Azure VMs using [Site Recovery](../site-recovery/site-recovery-overview.md), all the VM disks are continuously replicated to the target region asynchronously. The recovery points are created every few minutes. This gives you a Recovery Point Objective (RPO) in the order of minutes. You can conduct disaster recovery drills as many times as you want, without affecting the production application or the ongoing replication. For more information, see [Run a disaster recovery drill to Azure](../site-recovery/tutorial-dr-drill-azure.md).

-Microsoft and its customers operate under the Shared Responsibility Model. This means that for customer-enabled DR (customer-responsible services), the customer must address DR for any service they deploy and control. To ensure that recovery is proactive, customers should always pre-deploy secondaries because there's no guarantee of capacity at time of impact for those who haven't pre-allocated.

-For deploying virtual machines, customers can use [flexible orchestration](../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md#scale-sets-with-flexible-orchestration) mode on Virtual Machine Scale Sets. All VM sizes can be used with flexible orchestration mode. Flexible orchestration mode also offers high availability guarantees (up to 1000 VMs) by spreading VMs across fault domains in a region or within an Availability Zone.

-| `DataActions`</br>`dataActions` | No | String[] | An array of strings that specifies the data plane actions that the role allows to be performed to your data within that object. If you create a custom role with `DataActions`, that role can't be assigned at the management group scope. For more information, see [DataActions](role-definitions.md#dataactions). |

-ExpressRoute is preferred over VPN or SDWAN.

-online version: https://github.com/Azure/sap-hana

-The `install_workloadzone.sh` command deploys a new SAP workload zone. The workload zone contains the shared resources for all VMs.

-export subscriptionId=<subscriptionID>

-export appId=<appID>

-export spnSecret="<password>"

-export tenantId=<tenantID>

-export keyvault=<keyvaultName>

-export storageAccount=<storageaccountName>

-online version: https://github.com/Azure/sap-hana

-# prepare_region.sh

-The `prepare_region.sh` script deploys the control plane, including the deployer VM, Azure Key Vault, and the SAP library.

-The deployer VM has installations of Ansible and Terraform. This VM deploys the SAP artifacts.

-prepare_region.sh [ --deployer_parameter_file ] <String> [ --library_parameter_file ] <String>

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/prepare_region.sh \

- --deployer_parameter_file DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE/MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars \

- --library_parameter_file LIBRARY/MGMT-WEEU-SAP_LIBRARY/MGMT-WEEU-SAP_LIBRARY.tfvars

-cd ~/Azure_SAP_Automated_Deployment/WORKSPACES

-az login

-export subscriptionId=<subscriptionID>

-export appId=<appID>

-export spnSecret="<password>"

-export tenantId=<tenantID>

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/prepare_region.sh \

- --deployer_parameter_file DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE/MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars \

- --library_parameter_file LIBRARY/MGMT-WEEU-SAP_LIBRARY/MGMT-WEEU-SAP_LIBRARY.tfvars \

- --subscription $subscriptionId \

- --spn_id $appId \

- --spn_secret $spnSecret \

- --tenant_id $tenantId

-online version: https://github.com/Azure/sap-hana

-# Remove_region.sh

-Removes the control plane, including the deployer VM and the SAP library. It is important to remove the terraform deployed artifacts using Terraform to ensure that the removals are done correctly.

-remove_region.sh [-d or --deployer_parameter_file ] <String> [-l or --library_parameter_file ] <String>

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/remove_region.sh \

- --deployer_parameter_file DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE/MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars \

- --library_parameter_file LIBRARY/MGMT-WEEU-SAP_LIBRARY/MGMT-WEEU-SAP_LIBRARY.tfvars

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/remove_region.sh \

- --deployer_parameter_file DEPLOYER/MGMT-WEEU-DEP00-INFRASTRUCTURE/MGMT-WEEU-DEP00-INFRASTRUCTURE.tfvars \

- --library_parameter_file LIBRARY/MGMT-WEEU-SAP_LIBRARY/MGMT-WEEU-SAP_LIBRARY.tfvars \

- --subscription xxxxxxxxxxx

- --storage_account mgmtweeutfstate###

-You can deploy or update the control plane by using the [prepare_region](bash/prepare-region.md) shell script.

-Remove the control plane by using the [remove_region](bash/remove-region.md) shell script.

- mkdir -p ~/Azure_SAP_Automated_Deployment

- cd ~/Azure_SAP_Automated_Deployment

- git clone https://github.com/Azure/sap-automation.git

- git clone https://github.com/Azure/sap-automation-samples.git

- - `terraform` version 1.2.8 or higher. [Upgrade by using the Terraform instructions](https://www.terraform.io/upgrade-guides/0-12.html), as necessary.

- cd ~/Azure_SAP_Automated_Deployment/sap-automation-samples/Terraform

- cd ~/Azure_SAP_Automated_Deployment/WORKSPACES

- export CONFIG_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation-samples/Terraform/WORKSPACES"

- export SAP_AUTOMATION_REPO_PATH="${HOME}/Azure_SAP_Automated_Deployment/sap-automation"

- ${DEPLOYMENT_REPO_PATH}/deploy/scripts/deploy_controlplane.sh \

- --deployer_parameter_file DEPLOYER/${env_code}-${region_code}-DEP00-INFRASTRUCTURE/${env_code}-${region_code}-DEP00-INFRASTRUCTURE.tfvars \

- --library_parameter_file LIBRARY/${env_code}-${region_code}-SAP_LIBRARY/${env_code}-${region_code}-SAP_LIBRARY.tfvars \

- --subscription "${subscriptionId}" \

- --spn_id "${spn_id}" \

- --spn_secret "${spn_secret}" \

- --tenant_id "${tenant_id}" \

-mkdir -p ~/Azure_SAP_Automated_Deployment

-cd ~/Azure_SAP_Automated_Deployment

-git clone https://github.com/Azure/sap-automation.git

-1. If necessary, register the SPN.

- The first time an environment is instantiated, an SPN must be registered. In this tutorial, the control plane is in the `MGMT` environment and the workload zone is in `DEV`. Therefore, an SPN must be registered for `DEV` at this time.

- export subscriptionId="<subscriptionId>"

- export spn_id="<appID>"

- export spn_secret="<password>"

- export tenant_id="<tenant>"

- export key_vault="<vaultID>"

- export env_code="DEV"

- export region_code="<region_code>"

- ${DEPLOYMENT_REPO_PATH}/deploy/scripts/set_secrets.sh \

-1. Go to the `sap-automation` folder and optionally refresh the repository.

- ```bash

- cd ~/Azure_SAP_Automated_Deployment/sap-automation/

- git pull

- ```

-1. Go into the `WORKSPACES/LANDSCAPE` folder and copy the sample configuration files to use from the repository.

- ```bash

- cd ~/Azure_SAP_Automated_Deployment/WORKSPACES/LANDSCAPE

- cp -Rp ../../sap-automation/training-materials/WORKSPACES/LANDSCAPE/DEV-[REGION]-SAP01-INFRASTRUCTURE .

- ```

- ${DEPLOYMENT_REPO_PATH}/deploy/scripts/install_workloadzone.sh \

- --parameterfile ./${sap_env_code}-${region_code}-SAP01-INFRASTRUCTURE.tfvars \

- --deployer_environment "${deployer_env_code}" \

- --deployer_tfstate_key "${deployer_env_code}-${region_code}-DEP00-INFRASTRUCTURE.terraform.tfstate" \

- --keyvault "${key_vault}" \

- --storageaccountname "${tfstate_storage_account}" \

- --auto-approve

-```bash

-cd ~/Azure_SAP_Automated_Deployment/WORKSPACES/SYSTEM

-cp -Rp ../../sap-automation/training-materials/WORKSPACES/SYSTEM/DEV-[REGION]-SAP01-X00 .

-```

-export sap_env_code="DEV"

-export region_code="<region_code>"

-cd ~/Azure_SAP_Automated_Deployment/WORKSPACES/SYSTEM/${sap_env_code}-${region_code}-SAP01-X00

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/installer.sh \

- --parameterfile "${sap_env_code}-${region_code}-SAP01-X00.tfvars" \

- --type sap_system \

- --auto-approve

-The deployment command for the `northeurope` example will look like:

-Make sure you have the following files in the current folders: `sap-parameters.yaml` and `SID_host.yaml`.

-### Playbook: HANA DB install

-This playbook installs the HANA database instances.

-cd ~/Azure_SAP_Automated_Deployment/WORKSPACES/SYSTEM/${sap_env_code}-${region_code}-SAP01-X00

- --parameterfile "${sap_env_code}-${region_code}-SAP01-X00.tfvars" \

-cd ~/Azure_SAP_Automated_Deployment/WORKSPACES/LANDSCAPE/${sap_env_code}-${region_code}-SAP01-INFRASTRUCTURE

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/remover.sh \

- --parameterfile ${sap_env_code}-${region_code}-SAP01-INFRASTRUCTURE.tfvars \

-${DEPLOYMENT_REPO_PATH}/deploy/scripts/remove_controlplane.sh \

- --deployer_parameter_file DEPLOYER/MGMT-${region_code}-DEP00-INFRASTRUCTURE/MGMT-${region_code}-DEP00-INFRASTRUCTURE.tfvars \

- --library_parameter_file LIBRARY/MGMT-${region_code}-SAP_LIBRARY/MGMT-${region_code}-SAP_LIBRARY.tfvars

- sudo vi /etc/waagent.conf

-

- # Check if property ResourceDisk.Format is already set to y and if not, set it

- ResourceDisk.Format=y

-

- # Set the property ResourceDisk.EnableSwap to y

- # Create and use swapfile on resource disk.

- ResourceDisk.EnableSwap=y

-

- # Set the size of the SWAP file with property ResourceDisk.SwapSizeMB

- # The free space of resource disk varies by virtual machine size. Make sure that you do not set a value that is too big. You can check the SWAP space with command swapon

- # Size of the swapfile.

- ResourceDisk.SwapSizeMB=2000

- Restart the Agent to activate the change

- sudo service waagent restart

-## Known issues

- There can only be one workspace transformation DCR for an entire workspace. Within that DCR, each table can use a separate input stream with its own transformation. However, if you have two different MMA-based data connectors sending data to the *Syslog* table, they will both have to use the same input stream configuration in the DCR.

-This page shows the supported authentication types and client types of Azure Blob Storage using Service Connector. You might still be able to connect to Azure Blob Storage in other programming languages without using Service Connector. This page also shows default environment variable names and values (or Spring Boot configuration) you get when you create the service connection. You can learn more about [Service Connector environment variable naming convention](concept-service-connector-internals.md).

-## Default environment variable names or application properties

-Use the connection details below to connect compute services to Blob Storage. For each example below, replace the placeholder texts

-`<account name>`, `<account-key>`, `<client-ID>`, `<client-secret>`, `<tenant-ID>`, and `<storage-account-name>` with your own account name, account key, client ID, client secret, tenant ID and storage account name.

-### Secret / connection string

-#### .NET, Java, Node.JS, Python

-| Default environment variable name | Description | Example value |

-||--||

-| AZURE_STORAGEBLOB_CONNECTIONSTRING | Blob Storage connection string | `DefaultEndpointsProtocol=https;AccountName=<account name>;AccountKey=<account-key>;EndpointSuffix=core.windows.net` |

-#### Java - SpringBoot

-| Application properties | Description | Example value |

-|--|--||

-| azure.storage.account-name | Your Blob storage-account-name | `<storage-account-name>` |

-| azure.storage.account-key | Your Blob Storage account key | `<account-key>` |

-| azure.storage.blob-endpoint | Your Blob Storage endpoint | `https://<storage-account-name>.blob.core.windows.net/` |

-Follow the tutorials listed below to learn more about Service Connector.

-# Deploy a custom Windows virtual machine scale set image on new node types within a Service Fabric Managed Cluster (preview)

-Custom windows images are like marketplace images, but you create them yourself for each new node type within a cluster. Custom images can be used to bootstrap configurations such as preloading applications, application configurations, and other OS configurations. Once you create a custom windows image, you can then deploy to one or more new node types within a Service Fabric Managed Cluster.

-When you create a new node type, you will need to modify your ARM template with the new property: VmImageResourceId: <Image name>. The following is an example:

->

-> * An Availability Zone spanning virtual machine scale set with Silver or higher durability should have at least 15 VMs.

-```

- 

-Before you continue, get a quick overview with this video about how to fail back from Azure to an on-premises site.<br /><br />

-## Reprotection/failback components

-1. Note the master target server [requirements and limitations](#reprotectionfailback-components).

-[Reprotect](vmware-azure-reprotect.md) a VM.

-When you assign an endpoint on an application in an Azure Spring Apps service instance deployed in your virtual network, the endpoint is a private fully qualified domain name (FQDN). The domain is only accessible in the private network. Apps and services use the application endpoint. They include the *Test Endpoint* described in [View apps and deployments](./how-to-staging-environment.md#view-apps-and-deployments). *Log streaming*, described in [Stream Azure Spring Apps app logs in real-time](./how-to-log-streaming.md), also works only within the private network.

-#### [Portal](#tab/azure-portal)

-1. Select the virtual network resource you created as explained in [Deploy Azure Spring Apps in your Azure virtual network (VNet injection)](./how-to-deploy-in-azure-virtual-network.md).

-2. In the **Connected devices** search box, enter *kubernetes-internal*.

-3. In the filtered result, find the **Device** connected to the **Service Runtime Subnet** of the service instance, and copy its **IP Address**. In this sample, the IP Address is *10.1.0.7*.

- > [!WARNING]

- > Be sure that the IP Address belongs to **Service Runtime subnet** instead of **Spring Boot microservice apps subnet**. Subnet specifications are provided when you deploy an Azure Spring Apps instance. For more information, see the [Deploy an Azure Spring Apps instance](./how-to-deploy-in-azure-virtual-network.md#deploy-an-azure-spring-apps-instance) section of [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md).

- :::image type="content" source="media/spring-cloud-access-app-vnet/create-dns-record.png" alt-text="Screenshot of the Azure portal showing the Connected devices page for a virtual network, filtered for kubernetes-internal devices, with the IP Address for the service runtime subnet highlighted." lightbox="media/spring-cloud-access-app-vnet/create-dns-record.png":::

-#### [CLI](#tab/azure-CLI)

-#### [Portal](#tab/azure-portal)

-#### [CLI](#tab/azure-CLI)

-#### [Portal](#tab/azure-portal)

-#### [CLI](#tab/azure-CLI)

-#### [Portal](#tab/azure-portal)

-#### [CLI](#tab/azure-CLI)

-#### [Portal](#tab/azure-portal)

-#### [CLI](#tab/azure-CLI)

-## My application can't be registered

-If your virtual network is not configured with custom DNS settings, or if your virtual network is configured with custom DNS settings and you've already added Azure DNS IP `168.63.129.16` as the upstream DNS server in the custom DNS server, then complete the following steps:

-| global.prod.microsoftmetrics.com:443 and \*.livediagnostics.monitor.azure.com:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. |

-| global.prod.microsoftmetrics.com:443 and \*.livediagnostics.monitor.azure.com:443 *or* [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - AzureMonitor:443 | TCP:443 | Azure Monitor. | Allows outbound calls to Azure Monitor. |

-This article helps you to enable a hierarchical namespace and unlock capabilities such as file and directory-level security and faster operations. These capabilities are widely used by big data analytics workloads and are referred to collectively as Azure Data Lake Storage Gen2. The most popular capabilities include:

-To learn more about them, see [Introduction to Azure Data Lake storage Gen2](data-lake-storage-introduction.md).

-Make sure to plan for some downtime in your account while the upgrade process completes. Write operations are disabled while your account is being upgraded. Read operations aren't disabled, but we strongly recommend that you suspend read operations as those operations might destabilize the upgrade process.

-Any Hadoop workloads that use Windows Azure Storage Blob driver or [WASB](https://hadoop.apache.org/docs/current/hadoop-azure/https://docsupdatetracker.net/index.html) driver, must be modified to use the [Azure Blob File System (ABFS)](https://hadoop.apache.org/docs/stable/hadoop-azure/abfs.html) driver. Unlike the WASB driver that makes requests to the **Blob service** endpoint, the ABFS driver will make requests to the **Data Lake Storage** endpoint of your account.

-Azure services and tools (such as AzCopy) might use the Data Lake storage endpoint to interact with the data in your storage account. Also, you'll need to use this new endpoint for any operations that you perform by using the [Data Lake Storage Gen2 SDKs](data-lake-storage-directory-file-acl-dotnet.md), [PowerShell commands](data-lake-storage-directory-file-acl-powershell.md), or [Azure CLI commands](data-lake-storage-directory-file-acl-cli.md).

-Before migration, blob metadata is associated with the blob name along with it's entire virtual path. After migration, the metadata is associated only with the blob. The virtual path to the blob becomes a collection of directories. Metadata of a blob is not applied to any of those directories.

-When you upload a blob, and the path that you specify includes a directory that doesn't exist, the operation creates that directory, and then adds a blob to it. This behavior is logical in the context of a hierarchical folder structure. In a Blob storage account that does not have a hierarchical namespace, the operation doesn't create a directory. Instead, the directory name is added to the blob's namespace.

-Aside from pricing changes, consider the costs savings associated with Data Lake Storage Gen2 capabilities. Overall total of cost of ownership typically declines because of higher throughput and optimized operations. Higher throughput enables you to transfer more data in less time. A hierarchical namespace improves the efficiency of operations.

-While most Azure service integrations will continue to work after you've enable these capabilities, some of them remain in preview or not yet supported. See [Azure services that support Azure Data Lake Storage Gen2](data-lake-storage-supported-azure-services.md) to understand the current support for Azure service integrations with Data Lake Storage Gen2.

-## Impact on tools, features and documentation

-After you upgrade, the way that interact with some features will change. This section describes those changes.

-### Blob Storage feature support

-While most of Blob storage features will continue to work after you've enable these capabilities, some of them remain in preview or not yet supported.

-Policies that move or delete all of the blobs in a directory won't delete the directory that contains those blobs until the next day. That's because the directory can't be deleted until all of the blobs that are located in that directory are first removed. The next day, the directory will be removed.

-The following buttons don't yet appear in the Ribbon of Azure Storage Explorer.

-Azurite supports basic authentication by specifying the `basic` parameter to the `--oauth` switch. Azurite performs basic authentication, like validating the incoming bearer token, checking the issuer, audience, and expiry. Azurite doesn't check the token signature or permissions. To learn more about authorization, see [Authorization for tools and SDKs](#authorization-for-tools-and-sdks).

-## Authorization for tools and SDKs

-Connect to Azurite from Azure Storage SDKs or tools, like [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/), by using any authentication strategy. Authentication is required. Azurite supports authorization with OAuth, Shared Key, and shared access signatures (SAS). Azurite also supports anonymous access to public containers.

-If you're using the Azure SDKs, start Azurite with the `--oauth basic and --cert --key/--pwd` options. To learn more about using Azurite with the Azure SDKs, see [Azure SDKs](#azure-sdks).

-To use Azurite with the [Azure SDKs](https://aka.ms/azsdk), use OAuth and HTTPS options:

-Run the following commands to assign Contributor role to AKS managed identity. Remember to replace `<resource-group>` and `<cluster-name>` with your own values.

-export AKS_NODE_RG=$(az aks show --name <cluster-name> --resource-group <resource-group> --query "nodeResourceGroup" -o tsv)

-az role assignment create --assignee $AKS_MI_OBJECT_ID --role "Contributor" --resource-group "$AKS_NODE_RG"

-1. Paste in the following code and save the file. The storage pool **name** value can be whatever you want.

- apiVersion: containerstorage.azure.com/v1alpha1

- azureDisk: {}

- requests: {"storage": 1Ti}

-> In Azure Synapse Analytics, the IDENTITY value increases on its own in each distribution and does not overlap with IDENTITY values in other distributions. The IDENTITY value in Synapse is not guaranteed to be unique if the user explicitly inserts a duplicate value with ΓÇ£SET IDENTITY_INSERT ONΓÇ¥ or reseeds IDENTITY. For details, see [CREATE TABLE (Transact-SQL) IDENTITY (Property)](/sql/t-sql/statements/create-table-transact-sql-identity-property?view=azure-sqldw-latest&preserve-view=true).

-description: The article describes the assessment options available in Update Manager (preview).

-# Assessment options in Update Manager (preview)

-This article provides an overview of the assessment options available by Update Manager (preview).

-Update Manager (preview) provides you the flexibility to assess the status of available updates and manage the process of installing required updates for your machines.

- Periodic assessment is an update setting on a machine that allows you to enable automatic periodic checking of updates by Update Manager (preview). We recommend that you enable this property on your machines as it allows Update Manager (preview) to fetch latest updates for your machines every 24 hours and enables you to view the latest compliance status of your machines. You can enable this setting using update settings flow as detailed [here](manage-update-settings.md#configure-settings-on-a-single-vm) or enable it at scale by using [Policy](periodic-assessment-at-scale.md).

-Update Manager (preview) allows you to check for latest updates on your machines at any time, on-demand. You can view the latest update status and act accordingly. Go to **Updates** blade on any VM and select **Check for updates** or select multiple machines from Update Manager (preview) and check for updates for all machines at once. For more information, see [check and install on-demand updates](view-updates.md).

-* To view update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-description: This article tells how to configure Windows update settings to work with Azure Update Manager (preview).

-# Configure Windows update settings for Azure Update Manager (preview)

-Azure Update Manager (preview) relies on the [Windows Update client](/windows/deployment/update/windows-update-overview) to download and install Windows updates. There are specific settings that are used by the Windows Update client when connecting to Windows Server Update Services (WSUS) or Windows Update. Many of these settings can be managed by:

-The Update Manager (preview) respects many of the settings specified to control the Windows Update client. If you use settings to enable non-Windows updates, the Update Manager (preview) will also manage those updates. If you want to enable downloading of updates before an update deployment occurs, update deployment can be faster, more efficient, and less likely to exceed the maintenance window.

-To configure the automatic downloading of updates without automatically installing them, you can use Group Policy to [configure the Automatic Updates setting](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#configure-automatic-updates) to 3. This setting enables downloads of the required updates in the background, and notifies you that the updates are ready to install. In this way, Update Manager (preview) remains in control of schedules, but allows downloading of updates outside the maintenance window. This behavior prevents `Maintenance window exceeded` errors in Update Manager (preview)

-Update Manager (preview) supports WSUS settings. You can specify sources for scanning and downloading updates using instructions in [Specify intranet Microsoft Update service location](/windows/deployment/update/waas-wu-settings#specify-intranet-microsoft-update-service-location). By default, the Windows Update client is configured to download updates from Windows Update. When you specify a WSUS server as a source for your machines, the update deployment fails, if the updates aren't approved in WSUS.

-description: This article details how to use Azure Update Manager (preview) in the Azure portal to deploy updates and view results for supported machines.

-# Deploy updates now and track results with Azure Update Manager (preview)

-This article describes how to perform an on-demand update on a single virtual machine (VM) or multiple VMs by using Azure Update Manager (preview).

-Update Manager (preview) is available in all [Azure public regions](support-matrix.md#supported-regions).

-You can install updates from **Overview** or **Machines** on the **Update Manager (preview)** page or from the selected VM.

-1. On **Update Manager (preview)** > **Overview**, select your subscription and select **One-time update** to install updates.

- > - **Selected Updates** shows a preview of OS updates that you can install based on the last OS update assessment information available. If the OS update assessment information in Update Manager (preview) is obsolete, the actual updates installed would vary. Especially if you've chosen to install a specific update category, where the OS updates applicable might vary as new packages or KB IDs might be available for the category.

- > - Update Manager (preview) doesn't support driver updates.

- - Select **Include KB ID/package** to include in the updates. Enter a comma separated list of Knowledge Base article ID numbers to include or exclude for Windows updates. For example, use `3103696` or `3134815`. For Windows, you can refer to the [MSRC webpage](https://msrc.microsoft.com/update-guide/deployments) to get the details of the latest Knowledge Base release. For supported Linux distros, you specify a comma separated list of packages by the package name, and you can include wildcards. For example, use `kernel*`, `glibc`, or `libc=1.0.1`. Based on the options specified, Update Manager (preview) shows a preview of OS updates under the **Selected Updates** section.

-1. On **Update Manager (preview)** > **Machine**, select your subscription, select your machine, and select **One-time update** to install updates.

-1. On **Update Manager (preview)** > **Overview**, select your subscription and select **One-time update** > **Install now** to install updates.

-**Windows update history** currently doesn't show the updates that are installed from Azure Update Management. To view a summary of the updates applied on your machines, go to **Update Manager (preview)** > **Manage** > **History**.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [Query logs](query-logs.md).

-* To troubleshoot issues, see [Troubleshoot issues with Azure Update Manager (preview)](troubleshoot.md).

-description: This article provides information about dynamic scoping (preview), its purpose and advantages.

-# About Dynamic Scoping (preview)

-Dynamic scoping (preview) is an advanced capability of schedule patching that allows users to:

-For dynamic scoping (preview) and configuration assignment, ensure that you have the following permissions:

-1. Sign in to the [Azure portal](https://portal.azure.com) and search for Azure Update Manager (preview).

-1. In the **Azure Update Manager (Preview)** home page, under **Manage** > **Machines**, select your subscription to view all your machines.

-description: This article tells how to use Azure Update Manager (preview) using REST API with Azure Arc-enabled servers.

-This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure Arc-enabled servers with Azure Update Manager (preview) in Azure. If you're new to Azure Update Manager (preview) and you want to learn more, see [overview of Update Manager (preview)](overview.md). To use the Azure REST API to manage Azure virtual machines, see [How to programmatically work with Azure virtual machines](manage-vms-programmatically.md).

-Update Manager (preview) in Azure enables you to use the [Azure REST API](/rest/api/azure) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure) and [Azure CLI](/cli/azure).

-Support for Azure REST API to manage Azure Arc-enabled servers is available through the Update Manager (preview) virtual machine extension.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager (preview).

-description: This article describes how to manage dynamic scoping (preview) operations

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Update Manager (preview)**.

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-description: This article explains how to use Azure Update Manager (preview) in Azure to manage multiple supported machines and view their compliance state in the Azure portal.

-# Manage multiple machines with Azure Update Manager (preview)

-This article describes the various features that Azure Update Manager (preview) offers to manage the system updates on your machines. By using the Update Manager (preview), you can:

-## View Update Manager (preview) status

-1. To view update assessment across all machines, including Azure Arc-enabled servers, go to **Update Manager (preview)**.

- The graph provides a snapshot for all your machines in your subscription, regardless of whether you've used Update Manager (preview) for that machine. This assessment data comes from Azure Resource Graph, and it stores the data for seven days.

-Update Manager (preview) in Azure enables you to browse information about your Azure VMs and Azure Arc-enabled servers across your Azure subscriptions relevant to Update Manager (preview).

- On the **Update Manager (preview)** page, select **Machines** from the left menu.

- :::image type="content" source="./media/manage-multiple-machines/update-center-machines-page-inline.png" alt-text="Screenshot that shows the Update Manager (preview) Machines page in the Azure portal." lightbox="./media/manage-multiple-machines/update-center-machines-page-expanded.png":::

-Select a machine from the list to open Update Manager (preview) scoped to that machine. Here, you can view its detailed assessment status and update history, configure its patch orchestration options, and begin an update deployment.

-Update Manager (preview) enables you to browse information about your Azure VMs and Azure Arc-enabled servers across your Azure subscriptions relevant to Update Manager (preview). You can filter information to understand the update assessment and deployment history for multiple machines. On the **Update Manager (preview)** page, select **History** from the left menu.

-When the Resource Graph Explorer opens, it's automatically populated with the same query used to generate the results presented in the table on the **History** page in Update Manager (preview). Ensure that you review [Overview of query logs in Azure Update Manager (preview)](query-logs.md) to learn about the log records and their properties, and the sample queries included.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [Query logs](query-logs.md).

-description: This article describes how to manage the update settings for your Windows and Linux machines managed by Azure Update Manager (preview).

-This article describes how to configure update settings from Azure Update Manager (preview) to control the update settings on your Azure virtual machines (VMs) and Azure Arc-enabled servers for one or more machines.

-You can schedule updates from **Overview** or **Machines** on the **Update Manager (preview)** page or from the selected VM.

- - **Hotpatch**: You can enable [hotpatching](../automanage/automanage-hotpatch.md) for Windows Server Azure Edition VMs. Hotpatching is a new way to install updates on supported Windows Server Azure Edition VMs that doesn't require a reboot after installation. You can use Update Manager (preview) to install other patches by scheduling patch installation or triggering immediate patch deployment. You can enable, disable, or reset this setting.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [Query logs](query-logs.md).

-* To troubleshoot issues, see [Troubleshoot issues with Update Manager (preview)](troubleshoot.md).

-If you're using Azure Compute Gallery (formerly known as Shared Image Gallery) to create customized images, you can use Update Manager (preview) operations such as **Check for updates**, **One-time update**, **Schedule updates**, or **Periodic assessment** to validate if the VMs are supported for guest patching. If the VMs are supported, you can begin patching.

-description: This article tells how to use Azure Update Manager (preview) in Azure using REST API with Azure virtual machines.

-This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure virtual machine with Azure Update Manager (preview) in Azure. If you're new to Update Manager (preview) and you want to learn more, see [overview of Azure Update Manager (preview)](overview.md). To use the Azure REST API to manage Arc-enabled servers, see [How to programmatically work with Arc-enabled servers](manage-arc-enabled-servers-programmatically.md).

-Azure Update Manager (preview) in Azure enables you to use the [Azure REST API](/rest/api/azure/) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure/) and [Azure CLI](/cli/azure/).

-Support for Azure REST API to manage Azure VMs is available through the Update Manager (preview) virtual machine extension.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-* To troubleshoot issues, see [Troubleshoot](troubleshoot.md) Update Manager (preview).

-# Create reports in Azure Update Manager (preview)

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-1. Under **Monitoring**, selectΓÇ»**Workbooks** to view the Update Manager (preview)| Workbooks|Gallery.

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-1. Under **Monitoring**, selectΓÇ»**Workbooks** to view the Update Manager (preview)| Workbooks|Gallery.

-1. Select **Update Manager** tile > **Overview** to view the Update Manager (preview)|Workbooks|Overview page.

-description: The article tells what Azure Update Manager (preview) in Azure is and the system updates for your Windows and Linux machines in Azure, on-premises, and other cloud environments.

-# About Azure Update Manager (preview)

-> - [Automation Update management](../automation/update-management/overview.md) relies on [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) (aka MMA agent), which is on a deprecation path and wonΓÇÖt be supported after **August 31, 2024**. Update manager (preview) is the v2 version of Automation Update management and the future of Update management in Azure. Azure Update Manager (preview) is a native service in Azure and does not rely on [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md) or [Azure Monitor agent](../azure-monitor/agents/agents-overview.md).

-> - Guidance for migrating from Automation Update management to Update manager (preview) will be provided to customers once the latter is Generally Available. For customers using Automation Update management, we recommend continuing to use the Log Analytics agent and **NOT** migrate to Azure Monitoring agent until migration guidance is provided for Update management or else Automation Update management will not work. Also, the Log Analytics agent would not be deprecated before moving all Automation Update management customers to Update Manager (preview).

-Update Manager (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. In addition, you can use the Update Manager (preview) to make real-time updates or schedule them within a defined maintenance window.

-You can use the Update Manager (preview) in Azure to:

-Before you enable your machines for Update Manager (preview), make sure that you understand the information in the following sections.

-> - Update Manager (preview) doesnΓÇÖt store any customer data.

-> - Update Manager (preview) can manage machines that are currently managed by Azure Automation [Update management](../automation/update-management/overview.md) feature without interrupting your update management process. However, we don't recommend migrating from Automation Update Management since this preview gives you a chance to evaluate and provide feedback on features before it's generally available (GA).

-Update Manager (preview) has been redesigned and doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [Azure Automation Update Management feature](../automation/update-management/overview.md). Update Manager (preview) offers many new features and provides enhanced functionality over the original version available with Azure Automation and some of those benefits are listed below:

-The following diagram illustrates how Update Manager (preview) assesses and applies updates to all Azure machines and Arc-enabled servers for both Windows and Linux.

-To support management of your Azure VM or non-Azure machine, Update Manager (preview) relies on a new [Azure extension](../virtual-machines/extensions/overview.md) designed to provide all the functionality required to interact with the operating system to manage the assessment and application of updates. This extension is automatically installed when you initiate any Update manager (preview) operations such as **check for updates**, **install one time update**, **periodic assessment** on your machine. The extension supports deployment to Azure VMs or Arc-enabled servers using the extension framework. The Update Manager (preview) extension is installed and managed using the following:

- The extension agent installation and configuration are managed by the Update Manager (preview). There's no manual intervention required as long as the Azure VM agent or Azure Arc-enabled server agent is functional. The Update Manager (preview) extension runs code locally on the machine to interact with the operating system, and it includes:

-All assessment information and update installation results are reported to Update Manager (preview) from the extension and is available for analysis with [Azure Resource Graph](../governance/resource-graph/overview.md). You can view up to the last seven days of assessment data, and up to the last 30 days of update installation results.

-The machines assigned to Update Manager (preview) report how up to date they're based on what source they're configured to synchronize with. [Windows Update Agent (WUA)](/windows/win32/wua_sdk/updating-the-windows-update-agent) on Windows machines can be configured to report to [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or Microsoft Update which is by default, and Linux machines can be configured to report to a local or public YUM or APT package repository. If the Windows Update Agent is configured to report to WSUS, depending on when WSUS last synchronized with Microsoft update, the results in Update Manager (preview) might differ from what Microsoft update shows. This behavior is the same for Linux machines that are configured to report to a local repository instead of a public package repository.

-> You can manage your Azure VMs or Arc-enabled servers directly, or at-scale with Update Manager (preview).

-Along with the prerequisites listed below, see [support matrix](support-matrix.md) for Update Manager (preview).

-You need the following permissions to create and manage update deployments. The following table shows the permissions needed when using the Update Manager (preview).

-> Currently, Update Manager (preview) has the following limitations regarding the operating system support:

-> - [Specialized images](../virtual-machines/linux/imaging.md#specialized-images) and **VMs created by Azure Migrate, Azure Backup, Azure Site Recovery** aren't fully supported for now. However, you can **use on-demand operations such as one-time update and check for updates** in Update Manager (preview).

-> For the above limitations, we recommend that you use [Automation update management](../automation/update-management/overview.md) till the support is available in Update Manager (preview). [Learn more](support-matrix.md#supported-operating-systems).

-To prepare your network to support Update Manager (preview), you may need to configure some infrastructure components.

-description: This article describes how to manage the update settings for your Windows and Linux machines managed by Azure Update Manager (preview).

-This article describes how to enable Periodic Assessment for your machines at scale using Azure Policy. Periodic Assessment is a setting on your machine that enables you to see the latest updates available for your machines and removes the hassle of performing assessment manually every time you need to check the update status. Once you enable this setting, Update Manager (preview) fetches updates on your machine once every 24 hours.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager (preview).

-description: The article describes the new prerequisites to configure scheduled patching to ensure business continuity in Azure Update Manager (preview).

-1. Go to **Update Manager (preview)** home page and select **Machines** tab.

-1. Go to **Update Manager (preview)**, select **Update Settings**.

-1. Go to **Update Manager (preview)**, select **Update Settings**.

-* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager (preview).

-description: The article provides details on how you can review logs and search results from update manager (preview) in Azure using Azure Resource Graph

-# Overview of query logs in Azure Update Manager (preview)

-Logs created from operations like update assessments and installations are stored by Update Manager (preview) in an [Azure Resource Graph](../governance/resource-graph/overview.md). The Azure Resource Graph is a service in Azure designed to be the store for Azure service details without any cost or deployment requirements. Update Manager (preview) uses the Azure Resource Graph to store its results, and you can view the update history of the last 30 days from the resources.

-The article describes the structure of the logs from Update Manager (preview) and how you can use [Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md) to analyze them in support of your reporting, visualizing, and export needs.

-Update Manager (preview) sends the results of all its operation into Azure Resource Graph as logs, which are available for 30 days. Listed below are the structure of logs being sent to Azure Resource Graph.

-|`rebootBehavior` |Behavior set in the OS update installation runs job when configuring the update deployment if Update Manager (preview) can reboot the target machine. |

-|`rebootBehavior` |Behavior set in the OS update installation runs job by user, regarding allowing Update Manager (preview) to reboot the OS. |

-description: This quickstart helps you to deploy updates immediately and view results for supported machines in Azure Update Manager (preview) using the Azure portal.

-Using the Update Manager (preview) you can update automatically at scale with the help of built-in policies and schedule updates on a recurring basis or you can also take control by checking and installing updates manually.

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-1. In **Update Manager (preview)|Getting started**, in **On-demand assessment and updates**, selectΓÇ»**Update settings**.

-1. In the **Update Manager (preview)|Getting started** page, in **On-demand assessment and updates**, selectΓÇ»**Install updates by machines**.

-description: The article provides details of sample query logs from Azure Update Manager (preview) in Azure using Azure Resource Graph

-description: The article details how to use Azure Update Manager (preview) in Azure to set update schedules that install recurring updates on your machines.

-You can use Update Manager (preview) in Azure to create and save recurring deployment schedules. You can create a schedule on a daily, weekly or hourly cadence, specify the machines that must be updated as part of the schedule, and the updates to be installed. This schedule will then automatically install the updates as per the created schedule for single VM and at scale.

-Update Manager (preview) uses maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see [Maintenance control documentation](/azure/virtual-machines/maintenance-control).

-1. See [Prerequisites for Update Manager (preview)](./overview.md#prerequisites)

-> You can schedule updates from the Overview or Machines blade in Update Manager (preview) page or from the selected VM.

-1. In **Update Manager (preview)**, **Overview**, select your **Subscription**, and select **Schedule updates**.

- > Update Manager (preview) doesn't support driver updates.

-1. In **Update Manager (preview)**, **Machines**, select your **Subscription**, select your machine and select **Schedule updates**.

-1. In **Update Manager (preview)**, **Overview**, select your **Subscription** and select **Schedule updates**.

- > Update Manager (preview) doesn't support driver updates.

-1. In **Update Manager (preview)**, **Machines**, select your **Subscription**, select your machines and select **Schedule updates**.

-The update Manager (preview) allows you to target a group of Azure or non-Azure VMs for update deployment via Azure Policy. The grouping using policy, keeps you from having to edit your deployment to update machines. You can use subscription, resource group, tags or regions to define the scope and use this feature for the built-in policies which you can customize as per your use-case.

-* To view update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager (preview).

-# Support matrix for Azure Update Manager (preview)

-This article details the Windows and Linux operating systems supported and system requirements for machines or servers managed by Update Manager (preview) including the supported regions and specific versions of the Windows Server and Linux operating systems running on Azure VMs or machines managed by Arc-enabled servers.

-**Windows**: [Windows Update Agent (WUA)](/windows/win32/wua_sdk/updating-the-windows-update-agent) reports to Microsoft Update by default, but you can configure it to report to [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). If you configure WUA to report to WSUS, based on the WSUS's last synchronization with Microsoft update, the results in the Update Manager (preview) might differ to what the Microsoft update shows. You can specify sources for scanning and downloading updates using [specify intranet Microsoft Update service location](/windows/deployment/update/waas-wu-settings?branch=main#specify-intranet-microsoft-update-service-location). To restrict machines to the internal update service, see [Do not connect to any Windows Update Internet locations](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates?branch=main#do-not-connect-to-any-windows-update-internet-locations)

-**Linux**: You can configure Linux machines to report to a local or public YUM or APT package repository. The results shown in Update Manager (preview) depend on where the machines are configured to report.

-Update Manager (preview) supports operating system updates for both Windows and Linux.

-> Update Manager (preview) doesn't support driver Updates.

-Update Manager (preview) will scale to all regions for both Azure VMs and Azure Arc-enabled servers. Listed below are the Azure public cloud where you can use Update Manager (preview).

-Update Manager (preview) is available in all Azure public regions where compute virtual machines are available.

-Update Manager (preview) is supported in the following regions currently. It implies that VMs must be in below regions:

-Australia | Australia East

-> - Update Manager (preview) doesn't support CIS hardened images.

-> - [Specialized images](../virtual-machines/linux/imaging.md#specialized-images) and **VMs created by Azure Migrate, Azure Backup, Azure Site Recovery** aren't fully supported for now. However, you can **use on-demand operations such as one-time update and check for updates** in Update Manager (preview).

-> For the above limitation, we recommend that you use [Automation Update management](../automation/update-management/overview.md) till the support is available in Update Manager (preview).

-We support [generalized](../virtual-machines/linux/imaging.md#generalized-images) custom images. Table below lists the operating systems that we support for generalized images. Refer to [custom images (preview)](manage-updates-customized-images.md) for instructions on how to start using Update Manager (preview) to manage updates on custom images.

-As the Update Manager (preview) depends on your machine's OS package manager or update service, ensure that the Linux package manager, or Windows Update client are enabled and can connect with an update source or repository. If you're running a Windows Server OS on your machine, see [configure Windows Update settings](configure-wu-agent.md).

-description: The article provides details on the known issues and troubleshooting any problems with Azure Update Manager (preview).

-# Troubleshoot issues with Azure Update Manager (preview)

-This article describes the errors that might occur when you deploy or use Update Manager (preview), how to resolve them and the known issues and limitations of scheduled patching.

-* To learn more about Azure Update Manager (preview), see the [Overview](overview.md).

-* To view logged results from all your machines, see [Querying logs and results from update Manager (preview)](query-logs.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to Update Manager (preview).

-description: The article describes the updates and maintenance options available in Azure Update Manager (preview).

-# Update options in Azure Update Manager (preview)

-This article provides an overview of the various update and maintenance options available by Update Manager (preview).

-Update Manager (preview) provides you the flexibility to take an immediate action or schedule an update within a defined maintenance window. It also supports new patching methods such as [automatic VM guest patching](../virtual-machines/automatic-vm-guest-patching.md), [Hotpatching](../automanage/automanage-hotpatch.md?context=%2fazure%2fvirtual-machines%2fcontext%2fcontext) and so on.

-Update Manager (preview) allows you to secure your machines immediately by installing updates on demand. To perform the on-demand updates, see [Check and install one time updates](deploy-updates.md#install-updates-on-a-single-vm).

-Update Manager (preview) uses maintenance control schedule instead of creating its own schedules. Maintenance control enables customers to manage platform updates. For more information, see the [Maintenance control documentation](/azure/virtual-machines/maintenance-control).

-Hotpatching property is available as a setting in Update Manager (preview) which you can enable by using Update settings flow. Refer to detailed instructions [here](manage-update-settings.md#configure-settings-on-a-single-vm)

-* To view update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update Manager (preview).

-description: The article details how to use Azure Update Manager (preview) in the Azure portal to assess update compliance for supported machines.

-# Check update compliance with Azure Update Manager (preview)

-This article details how to check the status of available updates on a single VM or multiple VMs using Update Manager (preview).

-> You can check the updates from the Overview or Machines blade in Update Manager (preview) page or from the selected VM.

-1. In Update Manager (preview), **Overview**, select your **Subscription** to view all your machines and select **Check for updates**.

-1. In Update Manager (preview), **Machines**, select your **Subscription** to view all your machines.

-1. In Update Manager (preview), **Overview**, select your **Subscription** to view all your machines and select **Check for updates**.

-1. In Update Manager (preview), **Machines**, select your **Subscription** to view all your machines.

- A notification appears when the operation is initiated and completed. After a successful scan, the **Update Manager (preview) | Machines** page is refreshed to display the updates.

-> In update Manager (preview), you can initiate a software updates compliance scan on the machine to get the current list of operating system (guest) updates including the security and critical updates. On Windows, the software update scan is performed by the Windows Update Agent. On Linux, the software update scan is performed using OVAL-compatible tools to test for the presence of vulnerabilities based on the OVAL Definitions for that platform, which is retrieved from a local or remote repository.

-* To view the update assessment and deployment logs generated by Update Manager (preview), see [query logs](query-logs.md).

-* To troubleshoot issues, see [Troubleshoot](troubleshoot.md) Azure Update Manager (preview).

-description: Learn about what's new and recent updates in the Azure Update Manager (preview) service.

-# What's new in Azure Update Manager (Preview)

-[Azure Update Manager (preview)](overview.md) helps you manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. This article summarizes new releases and features in Update Manager (preview).

-Azure Update Manager (preview) is now available in Canada East and Sweden Central regions for Arc-enabled servers. [Learn more](support-matrix.md#supported-regions).

-Update Manager (preview) now supports [generalized](../virtual-machines/linux/imaging.md#generalized-images) custom images, and a combination of offer, publisher, and SKU for Marketplace/PIR images.See the [list of supported operating systems](support-matrix.md#supported-operating-systems).

-The limit on the number of subscriptions that you can manage to use the Update Manager (preview) portal has now been removed. You can now manage all your subscriptions using the update Manager (preview) portal.

-Update Manager (preview) now supports new five regions for Azure Arc-enabled servers. [Learn more](support-matrix.md#supported-regions).

-description: Learn about what's upcoming and updates in the Update manager (preview) service.

-# What are the upcoming features in Azure Update Manager (preview)

-The primary [what's New in Azure Update Manager (preview)](whats-new.md) contains updates of feature releases and this article lists all the upcoming features.

-Workbooks help you to create visual reports that help in data analysis. This article describes the various features that Workbooks offer in Update Manager (preview).

-description: Learn how to use Custom image templates to create custom images when deploying session hosts in Azure Virtual Desktop.

-# Use Custom image templates to create custom images in Azure Virtual Desktop (preview)

-> [!IMPORTANT]

-> Custom image templates in Azure Virtual Desktop is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

- | Managed Identity | Select the Managed Identity to use for creating the custom image template. |

- | Resource group | Select an existing resource group from the list for the managed image.<br /><br />If you choose a different resource group to the one you selected on the **Basics** tab, you'll also need to add the same role assignment for the Managed Identity. |

- | OS disk size GB) | Select the resource group you assigned the Managed Identity to.<br /><br />Alternatively, if you assigned the Managed Identity to the subscription, you can create a new resource group here. |

- | Virtual network | Select an existing virtual network for the VM used to build the template. This is optional. If you don't select an existing virtual network, a temporary one is created, along with a public IP address for the temporary VM. |

- 1. Select the scripts you want to use from the list, and complete any required information.

-description: Learn about Custom image templates in Azure Virtual Desktop, where you can create custom images that you can use when deploying session host virtual machines.

-# Custom image templates in Azure Virtual Desktop (preview)

-> [!IMPORTANT]

-> Custom image templates in Azure Virtual Desktop is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-We've added several built-in scripts available for you to use that configures some of the most popular features and settings when using Azure Virtual Desktop. You can also add your own custom scripts to the template, as long as they're hosted at a publicly available location, such as GitHub or a web service. You need to specify a duration for the build, so make sure you allow enough time for your scripts to complete. Here are some examples of the built-in scripts you can add to a custom image template:

-When the custom image is being created and distributed, Azure Image Builder uses a user-assigned Managed Identity. Azure Image Builder uses this Managed Identity to create several resources in your subscription, such as a resource group, a VM used to build the image, Key Vault, and a storage account. The VM needs internet access to download the built-in scripts or your own scripts that you added. The built-in scripts are stored in the *RDS-templates* GitHub repository at [https://github.com/Azure/RDS-Templates](https://github.com/Azure/RDS-Templates).

-description: Troubleshoot Custom image templates in Azure Virtual Desktop.

-# Troubleshoot Custom image templates in Azure Virtual Desktop (preview)

-> [!IMPORTANT]

-> Custom image templates in Azure Virtual Desktop is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> If you block access to IP address 168.63.129.16 by using the guest firewall or via a proxy, extensions fail. Failure occurs even if you use a supported version of the VM Agent or you configure outbound access. Ports 80, 443, and 32526 are required.

-## Update Manager (preview)

-[Update Manager (preview)](../update-center/overview.md) is a new-age unified service in Azure to manage and govern updates (Windows and Linux), both on-premises and other cloud platforms, across hybrid environments from a single dashboard. The new functionality provides native and out-of-the-box experience, granular access controls, flexibility to create schedules or take action now, ability to check updates automatically and much more. The enhanced functionality ensures that the administrators have visibility into the health of all systems in the environment. For more information, see [key benefits](../update-center/overview.md#key-benefits).

-> * Create a Windows VM with an IIS web server using [azurerm_windows_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine).

-3. In the search results, select **Bastions**.

- | Virtual network | Select **Create new**. </br> Enter **myVNet** in **Name**. </br> Leave the default address space of **10.4.0.0/16**. </br> Leave the default subnet of **10.4.0.0/24**. </br> In the text box under the **default** subnet, enter **AzureBastionSubnet**. </br> In address range, enter **10.4.1.0/27**. </br> Select **OK**. |

-In this article, you'll learn how to create a VPN gateway using an existing public IP in your subscription.

-In this section, you'll create a VPN gateway. You'll select the IP address you created in the prerequisites as the public IP for the VPN gateway.

-2. In the search box at the top of the portal, enter **Virtual network**.

-3. In the search results, select **Virtual networks**.

-4. Select **+ Create**.

-5. In **Create virtual network**, enter or select the following information.

-6. Select the **Review + create** tab, or select the blue **Review + create** button.